The "NEW" way a contact form should work.

Up until recently, it was common practice to build a website form in a way that when it delivers to its recipient, it would often appear to of come "from" what ever email address was entered into the forms "email" input field.  This was very convenient because it allowed you to simply "reply" using your email program and on you went with your conversation. Easy-peasy right?

Well, while it was the seeming best way to go about email transactions, it was always possible for people to fraudulently send emails to you pretending to be someone else.  Care needed to be taken to ensure you weren't falling victim to an imposter.

From a spam side, it was equally difficult do deal with as people used methods like this to send you spam by pretending to be someone on your firewalls "whitelist".  From this issue came about something called "Domain Owner Policy Restrictions".  In 2014, Yahoo started implementing something called DMARC, which stands for "Domain-based Message Authentication, Reporting & Conformance". It's an email authentication policy record that aims to prevent from address spoofing. What it actually does is check the source of the email being sent against a database of approved mail servers for said sender - if it fails, it is rejected and returned. This will be especially notable when the destination email of your webform, directly or through forwarding, is the same service as the claimed "from" email.   

This is why you have to send it "from" yourself or at least an email that wont fail a dmarc check. Also watch your forwarders, I have seen yahoo and gmail reject forwarded emails that were originally "from" a gmail or yahoo email address that were not sent from an gmail or yahoo server.

The fact that many email forms send email using a servers email sending program, it is rare that the return message is found.  I myself did not find them until I started digging through my server logs.

This does get a bit difficult to deal with as we all want to just hit "reply".  For the most part, adding the senders email in the "replyto" header of the email can help, it will not guarantee smooth operation 100% of the time because many email clients and webmail interfaces ignore it.

What is important now is that we start making forms that handle this properly AND educate our site users to understand why things now have to be as they are and from this point, always make sure that the email that is being sent from your website is being sent with the actual "from" header containing a email domain from that server.

Personally, I thinks will be moving to a website messaging log built in to the CMS. - unless you have a better idea?

 Sources

• https://help.yahoo.com/kb/SLN24050.html
• https://support.google.com/a/answer/2466580?hl=en
• http://postmaster-blog.aol.com/2014/04/22/aol-mail-updates-dmarc-policy-to-reject