Email Sending by Websites

Last Updated: Aug 15, 2019

In a nutshell, we recommend your website not send any email.

However, if you do need your website to send email, you must ensure that the email is:

  1. to yourself and related parties (e.g. staff or your website designer) only, or
  2. to a customer for the purpose of order or payment confirmation, or
  3. to a new subscriber confirming their subscription, provided all new subscribers receive exactly the same email.

In addition, any emails sent must use a From or Reply-To address that is under your control, and not that of the enquirer. If you currently receive emails from your website's contact form, and you can reply to the enquiry by clicking Reply in your email program, you need to change your website. If you need to copy and paste the email address into a new email in order to reply, this extra condition does not affect you.

Other specific emails may be acceptable, provided they do not include any text entered on your website by the submitter. Please contact us with the details and we can let you know.

What about contact and enquiry forms?

We recommend you replace these with your contact details, including a clickable email address that the enquirer can use to send you a normal email.

If you really, really want a contact or enquiry form, then you must ensure the enquirer is not sent a copy of their enquiry. You must also ensure the website email you receive is not From the person who submitted the enquiry. These requirements help ensure that, should a spammer use your form to try to send spam, the only person likely to be adversely affected is yourself.

How can a contact form create problems for your normal email?

If a spammer uses your form to try to send spam, your email address will be considered a source of spam. This can have two quite different effects. Legitimate email to you may be blocked either temporarily (e.g. 24 hours) or permanently. Email you send is also more likely to be considered as spam by those receiving your email, as your email address is now a known sender of spam.

How can a spammer use my website to send spam?

A standard contact or enquiry form accepts the enquirer's email address, and sends a copy of the enquiry to you and the enquirer.

A spammer creates a program that submits that form thousands of times. Each time, a different email address is entered, none of which actually belong to the spammer. The enquiry message is their spam. Your website sends their spam to every email address the spammer entered, as well as to you.

Some contact forms can actually send to multiple addresses at once, if the spammer formats the list of email addresses properly. In that case, for each spam email you receive from your website, the spammer may have sent tens or hundreds of emails via your website.

If this happens, you may be unaware of the severity of the problem. The first few spam emails may make it into your Inbox, but then your email provider may block them so you do not see your copy of the remaining hundreds or thousands that are sent.
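
The following Python handler is an added example, not part of the original page: it builds the single email a contact form may send under the rules above (fixed From and To, no copy to the enquirer, no Reply-To) and rejects the multi-address input described here. The addresses and function names are assumptions for illustration.

```python
from email.message import EmailMessage
from email.utils import parseaddr

# Assumed addresses for illustration; both are under the site owner's control.
SITE_FROM = "website@example.com"
SITE_TO = "owner@example.com"


def clean_enquirer_address(raw):
    """Return one plain email address, or None if the field is unusable."""
    raw = raw.strip()
    # CR/LF would let the field smuggle extra headers (e.g. Bcc); commas,
    # semicolons and spaces are how a recipient list is packed into one field.
    if any(c in raw for c in "\r\n,;<> \t"):
        return None
    _name, addr = parseaddr(raw)
    if addr != raw or addr.count("@") != 1:
        return None
    local, domain = addr.split("@")
    if not local or "." not in domain:
        return None
    return addr


def build_enquiry_email(enquirer_email, message_text):
    """Build the only email the form sends: site address to owner."""
    addr = clean_enquirer_address(enquirer_email)
    if addr is None:
        raise ValueError("enquirer address rejected")
    msg = EmailMessage()
    msg["From"] = SITE_FROM   # never the enquirer's address
    msg["To"] = SITE_TO       # never the enquirer's address
    msg["Subject"] = "Website enquiry"  # fixed text, not taken from the form
    # Deliberately no Reply-To, Cc or Bcc. The enquirer's address appears
    # only in the body, so replying means copying and pasting it.
    msg.set_content(
        f"Enquirer's address (copy and paste to reply): {addr}\n\n"
        f"{message_text}\n"
    )
    return msg
```

The returned message can be handed to your usual mail-sending routine; the point is that nothing the submitter types reaches a header.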