If your contact form says “sent successfully” but messages end up in spam (or disappear), the fix is usually not “try another form.” It’s your email authentication + sending pipeline.
This guide is the small-business setup I use to make form notifications reliably land in inbox.
Related: if you want the quick diagnosis first, read Why Contact Forms Go to Spam (and How to Fix).
The 80/20 rule
You don’t need enterprise tooling. You need 3 things:
- Authenticated sending (use SMTP / a real mail provider)
- Domain authentication (SPF + DKIM)
- Policy + alignment (DMARC + correct From/Reply-To strategy)
Step 1: Use authenticated sending (avoid “default mail”)
Many websites still send via server default mail (PHP mail). That’s the fastest path to spam.
Instead, send via authenticated SMTP from your mail provider (example: Google Workspace, Microsoft 365, your domain mail host). Your form tool should support SMTP or an email API.
Practical recommendation for contact forms
- Send the notification to you (your inbox)
-
Set From to an address on
your domain (example:
noreply@yourdomain.com) - Set Reply-To to the visitor’s email (so you can reply normally)
This keeps DMARC alignment clean and avoids “impersonation” signals.
Step 2: SPF (Sender Policy Framework)
SPF tells inbox providers which servers are allowed to send email for your domain.
Important SPF rules
- ✅ You should have only one SPF record per domain.
- ✅ If you use multiple services, you combine them into one record.
-
✅ Start with
~all(soft fail), later tighten to-allif stable.
Example SPF record (replace includes with your actual providers):
v=spf1 include:_spf.google.com include:mailgun.org ~allIf you’re not sure what you already have, check DNS first. Duplicated SPF is a common hidden bug.
Step 3: DKIM (DomainKeys Identified Mail)
DKIM signs outgoing email so inbox providers can verify the message hasn’t been tampered with and that it truly came from a domain-authorized sender.
What to do
- Enable DKIM in your mail provider dashboard.
-
Add the provided DKIM DNS record (usually a TXT record under a
selector like
selector1._domainkey). - Verify DKIM is “passing” in test emails.
DKIM is often the biggest “spam → inbox” switch for small businesses.
Step 4: DMARC (policy + alignment)
DMARC tells inbox providers what to do when SPF/DKIM fails, and it enforces alignment (domain consistency) so spoofing becomes harder.
Start safe: monitor first
Use p=none first to monitor without breaking mail, then
tighten later.
Example DMARC record:
v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com; adkim=s; aspf=s; pct=100-
rua= where reports go (create that inbox first). -
adkim=sandaspf=s= strict alignment (stronger, but ensure your setup is correct). -
Later you can move to
p=quarantinethenp=rejectafter you confirm everything passes.
Step 5: Fix “From” vs “Reply-To” (the quiet deliverability killer)
One common mistake: setting From to the visitor’s
email (example: example@email.com) while sending from
your domain/server. That creates mismatch and fails DMARC alignment.
Use this instead:
-
From:
noreply@yourdomain.com(orhello@yourdomain.com) - Reply-To: visitor email
- Subject: include context like page name / form name
Step 6: Keep the message “spam-safe” (small tweaks)
- Avoid “salesy” phrases and ALL CAPS in subject.
- Keep HTML simple (or use plain text + basic HTML).
- Don’t attach files from the form (link instead).
- If your domain is new, don’t blast high volume on day one.
Step 7: Test the right way
Don’t just test “it arrived once.” Test like a deliverability engineer:
- Send test form messages to Gmail and Outlook.
- Check spam folder and “Promotions” tab.
- Inspect email headers: confirm SPF=pass and DKIM=pass.
Quick checklist (copy/paste)
- ☐ Form sends via authenticated SMTP (not default server mail)
- ☐ SPF exists and is single (not duplicated)
- ☐ DKIM is enabled and passing
- ☐ DMARC exists (start with p=none)
- ☐ From = your domain, Reply-To = visitor
- ☐ Test headers show SPF/DKIM pass
If you do these, most “spam” issues disappear.
If your emails still go to spam
Send me your website URL. I’ll check the email flow and reply with a clear fix plan (no redesign pitch).
← Back to Affiq LogSupport Independent Work
If my work or articles help you, you can support my independent work here.
Support