Preventing form spam & improving email deliverability – WS Form Webinar Series, Episode 3

Get 20% off WS Form, click this button and use code “WPBuilds”

This is the third in a series of 6 webinars in which WS Form founder and developer, Mark Westguard, explains how to use the plugin. We move onto how you can make sure that the form submissions you receive are not spam, and also how you can maximise the amount of emails that delivered successfully.

Today, we cover:

Preventing form spam & improving email deliverability

Lifecycle of a Form Submission

  • User
  • Client
  • Server
  • Email
  • Recipient

Preventing Form Spam

  • User
  • Web Application Firewall (WAF)
  • Mod_security
  • OWASP Core Rule Set (CRS)


  • AI (Human Presence)
  • Honeypot
  • Captcha
  • Validation


  • AI (OpenAI Moderatrion)
  • Akismet
  • Cleantalk
  • Server-Side Validation (PHP)


  • Fake Email Detection (Disposable email addresses)

Improving Email Deliverability

  • What is wp_mail?
  • My emails won’t send!
  • SMTP Providers
    • Benefits
  • Recommended Send Email Settings
  • Other Potential Issues
Read Full Transcript

[00:00:00] Nathan Wrigley: This episode of the WP Builds podcast is brought to you by GoDaddy Pro, the home of manage WordPress hosting that includes free domain SSL, and 24 7 support. Bundle that with The Hub by GoDaddy Pro to unlock more free benefits to manage multiple sites in one place, invoice clients and get 30% off new purchases. Find out more at

[00:00:35] Mark Westguard: Hello, mark. Hello, Nathan. Are we

[00:00:38] Nathan Wrigley: gonna do this in Yorkshire accent today?

[00:00:40] Mark Westguard: Apparently, yeah. No, we're not good.

[00:00:43] Nathan Wrigley: No,

[00:00:43] Mark Westguard: we're not. How are you doing? I'm good. How are you? Yeah, I'm good. Hey, smart. Smart. Ah.

[00:00:49] Nathan Wrigley: Went the wrong way every time. I know it's wrong. That's Mark Westguard.

Look, there he is. Mark Westguard from WS form the the WordPress form plugin. We're doing a we're doing a six part webinar series. We've done two episodes so far. Fear not though. Each of them are distinct and self-contained, so if you miss them so far, it doesn't really matter. I'll just give you a bit of a rundown on what we've done so far.

The first episode couple of weeks ago was all about just building the form within the WS form ui. And then last week we covered building interactive forms and conditional logic and variables and cascading and all of that fun stuff. And today we're gonna be talking about preventing form spam and improving email deliverability.

That's right, isn't it? That's right. Yeah, that's right. Yeah. Good. I don't even know where the word spam came from. In the uk SPAM is this like tinned meat product that you can buy and it, nobody likes it. It's the poor man's food, if yeah. But it became the.

The universal word for stuff that comes into your inbox that you don't wanna see. Yeah. We're gonna talk about all of that, but we're treating this as a, basically as me and Mark just having a conversation. However, given the nature of the fact that it's live, if anybody is watching this and they wanna.

Put a comment, feel free do that. We've had a couple of comments on the shows that we've done previously and we've answered any questions that have arisen. If you wanna do that, probably you, if you're on the WP Builds live page, which is at that u r url, WP, you need to be logged into a Google account cuz it's face sorry, it's YouTube comments.

If you are watching this on one of the Facebook streams that we do, you've got a little extra step. You've gotta go to If you want to share your name and avatar, you don't need to do that. We just won't know who you are. That's all. But you can always add your name into the comment that you make.

Yeah. Shall we should we get stuck into it? Mark? Yeah, let's crack on. Shall I share the screen at this point or is there some preamble you wanna go through?

[00:02:57] Mark Westguard: Okay, yeah, let's do that. Let's share the presentation

[00:03:00] Nathan Wrigley: and if memory serves Last week we found that was a better. Display like that.

Should we go with that one? That works good. Yeah.

[00:03:07] Mark Westguard: And I've even charged my mouse this time. Yeah. Yay. See, we should be good.

[00:03:12] Nathan Wrigley: Yeah. All right. It's over to you. Preventing form spam and improving email deliverability.

[00:03:18] Mark Westguard: Nice. Yeah. So let's go for it. So just to remind everybody, we are doing 20% off any of the WS form additions.

Uhp com slash link slash ws. Use coupon code. That's the freelance all the agency edition. And also if you get like the personal audition, you want buy an addon, it includes the 20% off those as well.

[00:03:49] Nathan Wrigley: So funny.

[00:03:51] Mark Westguard: Alright, so the aim of today is to help you get form submissions from a user. To you, the recipient.

That's our ultimate aim is to try and improve that process. And there's a couple of ways of doing that. There's, first of all we wanna prevent submissions that you don't wanna receive from bots and things like that. And then we also want to improve the ability for those emails to get to you.

If it's coming from a user that you do want that information from. We're gonna just quickly go through the life cycle of a form submission. So basically, a user is going to use your form on a client, such as a web browser. That form's gonna get submitted to your server. In this case, we're using WS form as the form plugin, and that is then gonna send an email.

To yourself, to the recipient. Now, WS form can do a lot more besides just send one email. It can send emails to multiple recipients, or it could be sending information to, I dunno, constant contact. But for the purpose of this presentation, we're just gonna talk about this life cycle. Along the way, there's lots of other things that happen and we are trying to stop this little guy.

And the bottom left hand side, the bot, we don't like him. We don't want him to first of all, we don't want him to even get to the form. We don't want him to get to the server or send an email or, reach you. So there's different things that we can do along the way to try and prevent that, but also get that user through to the recipient.

So just very briefly, I'll go into some of these a little bit more, but on the user side, before they even hit your website, and we, I won't go into this much today because this is, a whole presentation in itself, but there are things you can do on the hosting side. To try and prevent people that you don't want filling out your form, accessing your website such as W A F, which is a web application firewall.

A lot of the times that is provided by what's called Mod Security which is a module that runs on your server and it will be using a rule set. To determine whether or not we like that user access in the site, such as an Owas core rule set. Now a lot of hosting providers provide that functionality outta the box.

If you using someone like Rocket Net for example, they have all of this functionality built in. And it's all man, hence the term managed WordPress hosting. So if you are using managed WordPress hosting, a lot of the time this stuff is being done for you on the client side, on the form itself.

So let's assume that bot has actually got through that and managed to reach the client. Maybe a spa is actually going onto websites and filling forms out. There are things we can do on the client side to try and prevent them from submitting lots and lots of submissions on your page, ai is one of those.

So ai, we're all talking about ai. We do that on the, WP Builds Monday. Cast that you do, Nathan and AI can be used to determine whether or not the user on your website is a bot or not. And we'll quickly have a look at that in a moment. Honey is another way that we can try and prevent automated submissions from coming through to you.

And I'll talk about that in a moment. Captures we're all familiar. Those we like recapture H capture, CloudFlare Turns style. There's lots of different captures out there. WS form supports three different captures. Recapture, which is the one provided by Google. H Capture, which is a capture that is a little bit more they say ethical.

It doesn't capture so much data and stuff about the user. And then CloudFlare Tetel, which is my personal favorite, which is a little less intrusive, it's more accessible as well. So that's the one that I prefer. And then also validation. So on the form itself, we can put some validation in place to make sure the data that's entered on that form.

It's formatted in the way that we want to receive it. So a lot of bots will just fill out a form with rubbish and don't necessarily take into account that validation that's going on the client side. So by introducing validation and we'll have a look at that in a demo internet we can try and prevent submissions by introducing validation on fields.

Once that form is submitted and we get to the service side, there are other things that we can do. So again, with ai we've got things like OpenAI where we can check for malicious content and things like that. AKIs can look for spam content. There are third party services like Clean Talk. Which will actually block submissions from certain our AP addresses and do a multitude of other things.

Some of those services are really great to look at, we're gonna talk about as well, which is a number used once. And that can be used to try and stop multiple submissions coming in, using data from that form. And it'll actually expire after a certain amount of time, so that can't be used again. And we'll talk about that.

And also server side validation, which is where you can write some custom PHP to validate any of the field content coming through. On the email side there are different services that you can use to detect things like fake emails. There are emails called disposable email addresses, which spas will tend to use, and we can detect those and see if there are actual submissions coming through.

Using those fake email addresses, we can also then look at SMTP providers to improve the deliverability of the emails that we do want. And we'll go into email deliverability in the second part of this presentation on how to improve the emails coming through to the recipient. And then ultimately at the end, this is something you can't control.

But you can, if it's yourself, but spam section in your inbox, basically. So ways of reducing the chance of an email going into an inbox being classed as spam. So that's the life cycle. This is only a small sample really of things that you can do, but hopefully some of the key things we'll go through today.

[00:10:02] Nathan Wrigley: Can I just ask you on the first one there, the user one, I've been very lucky in the typically months go by. And I get the occasional. Piece of email spam through a contact form. Yeah. But then it seems to go in waves, I'll have a week where where there's definitely a, an uptick in that.

Yeah. In Facebook groups and things like that, you h you do hear horror stories of people who are just gang. Absolutely. Pounded. Yeah. So I, is this. Genuinely. For some people it's more than an inconvenience. It is crippling to their email inbox and you're just getting deluged with thousands a day, which may mean that all of that productivity that you might have figured out in your inbox has just been shot to pieces.

[00:10:46] Mark Westguard: Yeah. Yeah. And it's becoming more and more of a challenge to stop that at that user end because these bots are coming in from multiple IP address. They're used to just come in from one IP address, so you could just block it. Now they're coming in from thousands of different IP addresses, and it's not just email spam.

This WA echo, the web application firewalls can be used to stop all manner of traffic to your website. So people just accessing your site and hitting it and maybe. Siphoning pages off your your server. It's becoming more and more difficult. The way that the mod security system works is it's looking for patterns of traffic coming through.

So certain strings, so if it sees a certain word it doesn't like it will potentially block that for you. And services like CloudFlare as well, for example, have some other great software built in, such as they have a challenge page that will come up. Yes. And they've seen that sometimes. Yeah.

Yeah. And it'll say, Hey, I'm not too sure who you are. Please confirm you're a human. So it's just a constant battle, isn't it? They come up with a new way of doing things and someone else has to come up with a way of stopping it. Fortunately, we were talking just a minute ago, being lucky that we live in the day and age that we do.

There are some fantastic services out there. Yeah, help. Cut this down. It's

[00:12:07] Nathan Wrigley: never perfect, but yeah I guess that's it. It is a bit of tennis, isn't it? Constantly just trying to figure it out. An analogy would be how, if you were getting 12,000 emails spammer as a day, imagine that the postman came to your front door and literally pushed 12,000 letters through your door.

It, yeah. You're never gonna get through that, are you? And the same would be true. Yeah, so a really interesting topic. Obviously, if you are in any way, shape or form, building websites for yourself or for clients. This stuff, although it's perhaps not the hot topic, if it's super important.

So yeah. Thank you, mark. This is gonna be great.

[00:12:47] Mark Westguard: Yeah just very quickly, again, first of all we're gonna talk about preventing form spam. We'll go through some things like client side and the server side ways of preventing that. This slide deck I guess I'll probably make this available somewhere, but I put some links at the bottom of each page that link through to knowledge base articles and things like that as we're going through.

But thank you. First of all, just wanna talk about honeypot. First of all, a lot of people have heard about honeypot. So I thought, explain how that works. So on a form you've got your regular fields, maybe your first name, your last name is submit button, et cetera. What Honeypot does is it adds a field to that form that you cannot see.

So what we do is we move that honey pot field outta the way, and from your perspective, it just looks like a normal form. From a bots perspective, they actually see that honey pot filled. So basically on the server we are expecting to make sure that honey pot filled has to be blank. It hasn't been filled out.

A bot will come along. It'll see that honey pot filled and it'll try and fill that out. Cause nine times outta 10, a bot will just go on, go onto your form, fill out every filled with some data because it doesn't see what through a browser. It doesn't realize that honey pot's actually off the screen and we want that to be blank.

Therefore, the server receives a value in that honey pot field and the server will go, Nope, I'm not gonna accept that email submission. To set that up in WS form is very easy. You just go to form settings. And then you go to spam and then you just check Honey Pot and it does it for you. So very simple to set that up.

You don't have to add any fields or anything like that to get that working, but that's roughly how Honey Pot Works. Can I ask you a

[00:14:35] Nathan Wrigley: question about that? Is that basically some sort of, is that c s it's being hidden, pushed off the side by c s and do the people who, you know, the robot.

Software creators. Do some of them look for that? They're taken into a account, the fact that it's c s and also when you create the form Yep. Does it utilize the same, I don't know, classes and things wrapped around that form label. In other words, would it be possible to know to create a bank of WordPress form plugins?

And this is gonna be the honeypot class for WS form and this'll be the other ones and so on. Yeah.

[00:15:10] Mark Westguard: So we don't use classes on that honeypot fill. We actually use inline styles to move it. Okay. Now, yeah, some bots are gonna be clever enough and go, hang on a minute, they've moved this off the screen.

Something's going on with starting on this. This is not a foolproof method. Okay. It's just one method. That you can use. Now, the other thing you have to be careful of, and this is for all form plugs. It's not just Ws form. Make sure that Honey Pot field is accessible as well. But what I mean by that is if you use like lighthouse for example, to check if your site is accessible and you've got a good accessibility score some Holly Pop fields, if they're not coded correctly, can cause problems with accessibility because that form can still be considered as being on the page.

And that can cause problems for people that are maybe using the keyboard to navigate. Oh, yeah. So we've made sure that the Honey Pot field is accessible and doesn't really. Come into play when you're filling in that form out. So that's honey. Okay. A knot. I wanna talk about knots quickly. So what a, what ANOT does, it's a number used once.

So what we do is we can put a special code or called a hash. On the form. And when the form is submitted, we check that hash. And if that hash is valid, we allow the form to be submitted. So NS is a, is actually a process that's used by WordPress. You are actually using ns. You don't realize that when you're using the admin.

So whenever you submit something on the admin, there are NS flying around to check that those admin requests that are coming in. Are in fact legitimate. And they're basically used to legitimize requests and make sure that the request that's coming in is what we want. For example, if a bot were to come on, take your form, and then try and submit it over and over again, over a period of three days, eventually Thatnot is gonna not work and they can no longer submit that form.

Now, the term n is weird in WordPress because NS is in WordPress. Are not used once they, they don't expire. Once they've been used, they actually expire over a period of time. And it's weird the way it works. They they expire between well after 12 to 24 hours. And the reason for that is if you set a knot up at, say, 1:00 AM that knot will actually be live all the way through to midnight, so it could last for 23 hours, right?

If you set the knots at 1:00 PM it, it works so that you are in the second part of the day and that knots lasts for 11 hours. So all you need to know really is a knots lifespan is between 12 and 24 hours. And the reason I'm raising that is if you're gonna use ANOT on a form, Make sure that your cashing on your pay, on your site is not longer than say 10, 11, 12 hours, because otherwise you're gonna start gettings that become stale in those cash results.

Now we actually disableds by default because we get so many issues with cashed nonsenses. A lot of hosting these days just has ho cashing switched on everywhere. And they don't take into account and nos may be into ac be taken into account. So you need to enable this. And again, this is another this is a global setting in WS form.

You can go to settings, go to advanced, and then just check a box to say enable nos. The way NSS work is they're a combination of different things. They have a time element to them, which is obviously, when it was set, it has an action and the action determines What that knot is being used for.

NS are also tied to individual users as well. So if you have a user that's logged in, that knots can only be used by them and nobody else. And there's also a random seed in there to make thatnot random. So that's Nazis. And yeah, again, to enable that, you can just go to WS form, go to settings, and enable that setting if you want.

[00:19:03] Nathan Wrigley: Good point about the caching though. So if you're experiencing problems with your forms and you've got nuances enabled, that might be a good first place to Yeah, to

[00:19:10] Mark Westguard: check. Absolutely. Yeah. Yeah. All right, so let's just have a quick demo and we'll look at some of these spam features. So I'm going to change what I'm sharing.

Okie doke. We'll go back to there. There we go. Okay, good. Yeah, so I just wanna quickly show you the settings for these. So if we go to form settings at the top right here. So this is just a basic contact task form that we've created. We'll go to form settings and then we'll go to spam here to the spam folder.

Here's human presence. And this is basically an AI system for detecting whether or not the person on your site is a human or not. It's a third party service and there's information here about how to set that up if you want to. So what'll happen is when the form is shown, human presence will run.

It'll determine whether or not it's a human or not. And if it's not a human, it'll stop that form. B, it's a bit, it's as simple as that. And they actually have, the nice thing about human presence is if you're just running one site, I believe they just give you a free site to play with so you can try that service out.

Akismet can be enabled on forms. So Akismet you may be familiar with, it's actually a WordPress product. And what Akismet does is we send the form submission. Through to Akima, and then they check it for spam, spammy words. And then if it finds that there's spam on a particular submission, we then flag that as spam and you can decide whether or not you want to accept that submission or not.

If you wanna enable Honey Pop, you can just check that box there as simple as that. And then WS form does all the work for you. So very simple to switch that on. Now, some spam systems return a spam. What's the right word for it? Like a score to score? Yeah. Yeah. So zero is basically no spam. A hundred is blatant spam.

And you can actually control the level at which you think something spam here. We leave that at 50 by default, but if you find that you are getting. Too much spam. You can bring that down a little bit. If you find that it's blocking too much, you can increase it.

[00:21:24] Nathan Wrigley: With that in mind, I, is it better to start with it lower and ramp it up so that at least the submissions are getting through?

Yeah. And you can start to detect, okay, there's too much here, and then you can just slowly move that dial up towards a, yeah.

[00:21:36] Mark Westguard: Mid. Yeah. In general, when I create a form, I enable honeypot and I put Cloudflare's turns style on there for me. That's usually enough. Yeah. If you need to introduce some other stuff, then yeah, you could bring this down and then, or, bring it up and then slowly bring it down yeah.

To, to whatever level that you want. So let's talk about the captures quickly. So add captures very simple. You can just go down to the spam protection section on the toolbox here in WS form. And if you want to add a CloudFlare turnstile for example, all you gotta do is just direct that onto your form.

And that's pretty much it. Now there are two keys that are associated with these captures, and I'll show you how those are set up. So if we go to settings in WS form, we go to the spam protection tab. You just basically enter your keys in here and then no matter how many different forms you've got, these keys will then be used on all of those forms.

Now, some of the captures, you may want to have different captures for different forms. For example, CloudFlare Turnal, you can actually set up different captures for different forms on your site, and then you can monitor those individually. So if we go back to the form that we were on, let's refresh this.

So we've got our one on there. So when I click on turnstile field settings, edit the setting, you'll see it's gonna default, the global settings, right? But you can type in your own key in there if you want to, so you can override it. But by having them as global settings, it just makes it easier. If you've got lots and lots of forms, it'll just copy it to all of them.

If we preview that, you'll see how that looks. So it's very simple. It just, Nice thing about CloudFlare is it just immediately says success most of the time. There's no challenge there. And that's it. It's as simple as that to set that up. There are different flavors of captures as well.

So for example, with CloudFlare Turnstile, you can actually make that invisible so the user doesn't even see that process. And it just looks like a regular form. Same with recapture with Google. So if we add a recapture to the form, Generally, you don't want two of them on a page, obviously, but I notice

[00:23:47] Nathan Wrigley: you nestling them above the submit button.

That seems to be the default place to put 'em on.

[00:23:51] Mark Westguard: Yeah. Yeah. Generally just put it as the last thing the user has to potentially deal with. Now, recapture will usually throw up a challenge, but they do have an invisible version as well, so we support version two. And version two invisible.

So if you are using a version two key, they do have an invisible version of that you don't really see on the form. And then version three is an invisible version. So you can choose which of those that you want to use on your page. H capture is very similar to recapture. It's just supposedly less intrusive and it's more it doesn't want, it doesn't take as much data from the user apparently.

So it's, it's just another flavor of recapture that people tend to like. I find H capture to be a little bit slower than recapture. Okay. And some of the challenges can be a little bit. Clunky. But my personal favorite is CloudFlare Te. I've had no trouble with it. They're

[00:24:51] Nathan Wrigley: all free, right?

There's no,

[00:24:53] Mark Westguard: they're all free. Yeah. Yeah. All free services. Even the new CloudFlare TE is free as well. Yeah, that's the nice thing about them. But you know why recapture exists, right?

[00:25:02] Nathan Wrigley: It's for their all time. Oh, I know. It's the typical program so that they know what their photos are for. Yeah, exactly.

It's quite cynical really, isn't it?

[00:25:10] Mark Westguard: That's why it's free. Yeah. So when you are clicking on those road signs and bridges and cars and bikes, you're actually feeding their Artificial intelligence systems for the autonomous vehicle program, but also

[00:25:21] Nathan Wrigley: it helped in Google Photos algorithm to figure out Yes what things were, if I yeah.

Show, show me pictures that I've taken of hippopotamus. That's right. Many of those, but at least it knows what it is. I often used to get asked what this number is. So it used to show me a number, which was clearly That's right. Yeah. From his front door or something like, like that, and yeah, that's right.

Yeah. It's become a little bit less intrusive, but it's still of all of them. I feel that, that has the capacity to make me throw rocks at the screen, right? Yeah. Just, do you know what I mean? It's just, okay I've shown you all the motorbikes and I've gotta show you more motorbikes and now some more motorbikes and more motorbikes, and I'm never quite convinced which bit of the traffic light.

Is the actual traffic light is the post part of the traffic light or the cable or, anyway, yeah,

[00:26:10] Mark Westguard: Yeah. I know what you mean. It's, and again, that's, I keep going on minute, that's why I like to turn star, because it just doesn't do that. Doesn't do that. Yeah. Yeah. It's doing something to detect if you're a human or not.

I'm assuming it's checking for mouse movement and things like that, or maybe touch events. I

[00:26:26] Nathan Wrigley: think there is a bit of that because if you stay still and don't interact in any way, the. There is a definite pause, and then as soon as you start interacting with the mouse, it figures something's going on there, doesn't it?

Yeah. Yeah. Can I just ask you one question? If you go back to the human presence, you mentioned that the form didn't get submitted. Now does that mean that if you use human presence, the submit button is disabled until you've got something back from them?

[00:26:51] Mark Westguard: It actually shows a message, so it'll say spam detected, and then it won't submit.

So yeah, that's basically the way that works. Okay. Yeah their plugin does all the work itself in the background and we basically query it and then we get a yes or no back. It's as simple as that. Okay. And then we show a message if yeah, if we're not gonna submit that form. Okay. Thank you.

Yeah. Yeah, actually going back to H capture, if you want some comedy h capture actually shows some amazing stuff, there's a squirrels which images show squirrels swimming through a lake and things like that. Oh, wow. It's very specific. Yeah.

[00:27:29] Nathan Wrigley: Good luck with that. Yeah.

That's an otter. Clearly. It's an otter. Heck, you

[00:27:34] Mark Westguard: linking. Yeah. Use that data for something else. I don't, I dunno what it's, yeah. Okay, so let's talk about validation. On a form as well. Very basic validation is things like using an email filled for an email address. Believe it or not, we do have some users that will add a text filled for everything.

And they'll use that for an email address, use an email filled for an email address because it'll validate the email address and make sure the email is correct. There are other things that you can do, fields as well, and I'll use a text field as an example here, but if you go into the advanced tab, We do have things like setting restrictions on minimum characters, maximum characters and things like that.

You've also got input masks as well, so if you've got a specific thing that you want people to type in, such as a postcode or social security number. Or anything like that, you can actually set up some quite elaborate input masks. We do have a knowledge base about how that works, but that can be

[00:28:31] Nathan Wrigley: used useful.

So that fill prefills the field with like placeholders and hyphens and things like

[00:28:35] Mark Westguard: that where That's right. Yeah, that's right. Yeah. So you kinda get a little mask like disappearing. And then you can then, yeah. You have to check that. That's correct. Pattern matching is actually a part of.

HTML five. It's an attribute on the fields, and that again, is where you can use, where you can use a regular expression. Now, again, we've said this on every episode, we're not gonna go into regular expressions. No thanks. Way of making sure that the data is correct. Now, some of these things are client side only checks.

And some of them are actually checked on the server side as well. So we do some server side stuff. So if the bot does try to submit the information, then we'll check it on the server side as well. Even setting fields as required can be, a way of validating data on the client side.

So there's some ideas, around validation on the form. Your recaptures your turn, install your H captors the spam measures that we've got. We've got the hu, we've got the human presence, the achi, the honeypot option. Use them as much or as little as you want to use. I would recommend with a new form, go with the basics and then.

If you start to cspan coming through, ramp it up. If you start to use some of the third party services, like the server side stuff, like maybe Clean talk for example, bear in mind that some of those services make a API requests off to a third party server, and that can slow down form submission. U use these ly and only use them, as and when you feel that you need them.

Okay, so that's some of this fan measures that we have in That's great. Ready on the comprehensive. Lovely. So let's carry on. Okay, so let's talk about improving email deliverability. So what we're talking about here is getting that email from the site to you. And this is probably our number one support question.

And I would imagine it's probably the number one support question for other form plugins as well. Now we do have a lot of information in our knowledge base about this, but I wanna run through some of the key things now when you sign up. For hosting that has WordPress on it. Nine times out of 10, it's gonna just send emails directly from that server and try and get it to the recipient without anything in between to try and improve that process.

So the default way of sending an email in WordPress is that you're gonna submit the form. A form plugin is gonna take that form submission, and it's gonna push it through to a function called WP Mail. Now, WP Mail is a PHP function. It's actually a wrapper for a library called PHP Mailer. And PHP mail is just an, it's an open source piece of code for sending emails.

And the WP Mail function makes it super easy for a WordPress developer to send an email. You can specify the two, address, the subject line, the message. You can add what are called headers. And headers are used for things like setting the from address. You can also set up tracking headers and things like that.

And then you can also send attachments with that as well. So it's a nice and easy way of doing it. The problem is that when WP used. Nine times outta 10, it's not gonna get to the other end, and there are various reasons for that. A lot of email packages that you are using now have different measures in place.

We're going to those in a moment that it expects to see in order for that email to be received and actually sent onto the recipient. And if you are using WP Mail alone nine times outta 10, our email's not gonna get there. And that's when we get a support ticket saying, my form's not working. It's not sending emails, and it's not a WS form issue.

It's actually up an upstream issue with getting the email to the user. The first thing we would recommend doing is installed an SMTP plugin. And what an SMTP plugin does is rather than using P H P mailer, WP Mail will be routed to an SMTP service to send that email, and an SMTP provider can provide much more efficiency on getting that email to the intended recipient.

So what we would recommend you do is go into the plugin entry, do a search for smtp, and then pick an SMTP plugin that you'd like to look off. Here's an example of one post smtp. Not recommending it, it's just, one that, yeah, that pops up. It's one of the top ones that come up. It's a very SMTP plugin, and what that plugin will do is it'll plug into one of many different SMTP providers.

So there are several out there. I personally use Amazon S ses. Which is Amazon's simple email service. But there are plenty of others out there that are sometimes a little bit easier to use. Amazons SES is quite involved. But things like SendGrid are a good one. Malcolm is a good one. Also if you've got an existing email provider like Gmail or Office 365, you can actually use that to send the email through as well.

But some of the nice things about some of these SMT pre providers is that they will provide you with things like logging and stuff like that. So you can identify issues with your with your email sending. So the way an SMTP provider works is the form is completed that gets sent to the form as before.

The SMTP plugin intercepts that email, and it will then be sent onto the SMT P provider, either as an SMTP request. Smtp, by the way, stands for Simple Mail Transfer Protocol. Or it'll do it using an api. So SMTP is a. Very old standard. I think it's sixties, seventies when it was invented.

I forget the actual year, but it's because it's so old it's widely used. It's very simple to use, but it doesn't have much in the way of making sure the emails received by its recipient. There's generally nothing that comes back. Sometimes you'll get a message saying, there's been a transient delivery failure.

An email provider along the way will kindly send you a message back saying, sorry, we couldn't get it to you. But TP itself doesn't have any. It's not very reliable in terms of actually getting a message to the superior. It just sends, now, if you're using an API with an SSTP provider, they can actually provide information back to sstp plug and say, Hey, there was a problem sending email.

So the benefits of using an SMTP provider, you've probably got some logging there so you can see if emails are getting through. Okay. If there's any problems they can actually queue and retry sending emails as well. So if there is a problem getting that email out, they'll queue it up and they'll try and.

Try and send it again. They also use these wonderful little technologies here, which I'm not gonna go into in detail here. But D A D K, IM and spf. So these are different authentication protocols and methods that are used with emails. So that when the email is received by the client, sorry, the, the recipient, their system, they're able to check that email has come from somebody that is authorized to send that email.

So usually in general, the way it works is there's a key maybe in a header or something which the key is then sent back to the source domain to say, Hey, did this come from you? And if it does, then it allows the email through. Now these are all things that don't happen if you don't have that SMTP provider in place.

And. The, the more of these things that you can implement and a lot of these SMTP providers will implement this for you. You may have to do some DN s set up to get it working, but it's a relatively straightforward process to get that working. Alright? So that's, using a plugin to improve deliverability.

There are also things you can do in terms of making sure that when you're sending an email out from a form that it's configured correctly. Now these are the recommended settings that we put out there for a form. So in WS form let's go back to here. If we go to actions and we look at a send email action, let's just make this a bit bigger so we can see it.

I'll zoom in a bit. You have these different settings here. You've got the, from email address, you've got the from display name that's optional. And then you've got where the email is going to and a display name for that as well. Again, that's actually optional, and then you've got the reply to field as well.

So I'll just run through those and show what those mean. Now you're from email address when you are working with a SSTP provider, I know I keep saying that Marcus generally going to be. Authorizing a domain or an email address. So basically your you have authorized the use of this email address to allow it to send emails out from your server and that email address, you want to keep the same all the time.

So don't put in there maybe the user's the email address of the user that's filled out your form. Keep that consistent. The display name, you can set that to anything that you want. So that can be the user's name, it could be a company name, anything that you need. One thing just to bear in mind with that, and we've come across this, is that some of those S N T P plugins don't like display names.

There is a standard out there, which WP Mao actually. The function actually abides to which is where you basically combine an email address and a display name together. Some, we found that some SMTP plugins don't abide to that rule, which is really strange given that they're an email plugin.

But just bear that in mind. So if you find an email's not sending, that can sometimes be the reason. If you remove the display name, it may work. We've reported that to quite a few of them, and they have actually fixed it, which is great. The two address can basically be anybody. So that would be an email to you to get an acknowledgement, or it could be an email to the customer to say, Hey, thanks for your inquiry.

So there's two ways you can do that. On the two address, you could literally just put in, your email address. You can actually use variables in here, ws form variables. So by default, we actually set that to admin email address. Another way you can do it is if somebody is filling out that form and you want to send an email to them, you can get that ID there.

So 9 74. If I go into actions and go to send email, if I wanna send it to that email address, I can dynamically insert that in here and put hash. And 9 74. So yeah, the two address can be anything you want. You can send to multiple email addresses with I, with WS form, so you can actually put in, I could send one to me as well.

Now, if you've got maybe a sales team, you may have three people, perhaps. You might have a, you might have B, and you may have, oh, you might have c. Yeah. Yeah. You may wanna send that to all three people and say, Hey, work out who's gonna get that. You can also do what's called round robin, so if you click on round robin here, you can actually set it so that it will send to each of these people equally.

So A will get it, then B will get it, then C we'll get it,

[00:40:13] Nathan Wrigley: get it. Just, I think this is worth exploring actually, just for a few moments. Yeah. Cause this is cool. So let's say that I've got, let's say they've got sales team. There's 10 people in that team. Yep. What you are saying is that, One person, one will get it a proportion of the time.

Person two will get it. Another proportion of the time. You could say everybody gets it 10% or, I don't know. The first employee is working twice as many days, so they should get 20% instead of 10%. That kind of thing.

[00:40:43] Mark Westguard: Yeah. So by default it's set to auto, so it'll split it equally between them. But you could put in here 50%.

25%. 25%. Perfect. And then this person will get it twice as much as these. Yeah. And is that's

[00:40:56] Nathan Wrigley: just a straight up. It's doing it in some kind of iteration. It's doing two to a, then one to B, one to C, then back to the top two to A one to B, or is it

[00:41:07] Mark Westguard: More Yeah there's an algorithm behind an algorithm.

Algorithm, yeah. So it's not precise. So it won't be 2 1, 1, 2, 1, 1. Yeah. What it does is it reassesses every time it sends, so what it's gonna do, it's gonna go. Okay. This person has received one email. These have received none, so maybe I should send this person one. Got it. And I'll send this one. Oh, and this one, he's got some capacity, so I'll send him that again.

Now we're back to zero again. Got it. Got through the cycle again. Yeah. Yep. Yeah, it's entirely up to you how you set this round. Rob it up. But that's pretty for people. Yeah, it's good for teams, that are using this. You can switch that on and off very easily. You can also CC people.

So that's basically the carbon copy field that you see on an email. This enables you to add multiple ccs and you can also do a bcc, which is blind carbon copy. So if you're not familiar with that, What that'll do is it'll send it to another recipient, but anybody on the tool or CC won't be aware that it has been sent to that blind carbon copy person.

So if you wanted to send an acknowledgement to the customer and also receive that yourself, but they don't see that they, you've received that or you don't want your email address to appear so they can reply to it, you can add that as a BCC reply to. Now this is quite a useful field. Yeah. And what the reply too does is it enables you to determine where a email will go if someone clicks reply.

So going back to the from address there, because we will always wanna send the email from an address that's authorized so that it will get through to the recipient by setting the, sorry, just it's all right. Forward one. By sitting the reply two field, you can determine that the email will go back to a particular email address as opposed to your authorized email address that you're sending from.

So just to give you an example of that, if you are sending an email to a customer, for example, you've maybe put in the two field, maybe hash filled. 74, that's where we want that to go to. To this email address. If they reply, rather than go into your black blogging email address or the approved email address that we've set up, you maybe want that to go to your sales team, for example.

My whatever you may wanna put in there. If you are receiving an acknowledgement from a customer to yourself, then you would probably want me email to go to you. So maybe that would go to the way around, wouldn't it? An email address and a reply to would go that field.

Yeah. There, yeah.

[00:43:46] Nathan Wrigley: So this is when you are looking at the email in your email client gmail or whatever it is, when you click, when you received that email and have read it. When you click the reply button, it's going to whatever it says in that field. Got it. Yeah.

[00:43:57] Mark Westguard: So again, these fields is quite important to make sure that the emails are received both to you and to your customers.

And this, these are the, probably the most critical ones is the from address, making sure that's authorized and a reply to, just to make sure that if a reply occurs, then it comes back to you as well. Otherwise, when the hit reply, it's gonna go back to whatever email address is set up on the song, on the from address.

Again, there's information about that in our knowledge base. If you go to knowledge base slash email notifications, dash not dash working then there's all of this information is in there. We've got quite a few things in there about How to improve deliverability.

[00:44:35] Nathan Wrigley: Just one quick thing on that. I think Gmail for example, I think their current sending limit because they don't have an infinite supply they're sending limit, I think it's something like 200 a day.

So typically that's gonna be fine, right? Yep. But if you are running a major e-commerce, Stored, that's probably not the best solution because it's gonna cap out a 200 and your account's gonna get flagged. So yeah, give that a bit of

[00:45:01] Mark Westguard: thought. Yeah, absolutely. Yeah, that's very true. Some of these S M T P providers will give you a free amount every month.

Yeah. But you can go over that, in which case I think you can upgrade to a paid account. I think,

[00:45:14] Nathan Wrigley: I think Amazon, s e s I think each email is something like 1000th of a US sent. It's maybe not that, but it's akin to that, it's, yeah. Adjacent. It's

[00:45:23] Mark Westguard: ridiculously cheap. Yeah.

Yeah. I don't even notice, personally I don't notice it. Some sites send tens of thousands of emails every hour, so it becomes more of a concern. But yeah, most of these services are very inexpensive, as you say. Yeah. And well worth investing in just some other potential issues before we wrap up.

One of the things that we find with Ws form is sometimes people won't hit the magic publish button on the form, so let's just talk about that quickly. The editing process in Ws form is such that you can play around with the form as much as you want without impacting the live version of the form on the site.

So that enables you to preview it and test, maybe different layouts, different features without impacting the live site. When you're ready to put the form live, you hit the publish button up here. We've had a few instances where people have made changes to Ascend email setting here they've hit saving close and they expect that to work.

You've actually gotta hit that publish button, so make sure that publish button has been clicked. To make sure any changes are actually cuz basically everything on this form is in draft state until you hit publish. So if you edit conditional logic, If you edit actions, if you meet, change anything on the form, that's all put in reserve until you hit that published button.

So that's that's a, can I ask a

[00:46:43] Nathan Wrigley: question about the UX of that? If I've done a load of major changes and then I try to close that window down. Yeah. Prior to publishing, do I get some kind of notification saying, whoa,

[00:46:53] Mark Westguard: it actually saves it all for you. Oh, good.

[00:46:56] Nathan Wrigley: Yeah, it's not published. The changes are saved.

The state is saved, but that's Right. Publish.

[00:47:01] Mark Westguard: But it hasn't been published. Got it. Yeah. It's all saved. Yeah. So what actually happens when you click the publish button in WS form, it actually compiles the form into a single J s O packet. Which makes rendering of the form on the front end very quick.

So when you actually render a form on your website, it's one database query to get the whole form. So when I then make changes, so if I drag another field onto this, you'll notice that the publish button will become live because it's detected some changes. Yeah. So all the changes are stored on the server in the database.

But when I hit that published bar, it then publish it to publishes that form to a different location. And that's what's actually used on your live site. So enables you to do as much work as you want on the form, and if you go away for a cup of tea and close this down and then come back again. You can carry on editing it.

It will retain where you currently are, so you won't lose any data.

[00:47:55] Nathan Wrigley: I think we mentioned in episode one that you also get a history of changes made to the form system. Yeah. Bundle it up and, screw it up in some way. You can just NIPT back

[00:48:05] Mark Westguard: and that's per session so that if you do close down and come back, that will be lost.

We don't store every change because it would just be amount of data. Yeah. Nice. But yeah, we have if you go to undo here, you've actually got a, a. Log of everything that's happened on that form, and you can go back to any step that you want. So that's session based, but the actual editing of the form is all saved.

Yep. And you can come back to it at a. Yeah, remember that one. The other thing is sometime, and I have come across this, sometimes hosting providers are just not set up to send emails. Crazily. Yeah. And you may get this error saying could not instantiate malfunction. If that happens, contact your hosting provider and make sure they've got email sending set up.

On your hosting so you can actually send emails out. I'm quite surprised when that happens, but we do get it. Avoid sending emails from and to the same email address. So sometimes if you send an email from your. Personal email to your personal email, that can be class of spam. So that can sometimes block an email coming through.

So make sure that that you're not doing that. And also check your spam folder. So this is the last step, which is about, when that email does actually get through to that user. We've gone through all those steps. We've made sure you're not a bot. We've actually put everything in place we can do to get the email to the recipient.

At the end, that email client may look at that email and go, Nope, I'm not gonna show that to my user. I'm gonna put that in the spam folder. And there are so many reasons that could happen, even putting dear, and then their first name can be classed as spam, funnily enough, or quiet, and then their name can be classed as spam.

Certain words can be classed as spam. So if you've got even anything financial in that communication, that can sometimes be class of spam. So when you are sending emails out, And you are editing the the send email action. So let's go into that and we go to send email and we come down to where the actual message is here.

The content in here can be vital as to whether or not that email is received by a an email client. There are some services online that you can go to. You can actually copy and paste your email content. Into them and they'll check it to, to see whether or not it's considered spam or not. So you might wanna have a look at some of those.

But yeah, so this is this part here and your subject line as well could be critical to whether or not that email's gonna be received. Try and keep it, try and steer clear of like financial words. Anything to do with Bitcoin. Yeah. Don't put the word Bitcoin or Viagra or anything like that in your subject line or message, cuz you're gonna have trouble.

Now if you find that it is inadvertently going to to spam. Dan, Alan always keeps going to the next slide. If it does go into spam, then there are ways you can whitelist it in different email clients. So you could whitelist your from address just to make sure that those are coming through. And none of those do end up in spam.

And it, the o The other thing too, bear in mind is that when people are filling your form out, they're gonna be pulling all types of different content in the message box. So if you've got an inquiry field, That's gonna be taken into account on the client side when it's received. So what they're typing in that you can't control is gonna, may maybe class a spam.

So by whitelisting that from address, you can, remediate the issue of those potentially ending up in the spam box. There's

[00:51:37] Nathan Wrigley: services like MX Root, which will R o u t e, not r o t, which give you some, never gonna be not funny. Oh dear. It reminds me of Word Camp Asia and I was never there.

Still got you here.

[00:51:56] Mark Westguard: I always keep Nathan handy. It's always good to

[00:52:00] Nathan Wrigley: have cardboard cut out of Nathan on hand. Yeah. Services like MX Root will give you some sort of insight into whether or not you are passing the necessary tests. I must admit a lot of that is a bit of a mystery to me.

We had a presentation at the Page Builder Summit, all about Dki and SPF and all of that, and it was quite informative. Yeah. It's not an area which most people get into, and yet it can be, It's one

[00:52:24] Mark Westguard: of those things you set up and forget about, isn't it? Yeah. So you never really get into it that much or understand what you're doing but also a bit of a

[00:52:31] Nathan Wrigley: black hole in the, if you are clearly getting information sent into your contact form and you are sending out things that people should follow up on and nothing's coming back.

Definitely time to. Look at it, but the thing is, you can't be sure from the outset what, what is landing in people's inboxes. Yeah. Yeah.

[00:52:51] Mark Westguard: And it's a shame that we have to do all this really. Yep. And part of this is just because of that old specification for sending emails.

It never had any of this in it. So these are things that have been retro retroactively invented to try and circumvent those issues. So yeah, it's,

[00:53:08] Nathan Wrigley: It's a bit, it's interesting as well, because Because email constantly, everybody's predicting it's demise and it's doom. And yet my understanding is it is going strong.

It is still the best way of communicating with people. Yeah. Not everybody's on WhatsApp. Not everybody's using Signal or Messenger or whatever it might be. Yeah. Snapchat and things, but email, more or less, everybody's got one. I dunno if that'll. I don't know if that'll continue. The younger generation Oh, do seem to be a little bit like my kids don't go anywhere near email, but they seem to be able to communicate with everybody.

Yeah. They're all, maybe that'll change when they, whatever. Yeah. But it'll change probably when they get to the workplace and that's just, yeah. They got

[00:53:50] Mark Westguard: just one other thing to Yeah. Please to add at the end. Don't rely on email a hundred percent. Make sure that you've got a safe submission.

Action on your form. Now. Every form you create in Ws form, other than post management forms, which we're gonna talk about next week, have a save to submission action on them. And what that does is it will save the form data and then that's accessible within submissions here. So you've got that as a backup.

So make sure that you are using other meth, other methods for saving that those form submissions. And this saves submissions is something that's built into WS form. In fact, if you're using our light edition, We include that with the light edition. Some form plugins don't actually save submissions on the the plugin version.

Nice. So as includes that do you limit

[00:54:37] Nathan Wrigley: the number of days that it's held there, GDP and all that?

[00:54:41] Mark Westguard: Yep. Yeah, so you can actually do auto expire submissions and you can choose how many days you wanna keep those. You can switch that off and just keep everything if you want. But that's, yeah, just a nice little feature.

You can go into the submissions. Let's just create one and show you quickly, let's. Create contact us form and we'll go to preview and we'll use the Debub consult to submit that populate and submit. And then we'll go back to submissions. And there you go. You can actually view the submissions in here.

This gives you a log of all the fill that were filled out. It also shows you what actions will run when that submission was made. You can actually see the send email action here. Yeah, it shows you. The settings that we use to send that email. So you can use this to debug email sending, and it'll also, if you click the I icon here, it'll show you whether or not that email was sent successfully.

And if there was a problem sending that email, it'll actually show you the error message. Now if you find that an email hasn't gone you can actually click this rerun again icon here, and it will actually send that email out again to that user. You can rerun actions with WS form to do that, you could also export this data.

So if you've got say, a thousand entries in here and you wanna export those nice to an Excel spreadsheet or two numbers, or Google Sheets, you can click export CSV and it'll create an export for you. And then you've got a CSV file of all your submissions as a backup. So there you go.

[00:56:12] Nathan Wrigley: Thank you. I want you to say the words eye icon.

Like a pirate.

Dunno why, I dunno why that came into my head. Yeah, there you go. Look, WP Builds joins forces with Mr. Westguard. Ws form 20% off. There's the link, WP form, and then if you use the code WP Builds, you're gonna get 20% off any edition. And I think it's fair to say where three shows in.

You are probably by now figuring out that this is a fairly robust solution, but we're only halfway through. We've done form building basics, interactive forms, all the spam and what have you today. And then next week we're onto form, sorry, custom field plugin integrations. So all of the different ways that you can integrate your custom forms for, is that gonna be where you're touching on things like creating posts and creating users and stuff like

[00:57:09] Mark Westguard: that?

Correct. Yeah. Nice. So we very deeply integrated in with. Advanced custom fields, a c F pods, MeBox jet engine and tool set. So you can use WS form in conjunction with those custom fill plugins to create posts, to edit posts. And it also works with user functions as well. So you can actually use those custom fill plugins to add custom fields to users.

So maybe like an avatar image or whatever. And yeah, you can basically use those custom fill plugins to modify users and posts and we'll go through that next week.

[00:57:46] Nathan Wrigley: Yeah, if you've never done that before, tune in next week. Cuz it really, it changes the game on what you can suddenly get your website to do.

All of a sudden you can get user submitted content that could become and you would like, the way

[00:57:56] Mark Westguard: WS form does that. It's it's very clever cause it builds forms for you. And it saves an awful lot of time.

[00:58:03] Nathan Wrigley: We'll be back next week. I appreciated that. That was a really nice episode. Thank you for those people who joined in.

I'm sorry I didn't raise any of the the comments on the screen. But thank you to Peach, Neil, Michelle, Atif, and Marcus. For making comments. Really appreciate it. But we'll be back this time next week. 3:00 PM Wednesday. What'll that be? The 24th or something like that of May. Something like that. Yeah, something like that.

Add seven to 17. Ooh. Yeah. Tha Thank you John. He says Thank you Nathan and Mark. Thank Mark. I just sit here and allow Mark to explain all this wonderful stuff. We'll be back next week. Take it easy guys.

[00:58:43] Mark Westguard: Bye. Take care. Thanks. Bye.

Please leave a comment…

Filter Deals

Filter Deals


  • Plugin (2)
  • Lifetime Deal (1)
  • SaaS (1)

% discounted

% discounted

Filter Deals

Filter Deals


  • WordPress (37)
  • Plugin (34)
  • Admin (29)
  • Content (18)
  • Design (11)
  • Blocks (6)
  • Maintenance (6)
  • Security (5)
  • Hosting (3)
  • Theme (3)
  • SaaS app (2)
  • WooCommerce (2)
  • Lifetime Deal (1)
  • Not WordPress (1)
  • Training (1)

% discounted

% discounted



WP Builds WordPress Podcast



WP Builds WordPress Podcast
%d bloggers like this: