Security Policies for Sending Email From your Website

This article outlines the security policies and procedures that MUST be followed when sending emails from your website.

PLEASE NOTE: Failure to abide by these security policies may result in your website being abused or hacked.

Website abuse can result in nuisance or malicious emails being sent to third parties. In that case we reserve the right to immediately block emails from your website and/or shut down your website without prior notice.
In such cases you must repair your website and implement the appropriate security policies within 30 days. You will then need to apply to your cloud provider's support team to have the block removed from your website.

Website Contact Forms

Below are the policies for implementing a secure contact or inquiry form on your website.

1. Website contact forms MUST have a sufficiently difficult CAPTCHA mechanism. This ensures your contact form cannot be abused by "bots" (automated scripts that continually fill out and submit your form). The CAPTCHA response must be verified on the server side, in the script that sends the email: a check performed only in the browser is bypassed simply by posting directly to the form handler.


2. Your website MUST have a valid and current SSL/TLS certificate to protect transmission of the site visitor's data. All forms on your website should ONLY be accessible via a secure URL beginning with the prefix https:// and the form handler should refuse submissions that arrive over plain http://. To purchase an SSL/TLS certificate please contact your cloud hosting provider.


3. You must NEVER design your website contact form so that it sends the form content to the email address typed into the form.

This functionality turns your form into an effective SPAM relay: an attacker enters any third-party email address into the form, puts their own content (which may include malicious website URLs) in the other fields, and has your website deliver it to recipients who never asked for it. The only recipients of a form email should be fixed addresses set in your code (see policy 5). If you want to send the inquirer a confirmation, validate the inquiry first (for example, by confirming the address belongs to them before any further email is sent) and never copy untrusted form content into that confirmation.

4. Where possible you should restrict an internet visitor or remote IP address from being able to repeatedly fill out the same form within a short time period (e.g. 1 hour or 1 day). Repeated attempts to fill out a contact form and generate emails in quick succession should be blocked so that your website cannot be used by attackers to generate large volumes of email. This check belongs on the server, alongside the CAPTCHA, not in the browser.


5. You must design your contact form to send email with a From header address on your own website domain, e.g. webform@yourwebsitedomain.com.au. This is the domain your SPF and DMARC records (see below) authorise; putting the visitor's typed address in the From header is spoofing their domain and will fail those checks. The inquiry email should then only be sent to the people responsible for handling the inquiry. You can set the Reply-To header on the email to allow the recipient to reply to the actual inquirer; the typed address must be validated as a single well-formed address first, because carriage returns or line feeds inside any header value let an attacker append their own headers (such as Bcc:) and add recipients of their choosing.

6. Consider whether there are more effective ways to receive your website inquiries other than via email. For example, could your website use an API to enter inquiries directly into your sales management system? Alternatively, could your employees log in directly to your website to manage customer inquiries?
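A worked example, added here by the editor and not code from the hosting provider, of a PHP contact-form handler that applies policies 1 to 5 above in one place: HTTPS only, CAPTCHA that fails closed, a honeypot field, a per-IP rate limit, a fixed recipient list, From on your own domain, the visitor's address only in Reply-To, and CR/LF stripping on anything that reaches a header. The domain, recipient address, rate-limit file path and the captcha_passed() hook are assumptions and must be adjusted for your site.

```php
<?php
// contact.php: hardened contact-form handler. Editor's example, not the
// hosting provider's code. Domain, recipients and file path are assumptions.
declare(strict_types=1);

const SITE_DOMAIN  = 'yourwebsitedomain.com.au';          // assumption
const FROM_ADDRESS = 'webform@' . SITE_DOMAIN;            // policy 5: From on your own domain
const RECIPIENTS   = ['sales@' . SITE_DOMAIN];            // fixed list, never taken from the form
const RATE_WINDOW  = 3600;                                // policy 4: one hour
const RATE_MAX     = 3;                                   // submissions per IP per window
const RATE_FILE    = '/tmp/contact-form-rate.json';       // assumption; use a database in production

// Policy 1: CAPTCHA. Replace the body with your provider's server-side
// verification call for $post['captcha_token']. It fails closed until you do.
function captcha_passed(array $post): bool {
    return false;
}

// Policy 2: refuse to process the form over plain HTTP.
function is_https(): bool {
    return (!empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off')
        || (int)($_SERVER['SERVER_PORT'] ?? 0) === 443;
}

// Policy 4: per-IP rate limit backed by a small JSON file under an exclusive lock.
function rate_limited(string $ip): bool {
    $fh = fopen(RATE_FILE, 'c+');
    if ($fh === false || !flock($fh, LOCK_EX)) { return true; }      // fail closed
    $data = json_decode(stream_get_contents($fh) ?: '{}', true) ?: [];
    $now  = time();
    $hits = array_filter($data[$ip] ?? [], fn($t) => $t > $now - RATE_WINDOW);
    $limited = count($hits) >= RATE_MAX;
    if (!$limited) { $hits[] = $now; }
    $data[$ip] = array_values($hits);
    ftruncate($fh, 0); rewind($fh);
    fwrite($fh, json_encode($data));
    flock($fh, LOCK_UN); fclose($fh);
    return $limited;
}

// Header injection guard: anything that lands in a header must be one line.
function header_safe(string $s): string {
    return trim(preg_replace('/[\r\n\0]+/', ' ', $s));
}

function handle_contact(array $post, string $ip): string {
    if (!is_https())              { return 'This form is only available over HTTPS.'; }
    if (!captcha_passed($post))   { return 'CAPTCHA check failed.'; }
    if (!empty($post['website'])) { return 'OK'; }   // honeypot: bots fill it, humans never see it
    if (rate_limited($ip))        { return 'Too many submissions, please try again later.'; }

    $name  = header_safe((string)($post['name'] ?? ''));
    $email = filter_var($post['email'] ?? '', FILTER_VALIDATE_EMAIL);   // one well-formed address, no CR/LF
    $body  = trim((string)($post['message'] ?? ''));
    if ($name === '' || $email === false || $body === '') {
        return 'Name, a valid email address and a message are required.';
    }

    // Policies 3 and 5: the visitor's address is never a recipient; it goes in
    // Reply-To only. From is fixed to your own domain so SPF/DMARC align.
    $headers  = 'From: Website Enquiry <' . FROM_ADDRESS . ">\r\n";
    $headers .= 'Reply-To: ' . $name . ' <' . $email . ">\r\n";
    $headers .= "Content-Type: text/plain; charset=UTF-8\r\n";
    $subject  = 'Website enquiry from ' . $name;
    $text     = "Name: $name\nEmail: $email\nIP: $ip\n\n" . $body;

    // '-f' sets the envelope sender (Return-Path) to your own domain as well.
    $sent = mail(implode(', ', RECIPIENTS), $subject, $text, $headers, '-f' . FROM_ADDRESS);
    return $sent ? 'Thank you, your enquiry has been sent.' : 'Sorry, the message could not be sent.';
}

if (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST') {
    echo htmlspecialchars(handle_contact($_POST, $_SERVER['REMOTE_ADDR'] ?? '0.0.0.0'), ENT_QUOTES, 'UTF-8');
}
```

Two design points matter more than the rest. The recipient list is a constant, so nothing a visitor types can add an address; and every value that reaches a header goes through header_safe() or FILTER_VALIDATE_EMAIL, so a submitted name such as "Bob\r\nBcc: victims@example.net" cannot smuggle extra recipients past that constant. The envelope sender set with -f is what the SPF record in the next section is evaluated against.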

SMTP Relay and DNS Settings


Below are the correct technical settings and procedures to follow when relaying email from your website.

1. When sending email from your website you must either use the default relay settings attached to the ordinary PHP mail() function (the hosting environment's sendmail configuration) if you are using PHP, or, if you are setting the SMTP relay server manually in your software, use the server settings below:


SMTP Server: webrelay.mailsolutions.com.au
Port: 25
Authentication: None
Encryption: No encryption, or STARTTLS (explicit, opportunistic TLS negotiated on port 25)

Note that STARTTLS is not implicit TLS: implicit TLS (SMTPS) is a separate configuration on port 465 and is not the setting listed here. Prefer STARTTLS over no encryption so the message and recipient addresses are not sent in clear text to the relay. Because the relay requires no authentication, any script on your website that can open a connection to it can send mail through it, which is why the contact form controls above are mandatory rather than optional.


2. If you send email from your website you should have appropriate SPF (Sender Policy Framework) and DMARC DNS records created for your domain which identify our mail systems as authorised to send email on behalf of your domain. The correct example records are below; however, if you also send email via other internet service providers you may require additional include: entries. A domain must have exactly one SPF record, so add extra include: entries to the existing record rather than creating a second one. Please contact your DNS hosting provider's support team to implement these records if you are unsure.


SPF
Type: TXT
Hostname: yourwebsitedomain.com.au
Value: v=spf1 include:mailsolutions.com.au -all

DMARC

Type: TXT
Hostname: _dmarc.yourwebsitedomain.com.au
Value: v=DMARC1;p=reject;aspf=s

Caveat on aspf=s: strict SPF alignment means the envelope sender (Return-Path) domain of each message must be exactly the same as the From header domain, so a message whose From is webform@yourwebsitedomain.com.au but whose envelope sender is on a subdomain or a different domain will fail DMARC and, with p=reject, be rejected by receivers unless it also carries an aligned DKIM signature. Make sure your sending software sets the envelope sender on your own domain (for PHP mail(), the -f parameter does this). If you are not sure how your mail is being relayed, publish the record with p=none and a rua= reporting address first, confirm from the aggregate reports that your website's mail passes, and only then move to p=reject.
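The manual SMTP route from step 1 and a pre-flight check for the DNS records in step 2, as one worked example added by the editor (not the hosting provider's code). It uses the PHPMailer library (installed with Composer as phpmailer/phpmailer, an assumption about your setup); the relay host and port are taken from the article, the domain and addresses are assumptions, and the DNS check only confirms the records are published, not that the relay preserves your envelope sender.

```php
<?php
// relay.php: send via the article's SMTP relay with STARTTLS and verify the
// SPF/DMARC records first. Editor's example, not the provider's code.
declare(strict_types=1);
require 'vendor/autoload.php';   // assumption: PHPMailer installed via Composer

use PHPMailer\PHPMailer\PHPMailer;
use PHPMailer\PHPMailer\Exception;

const SITE_DOMAIN = 'yourwebsitedomain.com.au';     // assumption
const RELAY_HOST  = 'webrelay.mailsolutions.com.au';
const RELAY_PORT  = 25;

// Step 1: the relay settings from the article. No authentication, so the form
// hardening earlier in this article is the only thing standing between
// an attacker and the relay.
function relay_mailer(): PHPMailer {
    $mail = new PHPMailer(true);                  // throw on failure instead of returning false
    $mail->isSMTP();
    $mail->Host        = RELAY_HOST;
    $mail->Port        = RELAY_PORT;
    $mail->SMTPAuth    = false;
    $mail->SMTPSecure  = PHPMailer::ENCRYPTION_STARTTLS;   // explicit TLS on port 25, not SMTPS/465
    $mail->SMTPAutoTLS = true;
    // From and envelope sender (Return-Path) on your own domain: with aspf=s
    // both must be exactly SITE_DOMAIN for SPF to align under DMARC.
    $mail->setFrom('webform@' . SITE_DOMAIN, 'Website Enquiry');
    $mail->Sender  = 'webform@' . SITE_DOMAIN;
    $mail->CharSet = PHPMailer::CHARSET_UTF8;
    return $mail;
}

// Step 2: confirm the DNS records are published. Returns a list of problems;
// an empty list means SPF and DMARC match what the article asks for.
function check_sending_dns(string $domain, string $relayInclude = 'mailsolutions.com.au'): array {
    $problems = [];

    $spf = array_values(array_filter(
        array_column(dns_get_record($domain, DNS_TXT) ?: [], 'txt'),
        fn($t) => stripos($t, 'v=spf1') === 0));
    if (count($spf) !== 1) {
        $problems[] = count($spf) === 0 ? "no SPF record on $domain"
                                        : 'more than one SPF record (RFC 7208 allows exactly one)';
    } else {
        $terms = preg_split('/\s+/', trim($spf[0]));
        if (!in_array('include:' . $relayInclude, $terms, true)) { $problems[] = "SPF is missing include:$relayInclude"; }
        $last = end($terms);
        if ($last !== '-all' && $last !== '~all') { $problems[] = 'SPF does not end with -all (or at least ~all)'; }
    }

    $dmarc = array_values(array_filter(
        array_column(dns_get_record('_dmarc.' . $domain, DNS_TXT) ?: [], 'txt'),
        fn($t) => stripos($t, 'v=DMARC1') === 0));
    if (count($dmarc) === 0) {
        $problems[] = "no DMARC record at _dmarc.$domain";
    } else {
        $tags = [];
        foreach (explode(';', $dmarc[0]) as $kv) {
            [$k, $v] = array_map('trim', explode('=', $kv, 2) + [1 => '']);
            $tags[strtolower($k)] = $v;
        }
        if (($tags['p'] ?? '') !== 'reject') { $problems[] = 'DMARC policy is not p=reject'; }
    }
    return $problems;
}

// Usage: refuse to send until the DNS is in place, then relay one message.
$problems = check_sending_dns(SITE_DOMAIN);
if ($problems) {
    fwrite(STDERR, 'Fix DNS before sending: ' . implode('; ', $problems) . "\n");
    exit(1);
}
try {
    $mail = relay_mailer();
    $mail->addAddress('sales@' . SITE_DOMAIN);                 // fixed recipient, never from user input
    $mail->addReplyTo('visitor@example.net', 'Site Visitor');  // constructed sample address
    $mail->Subject = 'Relay test';
    $mail->Body    = 'Sent via ' . RELAY_HOST . " with STARTTLS.\n";
    $mail->send();
} catch (Exception $e) {
    fwrite(STDERR, 'Relay failed: ' . $e->getMessage() . "\n");
    exit(1);
}
```

Run it from the command line on the web server after publishing the records; it exits non-zero with the list of DNS problems rather than sending, which avoids generating mail that receivers will reject under p=reject. Setting both setFrom() and Sender to the same address on your domain is the part that satisfies aspf=s.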

Bulk Email Marketing Mail Policies


1. You must NOT use your website to generate bulk email marketing campaigns without written permission from your cloud hosting provider. 

The emails generated from your website should be in the normal course of your business operations in communicating with your customers, suppliers and third-party agents. This can include, for example, a regular newsletter to validated and approved email recipients, provided you are sending fewer than 5,000 emails per month.

If you believe your direct email marketing requirements may exceed 5,000 emails a month, please contact your provider so we can offer you an appropriate service to meet these requirements.


Creation date: 16/09/2021 10:59 AM (james.pearce)      Updated: 19/10/2021 12:29 AM (james.pearce)