Akismet is an anti-spam service provided by Automattic (the same developer as WordPress). The service is free for personal websites, although you still need to setup an account and get an API key. For more info, see Spam filtering with Akismet | Contact Form 7.

CAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart) is a type of test to determine whether a user is a human or bot. You need CAPTCHA to block automated bots. Contact Form 7 supports two CAPTCHA services: reCAPTCHA from Google, and Turnstile from Cloudflare. Review both and configure one of them.

By setting up an anti-spam service and a CAPTCHA service, you are in a good position to defend against bots and spammers. There are still good practices you must follow when you setup your forms, but your foundation is strong.

You may need to configure an external SMTP server (email server) if you are sending a lot of automated emails. Many hosting companies put a daily limit on emails sent through their servers. Remember that an autoresponder with CF7 will send two emails per contact: the email to you, and the email to the user. If your daily limit is 50 emails, then you will be blocked after 25 form submissions.

You don’t need to do anything special with CF7 when you configure an external SMTP server. CF7 uses a standard WordPress API to send the emails. When you setup an external SMTP server, that API will automatically use your external server. However, you do need to select an external mail service, and then select a plugin to use that service.

We prefer the FluentSMTP plugin because it is free and open source, and supports many popular third-party email services including Microsoft 365. To get started, visit https://fluentsmtp.com/. If you use Microsoft 365, we have a guide at How to send WordPress emails through Microsoft 365 with FluentSMTP.

Refer to the CF7 documentation at https://contactform7.com/docs/.

For each form, you can configure one or two emails. The first email is sent to you in response to the form submission. This email is required. The second email is optional and can be used for any purpose. To make an autoresponder, you will send the second email back to the user.

Scroll down on the mail tab page and turn on Use Mail (2).

For example, if your form defines the user email as [your-email], then put this tag into the To box. You must include opening and closing square brackets.

Avoid putting any user-submitted data in the subject line (and other fields as well). This stops a spammer from using your anonymous form to send malicious information to an arbitrary email address. Our contact form sends [_serial_number] in the subject line to give it a unique tracking number (this data is not user-supplied and is safe to send back to the user).

A common header is Reply-To: email@example.com.

Be careful about sending user-supplied data back to the user. A spammer could enter their target victim’s email address with a message. It is safest to avoid any user-supplied fields, as they represent a potential attack vector.

If you check this option, lines with shortcodes that collapse to empty lines will be automatically deleted. This can make the email look better.

Check this box if you are using HTML tags in your email body.