We noticed that JavaScript is disabled in your browser. We suggest enabling it for a better experience.
We noticed you're using an older version of Internet Explorer. We suggest you update to the latest version for a better experience.
Skip to main content

Preventing OpenForms emails being filtered by your spam and spoof protection

By default, OpenForms sends notification, reminder and other emails from the address noreply@openforms.com using Amazon SES. 

OpenForms has taken best-practice anti-spoofing measures to authenticate emails sent from this address.

As a result, recipients’ automated email security systems can be confident that emails sent from noreply@openforms.com have legitimately originated from OpenForms, rather than an unauthorized or malicious third party.

If you choose to send OpenForms emails from a domain matching your organization details instead of openforms.com, it is important to take your own anti-spoofing measures to authenticate the legitimacy of that domain. In some regions, you may be legally obliged to do so.

Authenticate outgoing emails (Anti-spoofing)

OpenForms supports the following anti-spoofing methods when sending emails on behalf of custom domains:

- Sender Policy Framework (SPF)
- DomainKeys Identified Mail (DKIM)
- Domain-based Messaging Authentication, Reporting and Conformance (DMARC)

Here’s how to implement each measure.

We recommend following security best practice and implementing DMARC on top of both SPF and DKIM. 

Sender Policy Framework (SPF)

Instruct your domain name administrator or IT staff to add the following Amazon SES entries to your SPF record:
  • ip4:
  • ip4:

Example:  v=spf1 ip4: include:_spf.example.com ~all

These network addresses are allocated to OpenForms for the sole purpose of delivering messages for our OpenForms platform. 

DomainKeys Identified Mail (DKIM)

Submit a support request or send us an email letting us know you’d like to update your DKIM configuration, including the details of your domain name. 

For example, if you’d like OpenForms to send notification, reminder, and other emails from noreply@exampledomain.com, you’ll need to specify exampledomain.com. 

We will provide DNS records to be updated by your domain name administrator.

Domain-based Messaging Authentication, Reporting and Conformance (DMARC)

 We recommend following best practice by configuring DMARC to utilize both SPF and DKIM. Your DMARC configuration must also be configured to use a "relaxed" policy.

DMARC & SPF Alignment 

The OpenForms team will need to configure a custom mail from header so emails sent by OpenForms meet the domain alignment requirements of DMARC and SPF.

Submit a support request or send us an email letting us know you’d like to update your DMARC configuration.

You will need to nominate a subdomain, one not used for any other purpose, including sending or receiving emails. For example, if you are configuring DMARC for the domain xyz.com, you could nominate the subdomain mail.xyz.com, if it is not being used for any other purpose.

This subdomain will be used to create a custom mail from header for emails sent by OpenForms on your domains behalf.

 We will provide additional DNS records to be updated by your domain name administrator. These new DNS records can take up to 72 hours to be verified. Once in place and verified, your DMARC and SPF configuration should be "aligned". 

Prevent OpenForms emails being filtered as SPAM

OpenForms attempts to send emails in a reliable and timely manner. You can help ensure that you receive OpenForms emails in the following ways:

  1. Ensure you have verified all email addresses associated with your forms.
  2. Check your Junk Mail settings. Your email software or service will have features for managing SPAM or unsolicited email senders.
Was this helpful?