When building the contact form for a client's website, we decided to send the notification emails using Gmail and SMTP.
It seemed like the perfect fit for a small personal site without huge amounts of traffic:
So we set it up and it worked perfectly as expected... until today.
Today we got a message from a potential customer: The contact form displayed an error and she couldn't submit her message.
A look at the logs revealed that the messages couldn't be sent due to an authentication error. It turned out that Google had decided to preemptively block our SMTP request. Instead, it sent us a critical security warning stating that a non-Google app had been prevented from logging in.
So why did it happen? Since we used SMTP with a password to authenticate, our server was considered a "less secure app". Less secure apps are apps that authenticate themselves with a password instead of OAuth.
That is why we had activated less secure app access on our Google account when we first set up the site. Google automatically deactivated this setting because we didn't receive a contact message for a few weeks.
Because less secure apps can make your account more vulnerable, Google will automatically turn this setting off if it's not being used.
— Google Account Help
So the fix was simple. We logged into the Google account, went to the settings, and turned less secure app access back on. Staying with Gmail still won't prevent the issue from happening again, but for now, we decided to simply submit a message ourselves if no customer does so in a given week.
When building sites I have simple priorities:
Our Gmail setup failed on both of these points. Therefore I'll look for alternatives in the future. It's probably best to use an email service that offers automated mail delivery by design. Some examples could be Sendgrid or the Amazon Simple Email Service.
Lastly, it somewhat bothered me that a customer had to contact us (through a channel separate from the contact form) to inform us that the form was broken. If she hadn't informed us, we probably wouldn't have noticed it ourselves. Although it isn't necessary for the small sites I run, this incident has sparked my interest in application monitoring solutions, so... Maybe it's time to learn something new ✨.
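The failure in this post only surfaced because a visitor reported it. As an added example (not code from the original site), here is a Python send path that catches the SMTP authentication rejection, keeps the visitor's message on disk and alerts the operator. The spool directory, the function names and the `alert` callback are assumptions made for illustration.

```python
import json
import smtplib
import ssl
import tempfile
import time
from email.message import EmailMessage
from pathlib import Path

# Assumed spool location; pick a directory outside the web root in production.
SPOOL_DIR = Path(tempfile.gettempdir()) / "contact-form-spool"

def build_message(sender, recipient, visitor_email, body):
    msg = EmailMessage()  # default policy rejects CR/LF in header values
    msg["From"], msg["To"] = sender, recipient
    msg["Reply-To"] = visitor_email
    msg["Subject"] = "New contact form message"
    msg.set_content(body)
    return msg

def spool(msg, reason):
    """Keep the visitor's message on disk so a delivery failure does not lose it."""
    SPOOL_DIR.mkdir(parents=True, exist_ok=True)
    path = SPOOL_DIR / f"{time.time_ns()}.json"
    path.write_text(json.dumps({"reason": reason, "raw": msg.as_string()}))
    return path

def deliver(msg, user, password, smtp_factory=smtplib.SMTP, alert=print):
    """Send via SMTP; on failure spool the message and alert the operator.

    Returns "sent", "auth_failed" or "smtp_error". The form can thank the
    visitor in every case because the message is never dropped.
    """
    try:
        with smtp_factory("smtp.gmail.com", 587, timeout=10) as smtp:
            # Pass a verifying context; the smtplib default does not check certs.
            smtp.starttls(context=ssl.create_default_context())
            smtp.login(user, password)
            smtp.send_message(msg)
        return "sent"
    except smtplib.SMTPAuthenticationError as exc:
        # The case from this post: the provider rejects the password login.
        status, reason = "auth_failed", f"{exc.smtp_code} {exc.smtp_error!r}"
    except (smtplib.SMTPException, OSError) as exc:
        status, reason = "smtp_error", repr(exc)
    path = spool(msg, reason)
    alert(f"contact form delivery {status}: {reason}; message kept at {path}")
    return status
```

In a real deployment `alert` would post to a channel that does not depend on the same SMTP account, since that account is the thing that just failed.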