Why Using Gmail for My Contact Form Wasn't a Good Idea
Posted on
When building the contact form for a friend's website, we decided to send the notification emails using Gmail and SMTP.
It seemed like the perfect fit for a small personal site without huge amounts of traffic:
- It's free
- It has a high sending limit of 500 emails per day
- It's easy to setup
- It's intuitive to use for the client
So we set it up and it worked perfectly as expected... until today.
What went wrong
Today we got a message from a potential customer: The contact form displayed an error and she couldn't submit her message.
A view at the logs revealed, that the messages couldn't be sent due to an authentication error. It turned out, Google had decided to preemptively block our SMTP request. Instead, it wrote us a critical security warning message, stating that a non-Google app was hindered to log in.
So why did it happen? Since we used SMTP to authenticate, our server was considered a "less secure app". Less secure apps are apps, that authenticate themselves with a password instead of OAuth.
Therefore we activated less secure app access to our Google account when we had first set up the site. This setting was automatically deactivated by Google because we didn't receive a contact message for a few weeks.
Because less secure apps can make your account more vulnerable, Google will automatically turn this setting off if it's not being used.
— Google Account Help
So the fix was simple. We logged into the Google account, went to the settings, and turned less secure app access back on. Staying with Gmail still won't prevent the issue from happening again, but for now, we decided to simply submit a message ourselves, if no customer does so in a given week.
My takeaways
When building sites I have simple priorities:
- I want my customers to succeed. Therefore, the contact/ordering process needs to be as streamlined as possible. It would be highly resentful, if a customer, who already pressed the "submit" button, decided not to order, because of a technical failure.
- After deployment, I want to keep the needed service as minimal as possible. Servicing consumes time and money. Additionally, unexpected incidents like this outage create pressure on me and the website owner. Especially if the reason is still to be determined.
Both of these points were failed by our Gmail setup. Therefore I'll look for other alternatives in the future. It's probably best to use an email service, which offers automated mail delivery by design. Some examples could be Sendgrid or the Amazon Simple Email Service.
Lastly, it somewhat bothered me, that a customer had to contact us (on a way separate from the contact form) to inform us, that the form was broken. If she hadn't informed us, we probably wouldn't have noticed it by ourselves. Although it isn't necessary for the small sites I run, this incident has sparked my interest in application monitoring solutions, so... Maybe it's time to learn something new ✨.