Our contact form mails don't deliver, log says 'header injection'
Header injection is an attack where input adds extra headers. Mail servers block it, including accidental whitespace in your script.
Try this first
- 1Check your form script: strip \r and \n from any input that goes into headers
- 2Use a mail library (PHPMailer, Symfony Mailer) rather than building headers by hand
- 3Read the mail server error log, look for 'invalid header'
- 4Test with a payload containing newlines to confirm the filter works
When to bring us in
On old legacy forms: replace with a modern library, faster than fixing.
See also
- Our emails land in spam for some recipientsAlmost always an SPF, DKIM, or DMARC setting that is wrong or missing, or a sender name that mimics a well-known brand.
- Someone reports receiving phishing emails "from us"Read: spoofing. Someone is abusing your sender name, not necessarily your actual mailbox.
- An email bounces (NDR): delivery failedThe NDR text usually states the exact reason. Reading it is step one.
None of the above fits?
Describe your situation below. We pass your input plus the steps you already saw to our AI and return tailored next-step advice. If it's too risky to DIY, we'll say so.
Or skip the DIY entirely
Our Managed IT clients do not look these things up. One point of contact, a fixed monthly price, resolved within working hours.