My blog built with Hugo
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.

42 lines
3.4 KiB

title: "Handle HTML Forms Through Email With MailyGo"
date: 2020-07-30T22:28:28+01:00
draft: false
thumbnail: v1596144141/2020/mailygo.png
categories: [Blog, Web Development]
tags: [Forms, Golang, MailyGo]
summarize: true
You may have already notice the [contact form](/contact) on this blog. Until recently, it was handled by Netlify and used a [serverless function]( to send an email both to me and the submitter. This worked fine, but was far from ideal because I had to trust the data to a third party (Netlify).
As I was already running a server (with Nextcloud and Mastodon), I looked for a self-hosted solution and found [MailyGo]( from Jan-Lukas Else. A small tool written in Go that allows send HTML forms through email. Exactly what I was looking for!
I just needed to tailor it a little bit to my use case. A good challenge as this was my first time working with Go. Keep that in mind and be kind when you review my code, please!
So, there's the list of changes I made:
- [Created the ability to add text to the beginning and end of the email message](;
- [Created the ability to send an email to the submitter too](;
- [Created the ability to add text to the beginning and end of the email message sent to the submitter](;
- [Created the ability to use specifics fields for Name, Subject and Message](
### Fighting Spam
When a form is placed online it's a matter of time until it get some bots' attention and being targeted with spam. To fight it, the original version of MailyGo already used an honeypot field, a spamlist and integrated Google Safe Browsing to check URLs. And that seemed enough.
But I didn't want to use any third party, even less Google! And unfortunately the honeypot field and spamlist alone shown insufficient.
I got some bots sending a particular field (submit) that wasn't part of the form. And so, I [created a denylist](, a list of fields names that MailyGo will look for and, if present, mark the submission as spam.
I too got bots that *grabbed* the URL of MailyGo and posted a submission directly to it, bypassing the form. To prevent this, I [created the ability to use a token]( to assure only the submissions that come from the form are handle by MailyGo. This token can be any combination of letters and numbers. If a `TOKEN` is defined on configuration, MailyGo will look for a field named `_token`. If this field doesn’t exist or its value doesn’t match the one defined on configuration the submission will be marked as spam.
I'm using this set of solutions for more than a week now with zero spam. Seems enough. At least for now!
An that's it, [my fork of MailyGo](!
A big thanks to Jan-Lukas Else. Follow his [blog]( and know [more of his projects](