I've spent twenty years rescuing small business websites, and I can tell you the single most common broken thing on them: the contact form. The form looks fine. The customer fills it out. They click submit. They see a "thank you" message. The customer thinks they've contacted the business. The business never receives the message.
This happens on something like 30% of small business websites we audit. It's almost always a different cause each time: a stale email address, a spam filter eating everything, a third-party form service that stopped routing, an SMTP credential that expired, a "thank you" page that's hardcoded to show regardless of whether the form actually sent.
This piece is about what makes a contact form work, what breaks it, and the silly small amount of effort it takes to do it right.
What "working" actually means
A working contact form does five things, in order:
- The submission reaches a working inbox. Not a black hole, not a deprecated address, not a spam folder. An inbox the business actually reads.
- The submission is from a real customer, not a bot or a probe.
- The customer is told whether the submission succeeded — honestly, based on whether it actually did, not optimistically.
- The customer is told what to expect next — when they'll hear back, how, from whom.
- There's a record of the submission, in a place the business can search later, so a misplaced enquiry can still be found.
Most small business contact forms do one or two of these well, sometimes three. Almost none do all five.
We've designed our form handling around getting all five right, every time, on every site we ship. Here's what each one means in practice.
1. The submission reaches a working inbox
The hardest part. When we set up a customer's contact form, the routing is verified — we send a test submission to the address the customer gave us, and we wait for the customer to confirm they received it before the form goes live. No site goes live with an unverified contact route.
This sounds obvious. It's not. The standard pattern on most website builders is: customer types an email address into a settings page, the platform takes the email at face value, and the form starts sending submissions to that address. No verification step. If the customer typoed the address, or moved providers, or the address now bounces, the form silently breaks.
Our verification step takes 30 seconds and saves a lot of trouble.
2. The submission is from a real customer
We use a few defences, each one mild:
- Honeypot fields — invisible form fields that bots tend to fill in. If they're filled in, the submission gets quietly dropped. Real users never see the fields.
- Rate limiting — submissions per IP per hour are capped. Genuine prospects don't fill the form fifty times in an hour; spammers do.
- Email validation — the address format has to look real. We don't reject submissions on this alone, but we flag suspicious ones for review.
- Subject-line and body filtering — submissions with obvious spam markers (cryptocurrency offers, link-shortened URLs, identical content from multiple IPs) get quarantined.
We don't use CAPTCHA. CAPTCHA degrades the customer experience for real users to defend against an attack vector that's mostly solved by the simpler measures above. The legitimate customer is never asked to identify traffic lights.
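The four checks above can be combined into a single screening step. This is an added example, not ThemeSmith's code; the hidden field name `website`, the cap of 5 per hour, the marker list, the three-IP threshold and the `reject` verdict at the rate cap are all assumptions.

```python
import hashlib
import re
from collections import defaultdict, deque

MAX_PER_HOUR = 5   # assumed cap; the article does not give its number
WINDOW = 3600      # one hour, in seconds
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]{2,}$")
SPAM_MARKERS = re.compile(r"crypto|bitcoin|bit\.ly/|tinyurl\.com/", re.I)  # illustrative list

class Screener:
    def __init__(self):
        self.hits = defaultdict(deque)    # ip -> timestamps inside the window
        self.body_ips = defaultdict(set)  # body hash -> IPs that submitted it

    def screen(self, form, ip, now):
        """Return (verdict, reason); verdict is drop, reject, quarantine, flag or accept."""
        # Honeypot: a hidden field (hypothetical name "website") real users never fill.
        if form.get("website", "").strip():
            return "drop", "honeypot filled"
        # Rate limit: sliding one-hour window per IP.
        q = self.hits[ip]
        while q and now - q[0] >= WINDOW:
            q.popleft()
        if len(q) >= MAX_PER_HOUR:
            return "reject", "rate limit"
        q.append(now)
        # Content filtering: spam markers, or the same body arriving from several IPs.
        body = form.get("message", "")
        digest = hashlib.sha256(body.strip().lower().encode()).hexdigest()
        self.body_ips[digest].add(ip)
        if SPAM_MARKERS.search(form.get("subject", "") + " " + body):
            return "quarantine", "spam marker"
        if len(self.body_ips[digest]) >= 3:
            return "quarantine", "identical content from multiple IPs"
        # Email format: flag for review, never reject on this alone.
        if not EMAIL_RE.match(form.get("email", "")):
            return "flag", "email format"
        return "accept", "ok"
```

Quarantined and flagged submissions should still be stored, so a false positive can be recovered by the business owner.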
3. The customer is told whether the submission succeeded — honestly
If the form genuinely sent — the SMTP server accepted it, the queue confirmed it — we show a success message. If anything in that path fails, we show an error. The customer gets a chance to retry, copy their message, or use the email address directly.
The standard pattern of "always show 'thanks for your message!' regardless of whether it sent" is a small hostile act. It tells the customer their message was received when it wasn't. They walk away thinking they've contacted you. When they don't hear back in a week, they conclude the business is unresponsive, when actually the business never got the message.
We don't do that. A failed submission shows a failure state. Annoying for the 0.1% of customers who hit a transient error; honest for everyone.
4. The customer is told what to expect next
The success message on a ThemeSmith form says, by default: "Thanks. We'll reply within one working day."
That sentence does three things:
- It commits to a timeline. The customer knows when to expect the reply.
- It signals what kind of business they're dealing with. A working day is a small-business pace; an instant reply would be a chatbot pace; a five-day reply would be an enterprise pace.
- It removes the "did my message even send?" anxiety. The customer has a mental endpoint for the wait.
Customers respond differently to "Thanks!" versus "Thanks. We'll reply within one working day." The latter creates a small contract, and most customers value the contract. The former is hollow.
5. There's a record
Every submission is stored in the database, indexed by date and email, searchable by the business owner from their dashboard. Even if the email goes missing, the submission isn't lost.
This is the failsafe for cases where the email path itself fails. An SES bounce, a message routed to the inbox's spam folder, a customer who typoed their own email so the auto-reply bounced: none of these matter if the submission is in the database. The business owner can find it, reply directly, and recover the relationship.
We made this part of our architecture deliberately. Email-only contact forms have a 5-15% mysterious-loss rate that we've measured on rescued sites. Database-backed forms with email as well have effectively 0%.
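Points 3 and 5 fit together in one handler: store the submission first, then attempt delivery, and show the success message only if the SMTP step raised no error. This is an added example, not ThemeSmith's code; the table layout, function names, addresses and the injectable `send` parameter are assumptions.

```python
import smtplib
import sqlite3
from email.message import EmailMessage

def open_store(path=":memory:"):
    db = sqlite3.connect(path)
    db.execute("""CREATE TABLE IF NOT EXISTS submissions (
        id INTEGER PRIMARY KEY, received_at TEXT DEFAULT CURRENT_TIMESTAMP,
        email TEXT, message TEXT, delivery TEXT DEFAULT 'pending')""")
    db.execute("CREATE INDEX IF NOT EXISTS by_email ON submissions(email, received_at)")
    return db

def smtp_send(msg, host="localhost", port=25):
    # Raises on connection failure or when the server refuses the message.
    with smtplib.SMTP(host, port, timeout=10) as smtp:
        refused = smtp.send_message(msg)
    if refused:  # the server refused at least one recipient
        raise smtplib.SMTPRecipientsRefused(refused)

def handle_submission(db, email, message, inbox, send=smtp_send):
    """Persist first, then send; report success only if SMTP accepted."""
    cur = db.execute("INSERT INTO submissions (email, message) VALUES (?, ?)",
                     (email, message))
    db.commit()  # the record exists whatever happens to the email
    try:
        msg = EmailMessage()
        msg["From"] = "forms@example.com"  # placeholder sender
        msg["To"] = inbox
        msg["Reply-To"] = email            # raises ValueError on CR/LF (header injection)
        msg["Subject"] = "New website enquiry"
        msg.set_content(message)
        send(msg)
        status, ok = "sent", True
    except (smtplib.SMTPException, OSError, ValueError) as exc:
        status, ok = f"failed: {type(exc).__name__}", False
    db.execute("UPDATE submissions SET delivery = ? WHERE id = ?",
               (status, cur.lastrowid))
    db.commit()
    text = ("Thanks. We'll reply within one working day." if ok else
            "Sorry, your message could not be sent. Please retry or email us directly.")
    return {"ok": ok, "id": cur.lastrowid, "text": text}
```

A dashboard query for rows where `delivery` is not `sent` then lists every enquiry the email path lost.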
The honest weakness
The infrastructure I'm describing — verified routing, multi-layer spam defences, SMTP error handling, database persistence, dashboard surface — is real engineering. A solo freelancer building a Wix site for a small business doesn't ship this. They wire up the Wix form, hand over the keys, and move on.
It costs us real platform engineering effort to do all five of these things every time. The cost is partly amortised across customers (we built it once, every customer benefits), but the initial investment is non-trivial. A pure cost-minimisation approach would do less of this and let some submissions fall through.
We've decided that's a poor trade. Contact forms are the interface to the business — they're the moment a real prospect tries to reach out. A failed contact form is a lost customer, and a lost customer is much more expensive than the engineering effort of doing the form well.
What this means if you're not on us
If you've got a small business website on someone else's platform, three quick checks:
- Send a test submission to your own form, from a different device, using a different email address. Did it arrive in your inbox? In your spam folder? At all?
- Check the email address the form is wired to. Is it still active? Is it monitored? Is it the right address?
- Reply to a recent submission. Does the reply succeed? Are you sure the customer's email is real?
If any of these fail, your form is broken, quietly, in the way that costs you customers without you knowing. Fix it today. It's the highest-value 20-minute job you can do for the business.
If you're on us, this is already done. That's part of what the £15/mo pays for.