
Configuring Sender Click Authorization for Contact Form 7

Sender Click Authorization (SCA) for Contact Form 7 protects your site from spam and fake submissions by requiring senders to verify their email address before the form is delivered. With a simple verification click, only real, authorized messages reach you — keeping your inbox clean and your leads trustworthy.

 

This guide covers every tab and option in the Sender Click Authorization (v25.8.15) admin screens and explains how the flow works with Contact Form 7 (CF7).

Path: WP Admin → Settings → Sender Click Authorization
Tabs: Pending Verifications · Settings · Templates


How the verification flow works (at a glance)

  1. User submits a CF7 form.
  2. The plugin intercepts the mail, stores the submission in wp_sca_pending_submissions, and emails a verification link to the sender.
  3. The sender clicks the link → the plugin replays CF7 mail using the stored data and then deletes the pending row.
  4. Expired pending rows are pruned automatically (hourly cron).

Defaults

  • Timeout: 24 hours
  • Blocked domains: includes your site’s domain by default
  • Pruning: hourly via WP-Cron (sca_cleanup_event), with a small status log

Tab: Pending Verifications

A live list of every submission awaiting a verification click.

Columns

  • ID – DB row id
  • Form ID – CF7 form id the submission belongs to
  • Email – sender’s email captured from the form
  • Created At – timestamp when the submission was held
  • Verification Key – unique token tied to the verification URL

Row Actions

  • View – opens a detail view with:
    • ID, Form ID, Email, Created At, Verification Key
    • Submission Data (all captured CF7 fields rendered as a read-only list)
  • Send Now – immediately sends the stored submission without requiring the click (admin override), then removes it from the queue
  • Delete – removes the pending item (it will not be sent)

Bulk Tool

  • Delete All Pending Submissions – clears the queue (nonce protected, with confirm)

Tip: Use “View” to eyeball suspicious patterns; if a spammy domain keeps showing up, jump to Settings → Blocked Domains to add it.


Tab: Settings

1) Timeout (hours)

  • Field: Timeout (hours)
  • Option key: sca_timeout_hours
  • What it does: Controls how long a pending verification stays valid. After this window, the verification link expires and the pending row is deleted on next prune or click.
  • Default: 24 (min 1)

2) Delete Data on Uninstall

  • Field: Delete Data on Uninstall (checkbox)
  • Option key: sca_delete_on_uninstall
  • What it does: When you click Delete on the Plugins screen (the uninstall flow), all plugin data is removed:
    • the wp_sca_pending_submissions table
    • all SCA options (settings, templates, colors, blocked domains, logs)
  • Recommendation: Keep off in production unless you truly want a clean uninstall.

3) Delete Data on Deactivation

  • Field: Delete Data on Deactivation (checkbox)
  • Option key: sca_delete_on_deactivation
  • What it does: If enabled, simply deactivating the plugin drops the SCA table and deletes all SCA options immediately.
  • Recommendation: Usually off; this is mostly for development/reset scenarios.

Blocked Domains

This section lets you add/remove domains that cannot be used in the email field (e.g., example.com).

  • Default value: your site’s host (e.g., yourdomain.com) is pre-added on first activation.
  • Add a domain:
    • Field: Block Domain → enter domain only (no @, no protocol), e.g., gmail.com
    • Click Block Domain
  • Current Blocked Domains: shows each domain with a Remove button (nonce-protected).

What blocking does:
During CF7 validation, if the sender’s email domain matches a blocked domain (case-insensitive), validation fails with a clear message:

“Email addresses from the domain X are not allowed.”

Tip: Use this to prevent submissions from your own domain or from throwaway providers you don’t want to accept.
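The domain check described above, sketched as a CF7 validation callback. This is an added example, not the plugin's own code: the `example_*` names and the blocked list are assumptions, and only exact domain matches are handled.

```php
<?php
// Added example, not the plugin's code. The blocked list is a constructed
// sample; the plugin keeps its own list under Settings -> Blocked Domains.
const EXAMPLE_BLOCKED_DOMAINS = array( 'yourdomain.com', 'gmail.com' );

/** Return the lower-cased domain part of $email, or '' if there is none. */
function example_email_domain( string $email ): string {
    $at = strrpos( $email, '@' );
    if ( false === $at ) {
        return '';
    }
    // Lower-case and drop a trailing dot so "Gmail.COM." equals "gmail.com".
    return rtrim( strtolower( trim( (string) substr( $email, $at + 1 ) ) ), '.' );
}

/**
 * True when the address's domain is exactly one of the blocked domains.
 * Subdomains (mail.gmail.com) are not matched in this sketch.
 */
function example_is_blocked( string $email, array $blocked ): bool {
    $domain = example_email_domain( $email );
    return '' !== $domain
        && in_array( $domain, array_map( 'strtolower', $blocked ), true );
}

/** CF7 validation callback: $result is a WPCF7_Validation, $tag the form tag. */
function example_validate_sender_domain( $result, $tag ) {
    $raw   = isset( $_POST[ $tag->name ] ) ? wp_unslash( $_POST[ $tag->name ] ) : '';
    $email = is_string( $raw ) ? sanitize_email( $raw ) : '';
    if ( example_is_blocked( $email, EXAMPLE_BLOCKED_DOMAINS ) ) {
        $result->invalidate( $tag, sprintf(
            'Email addresses from the domain %s are not allowed.',
            example_email_domain( $email )
        ) );
    }
    return $result;
}

// Register on both the optional and the required email tag types.
if ( function_exists( 'add_filter' ) ) {
    add_filter( 'wpcf7_validate_email', 'example_validate_sender_domain', 20, 2 );
    add_filter( 'wpcf7_validate_email*', 'example_validate_sender_domain', 20, 2 );
}
```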


Pruning Jobs (Status)

Shows the last run of the hourly cleanup task.

  • Last Run (UTC)
  • Status (Success/Failed)
  • Records Pruned (count of rows older than the current timeout)

If you never see a run here, verify that WP-Cron is enabled or set up a system cron that calls wp-cron.php.


Tab: Templates

Verification Email Template

  • Field: Message (plain text)
  • Option key: sca_verification_email_message
  • Default: Dear [your-name], Please click the following link to verify and send your contact form submission:

[verification_url]

This link will expire in [timeout_hours] hours. If not verified, your submission will be deleted. Thank you, [_site_title]

Placeholders available:

  • [your-name]
  • [your-email]
  • [_site_title]
  • [_site_url]
  • [verification_url] (required – this is the unique link)
  • [timeout_hours]

Subject line (fixed by code, not editable here):
Verify Your Contact Form Submission for {SITE_HOST_IN_UPPERCASE}
(e.g., example.com → EXAMPLE.COM)

Deliverability tip: configure SMTP on your site so this email actually lands in the inbox.


Post-submit Message Template

  • Field: Message (HTML allowed)
  • Option key: sca_post_submit_message
  • Default HTML: <strong>ACTION REQUIRED:</strong><br /><br /> Please check your email to verify your email address (<strong>[your-email]</strong>). Once verified, your form submission will be sent. If your email address is not verified within [timeout_hours] hours, the form submission will be deleted and not sent.
  • Placeholders available:
    • [your-name], [your-email]
    • [_site_title], [_site_url]
    • [verification_url] (included for flexibility; not required to show)
    • [timeout_hours]

Front-end behavior:
When a submission is intercepted, this HTML is injected below the form container and the form is hidden automatically. Styles are applied inline from the color settings below.

Style controls

  • Post message background color (sca_post_bg_color) – default #f6ffed
  • Post message border color (sca_post_border_color) – default #c3e6cb

Note: Colors are sanitized via sanitize_hex_color. If a value is empty/invalid, defaults are applied.


What the plugin does behind the scenes (important behavior)

  • Interception point: wpcf7_before_send_mail
    • The plugin sets $abort = true, stores the submission, and sends the verification email instead of the CF7 mail.
  • Finding the email field:
    • The plugin scans CF7 tags to find the first field with basetype === 'email'. That field’s value becomes the recipient of the verification email and the address checked by the blocked-domain validator.
  • Blocked domain validation:
    • Runs on wpcf7_validate_email and wpcf7_validate_email*
  • Verification URL:
    • Looks like: https://yoursite.com/?sca_verify={uuid}&form_id={id}
    • On click, the plugin:
      1. Confirms the pending row exists and hasn’t expired.
      2. Reconstructs the CF7 mail from the saved data (replacing CF7 mail tags like [your-name], [your-email], etc.).
      3. Temporarily removes the interceptor and calls wp_mail() with CF7’s original mail settings.
      4. Deletes the pending row.
      5. Responds with: “Your submission has been verified and sent. You can now close this page.”
  • Headers / From behavior:
    • If the form included your-email and it’s a valid email, the plugin adds a From: {your-email} header to the delivered mail.
  • Pruning:
    • Hourly task deletes rows older than {timeout_hours} and logs a small status record in sca_prune_log.
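
The hold, click and prune lifecycle above, modelled in memory to show why a link can come back as invalid or expired. This is an added example, not the plugin's code: the class, its method names, the random token (standing in for the plugin's UUID) and the form-id check are assumptions.

```php
<?php
// Added example, not the plugin's code: an in-memory model of the pending
// queue. Array keys stand in for the Verification Key column.
final class ExamplePendingQueue {
    private array $rows = array();
    private int $timeout_hours;

    public function __construct( int $timeout_hours = 24 ) {
        $this->timeout_hours = max( 1, $timeout_hours ); // the setting's minimum is 1
    }

    /** Hold a submission and return the token that goes into the link. */
    public function hold( int $form_id, array $fields, int $now ): string {
        $token = bin2hex( random_bytes( 16 ) ); // 128 random bits, not guessable
        $this->rows[ $token ] = array( 'form_id' => $form_id, 'fields' => $fields, 'created_at' => $now );
        return $token;
    }

    /** Return the stored row once, or null for an invalid or expired link. */
    public function verify( string $token, int $form_id, int $now ): ?array {
        $row = $this->rows[ $token ] ?? null;
        if ( null === $row || $row['form_id'] !== $form_id ) { // form-id binding: assumption
            return null; // unknown token, already used, or pruned
        }
        unset( $this->rows[ $token ] ); // the row goes away on click, valid or expired
        if ( $now - $row['created_at'] > $this->timeout_hours * 3600 ) {
            return null; // timeout elapsed before the click
        }
        return $row;
    }

    /** Hourly cleanup: drop rows older than the timeout, return the count. */
    public function prune( int $now ): int {
        $before = count( $this->rows );
        $cutoff = $now - $this->timeout_hours * 3600;
        $this->rows = array_filter( $this->rows, fn( $r ) => $r['created_at'] >= $cutoff );
        return $before - count( $this->rows );
    }
}

// Constructed walk-through; timestamps are seconds from an arbitrary start.
$q  = new ExamplePendingQueue( 24 );
$t  = $q->hold( 7, array( 'your-email' => 'alice@example.org' ), 0 );
var_dump( null !== $q->verify( $t, 7, 3600 ) );       // click inside the window
var_dump( null !== $q->verify( $t, 7, 3700 ) );       // second click on the same link
$t2 = $q->hold( 7, array( 'your-email' => 'bob@example.org' ), 0 );
var_dump( $q->prune( 25 * 3600 ) );                   // cleanup run after the timeout
var_dump( null !== $q->verify( $t2, 7, 25 * 3600 ) ); // click after the row was pruned
```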

Recommended setup

  1. Timeout → start with 24–48 hours depending on your audience.
  2. Blocked domains → keep your site’s domain; add any abuse-heavy domains you see in the queue.
  3. Verification email → keep plain text, short, and with the click link visible.
  4. Post-submit HTML → keep it clear and assertive; remind the user to check spam.
  5. SMTP → ensure your site’s email sending is authenticated (SPF/DKIM) for deliverability.
  6. Cron → verify pruning runs hourly (Pruning Jobs panel should populate).

Troubleshooting

  • No email received
    • Verify SMTP, check spam, ensure CF7 has a valid email field in the form.
  • “Invalid or expired verification link.”
    • Link was used already, the record was pruned, or the timeout elapsed. Increase Timeout (hours) if users are slow to click.
  • Form not hiding after submit
    • Ensure your theme loads jQuery (the script that injects the post message uses jQuery).
  • Mail headers look off
    • Check CF7 mail settings; SCA maps all CF7 tags into the mail template and adds a From: header from your-email if present.

Safe uninstall/deactivation strategies

  • Keep Delete Data on Deactivation off in production (prevents accidental data loss).
  • Use Delete Data on Uninstall only when you truly want a clean removal from the Plugins → Delete flow.
  • Before removing data, export any pending items you might need (e.g., copy from the table view).
