Configuring Sender Click Authorization for Contact Form 7

This guide covers every tab and option in the Sender Click Authorization (v25.8.15) admin screens and explains how the flow works with Contact Form 7 (CF7).

Path: WP Admin → Settings → Sender Click Authorization
Tabs: Pending Verifications · Settings · Templates


How the verification flow works (at a glance)

  1. User submits a CF7 form.
  2. The plugin intercepts the mail, stores the submission in wp_sca_pending_submissions, and emails a verification link to the sender.
  3. The sender clicks the link → the plugin replays CF7 mail using the stored data and then deletes the pending row.
  4. Expired pending rows are pruned automatically (hourly cron).

Defaults

  • Timeout: 24 hours
  • Blocked domains: includes your site’s domain by default
  • Pruning: hourly via WP-Cron (sca_cleanup_event), with a small status log

Tab: Pending Verifications

A live list of every submission awaiting a verification click.

Columns

  • ID – DB row id
  • Form ID – CF7 form id the submission belongs to
  • Email – sender’s email captured from the form
  • Created At – timestamp when the submission was held
  • Verification Key – unique token tied to the verification URL

Row Actions

  • View – opens a detail view with:
    • ID, Form ID, Email, Created At, Verification Key
    • Submission Data (all captured CF7 fields rendered as a read-only list)
  • Send Now – immediately sends the stored submission without requiring the click (admin override), then removes it from the queue
  • Delete – removes the pending item (it will not be sent)

Bulk Tool

  • Delete All Pending Submissions – clears the queue (nonce protected, with confirm)

Tip: Use “View” to eyeball suspicious patterns; if a spammy domain keeps showing up, jump to Settings → Blocked Domains to add it.


Tab: Settings

1) Timeout (hours)

  • Field: Timeout (hours)
  • Option key: sca_timeout_hours
  • What it does: Controls how long a pending verification stays valid. After this window, the verification link expires and the pending row is deleted on the next prune or click.
  • Default: 24 (min 1)

2) Delete Data on Uninstall

  • Field: Delete Data on Uninstall (checkbox)
  • Option key: sca_delete_on_uninstall
  • What it does: When you click Delete on the Plugins screen (the uninstall flow), all plugin data is removed:
    • the wp_sca_pending_submissions table
    • all SCA options (settings, templates, colors, blocked domains, logs)
  • Recommendation: Keep off in production unless you truly want a clean uninstall.

3) Delete Data on Deactivation

  • Field: Delete Data on Deactivation (checkbox)
  • Option key: sca_delete_on_deactivation
  • What it does: If enabled, simply deactivating the plugin drops the SCA table and deletes all SCA options immediately.
  • Recommendation: Usually off; this is mostly for development/reset scenarios.

Blocked Domains

This section lets you add/remove domains that cannot be used in the email field (e.g., example.com).

  • Default value: your site’s host (e.g., yourdomain.com) is pre-added on first activation.
  • Add a domain:
    • Field: Block Domain → enter domain only (no @, no protocol), e.g., gmail.com
    • Click Block Domain
  • Current Blocked Domains: shows each domain with a Remove button (nonce-protected).

What blocking does:
During CF7 validation, if the sender’s email domain matches a blocked domain (case-insensitive), validation fails with a clear message:

“Email addresses from the domain X are not allowed.”

Tip: Use this to prevent submissions from your own domain or from throwaway providers you don’t want to accept.
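
The check described above, as an added example (illustrative code, not the plugin's source). The function names are hypothetical, and the exact-match comparison is an assumption: the page states only that matching is case-insensitive, so under this reading a subdomain of a blocked domain is not blocked unless it is listed itself.

```php
<?php
// Added illustration, not the plugin's source. Function names are hypothetical.

/** Return the lower-cased domain part of an email address, or null if malformed. */
function sca_example_email_domain(string $email): ?string
{
    $email = trim($email);
    // Split on the LAST '@': a quoted local part may itself contain '@'.
    $at = strrpos($email, '@');
    if ($at === false || $at === 0 || $at === strlen($email) - 1) {
        return null;
    }
    // Lower-case and drop a trailing root dot so "Gmail.COM." equals "gmail.com".
    return rtrim(strtolower(substr($email, $at + 1)), '.');
}

/** Return the rejection message, or null when the address is allowed. */
function sca_example_check_blocked(string $email, array $blocked): ?string
{
    $domain = sca_example_email_domain($email);
    if ($domain === null) {
        return null; // malformed input is left to CF7's own email validation
    }
    // Normalize the stored list the same way as the candidate domain.
    $blocked = array_map(static fn($d) => rtrim(strtolower(trim($d)), '.'), $blocked);
    // Assumption: exact match only, no subdomain or wildcard matching.
    if (in_array($domain, $blocked, true)) {
        return sprintf('Email addresses from the domain %s are not allowed.', $domain);
    }
    return null;
}

// Constructed sample data: a blocked list and four submitted addresses.
$blocked = ['yourdomain.com', 'Gmail.com'];
$samples = ['alice@GMAIL.com', 'bob@mail.gmail.com', 'carol@example.org', 'dave@yourdomain.com.'];
foreach ($samples as $email) {
    printf("%-24s %s\n", $email, sca_example_check_blocked($email, $blocked) ?? 'allowed');
}
```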


Pruning Jobs (Status)

Shows the last run of the hourly cleanup task.

  • Last Run (UTC)
  • Status (Success/Failed)
  • Records Pruned (count of rows older than the current timeout)

If you never see a run here, verify that WP-Cron is enabled or set up a system cron that calls wp-cron.php.


Tab: Templates

Verification Email Template

  • Field: Message (plain text)
  • Option key: sca_verification_email_message
  • Default: Dear [your-name], Please click the following link to verify and send your contact form submission:

[verification_url]

This link will expire in [timeout_hours] hours. If not verified, your submission will be deleted. Thank you, [_site_title]

Placeholders available:

  • [your-name]
  • [your-email]
  • [_site_title]
  • [_site_url]
  • [verification_url] (required – this is the unique link)
  • [timeout_hours]

Subject line (fixed by code, not editable here):
Verify Your Contact Form Submission for {SITE_HOST_IN_UPPERCASE}
(e.g., example.com → EXAMPLE.COM)

Deliverability tip: configure SMTP on your site so this email actually lands in the inbox.


Post-submit Message Template

  • Field: Message (HTML allowed)
  • Option key: sca_post_submit_message
  • Default HTML: <strong>ACTION REQUIRED:</strong><br /><br /> Please check your email to verify your email address (<strong>[your-email]</strong>). Once verified, your form submission will be sent. If your email address is not verified within [timeout_hours] hours, the form submission will be deleted and not sent.
  • Placeholders available:
    • [your-name], [your-email]
    • [_site_title], [_site_url]
    • [verification_url] (included for flexibility; not required to show)
    • [timeout_hours]

Front-end behavior:
When a submission is intercepted, this HTML is injected below the form container and the form is hidden automatically. Styles are applied inline from the color settings below.

Style controls

  • Post message background color (sca_post_bg_color) – default #f6ffed
  • Post message border color (sca_post_border_color) – default #c3e6cb

Note: Colors are sanitized via sanitize_hex_color. If a value is empty/invalid, defaults are applied.


What the plugin does behind the scenes (important behavior)

  • Interception point: wpcf7_before_send_mail
    • The plugin sets $abort = true, stores the submission, and sends the verification email instead of the CF7 mail.
  • Finding the email field:
    • The plugin scans CF7 tags to find the first field with basetype === 'email'. That field’s value is used as the recipient of the verification email and as the input to the blocked-domain validator.
  • Blocked domain validation:
    • Runs on wpcf7_validate_email and wpcf7_validate_email*
  • Verification URL:
    • Looks like: https://yoursite.com/?sca_verify={uuid}&form_id={id}
    • On click, the plugin:
      1. Confirms the pending row exists and hasn’t expired.
      2. Reconstructs the CF7 mail from the saved data (replacing CF7 mail tags like [your-name], [your-email], etc.).
      3. Temporarily removes the interceptor and calls wp_mail() with CF7’s original mail settings.
      4. Deletes the pending row.
      5. Responds with: “Your submission has been verified and sent. You can now close this page.”
  • Headers / From behavior:
    • If the form included your-email and it’s a valid email, the plugin adds a From: {your-email} header to the delivered mail.
  • Pruning:
    • Hourly task deletes rows older than {timeout_hours} and logs a small status record in sca_prune_log.
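
The hold, click, and prune lifecycle described above, as an added example (illustrative code, not the plugin's source). PendingQueue is a hypothetical in-memory stand-in for the wp_sca_pending_submissions table; the token generator and the form_id comparison are assumptions. It shows why a reused link, a pruned row, and an elapsed timeout all end in the same "invalid or expired" result.

```php
<?php
// Added illustration, not the plugin's source. PendingQueue is a hypothetical
// in-memory stand-in for the wp_sca_pending_submissions table.
final class PendingQueue
{
    private array $rows = [];                       // verification key => row
    private int $ttl;                               // timeout in seconds
    public function __construct(int $timeoutHours = 24)
    {
        $this->ttl = max(1, $timeoutHours) * 3600;  // page: default 24, min 1
    }
    // Step 2: hold the submission; the returned key goes into the verification URL.
    public function hold(int $formId, string $email, array $fields, int $now): string
    {
        $key = bin2hex(random_bytes(16));           // assumption: CSPRNG token; the page shows {uuid}
        $this->rows[$key] = compact('formId', 'email', 'fields') + ['created' => $now];
        return $key;
    }

    // Step 3: returns the stored fields exactly once, or null for an invalid/expired link.
    public function verify(string $key, int $formId, int $now): ?array
    {
        $row = $this->rows[$key] ?? null;
        // Unknown key, already used, already pruned, or (assumption) form_id mismatch.
        if ($row === null || $row['formId'] !== $formId) {
            return null;
        }
        unset($this->rows[$key]);                   // row is deleted on click, valid or expired
        return ($now - $row['created'] > $this->ttl) ? null : $row['fields'];
    }

    // Step 4: hourly cleanup; returns the "Records Pruned" count.
    public function prune(int $now): int
    {
        $before = count($this->rows);
        $this->rows = array_filter($this->rows, fn($r) => $now - $r['created'] <= $this->ttl);
        return $before - count($this->rows);
    }
}

// Constructed walk-through; timestamps are Unix seconds.
$q  = new PendingQueue(24);
$t0 = 1700000000;
$k1 = $q->hold(12, 'alice@example.org', ['your-name' => 'Alice'], $t0);
$k2 = $q->hold(12, 'bob@example.org', ['your-name' => 'Bob'], $t0);
$k3 = $q->hold(12, 'carol@example.org', ['your-name' => 'Carol'], $t0);
var_dump($q->verify($k1, 12, $t0 + 3600) !== null);      // first click inside the window
var_dump($q->verify($k1, 12, $t0 + 3700) !== null);      // same link clicked again
var_dump($q->verify($k2, 12, $t0 + 25 * 3600) !== null); // click after the timeout, before pruning
var_dump($q->prune($t0 + 25 * 3600));                    // cleanup of the row nobody clicked
```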

Recommended setup

  1. Timeout → start with 24–48 hours depending on your audience.
  2. Blocked domains → keep your site’s domain; add any abuse-heavy domains you see in the queue.
  3. Verification email → keep plain text, short, and with the click link visible.
  4. Post-submit HTML → keep it clear and assertive; remind the user to check spam.
  5. SMTP → ensure your site’s email sending is authenticated (SPF/DKIM) for deliverability.
  6. Cron → verify pruning runs hourly (Pruning Jobs panel should populate).

Troubleshooting

  • No email received
    • Verify SMTP, check spam, ensure CF7 has a valid email field in the form.
  • “Invalid or expired verification link.”
    • Link was used already, the record was pruned, or the timeout elapsed. Increase Timeout (hours) if users are slow to click.
  • Form not hiding after submit
    • Ensure your theme loads jQuery (the script that injects the post message uses jQuery).
  • Mail headers look off
    • Check CF7 mail settings; SCA maps all CF7 tags into the mail template and adds a From: header from your-email if present.

Safe uninstall/deactivation strategies

  • Keep Delete Data on Deactivation off in production (prevents accidental data loss).
  • Use Delete Data on Uninstall only when you truly want a clean removal from the Plugins → Delete flow.
  • Before removing data, export any pending items you might need (e.g., copy from the table view).
