Can someone explain why the IT dept thinks that sending form mail from their website via an SMTP connection, using a specific email account's credentials (Office 365) for their domain, with the IP address of the website included in the domain's SPF record, should be classed as an important security issue and we should find an alternative method of sending the form mail?

  • 4
    have you tried.... asking them?
  • 1
    @tosensei of course, he has no clue, he just spouts words like ‘cyber issues’ and No MFA enabled. What is he on about?
  • 1
    @helloworld tell them that you need 12 billion in funding to research on a captcha+MFA resolver to avoid the security issue. Budget for the implementation will be clear after the research ends in 6 years.

    See how it goes.

    But to be fair to them, there are indeed some security issues if you use the username and password for this. You need to store it somewhere in the env vars, and it might be accessible to people who really shouldn’t have access to the email. Security teams prefer OBTK (One Butt To Kick) in case of issues, and this ain’t it.

    It’s better to use a clientID/secret/token method.

    For example, with Google you need to set up a project, take the token, and use that.
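The approach the last comment describes (authenticate to the SMTP server with a token issued to a client ID/secret rather than with the mailbox password), as an added example that is not part of the thread and is not any poster's code. The SASL mechanism used for this on both Google and Microsoft servers is XOAUTH2; the token endpoint, client ID, secret, scope and `smtp.office365.com:587` are assumptions to be checked against the provider's documentation. The fake transport and the form submission are constructed so the module runs offline.

```python
"""Send a website contact-form e-mail over SMTP with an OAuth2 bearer token
(SASL XOAUTH2) instead of a mailbox username/password.

Added example. Assumed, not from the thread: the provider token endpoint URL,
client ID/secret and scope come from the deployment; for Office 365 the SMTP
host is smtp.office365.com:587. FakeSMTP is a constructed stand-in so the
module runs offline.
"""
import base64
import json
import smtplib
import urllib.parse
import urllib.request
from email.message import EmailMessage


def xoauth2_initial_response(user: str, access_token: str) -> str:
    """Base64 SASL XOAUTH2 initial client response, wire format
    'user=<user>\\x01auth=Bearer <token>\\x01\\x01' (Google/Microsoft docs)."""
    raw = f"user={user}\x01auth=Bearer {access_token}\x01\x01"
    return base64.b64encode(raw.encode()).decode("ascii")


def parse_xoauth2_initial_response(b64: str) -> tuple:
    """Inverse of xoauth2_initial_response, as the SMTP server parses it."""
    raw = base64.b64decode(b64).decode()
    fields = dict(part.split("=", 1) for part in raw.split("\x01") if part)
    scheme, _, token = fields["auth"].partition(" ")
    if scheme != "Bearer":
        raise ValueError("unsupported auth scheme")
    return fields["user"], token


def client_credentials_token(token_url: str, client_id: str,
                             client_secret: str, scope: str) -> str:
    """OAuth2 client-credentials grant (RFC 6749 section 4.4). For Office 365
    token_url is the tenant's /oauth2/v2.0/token endpoint and scope is assumed
    to be 'https://outlook.office365.com/.default'. Not exercised offline."""
    data = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": scope,
    }).encode()
    with urllib.request.urlopen(token_url, data=data, timeout=10) as resp:
        return json.load(resp)["access_token"]


def build_form_message(sender: str, recipient: str, form: dict) -> EmailMessage:
    """From/To/Subject are fixed; user input only ever lands in the plain-text
    body, so a submitted value containing CR/LF cannot add recipients or headers."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = recipient
    msg["Subject"] = "Website contact form"
    msg.set_content("\n".join(f"{key}: {value}" for key, value in form.items()))
    return msg


def send_with_xoauth2(smtp, user: str, access_token: str, msg: EmailMessage) -> int:
    """AUTH XOAUTH2 on an smtplib.SMTP-like object, then send. Returns the
    AUTH reply code (235 on success); raises on any other code."""
    smtp.ehlo()
    smtp.starttls()
    smtp.ehlo()
    code, reply = smtp.docmd("AUTH", "XOAUTH2 " + xoauth2_initial_response(user, access_token))
    if code != 235:
        raise smtplib.SMTPAuthenticationError(code, reply)
    smtp.send_message(msg)
    return code


class FakeSMTP:
    """Constructed stand-in for smtplib.SMTP: accepts exactly one user/token pair."""

    def __init__(self, expected_user: str, expected_token: str):
        self.expected = (expected_user, expected_token)
        self.commands = []
        self.sent = []

    def ehlo(self):
        return 250, b"ok"

    def starttls(self):
        return 220, b"ready"

    def docmd(self, cmd: str, args: str = ""):
        self.commands.append((cmd, args))
        mech, _, resp = args.partition(" ")
        if cmd == "AUTH" and mech == "XOAUTH2" and parse_xoauth2_initial_response(resp) == self.expected:
            return 235, b"2.7.0 Authentication successful"
        return 535, b"5.7.3 Authentication unsuccessful"

    def send_message(self, msg: EmailMessage):
        self.sent.append(msg)
        return {}


if __name__ == "__main__":
    # Offline demo. In production: smtp = smtplib.SMTP("smtp.office365.com", 587)
    # and access_token = client_credentials_token(...), fetched per send.
    token = "demo.access.token"  # constructed
    smtp = FakeSMTP("forms@example.com", token)
    form = {"name": "A. User", "message": "Hello\nBcc: evil@example.net"}  # constructed
    msg = build_form_message("forms@example.com", "sales@example.com", form)
    print(send_with_xoauth2(smtp, "forms@example.com", token, msg), msg["Bcc"])
```

The point for the IT discussion is in what the web server holds: a short-lived bearer token for an app registration that has only the send permission, instead of a mailbox password that also opens the inbox and bypasses MFA. Rotating the client secret revokes the site's access without touching the mailbox.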