Web-to QA
  • I - Question: How can I make sure only my website can do the Web-to-Lead/Case POST to my Salesforce Org?
    • Answers:
      1. Never expose your Org-Id to the world!
      In the web-to-lead/case code generated by Salesforce there is a hidden field with name="oid". Generate the value of this hidden field in your website's server-side code.

      Example in jsp:


      Use the X-Frame-Options HTTP response header to indicate that a browser should not be allowed to render the Web-to-Lead/Case page of your website in a frame, iframe or object.
      • 2. Make the web-to a 2-step process
        1. Collect all the fields of web-to form and POST them to your local server endpoint (say: https://myserver.com/web-top/step1.jsp)
        2. Using the collected form fields, POST to the Salesforce endpoint (servlet: https://webto.salesforce.com/servlet/servlet.WebToLead?encoding=UTF-8) from your server-side code
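
The two-step flow above as a server-side relay, added here as an example and not taken from the original page or from Salesforce. Python is an assumption (the page's own server code is JSP), as are the `SF_ORG_ID` environment variable, the field allow-list with its length caps, and the constructed sample form.

```python
import os
import urllib.parse
import urllib.request

# Salesforce endpoint as given in step 2 on this page.
SF_ENDPOINT = "https://webto.salesforce.com/servlet/servlet.WebToLead?encoding=UTF-8"

# Assumption: the fields this site's form collects, with maximum lengths.
ALLOWED_FIELDS = {"first_name": 40, "last_name": 80, "email": 80, "company": 255}


def build_salesforce_request(form, org_id):
    """Step 2: build the server-to-Salesforce POST from the step-1 form fields."""
    if not org_id:
        raise ValueError("Org-Id is not configured on the server")
    clean = {}
    for name, max_len in ALLOWED_FIELDS.items():
        value = str(form.get(name, "")).strip()
        if len(value) > max_len or any(ord(ch) < 32 for ch in value):
            raise ValueError(f"invalid value for field {name!r}")
        if value:
            clean[name] = value
    # oid comes only from server configuration. Anything else the browser sent
    # (its own oid, retURL, unlisted fields) is dropped and never forwarded.
    clean["oid"] = org_id
    body = urllib.parse.urlencode(clean).encode("utf-8")
    return urllib.request.Request(
        SF_ENDPOINT, data=body, method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded"})


def relay_to_salesforce(form):
    """Called by the step-1 endpoint handler; returns the HTTP status code."""
    request = build_salesforce_request(form, os.environ.get("SF_ORG_ID", ""))
    with urllib.request.urlopen(request, timeout=10) as response:
        return response.status


if __name__ == "__main__":
    # Constructed sample of what a browser might post to the step-1 endpoint.
    posted = {"first_name": "Ada", "last_name": "Lovelace",
              "email": "ada@example.com", "oid": "client-supplied-value"}
    # "00D000000000000" is a placeholder, not a real Org-Id.
    print(build_salesforce_request(posted, "00D000000000000").data.decode())
```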
  • II - Question: How can I route all emails through my own email servers to avoid the appearance of 'email spoofing' forgeries?
    Answer: Enable Email Relay as explained here to:
    • Route all email through your own email servers to avoid the appearance of 'email spoofing' forgeries.
    • Store copies of all email as required by government regulations in various industries.
    • Apply existing content filters to scan messages for data and content not approved for company email.
    • Run outbound email through antivirus software before sending it to customers.
    • Automatically add data, such as company-wide disclaimers, at the bottom of email messages.
    • If you are looking for SMTP authentication with username/password, here is the doc: Set Up Email Relay