Contact Form 7 validates each uploaded file against a set of rules. The plugin checks the file type, size, and the server environment before attaching the file to the email. If any rule fails, the form returns an error message and stops the upload.
The default file‑type list includes only common image, audio and video formats. When a user tries to upload a zip, svg, or other unsupported extension, the plugin rejects the file. The same happens when the file exceeds the limit set in the shortcode or the PHP configuration.
Server settings also influence the process. PHP directives such as upload_max_filesize and post_max_size define the maximum size the server will accept. If these values are lower than the limit defined in the form, the upload never reaches Contact Form 7. The temporary upload directory must be writable; otherwise the move operation fails and the file disappears.
Security layers add another barrier. ModSecurity rules or security plugins may block multipart/form‑data requests or specific MIME types. When a rule triggers, the request ends with a 403 or 500 status before Contact Form 7 can handle the file.
Email delivery can hide the problem as well. The file may be stored correctly but the outbound mail server rejects attachments that exceed its size limit. The email arrives without the attachment, giving the impression that the upload failed.