How does FormKeep protect from spam?


  1. Make sure you’ve enabled Detect spam using submission data and manually mark things you consider spam. It will learn!
  2. Create a Field Rule to check for invalid data.
  3. Consider using Google reCAPTCHA, v3 is invisible to the user!
  4. Add a blank hidden field using the Honey Field Name, if a bot fills it in, we’ll mark it as spam.
  5. Use javascript to set a hidden field to a unique value and disregard any submissions that are the default value.

Detect spam using submission data

How does FormKeep protect from spam?

If you enable it, we’ll check the form submissions against millions of other similar spam comments and flag things appropriately. If we miss one, you can manually mark it as spam and we’ll use that in future detections. It might take a couple of samples before we’re all trained up, but this has been an effective solution for us.

Letting us know which specific fields contain an email and which field contains a message or other user typed content can help us, but we’ll check all the data that’s being sent over even if you just let us take our best guess.

See the Form Settings->Spam tab for details.

Field Rules

How does FormKeep protect from spam? You can have the server check the values send to us. Rules like ‘if email is blank mark as spam’ are simple to setup. Or you can check for specific values or ip addresses if you’ve got a specific spammer hitting you.

See the Form Settings->Field Rules tab for details.

Detect spam using Google’s reCAPTCHA

Additionally, you have the option to integrate Googles reCAPTCHA solution into your forms. You’ll need to create a key on Google’s site and then enter the information in our system for us to validate the responses.

We’re looking for a form input named ‘g-recaptcha-response’ which is the default for the normal reCAPTCHA ui. If you’re using the hidden reCAPTCHA then you’ll want to set the response token to a hidden field of that name so we can process it on the server side.

Honey Field

In the past the idea of a honey field was popular, this is a hidden field that a normal user wouldn’t see but a spam bot would fill in and we could guess that the submission was spam. Over time this has become a less reliable indicator and we generally don’t recommend it, but you can get the field name specific to your form from the Form Settings->Spam page.

See the Form Settings->Spam tab for details.

Detect spam by validating data sent to FormKeep

How does FormKeep protect from spam?

One last approach we’ve seen be successful relies on observation that the spam bots do not run the javascript on your pages. So set a form field to XXXX and using javascript set it to a randomized value (something that will be unique each time). Then use the Detect spam by validating data sent to FormKeep feature setting the validation to unique. If the javascript doesn’t run, then the value will always be XXXX and it will be marked as spam.

Most people use the Detect spam by validating data sent to FormKeep feature to only accept form submissions from an email once, but it’s handy in this case as well.

We’ve seen all kinds of spam and we’ve built many layers of defense over the years to help protect you from unwanted data. Occasionally, a persistent spammer might slip through our radar. If that happens, please reach out to us and we’ll take care of it personally.

See the Form Settings->Field Validation for details.

<!-- following the v3 instructions

    1. create an reCAPTCHA_site_key key for version 3 of reCaptcha
    2. copy the script sections into the <head> of your page
    3. replace the reCAPTCHA_site_key with the actual value from the google site
    4. Update your Spam Settings on your form to include the reCAPTCHA Secret Key and reCAPTCHA Domain
    5. replace 'exampletoken' with your actual form token
    6. add the hidden input field id="g-recaptcha-response" to your real form

<script src=""></script>
grecaptcha.ready(function() {
    // the action: value doesn't matter, it's just a string (see the docs)
    grecaptcha.execute('reCAPTCHA_site_key', {action: 'contact_form'})
    .then(function(token) {
        // this is the important part, store the token so it gets sent back to us
        document.getElementById('g-recaptcha-response').value = token;

<!-- set your formkeep form token in the action='' here -->
<form accept-charset="UTF-8" action="" method="POST">
  <input type="hidden" name="utf8" value="✓">
  <label for="email-address">Email Address</label>
  <input type="text" id="email-address" name="email">
  <!-- also important is to include the hidden element with the id
    (so it can be found by the js above, and name so formkeep can see it -->
  <input type="hidden" id="g-recaptcha-response" name="g-recaptcha-response">
  <button type="submit">Submit</button>

Didn't find what you were looking for?