How does FormKeep protect from spam?

How does FormKeep protect from spam?


  1. Make sure you’ve enabled Detect spam using submission data and manually mark things you consider spam. It will learn!
  2. Consider using Google reCAPTCHA, v3 is invisible to the user!
  3. Add a blank hidden field using the Honey Field Name, if a bot fills it in, we’ll mark it as spam.
  4. Use javascript to set a hidden field to a unique value and disregard any submissions that are the default value.

This can all be found in the Form Settings->Spam tab.

Detect spam using submission data

If you enable it, we’ll check the form submissions against millions of other similar spam comments and flag things appropriately. If we miss one, you can manually mark it as spam and we’ll use that in future detections. It might take a couple of samples before we’re all trained up, but this has been an effective solution for us.

Detect spam using Google’s reCAPTCHA

Additionally, you have the option to integrate Googles reCAPTCHA solution into your forms. You’ll need to create a key on Google’s site and then enter the information in our system for us to validate the responses.

We’re looking for a form input named ‘g-recaptcha-response’ which is the default for the normal reCAPTCHA ui. If you’re using the hidden reCAPTCHA then you’ll want to set the response token to a hidden field of that name so we can process it on the server side.

Honey Field

In the past the idea of a honey field was popular, this is a hidden field that a normal user wouldn’t see but a spam bot would fill in and we could guess that the submission was spam. Over time this has become a less reliable indicator and we generally don’t recommend it, but you can get the field name specific to your form from the Form Settings->Spam page.

Detect spam by validating data sent to FormKeep

One last approach we’ve seen be successful relies on observation that the spam bots do not run the javascript on your pages. So set a form field to XXXX and using javascript set it to a randomized value (something that will be unique each time). Then use the Detect spam by validating data sent to FormKeep feature setting the validation to unique. If the javascript doesn’t run, then the value will always be XXXX and it will be marked as spam.

Most people use the Detect spam by validating data sent to FormKeep feature to only accept form submissions from an email once, but it’s handy in this case as well.

We’ve seen all kinds of spam and we’ve built many layers of defense over the years to help protect you from unwanted data. Occasionally, a persistent spammer might slip through our radar. If that happens, please reach out to us and we’ll take care of it personally.

<!-- following the v3 instructions

    1. create an reCAPTCHA_site_key key for version 3 of reCaptcha
    2. copy the script sections into the <head> of your page
    3. replace the reCAPTCHA_site_key with the actual value from the google site
    4. Update your Spam Settings on your form to include the reCAPTCHA Secret Key and reCAPTCHA Domain
    5. replace 'exampletoken' with your actual form token
    6. add the hidden input field id="g-recaptcha-response" to your real form

<script src=""></script>
grecaptcha.ready(function() {
    // the action: value doesn't matter, it's just a string (see the docs)
    grecaptcha.execute('reCAPTCHA_site_key', {action: 'contact_form'})
    .then(function(token) {
        // this is the important part, store the token so it gets sent back to us
        document.getElementById('g-recaptcha-response').value = token;

<!-- set your formkeep form token in the action='' here -->
<form accept-charset="UTF-8" action="" method="POST">
  <input type="hidden" name="utf8" value="✓">
  <label for="email-address">Email Address</label>
  <input type="text" id="email-address" name="email">
  <!-- also important is to include the hidden element with the id
    (so it can be found by the js above, and name so formkeep can see it -->
  <input type="hidden" id="g-recaptcha-response" name="g-recaptcha-response">
  <button type="submit">Submit</button>

Didn't find what you were looking for?