We use a variety of different techniques to reduce and protect your forms from spam.

TL;DR

  1. Make sure you've enabled Detect spam using submission data and manually mark things you consider spam. It will learn!
  2. Consider using Google reCAPTCHA, v3 is invisible to the user!
  3. We do support a honey field, ask support for the field name to send.
  4. Use javascript to set a hidden field to a unique value and disregard any submissions that are the default value.

Detect spam using submission data

If you enable it, we'll check the form submissions against millions of other similar spam comments and flag things appropriately. If we miss one, you can manually mark it as spam and we'll use that in future detections. It might take a couple of samples before we're all trained up, but this has been an effective solution for us.

Detect spam using Google's reCAPTCHA

Additionally, you have the option to integrate Googles reCAPTCHA solution into your forms. You'll need to create a key on Google's site and then enter the information in our system for us to validate the responses. 

We're looking for a form input named 'g-recaptcha-response' which is the default for the normal reCAPTCHA ui. If you're using the hidden reCAPTCHA then you'll want to set the response token to a hidden field of that name so we can process it on the server side.

Honey Field

In the past the idea of a honey field was popular, this is a hidden field that a normal user wouldn't see but a spam bot would fill in and we could guess that the submission was spam. Over time this has become a less reliable indicator and we generally don't recommend it. If you feel strongly about enabling it, please reach out to support and we can share the details around implementing it in your form. 

Detect spam by validating data sent to FormKeep

One last approach we've seen be successful relies on observation that the spam bots do not run the javascript on your pages. So set a form field to XXXX and using javascript set it to a randomized value (something that will be unique each time). Then use the Detect spam by validating data sent to FormKeep feature setting the validation to unique. If the javascript doesn't run, then the value will always be XXXX and it will be marked as spam. 

Most people use the Detect spam by validating data sent to FormKeep feature to only accept form submissions from an email once, but it's handy in this case as well.

We've seen all kinds of spam and we've built many layers of defense over the years to help protect you from unwanted data. Occasionally, a persistent spammer might slip through our radar.  If that happens, please reach out to us and we'll take care of it personally.

Below is a short sample of HTML / JS to enable Google's reCaptcha v3

<!-- following the v3 instructions https://developers.google.com/recaptcha/docs/v3

    1. create an reCAPTCHA_site_key key for version 3 of reCaptcha
    2. copy the script sections into the <head> of your page
    3. replace the reCAPTCHA_site_key with the actual value from the google site
    4. Update your Spam Settings on your formkeep.com form to include the reCAPTCHA Secret Key and reCAPTCHA Domain
    5. replace 'exampletoken' with your actual form token
    6. add the hidden input field id="g-recaptcha-response" to your real form
-->

<html>
<head>
<script src="https://www.google.com/recaptcha/api.js?render=reCAPTCHA_site_key"></script>
<script>
grecaptcha.ready(function() {
    // the action: value doesn't matter, it's just a string (see the docs)
    grecaptcha.execute('reCAPTCHA_site_key', {action: 'contact_form'})
    .then(function(token) {
        // this is the important part, store the token so it gets sent back to us
        document.getElementById('g-recaptcha-response').value = token;
    });
});
</script>
</head>

<!-- set your formkeep form token in the action='' here -->
<form accept-charset="UTF-8" action="https://formkeep.com/f/exampletoken" method="POST">
  <input type="hidden" name="utf8" value="✓">
  <label for="email-address">Email Address</label>
  <input type="text" id="email-address" name="email">
  <!-- also important is to include the hidden element with the id
    (so it can be found by the js above, and name so formkeep can see it -->
  <input type="hidden" id="g-recaptcha-response" name="g-recaptcha-response">
  <button type="submit">Submit</button>
</form>
</html>
Did this answer your question?