How do I stop spam in my contact form without using CAPTCHA?
Classify the message text server-side before it reaches your inbox or CRM, set a hard-drop threshold and a separate review threshold, rate-limit by IP and email domain, and return the same success response for clean and blocked submissions. Add a CAPTCHA only as a fallback during real abuse spikes.
Why are CAPTCHAs not the recommended default for contact forms?
CAPTCHAs measurably drop legitimate conversion — typical drop-off is 5–15% for image puzzles and 1–4% for invisible challenges. For most contact forms that traffic is worth more than the bot-blocking benefit. Server-side text classification catches the same bots without the friction.
Should I store the full contact-form message body for spam audits?
No, not by default. Store the spam probability, the action you took, request metadata (IP, timestamp, user agent), and a short truncated preview. Only store full bodies when your privacy policy explicitly allows it and your retention controls are in place.
How do I tell if my contact form is leaking spam?
Watch for sales-team complaints about junk leads, sudden CRM noise, deliverability issues, or bounce-rate spikes on auto-replies. If you can't measure it, sample 100 of last week's submissions manually and label them — the false-negative rate will tell you immediately.