The short answer
Yes, a contact form needs a backend — and no, you almost certainly don't need to build one.
Those two statements confuse a lot of people, so let's be precise. A "backend" in this context means any code running on a server that receives the form data after the visitor clicks submit. HTML and CSS run entirely in the visitor's browser. The browser can draw your form, check that the email field looks like an email, and even animate the submit button — but it cannot send you an email, and it cannot save the message anywhere. Browsers are deliberately built that way; if any web page could silently send email from your machine, the internet would be unusable.
So when the visitor clicks submit, the data has to travel to a server. The real question is whose server:
- A server you build and run — an API route, a server action, a PHP script, a Lambda function.
- A server your platform provides — WordPress plugins, Wix, Squarespace, and Netlify Forms all bundle one.
- A hosted form backend — a service whose entire job is receiving form posts. You point your form's
actionattribute at its URL and it handles the rest.
If you're new to the third category, start with what is a form backend — this post assumes the basics and focuses on the decision.
What the backend actually does for a form
It's tempting to think the backend's job is just "forward the message to my inbox." That's the visible 20%. Here's the full job description of a production-grade form handler:
- Receive the POST request. Parse
application/x-www-form-urlencodedormultipart/form-data(the latter if you accept file uploads), handle CORS if the form posts via JavaScript, and respond with something sensible. - Validate and sanitize. Browser validation is a UX nicety, not a security control — anyone can POST directly to your endpoint with curl, skipping your HTML entirely. The server must re-check everything.
- Filter spam. An unprotected form endpoint gets discovered by bots within days. You need at least a honeypot field, rate limiting per IP, and ideally content-level classification, or your inbox becomes a landfill.
- Store the submission. Email is a delivery channel, not a database. If the notification email bounces or lands in spam, a stored copy is the difference between a recoverable lead and a silently lost one.
- Send the notification email. This is the hardest part to get right. Sending email that reliably reaches an inbox means an SMTP provider, SPF, DKIM, and DMARC records, and correct From/Reply-To handling — see why contact form emails go to spam for how deep that rabbit hole goes.
Every item on that list is solved, boring, undifferentiated work. That's precisely why hosted form backends exist as a category: thousands of sites need the identical five steps, and none of them gets a competitive advantage from reimplementing them.
When a hosted endpoint is enough (most of the time)
A hosted form backend is the right call when the form's job is "get this message to a human, reliably." That covers a surprisingly large share of all forms on the web:
- Contact forms on portfolios, agencies, restaurants, and local businesses
- Quote and consultation requests
- Waitlist and early-access signups
- Feedback and bug-report forms
- Job application forms (with file uploads)
- Event RSVPs
The setup is one attribute. You write your form exactly as you would anyway, then point it at the endpoint:
<form action="https://splitforms.com/api/submit" method="POST">
<input type="hidden" name="access_key" value="YOUR_ACCESS_KEY" />
<input type="text" name="name" required />
<input type="email" name="email" required />
<textarea name="message" required></textarea>
<button type="submit">Send</button>
</form>That's a complete, working contact form. The endpoint receives the POST, runs spam filtering, stores the submission in a dashboard, and emails you — with the deliverability plumbing already done. It works identically on a static HTML page, a Next.js app, Webflow, or a site generated by an AI tool, because it's just standard HTML form submission. If you want a head start on the markup itself, the HTML form generator and the contact form template produce copy-paste-ready forms.
The economics are hard to argue with: splitforms is free for 500 submissions a month with 2 forms, and Pro is $5/month for 5,000. A contact form that gets 1,000 genuine messages a month is a business with bigger problems than form infrastructure.
When you genuinely need your own backend
There are real cases where you should write the handler yourself. The honest list:
- The form is product logic, not communication. A checkout form, an account-settings form, or anything where the submission must create or mutate records in your database — ideally inside a transaction with other writes. A third-party endpoint can forward you the data via webhook, but if the write has to be atomic with your own state, own the handler.
- Custom authorization. Forms behind a login where the server must verify the session and connect the submission to a user account.
- Strict data-residency or compliance boundaries. If a regulator or enterprise contract says form data may not transit third-party processors, that decision is made for you. (For garden-variety GDPR compliance, a processor with a DPA is normal and fine — see our GDPR form guide.)
- Heavy custom workflows on the hot path. If the response the visitor sees depends on real-time logic — inventory checks, pricing calculations, dedupe against your CRM — the handler needs to be yours. (If the workflow can run after intake, a webhook from a hosted backend covers it without custom code.)
If you're in one of those buckets and you're on Next.js, our comparison of server actions vs a hosted form backend walks through what building it properly involves — including the parts people forget, like retries and spam.
Your four options, compared honestly
| Option | Setup time | Ongoing cost | Best for |
|---|---|---|---|
| mailto: link | 1 minute | $0 | Nothing. Fails for most visitors; no record, no spam filter. |
| Hosted form backend | ~5 minutes | Free–$5/mo | Contact, quote, waitlist, feedback — any "message to a human" form. |
| Platform built-in (Wix, Squarespace, Netlify Forms) | ~5 minutes | Bundled, but tight caps | Sites that will never leave that platform. Forms break if you migrate. |
| Custom backend (API route, server action, Lambda) | Hours to days | Hosting + email provider + your time | Forms that are product logic: database writes, auth, compliance. |
One nuance worth flagging on the platform built-ins: they couple your forms to your host. Netlify Forms only works on Netlify; the day you move to Vercel or Cloudflare, every form breaks. A hosted backend is host-agnostic — the action URL doesn't care where the page is served.
The 30-second decision checklist
Answer these in order. The first "yes" gives you your answer:
- Does the submission need to write to your own database atomically, or run behind your auth? → Build your own handler.
- Does a contract or regulator forbid third-party processors for this data? → Build your own handler.
- Is it a contact / quote / waitlist / feedback / application form? → Hosted form backend. Done in five minutes, including spam protection and a submissions dashboard.
- Not sure? → Start with the hosted endpoint. You can always graduate to custom code later; the form HTML doesn't change, only the action URL does. Going the other direction — un-building a custom backend you're tired of maintaining — is the painful path.
The trap to avoid is building a custom handler "because it's just a few lines." The receiving part is a few lines. Deliverability, spam, storage, and retries are the other 95%, and they arrive as production incidents, one at a time, over the following year.
FAQ
Can a contact form work with just HTML and no backend at all?
No. HTML can render the form and validate inputs in the browser, but the moment the user clicks submit, the data has to travel somewhere — and that somewhere is always a server. If the form's action attribute points at nothing, the browser just reloads the page and the message is gone. The only question is whose server receives it: one you built, one your host provides, or a hosted form endpoint you point the form at.
Is a mailto: action a real alternative to a backend?
Not in practice. A mailto: action doesn't send anything — it asks the visitor's computer to open their default email app with a pre-filled draft. On machines without a configured mail client (most work laptops, many phones, almost every public computer), nothing happens and the visitor assumes your form is broken. You also get no spam filtering, no record of the message, and no way to confirm anything was sent. Treat mailto: as a last resort link, never as a form handler.
What does a form backend actually do that the browser can't?
Five things, all of which require code running on a server: it receives the POST request, validates and sanitizes the data, filters spam (honeypots, rate limits, content classification), stores the submission so it can't be lost, and sends the email notification via SMTP. Browsers deliberately can't send email or write to a database directly — that's a security boundary, not a missing feature. Some server somewhere has to do this work for every form on the internet.
When should I write my own backend instead of using a hosted endpoint?
Write your own when the form is genuinely part of your product logic: submissions need to create records in your own database inside a transaction, trigger multi-step workflows you control, enforce custom authorization, or stay inside a specific compliance boundary your lawyers have defined. For a contact form, quote request, or waitlist — where the job is 'get this message to a human reliably' — custom code is usually over-engineering you then have to maintain forever.
Do Next.js server actions or API routes count as a backend?
Yes — that's exactly what they are: backend code that happens to live in the same repository as your frontend. A Next.js API route or server action gives you a place to receive the POST, but you still have to write the validation, the spam filtering, the storage, and the email-sending (which means configuring an SMTP provider, SPF, and DKIM yourself). Frameworks remove the deployment friction of a backend, not the work inside it.
Are hosted form backends safe to use for business-critical forms?
A good one is safer than a hastily built custom handler, because the failure modes that lose leads — emails silently going to spam, the server falling over, spam flooding your inbox — are exactly what a form backend specializes in. Look for stored submissions (so a lost email isn't a lost lead), real spam filtering, and webhooks so you're not locked in. The data does pass through a third party, so check the provider's privacy posture if you handle sensitive categories of data.
How much does it cost to skip building a backend?
Often nothing. splitforms handles 500 submissions per month free with 2 forms, and the Pro plan is $5/month for 5,000. Compare that against custom-backend costs: a server or serverless function to host, a transactional email provider, DNS records to maintain, and the hours to build and debug all of it. For most sites the hosted option is cheaper at every scale that matters — see the full cost breakdown in our contact form pricing guide.
Ready to skip the backend? Get a free splitforms access key and have a working form in five minutes.
Keep reading: what is a form backend, where form submissions go, what a contact form costs, and the splitforms docs.