splitforms.com
SPAM & SECURITY · 11 MIN READ · Published May 1, 2026

How to stop contact form spam (5 methods compared)

Honeypots, reCAPTCHA, hCaptcha, AI classifiers, and rate limiting — measured side-by-side on a real form. Includes data on which actually works in 2026.

✶ Written by
splitforms.com / blog

Founder of splitforms — the form backend API for developers. Writes about form UX, anti-spam, and shipping web apps without backend code.

How we tested: 30 days, 12,400 submissions

We ran a single contact form on a SaaS landing page for 30 days with each method behind a feature flag. Total: 12,400 form submissions, of which roughly 8,200 were spam (manually labeled afterward by reading every message). Traffic skewed North America and Western Europe; the form had three fields (name, email, message).

The numbers below come from that test plus published vendor data. Where we cite a percentage, assume ±5% variance based on your specific traffic mix and the spam-bot meta of the moment. Spam techniques evolve fast.

1. Honeypot fields

A honeypot is a hidden form field that real humans never see or fill in, but naive bots — which fill every input they find — happily populate. If the field is non-empty on submit, you drop the request silently.

Setup time: 30 seconds. Add one input.

<input
  type="checkbox"
  name="botcheck"
  style="display:none"
  tabindex="-1"
  autocomplete="off"
/>

Spam blocked in our test: 73% of all spam attempts. False positives: 0 (no human can fill a display:none field with no tab stop). Conversion impact: none. GDPR: clean — no third-party scripts, no tracking, no consent needed.

Where it fails: sophisticated bots that render the page in a real headless browser and skip non-visible inputs. Roughly 27% of the spam in our test came through this route.
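An added example (not splitforms' code) of the server-side half of the honeypot, extended with the time-to-submit check this article mentions later. `MIN_FILL_MS`, the `save` callback and the server-side render timestamp are assumptions.

```javascript
const HONEYPOT_FIELD = "botcheck"; // name used in the markup above
const MIN_FILL_MS = 3000;          // assumed floor for a person to fill 3 fields

// rawBody: the application/x-www-form-urlencoded POST body.
// renderedAtMs: when the server rendered the form, kept server-side
// (e.g. in the session) so the client cannot forge it (assumption).
function screenSubmission(rawBody, renderedAtMs, nowMs) {
  const form = new URLSearchParams(rawBody);

  // An unchecked checkbox is omitted from the body entirely, so the mere
  // presence of the key means something ticked or filled the hidden input.
  if (form.has(HONEYPOT_FIELD)) {
    return { accept: false, reason: "honeypot" };
  }
  // Scripts typically post far sooner than a person could type a message.
  if (nowMs - renderedAtMs < MIN_FILL_MS) {
    return { accept: false, reason: "too-fast" };
  }
  return {
    accept: true,
    reason: "ok",
    fields: {
      name: form.get("name") ?? "",
      email: form.get("email") ?? "",
      message: form.get("message") ?? "",
    },
  };
}

// Silent drop: rejected requests get the same response as accepted ones,
// so an automated sender learns nothing about which check it tripped.
// `save` is a hypothetical callback that stores or forwards the message.
function respond(decision, save) {
  if (decision.accept) save(decision.fields);
  return { status: 200, body: "Thanks, we got your message." };
}
```

Log the `reason` for dropped requests on the server so you can measure how much each check is catching.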

2. Google reCAPTCHA v3

The default for the last decade. v3 is invisible — Google fingerprints the visitor and returns a 0.0–1.0 score that you decide to accept or reject.

Setup time: ~15 minutes (Google account, key registration, two script tags, server-side verification).

Spam blocked: 79% in our test (down from ~95% two years ago — bot farms have caught up). False positives: ~3% of legitimate users get flagged at the standard 0.5 threshold. Conversion impact: -2 to -8% in published case studies; you also lose users who block Google scripts. GDPR: messy. Italy's DPA has fined sites for using reCAPTCHA without consent banners; same direction in Germany and France.

Page weight cost: ~120KB of JavaScript loaded on every page that includes the reCAPTCHA script (Google recommends loading it everywhere, not just on form pages).

3. hCaptcha

The privacy-positioned reCAPTCHA alternative. Same UX (image challenge or invisible scoring), but doesn't feed Google's ad graph and offers EU data residency.

Setup time: ~15 minutes. Spam blocked: 81% in our test. False positives: ~5% (slightly higher than reCAPTCHA — hCaptcha's scoring is more conservative). Conversion impact: -3 to -10%. GDPR: hCaptcha publishes a DPA, supports EU data centers, and is the only major CAPTCHA provider that's actively GDPR-friendly out of the box.

The biggest knock: hCaptcha's image challenges (when shown) are noticeably harder than reCAPTCHA's. If you ship hCaptcha, configure it to invisible mode and only show the challenge on high-risk submissions.

4. Cloudflare Turnstile

The newcomer that's eating both reCAPTCHA's and hCaptcha's lunch. Turnstile is free, invisible by default, and uses Cloudflare's network telemetry instead of behavioral fingerprinting.

Setup time: ~10 minutes. Spam blocked: 89% in our test — the highest of any single method we tried. False positives: ~1% (lowest of any CAPTCHA we tested). Conversion impact: -1% or less. GDPR: clean — no cookies, no cross-site profiling, EU data residency available.

Tradeoffs: Cloudflare-dependent. If your site isn't on Cloudflare, Turnstile still works but you lose some of the network-level signals. Also: Cloudflare-blocked countries (parts of Asia, Russia) get worse pass-through.
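The server-side token check that Turnstile depends on, as an added example rather than code from Cloudflare or splitforms. It posts to Cloudflare's `siteverify` endpoint and fails closed; the `opts` shape, the `expectedHostname` check and the injectable `fetchImpl` are assumptions of this example.

```javascript
const SITEVERIFY_URL =
  "https://challenges.cloudflare.com/turnstile/v0/siteverify";

// token: value of the cf-turnstile-response form field.
// opts.secret: your Turnstile secret key (server-side only).
// opts.expectedHostname: the hostname your form is served from.
// opts.fetchImpl: injectable so the logic can be exercised offline.
async function verifyTurnstile(token, opts) {
  const { secret, expectedHostname, remoteIp, fetchImpl = fetch } = opts;
  if (typeof token !== "string" || token.length === 0) {
    return { ok: false, reason: "missing-token" };
  }
  const body = new URLSearchParams({ secret, response: token });
  if (remoteIp) body.set("remoteip", remoteIp);

  let result;
  try {
    const res = await fetchImpl(SITEVERIFY_URL, { method: "POST", body });
    result = await res.json();
  } catch (err) {
    // Network or parse failure: never treat the submission as verified.
    return { ok: false, reason: "verify-unreachable" };
  }
  if (!result || result.success !== true) {
    const codes = (result && result["error-codes"]) || [];
    return { ok: false, reason: codes.join(",") || "rejected" };
  }
  // A token issued for a different site must not be accepted on this form.
  if (expectedHostname && result.hostname !== expectedHostname) {
    return { ok: false, reason: "hostname-mismatch" };
  }
  return { ok: true, reason: "ok" };
}
```

Call it before the submission is stored or emailed, and save only when `ok` is true.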

5. AI classifier (Akismet / OpenAI moderation)

The heavy hitter for high-volume forms. An AI classifier reads the actual message content and scores it for spam likelihood. Two flavors:

  • Akismet — the WordPress veteran. Trained on billions of comment-spam samples. ~$10/month for small sites.
  • OpenAI moderation API + custom prompt — DIY version. Pass the message to a small model with "is this spam?" in the prompt. ~$0.0001 per submission.

Spam blocked: 95-99% in our test (varies by spam type — Akismet excels at link spam, AI excels at spammy-but-grammatical sales pitches). False positives: ~2-4%, mostly sales emails from real humans that look promotional. Conversion impact: 0 — runs server-side, invisible to users. GDPR: depends on provider; Akismet is fine, OpenAI requires a DPA review for EU traffic.

splitforms includes AI classification on Pro and the 4-Year plan — we trained a small model on 4M labeled form submissions specifically (not blog comments, not chat) which catches spam the generic providers miss.

Comparison table

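| Method               | Setup  | % spam blocked | False positives | Conv. impact | GDPR          |
|----------------------|--------|----------------|-----------------|--------------|---------------|
| Honeypot             | 30 sec | 73%            | 0%              | 0%           | Clean         |
| reCAPTCHA v3         | 15 min | 79%            | ~3%             | -2 to -8%    | Risky         |
| hCaptcha             | 15 min | 81%            | ~5%             | -3 to -10%   | Friendly      |
| Cloudflare Turnstile | 10 min | 89%            | ~1%             | -1% or less  | Clean         |
| AI classifier        | 30 min | 95-99%         | 2-4%            | 0%           | Provider-dep. |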

The stack we recommend

For a low-traffic marketing site (under ~500 submissions/month): honeypot only. Zero cost, zero UX impact, zero third-party scripts, blocks the vast majority of automated junk.

For a real product with form traffic (500-5,000 submissions/month): honeypot + Cloudflare Turnstile. ~98% blocked, < 1% false-positive rate, GDPR-clean. This is what most splitforms customers run.

For high-volume forms (5,000+ submissions/month, lots of business-direction spam): honeypot + Turnstile + AI classifier. Layered defense; the classifier catches the human-typed spam that gets past Turnstile.

splitforms ships honeypot, time-to-submit, and AI scoring by default on every form. If you point your form at https://splitforms.com/api/submit, you get all three on day one. We added Turnstile support as a one-line opt-in in the dashboard.

Honest limitation: no spam defense gets to 100%. Whatever method you ship, plan to mark a handful of false negatives as spam manually. The dashboard's "mark as spam" button feeds back into the classifier — that's how you keep block rates climbing over time.

Tech support and troubleshooting

Five spam-defense issues that account for almost every "why is junk still in my inbox":

  • Spam still arriving despite Turnstile: Token verification is missing on the server. Confirm /siteverify returns success: true before saving the submission.
  • Honeypot blocks real users: Browser autofill filled the hidden field. Use a name like 'botcheck' that autofill ignores, and add autocomplete='off' tabindex='-1' aria-hidden='true'.
  • AI classifier flags legitimate inquiries: Threshold is too aggressive. Log scores for a week, then set the cutoff at the 95th percentile of confirmed-good messages.
  • Sudden spam spike from one country: Add an edge geo-block for the offending region or rate-limit it harder. Don't ban globally for a regional bot wave.
  • reCAPTCHA tanks conversion: v2 challenges drop completion 5-15%. Switch to Cloudflare Turnstile or hCaptcha — both invisible-by-default for ~99% of humans.
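The calibration step from the classifier item above, as an added example on a constructed score log (not data from this article's test). It assumes scores run from 0 to 1 with higher meaning more spam-like, and that each logged row carries a manual label.

```javascript
// Nearest-rank percentile: the smallest logged value that has at least
// p percent of the data at or below it.
function percentile(values, p) {
  if (values.length === 0) throw new Error("no scores logged");
  const sorted = [...values].sort((a, b) => a - b);
  const rank = Math.max(1, Math.ceil((p * sorted.length) / 100));
  return sorted[rank - 1];
}

// Derive the cutoff from confirmed-good messages, then report what that
// cutoff would have done to the same week of traffic.
function calibrate(log, p = 95) {
  const good = log.filter((r) => r.label === "good").map((r) => r.score);
  const spam = log.filter((r) => r.label === "spam").map((r) => r.score);
  const cutoff = percentile(good, p);
  const flagged = (s) => s > cutoff; // flag only scores strictly above it
  return {
    cutoff,
    falsePositiveRate: good.filter(flagged).length / good.length,
    spamCaughtRate: spam.length ? spam.filter(flagged).length / spam.length : 0,
  };
}

// Constructed sample log: 20 confirmed-good rows, 10 confirmed-spam rows.
// The 0.71 "good" row stands in for a promotional-looking human email.
const SAMPLE_LOG = [
  ...[0.02, 0.03, 0.05, 0.05, 0.07, 0.08, 0.10, 0.11, 0.12, 0.14,
      0.15, 0.18, 0.20, 0.22, 0.25, 0.28, 0.31, 0.35, 0.42, 0.71]
    .map((score) => ({ score, label: "good" })),
  ...[0.38, 0.55, 0.63, 0.77, 0.81, 0.88, 0.90, 0.93, 0.96, 0.99]
    .map((score) => ({ score, label: "spam" })),
];
```

On this sample `calibrate(SAMPLE_LOG)` puts the cutoff at 0.42: one good message in twenty is still flagged, and the spam row scoring 0.38 passes, which is the tradeoff the percentile choice makes explicit.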

splitforms ships honeypot, time-check, Turnstile pass-through, and an AI classifier on by default — see the splitforms docs and API reference for the full filtering pipeline. Account questions live in the splitforms FAQ.

Frequently asked questions

What is the most effective way to stop contact form spam?

A layered approach beats any single technique. Start with a honeypot field (free, invisible, blocks 60-80% of spam). Add a time-to-submit check. Then layer Cloudflare Turnstile or an AI classifier on top for the remaining 20-40%. splitforms ships honeypot, time-check, and AI scoring out of the box.

Does Google reCAPTCHA still work in 2026?

It works against unsophisticated bots but its block rate has dropped to roughly 70-85% as bot farms increasingly use real human solvers ($1-2 per 1,000 challenges) and headless browsers with stealth plugins. reCAPTCHA also leaks visitor data to Google, has known GDPR issues in the EU, and adds 1-3 seconds of page weight. Most teams should use Cloudflare Turnstile instead.

Is a honeypot field enough on its own?

For a low-traffic site, often yes — honeypot alone blocks 60-80% of spam with zero UX impact. As volume grows, sophisticated bots (and human spam farms) start submitting through real browsers and bypass honeypots. Layer in Turnstile or AI classification once your inbox starts seeing junk.

Will CAPTCHAs hurt conversion rates?

Yes, measurably. Industry data shows reCAPTCHA v2 (the 'select traffic lights' challenge) reduces form completion 5-15%. reCAPTCHA v3 is invisible most of the time but still adds friction for ~3% of legitimate users. Cloudflare Turnstile passes ~99% of humans without a challenge — the lowest false-positive rate of any major option.

Are AI spam classifiers worth it?

For high-traffic forms (5,000+ submissions/month), yes. A small classifier trained on form text catches obviously-spammy submissions that bypass CAPTCHAs (real humans hired through Mechanical Turk-style farms). For low-volume sites, honeypot plus Turnstile gets you 99%+ at zero cost.

Is reCAPTCHA GDPR-compliant?

Not by default. reCAPTCHA loads Google scripts that profile visitors across the web; the Italian DPA has fined sites for using it without explicit consent. If you serve EU traffic, prefer Cloudflare Turnstile (no cross-site profiling) or hCaptcha (privacy-focused, GDPR-friendly with EU data centers).
