splitforms.com
Get free key
The pillar guide · updated May 11, 2026

How to add a contact form to any website in 2026

The complete 2026 guide to shipping a working contact form on any website — the seven elements every modern form needs, the four ways to handle submissions, copy-paste HTML you can use today, spam protection that doesn't make visitors prove they're not robots, and platform-specific setup for Webflow, WordPress, Squarespace, Framer, Carrd, Shopify, Next.js, React, Astro, Svelte, Vue, and Nuxt.

TL;DR. A modern contact form in 2026 is three pieces: an HTML <form> element that collects fields, a hosted form backend that receives the POST and emails you the data, and a honeypot input that blocks the easy bots. The fastest path is splitforms: free for 500 submissions/month, copy-paste HTML, no SDK, no server, no CAPTCHA, and Starter signed webhooks. Sign up at /login, paste the snippet below into any site, and you are receiving submissions in under 60 seconds.

1. What a working contact form needs in 2026

Most contact form tutorials online were written in 2014 and it shows. They tell you to use mailto:links, or to install a WordPress plugin that hasn't been updated since the Trump administration, or to spin up a PHPmail() script that gets blocked by every modern host. In 2026 the bar is higher and the toolset is better. A working contact form needs seven things, and you should not ship one without all of them.

  1. A real submit handler. Either a hosted form backend, a serverless function, or your own server. Not a mailto:link — those open the user's desktop email client (which 60% of visitors do not have configured) and lose the submission silently when it fails.
  2. HTML5 input types. type="email", type="tel", type="url". Mobile keyboards switch based on these. Using type="text" for an email field is a 2026 mobile UX bug.
  3. Accessible labels. Every input gets a<label for="...">. Placeholder text is not a label. Screen readers will skip unlabeled inputs entirely.
  4. Spam protection.A honeypot at minimum, plus rate limiting and ideally an AI classifier. We'll cover the layered approach below.
  5. Email delivery from a high-reputation sender. If your notification email comes from noreply@yourdomain.com without SPF/DKIM/DMARC, expect 30–50% spam-folder rate. Hosted backends fix this for you.
  6. A real success state.Either a thank-you page redirect or an inline confirmation. Forms that submit silently cause people to submit twice and email you support tickets about the "broken form".
  7. A submission record. Email is fine for notification but bad for archival. You want a searchable dashboard with CSV export so a lead from six months ago is not buried in your inbox.

The fastest way to check all seven boxes is a hosted form backend. The minimum-viable version of this guide is: write 18 lines of HTML, paste them into any site, and splitforms handles the other six elements for you. For the long version, read on.

2. The four ways to handle form submissions

There are exactly four mainstream approaches in 2026 to getting data out of a contact form and into your hands. Each has a specific niche and a specific way of failing. We'll cover them in order of complexity, from worst to best.

Option A: mailto: links

You set action="mailto:you@example.com" and call it done. Do not do this. About 60% of visitors are on devices without a default mail client configured, the form data becomes a body parameter the user has to manually click Send on, and spam bots scrape the address out of your markup. It works in zero real scenarios. Skip it.

Option B: Google Forms or Typeform embed

Quick, free, no backend. The downside is the form is hosted on someone else's domain in an iframe, branding is theirs, styling is constrained, and the "Powered by" chrome hurts perceived credibility on a professional site. Fine for an internal survey, bad for a public business contact page. See google forms vs typeform vs splitforms for the head-to-head.

Option C: Hosted form backend (recommended)

A service like splitforms gives you an HTTP endpoint. You write a normal HTML form, set its action to the endpoint URL, add a hidden access key, and you are done. Submissions arrive in your inbox, in a dashboard, in Slack, Discord, or any webhook destination you choose. Zero server code, zero deliverability work, zero spam infrastructure to maintain. This is the path this guide recommends and the rest of the document walks through.

Option D: Your own backend

A Next.js API route, an Express server, a Cloudflare Worker, a Lambda. You get full control and full responsibility — that means writing your own validation, your own honeypot logic, your own email-sending integration with a transactional provider, your own DKIM and SPF setup, your own bounce handling, and your own dashboard. For a high-traffic data-sensitive application this can be the right call. For a contact form on a marketing site, it is overkill and a maintenance liability. See Next.js 15 server actions vs a hosted form backend for the honest comparison.

ApproachSetupSpam handlingCost
mailto:1 minuteNoneFree
Google Forms / Typeform5 minutesProvider-managedFree / $25+/mo
Hosted form backend60 secondsBuilt-in, no CAPTCHAFree / $5/mo
Your own backend4–8 hoursYou build it$0–$50/mo + your time

3. The basic HTML contact form, line by line

Here is the smallest production-ready contact form. Eighteen lines, no JavaScript required, works in every browser back to IE11 (not that anyone cares about IE11 in 2026), and posts to the splitforms endpoint. Replace YOUR_ACCESS_KEY with the value from your dashboard.

<form action="https://splitforms.com/api/submit" method="POST">
  <input type="hidden" name="access_key" value="YOUR_ACCESS_KEY" />

  <label for="name">Name</label>
  <input id="name" type="text" name="name" required />

  <label for="email">Email</label>
  <input id="email" type="email" name="email" required />

  <label for="message">Message</label>
  <textarea id="message" name="message" rows="5" required></textarea>

  <!-- Honeypot: hidden from humans, irresistible to bots -->
  <input type="checkbox" name="botcheck" style="display:none" tabindex="-1" />

  <button type="submit">Send message</button>
</form>

Reading line by line: action is the URL submissions POST to. method="POST" is mandatory — never use GET for a form that takes user input, as it will leak the data into URLs and browser history. The hidden access_key input is how the backend knows which account the form belongs to. Therequired attribute triggers browser-native validation and prevents the form from submitting until the user fills the field. The honeypot botcheck input is hidden via inline CSS and made unfocusable with tabindex="-1", so a keyboard user never tabs into it. Bots that fill every field indiscriminately trip it, and splitforms drops their submission.

For a deeper template gallery with validated states, error messaging, multi-step variants, and Tailwind versions, see html contact form code: copy-paste in 2026 and the /forms/html framework page.

4. Connecting the form to email delivery

Once the form is in your page, the next question is where submissions actually go. With splitforms the answer is: your inbox, instantly. The 60-second setup is:

  1. Visit splitforms.com/login and create an account with email + password. No credit card.
  2. Copy your access key from the dashboard. It looks like a random 32-character string.
  3. Paste the access key into the hidden access_key field of your form (see the snippet above).
  4. Submit a test entry. The submission shows up in the dashboard within a second and an email arrives in the account inbox within 5–30 seconds.
  5. Optionally wire up additional destinations — Slack, Discord, Google Sheets, Notion, Airtable, Zapier, HubSpot, or any signed HTTP webhook. All free.

That's it. No SMTP, no transactional email account, no SPF/DKIM/DMARC records on your domain, no bounce monitoring. splitforms uses its own high-reputation sending domain with proper alignment, sets the visitor's email as the Reply-To header so you can reply directly from your inbox, and emails arrive in the primary inbox rather than the spam folder. The full no-friction walkthrough is at add a contact form to your site in 60 seconds.

5. Form validation that actually helps users

Validation happens in three places: in the browser before submit, on the server after submit, and in the UI to tell the user what went wrong. You need all three. Browser-side validation prevents the obvious mistakes (empty required fields, malformed email addresses) without a round trip. Server-side validation catches everything the browser missed, including malicious payloads from scripts that bypass the form entirely. UI feedback turns "something is wrong" into "your phone number needs an area code".

HTML5 native validation

These attributes do real work and cost zero JavaScript:

  • required — blocks submit if empty.
  • type="email" — validates the @ sign and TLD shape.
  • minlength / maxlength — character bounds.
  • pattern — a regex the value must match.
  • inputmode — controls the mobile keyboard (numeric, decimal, email, tel).

For richer validation (matching passwords, conditional required fields, async checks like "is this email already on the newsletter"), you reach for JavaScript or a library. The 2026 picks are documented in the best React form library in 2026 and the best Next.js form library in 2026.

Tailwind users: the peer and invalid: modifiers make styling error states almost trivial. See Tailwind CSS form validation for the copy-paste pattern.

6. Spam protection without making humans suffer

reCAPTCHA in 2026 is a tax on your conversion rate. Cloudflare published numbers in 2024 showing reCAPTCHA v2 challenges dropped form completion by 8–14% on commercial pages. v3 is invisible but it sends a score back to Google and you have to make the accept/reject decision yourself, which means writing spam-handling logic anyway. Worse, modern LLM-based bots defeat reCAPTCHA challenges with embarrassing reliability. The whole category is past its sell-by date.

The modern stack is three layers, none of which the human user sees:

  1. Honeypot field. A hidden input that bots fill and humans cannot. Catches 60–80% of automated spam with zero friction and zero false positives. The minimum bar. See honeypot vs reCAPTCHA.
  2. Rate limiting and IP reputation. The backend rejects abusive senders before the submission reaches your inbox. splitforms layers this transparently.
  3. AI content classifier. A language model scores message text for spam likelihood. Catches the sophisticated stuff (SEO link-drops, fake job offers, business-email-compromise probes). False positives go to a Spam tab rather than being deleted. The full mechanics are in AI-powered form spam detection.

The complete 2026 playbook is at form spam protection: the complete 2026 guide with side-by-side data, and stop contact form spam: 5 methods compared has the raw numbers. If you must use a CAPTCHA, the reCAPTCHA alternatives in 2026 roundup covers Turnstile, hCaptcha, and the rest.

7. File uploads, multi-step forms, conditional fields

Once your basic form works, three upgrades cover 90% of the advanced asks.

File uploads

Add enctype="multipart/form-data" to the <form> and include an <input type="file">. Constrain accepted types with accept=".pdf,.png,.jpg" and impose a server-side size limit. splitforms handles upload storage, virus scanning, and includes a download link in the notification email. Full walkthrough: how to add file uploads to any contact form.

Multi-step (Typeform-style) forms

One question per screen, progress bar, smooth transitions. The pattern is six divs with a Next button each and a single hidden form that gathers state. Conversion on long forms improves measurably when split into steps because each step feels like a small commitment rather than a wall of inputs. Template at /form-templates/multi-step-form.

Conditional fields

Show or hide inputs based on prior answers — e.g. only ask for a company name if the user selects "Business inquiry" from a routing dropdown. Implemented with a few lines of JavaScript that toggle a hidden attribute on the relevant fieldset. Keeps the form short for the common case and detailed for the niche case.

8. Styling your form (CSS, Tailwind, frameworks)

Form styling in 2026 is in a good place. Browser default form controls finally render consistently across Chromium, Firefox, and Safari. You can ship a form with zero CSS and it will look acceptable. With 30 lines of CSS you can ship a form that looks bespoke.

The basic checklist for handwritten CSS: set a max-width on the form so single-column layouts don't stretch uncomfortably on large screens, use display: grid; gap: 12px on the form element for clean vertical rhythm, make inputs and the submit button at least 44px tall for tap-target compliance, and use :focus-visible rather than :focusfor keyboard-only focus rings so mouse users don't see a halo on every click.

Tailwind users have it easier: Tailwind CSS form validation covers the peer and invalid: patterns for inline error states. For component libraries, every React framework has a forms primitive — shadcn/ui, Radix UI, Mantine, Chakra, MUI. They all wrap the same standards-compliant form elements, and they all post the same way to a hosted backend. The styling layer is independent of the submission layer.

9. Mobile UX and accessibility

Around 60% of contact form submissions on most marketing sites come from mobile devices in 2026. If your form is painful on mobile, you are losing more than half your leads. Five non-negotiables:

  • Use correct type attributes so the keyboard switches modes. Email gets the @ key, tel gets the numeric pad, url gets the slash key.
  • Use autocompleteattributes so iOS and Android offer to fill name, email, and phone from the user's contact card. This single change is worth a few percentage points of completion rate.
  • Make tap targets 44×44px or larger. Buttons that are 32px tall get mis-tapped at a measurable rate on touch screens.
  • Every input needs a real <label>. Screen readers announce labels; they ignore placeholders. Placeholders also vanish on focus, so users with short-term memory issues lose the field name mid-type.
  • Test the form with keyboard navigation only. You should be able to Tab through every field, hit Enter on the submit button, and complete the form without touching the mouse. If you can't, neither can a screen reader user.

For richer accessibility patterns — error messaging linked with aria-describedby, live regions for submission status, focus management after submit — the WAI Forms tutorial is the canonical reference and splitforms's default markup follows it.

10. Platform-specific contact form guides

The HTML form is the same everywhere, but each platform has its own way to inject HTML into a page. Here are the tutorials for the most common builders:

Pre-built embed pages for the most common platforms also live under /forms/webflow, /forms/wordpress, and /forms/carrd.

11. Framework-specific contact form guides

If you are building in a modern JS framework, the form is a component and the submission is a fetch call. The mechanics differ slightly per framework, but the splitforms endpoint accepts the same POST regardless. The tutorials:

The async submission pattern looks identical across frameworks — capture FormData, append the access key, fetch the endpoint, render a success state. Here's the vanilla JS version (works in any framework):

<form id="contact" onsubmit="return submitContact(event)">
  <input name="name" required />
  <input name="email" type="email" required />
  <textarea name="message" required></textarea>
  <button>Send</button>
</form>

<script>
async function submitContact(e) {
  e.preventDefault();
  const data = new FormData(e.target);
  data.append("access_key", "YOUR_ACCESS_KEY");
  const r = await fetch("https://splitforms.com/api/submit", {
    method: "POST",
    body: data,
  });
  if (r.ok) e.target.innerHTML = "<p>Thanks — we'll be in touch.</p>";
  return false;
}
</script>

12. Testing your contact form before launch

A contact form that silently fails is worse than no form at all — the visitor leaves thinking they reached you, you never learn they tried, and the lead is gone. Run through this ten-item checklist before pushing live:

  1. Submit a real entry. Confirm the email arrives within 30 seconds.
  2. Confirm the submission appears in the splitforms dashboard.
  3. Trip the honeypot manually via DevTools and confirm the submission is silently rejected.
  4. Submit with an empty required field. Browser should block.
  5. Submit with a malformed email. Browser should reject.
  6. Open the form on a real mobile device. Confirm email keyboard appears for the email field.
  7. Tab through the form. Every field should focus in order; Enter submits.
  8. Resize the browser to 320px wide. Form must not horizontally overflow.
  9. Disable JavaScript and try to submit. The form should still POST (no JS dependency for core submit).
  10. Reply to the notification email. The reply should go to the visitor, not to no-reply.

For automated end-to-end coverage, see how to test form submissions without sending real emails — covers Playwright, Mailtrap, and splitforms test mode.

13. Common contact form mistakes (and how to avoid them)

The same handful of mistakes show up on contact pages across every industry. Here are the most expensive ones — expensive because each costs you measurable conversion or measurable support load.

  • No success state. The visitor hits submit, the form clears, and nothing else happens. Most users assume it failed and submit again. Always show a thank-you message or redirect to a confirmation page.
  • Too many required fields. Every extra required field drops completion 4–7 percentage points. Make everything optional except name, email, and message.
  • Using mailto:. As covered above. Skip it.
  • Reply-To set to your own address.You hit Reply on a notification and the message goes to yourself instead of the visitor. Always set Reply-To to the submitter's email — splitforms does this by default.
  • No spam protection. Public forms get spam. Inevitable. The honeypot takes 60 seconds to add and eliminates the bulk of automated junk.
  • No mobile testing. The form looks fine on your laptop and is a nightmare on a 375px iPhone. Test on real mobile, not Chrome DevTools mobile emulation.
  • Auto-redirect to a page that doesn't load fast. If your /thank-you page takes 4 seconds to load, the user may navigate away before it arrives and assume the form failed. Make sure the success page is light.
  • Hidden CAPTCHA traps that break legitimate users. Aggressive bot-detection settings reject real submissions from people on VPNs, mobile carriers with shared IPs, or older browsers. Tune for false positives.

More debugging in contact form not working? 8 common causes (and fixes) and CORS error on form submission — complete fix guide.

14. Why your contact form emails go to spam

The most-reported problem with self-hosted contact form setups in 2026 is "the form works but the emails go to spam". There are exactly three root causes, and the fix for each is well understood.

  1. Missing SPF / DKIM / DMARC. Without authentication, Gmail and Outlook treat the mail as suspicious and route it to spam. Either configure all three on your sending domain or use a hosted backend that pre-aligns them.
  2. From header impersonating the visitor. Setting From:to the visitor's email makes it look like the message is forged. Use From: notifications@yourdomain.com and put the visitor's email in Reply-To: instead.
  3. Low-reputation sending IP. Your $5/month VPS sending SMTP from a fresh IP is starting at zero reputation, and spam filters punish that. Transactional providers (Postmark, Resend, SendGrid) maintain high-reputation pools — and splitforms uses one for you.

The complete diagnostic with header inspection examples is at why your contact form emails go to spam (2026 fix), and the Gmail-specific gotchas (App Passwords, OAuth) are at how to receive contact form submissions in Gmail.

15. Getting started with splitforms in 60 seconds

All of the above is the textbook version. The 60-second version is: head to splitforms.com/login, create a free account, copy your access key, and paste the snippet from section 3 into any HTML page on your site. You will have a working contact form before the kettle boils.

The free plan gives you 500 submissions/month, 2 forms, the dashboard, and the spam filtering stack with no credit card. Starter adds notification emails, CSV export, and webhook integrations (Slack, Discord, Zapier, Notion, Airtable, HubSpot, Google Sheets) for $1/month. If you outgrow the free cap, Pro is $5/month for 5,000 submissions and the $59 3-year plan delivers 15,000/month over 36 months. The full pricing table is at /pricing, comparisons against the major competitors are at splitforms vs Formspree, splitforms vs Web3Forms, vs Getform, and vs Netlify Forms.

For a visual builder rather than writing markup directly, there is /html-form-generator. For full API documentation see /docs, and for help see /faq.

Read the deep dives

This page is the hub. Each link below is a standalone tutorial with copy-paste code for a specific scenario.

Read the deep dives18
Landing pages worth bookmarking10

Frequently asked questions

What is the fastest way to add a contact form to a website in 2026?

The fastest path in 2026 is a hosted form backend like splitforms. You write a plain HTML form, point its action attribute at the backend's submit URL, paste in a free access key, and submissions arrive in your inbox within seconds. There is no PHP, no Node server, no SMTP setup, and no plugin. The whole process from sign-up to first working form takes about 60 seconds. The same HTML works on static sites, Webflow, Carrd, WordPress, Squarespace, Framer, Shopify, Next.js, React, Astro, Svelte, Vue, Nuxt, and Hugo — anywhere a browser can render a form element.

Do I need a backend or server to handle contact form submissions?

No. The whole reason hosted form backends exist is that you do not need to run a server to receive submissions. A plain HTML form posts to an external endpoint, the endpoint stores the submission, fires off an email notification, and optionally forwards to webhooks. Your website itself can be a static HTML file on S3, GitHub Pages, Cloudflare Pages, or a Webflow export — no Node, no Express, no PHP, no SMTP, no cron jobs. This is the modern approach and it is dramatically simpler than self-hosting any of it.

How do I add a contact form without coding?

If you are on a no-code platform like Webflow, Carrd, Squarespace, or Framer, you can paste the splitforms HTML snippet into an embed block and you are done — no coding. If you want zero markup contact at all, splitforms also offers a hosted form builder at /html-form-generator where you drag fields, click Publish, and copy a script tag. For platforms like WordPress, Shopify, or Wix that have a Custom HTML or Embed widget, the same paste-and-go workflow works — the HTML is the same regardless of where you drop it.

Is the splitforms contact form really free?

Yes, the free tier is 500 submissions per month, every month, with 2 forms and no credit card. It is not a trial that converts after 14 days. It is a permanent free plan with the dashboard and spam filtering included. Starter is $1/month when you want webhook destinations and CSV export. Pro is $5/month for 5,000 submissions, and the $59 3-year plan delivers 15,000 submissions per month for 36 months of access. Most personal sites, portfolios, and small business pages stay on free indefinitely.

How do I stop spam on a contact form without using reCAPTCHA?

Layer three things. First, a hidden honeypot input — bots fill every field, including invisible ones, and you reject any submission where the honeypot is non-empty. Second, server-side rate limiting per IP so a script cannot brute-force your endpoint. Third, an AI classifier that scores message content and quarantines obvious spam to a separate tab rather than blocking submissions outright. splitforms ships all three on every plan. Visitors never see a CAPTCHA challenge, conversion rates do not drop, and false positives are reviewable in the dashboard.

Why are my contact form emails going to the spam folder?

Almost always one of three causes. The sending domain lacks SPF, DKIM, or DMARC records, so receiving mail servers flag the message as unverified. The From header is set to the visitor's email address instead of an authenticated sending domain, which breaks alignment. Or the notification volume from a low-reputation IP looks bursty and triggers spam heuristics. splitforms sends from a high-reputation domain with proper alignment and uses Reply-To for the visitor's email, which fixes all three. The full diagnostic is in /blog/why-contact-form-emails-go-to-spam.

Can I add file uploads to my contact form?

Yes. Add an input of type file to your form and change the enctype attribute to multipart/form-data. With splitforms Storage connected, the current limit is 5 files per submission at 10 MB each, with private storage and signed download links. You should still restrict accepted MIME types so users cannot upload arbitrary executables. /blog/how-to-add-file-uploads-to-contact-form walks through the markup and server-side validation with copy-paste code.

Does the same contact form work on Webflow, WordPress, and Shopify?

Yes. The HTML is identical across platforms because every modern site builder includes an embed block that accepts raw HTML — Webflow's Embed component, WordPress's Custom HTML block, Shopify's Custom Liquid section, Squarespace's Code block, Carrd's Embed element, and Framer's Code component all render the same form markup. You write the snippet once, paste it wherever, and the form behaves the same in every environment. There is no per-platform SDK to install or maintain.

How do I test my contact form before launch?

Do four things. Submit a real test entry and confirm the email lands in the configured inbox within 30 seconds. Trip the honeypot manually by populating the hidden field in DevTools and confirm the submission is rejected. Submit with a missing required field and verify the browser blocks it. Open the form on a mobile device and check that the keyboard switches to email mode on the email input and numeric mode on phone inputs. /blog/how-to-test-form-submissions-without-real-emails has a Playwright recipe for automating these checks.

What fields should a contact form include in 2026?

The minimum useful set is name, email, message, and a single-purpose dropdown if you need to route inquiries (Sales, Support, Press). Anything beyond that hurts conversion measurably — every extra required field cuts completion rate by about 4–7 percentage points. Phone numbers should be optional. Company names, job titles, and country pickers belong on demo-request forms, not general contact forms. If you need rich qualification data, route the lead through a multi-step form with progressive disclosure rather than a single long screen.

Ready to ship?

Add a working contact form to your site in 60 seconds.

Free for 500 submissions/month, every month. No credit card. Paste 18 lines of HTML, get email notifications. Webhooks, spam filtering, and the dashboard included.

Get a free access key →See the free plan