splitforms.com
Get free key
NO CAPTCHA · 95–99% OF SPAM BLOCKED

A spam-free contact form without a single CAPTCHA.

splitforms keeps your contact form spam-free with a layered, server-side defense — a hidden honeypot, a time-trap, IP rate limiting, AI content scoring, and an account-wide blocklist. Typical sites block 95–99% of spam before it reaches the inbox, and your visitors never have to find a fire hydrant. Paste the HTML below into any site (HTML, React, Next.js, WordPress, Webflow, Carrd — anywhere) and submissions arrive clean.

Get your free access key Test your form for spam holes

No credit card. No reCAPTCHA cookies. GDPR-clean. Every spam layer is included free on all 500 submissions/month.

95–99%
of spam blocked
5
layers of defense
0
CAPTCHAs shown
<50ms
to filter a submission

The spam-free contact form, in HTML

This is the whole form. The two hidden fields do the work: the botcheck honeypot catches bots that fill every input, and the _start_time time-trap rejects anything submitted in under two seconds. Replace YOUR_ACCESS_KEY with your key and paste it anywhere — no CAPTCHA, no scripts to configure.

spam-free-contact-form.htmlHTML · honeypot + time-trap
<form action="https://splitforms.com/api/submit" method="POST">
  <input type="hidden" name="access_key" value="YOUR_ACCESS_KEY" />

  <input type="text"  name="name"    placeholder="Name"    required />
  <input type="email" name="email"   placeholder="Email"   required />
  <textarea           name="message" placeholder="Message" required></textarea>

  <!-- 1. Honeypot — hidden from real users, bots fill it in -->
  <input type="checkbox" name="botcheck" style="display:none" tabindex="-1" autocomplete="off" />

  <!-- 2. Time-trap — submissions faster than 2s are auto-rejected -->
  <input type="hidden" name="_start_time" value="" />
  <script>
    document.currentScript.previousElementSibling.value = Date.now();
  </script>

  <button type="submit">Send message</button>
</form>

Submitting from a React/Next.js app or another SPA? Send the same fields over fetch() with botcheck: "" (kept empty) and _start_time set on mount — see the React & Next.js spam guide.

Five layers, zero CAPTCHAs

No single trick stops every bot, so splitforms runs five together on every submission — in under 50 milliseconds, entirely on the server, with nothing loading in your visitor's browser.

Want the full breakdown? Read the complete form spam protection guide, the server-side checklist, or see how the AI content scoring catches human-looking spam.

Why spam-free shouldn't mean CAPTCHA

The reflex fix for form spam is to bolt on a reCAPTCHA. It works, but it taxes the wrong people: every legitimate visitor now has to prove they're human, image puzzles add friction that measurably lowers conversion, and screen-reader and low-vision users hit a wall. On top of that, reCAPTCHA sets Google cookies and runs third-party JavaScript in your visitors' browsers — a recurring GDPR headache for any site with EU traffic.

The insight behind a spam-free form is that the bot can convict itself without involving the user at all. A honeypot it fills, a timer it beats, an IP it floods from, a message that scores like spam — none of those require a single click from a real person. That removes 95–99% of spam invisibly, and keeps the page GDPR-clean because nothing third-party ever loads.

If you still want a challenge for a high-value or heavily-targeted form, you can layer reCAPTCHA, hCaptcha, or Cloudflare Turnstile on top — it's just no longer the thing standing between you and a clean inbox. For the full argument and the trade-offs, see contact form without CAPTCHA and honeypot vs reCAPTCHA. Prefer a challenge? Compare the best CAPTCHA options.

Spam-free, on your stack

Platform-specific guides and deep dives on every layer of the defense. Same access key, same protection, wherever your form lives.

How splitforms handles security →Spam protection feature →Free contact form →
✦ stop the spam today

Generate a free access key, paste the snippet, and your contact form is filtering spam on the very next submission — no CAPTCHA, no plugin, no waiting for a model to warm up.

Get free access key →

Spam-free contact form FAQ

What makes a contact form "spam-free"?

A spam-free contact form filters out automated and low-quality submissions before they reach you, so your inbox only shows real messages. splitforms does this with a layered server-side defense — honeypot, time-trap, IP rate limiting, AI content scoring, and an account-wide blocklist — that runs on every submission in under 50ms. Typical sites stop 95–99% of spam at the edge. No form is 100% spam-proof forever, but layered filtering removes the overwhelming majority with no work on your side.

Does it use a CAPTCHA or reCAPTCHA?

No. There is no CAPTCHA, no reCAPTCHA checkbox, and no "select all the traffic lights" puzzle. The defense is entirely server-side, so your visitors never get challenged and your conversion rate doesn't take the hit that CAPTCHAs cause. If you specifically want a CAPTCHA you can still add reCAPTCHA, hCaptcha, or Turnstile on top, but it isn't required to stop spam.

How much spam does it actually block?

Typical sites block 95–99% of spam before it ever reaches an inbox or webhook. The honeypot alone catches roughly 85% of the cheap, high-volume bots; adding the time-trap and the AI content-scoring layer lifts that to the 95–99% range. It works on the very first submission — there is no model warm-up and no script to load.

Is spam protection included on the free plan?

Yes — every layer (honeypot, time-trap, IP rate limit, content scoring, account-wide blocklist, and the Spam folder) is included on the Free 500-submissions/month plan. There is no upsell for spam filtering. Paid plans add notification delivery features and higher submission limits, but the filtering itself is identical at every tier.

Will it ever block real visitors (false positives)?

It's tuned to avoid that, and the edge cases are handled: the honeypot is aria-hidden and tabindex=-1 so screen readers and keyboard users skip it; back-button re-submits and password-manager autofill are accounted for; and slow legitimate forms (job applications, long surveys) can raise the time-trap threshold per form. On the rare occasion something real is filtered, it lands in the dashboard's Spam folder and you recover it in one click — which also trains the filter so similar messages aren't flagged again.

Does it work on WordPress, Wix, Webflow, React, and plain HTML?

Yes. The filtering is server-side, so it doesn't care what rendered the form. Anywhere you can paste HTML — a WordPress Custom HTML block, a Webflow embed, a Carrd element, a Squarespace code block — the spam-free form works without a plugin. For React, Next.js, Vue, or any SPA that submits via fetch(), send an empty botcheck field and a _start_time timestamp and the same protection applies.

Is it GDPR-compliant?

Yes. Because there's no Google reCAPTCHA, there are no reCAPTCHA cookies, no device fingerprinting, and no third-party JavaScript executing in your visitors' browsers — three of the most common GDPR headaches with CAPTCHA-based spam protection. Notification emails are sent from a warmed, SPF/DKIM/DMARC-aligned sender so they land in the inbox rather than a spam folder.

What about sophisticated bots and AI-written spam?

That's exactly why the defense is layered rather than a single trick. A honeypot is blind to headless-browser bots and human-looking, AI-generated messages submitted through the real form — so the AI content-scoring layer analyzes the message itself, and the account-wide blocklist learns from every "mark as spam" click. No system stops a determined attacker writing a bot for your specific form, but layered filtering plus one-click blocking keeps even that under control.

✻ ✻ ✻

A clean inbox in 60 seconds.

500 submissions a month, free. Honeypot, time-trap, rate limiting, and AI scoring on every one — no CAPTCHA, no plugin, no credit card.

Get your free access key →Read the spam guide