
Domains & Spam

html.contact expects normal website forms to submit from trusted source domains. Source checks, spam screening, honeypots, quotas, and rate limits work together before a message reaches your inbox.

Add the exact hostnames (no scheme or path) that should be allowed to post to your form. Entries match exactly: a parent domain does not cover its subdomains.

Examples:

  • example.com
  • www.example.com
  • contact.example.com

If both example.com and www.example.com serve the form, add both. If you test from a preview URL, add that exact preview hostname while testing.

When a browser submits a form, html.contact checks the Origin and Referer request headers against the form’s allowed domains. Submissions from other domains can be rejected before email delivery.

Source headers are useful abuse signals, but they are not cryptographic proof that a request came from a website: any non-browser client can set them to whatever it likes. Keep server-side posts off for normal website forms.

Server-side posts allow trusted server or curl requests that may not include browser source headers.

Leave this setting off for normal website forms. Turning it on means a post without source headers is accepted, so the allowlist can no longer be used to reject requests that did not come from your site, and the submission relies more heavily on server-side spam checks, rate limits, and quotas.
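The source check described above, as an added example in JavaScript. This is not html.contact’s own code: the function names, the header object shape (lowercase keys as Node’s req.headers provides), the form object with allowedDomains and allowServerSidePosts, and the decision to still reject a present-but-disallowed header when server-side posts are on are all assumptions for illustration.

```javascript
// Added example, not html.contact's implementation: checking a form POST
// against a per-form allowlist of exact hostnames using Origin and Referer.

// Extract the hostname from a header value such as "https://www.example.com"
// (Origin) or "https://www.example.com/contact?x=1" (Referer). Returns null
// if the value is not a parseable URL. Port, path and case are discarded.
function hostnameFromHeader(value) {
  try {
    return new URL(value).hostname.toLowerCase();
  } catch {
    return null;
  }
}

// Normalise a configured allowlist entry to a bare lowercase hostname so that
// "https://Example.com/" and "example.com" mean the same thing. Entries are
// matched exactly: allowing "example.com" does NOT allow "www.example.com",
// "contact.example.com" or "example.com.evil.net".
function normalizeAllowed(entry) {
  const s = entry.trim().toLowerCase();
  if (s.includes('://')) {
    try { return new URL(s).hostname; } catch { return null; }
  }
  return s.replace(/^\/+|\/+$/g, '') || null;
}

// Decide whether a submission passes the source check.
//   headers: { origin?: string, referer?: string }   (assumed lowercase keys)
//   form:    { allowedDomains: string[], allowServerSidePosts: boolean }
// Returns { ok: true, source } or { ok: false, reason }.
function checkSource(headers, form) {
  const allowed = new Set(form.allowedDomains.map(normalizeAllowed).filter(Boolean));

  // Origin "null" is an opaque origin (sandboxed iframe, file:// page, some
  // redirects); it carries no hostname, so treat it like a missing header.
  const present = [headers.origin, headers.referer].filter((h) => h && h !== 'null');

  if (present.length === 0) {
    // No usable source header: only acceptable when the form owner opted in
    // to server-side posts, and then the allowlist proves nothing.
    return form.allowServerSidePosts
      ? { ok: true, source: null }
      : { ok: false, reason: 'missing_source' };
  }

  // Every header that IS present must name an allowed host. A header that is
  // present but garbage is rejected outright, regardless of the toggle.
  let source = null;
  for (const value of present) {
    const host = hostnameFromHeader(value);
    if (!host) return { ok: false, reason: 'malformed_source' };
    if (!allowed.has(host)) return { ok: false, reason: 'source_not_allowed' };
    source = source || host;
  }
  return { ok: true, source };
}

module.exports = { hostnameFromHeader, normalizeAllowed, checkSource };
```

The exact-match set is the point: suffix or substring matching would let example.com.evil.net or evil-example.com through, which is why the page tells you to list www.example.com and example.com separately rather than relying on one entry to cover both.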

html.contact screens obvious junk before delivery. The screening includes domain checks, automated spam screening, payload limits, rate limits, quotas, and honeypot checks.

Rejected submissions are separated from the main inbox so you can review them without polluting normal leads.

You can add a hidden field for basic bot detection. Real visitors never see it, so it stays empty in normal browser submissions; naive bots that populate every field they find will fill it.

<input type="text" name="_gotcha" tabindex="-1" autocomplete="off" hidden>

If a bot fills the honeypot, the submission is rejected.

Public form submissions use source-based rate limits, applied before a rejected attempt is stored, so repeated automation is slowed down before it can pile up in the rejected view. Limits are designed to slow repeated automation without changing the normal browser form setup.

When a limit is hit, html.contact returns:

{
  "ok": false,
  "error": {
    "code": "rate_limited",
    "message": "Too many submissions. Please try again shortly."
  }
}
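A source-based rate limit of the kind described above, as an added JavaScript example that is not html.contact’s own code. The sliding-window algorithm, the choice of key (socket client IP plus form id), the limit and window values, and the HTTP 429 status with a Retry-After header are assumptions; only the JSON error body is taken from the page.

```javascript
// Added example, not html.contact's implementation: a sliding-window rate
// limiter keyed by submission source, returning the documented error body.

class SlidingWindowLimiter {
  // limit: maximum submissions per window; windowMs: window length in ms.
  constructor(limit, windowMs) {
    this.limit = limit;
    this.windowMs = windowMs;
    this.hits = new Map(); // key -> timestamps (ms) of accepted hits
  }

  // Record an attempt for `key` at time `now` and report whether it is
  // allowed. A rejected attempt is NOT recorded, so a flood cannot extend its
  // own block indefinitely; it only has to wait for the oldest hit to age out.
  hit(key, now = Date.now()) {
    const cutoff = now - this.windowMs;
    const recent = (this.hits.get(key) || []).filter((t) => t > cutoff);
    if (recent.length >= this.limit) {
      this.hits.set(key, recent);
      return { allowed: false, remaining: 0, retryAfterMs: recent[0] + this.windowMs - now };
    }
    recent.push(now);
    this.hits.set(key, recent);
    return { allowed: true, remaining: this.limit - recent.length, retryAfterMs: 0 };
  }

  // Drop keys with no hits inside the window so the map does not grow forever.
  prune(now = Date.now()) {
    const cutoff = now - this.windowMs;
    for (const [key, times] of this.hits) {
      if (!times.some((t) => t > cutoff)) this.hits.delete(key);
    }
    return this.hits.size;
  }
}

// Key on the client IP taken from the socket (not from a spoofable header such
// as X-Forwarded-For unless a trusted proxy sets it) plus the form id, so one
// noisy client cannot exhaust another form's budget.
function sourceKey(clientIp, formId) {
  return `${formId}|${clientIp}`;
}

// Error body shown on the page for a rate-limited submission.
function rateLimitedResponse() {
  return {
    ok: false,
    error: {
      code: 'rate_limited',
      message: 'Too many submissions. Please try again shortly.',
    },
  };
}

// Gate one submission before any spam screening or storage happens.
// Returns the status, headers and JSON body the handler should send.
function gateSubmission(limiter, clientIp, formId, now = Date.now()) {
  const result = limiter.hit(sourceKey(clientIp, formId), now);
  if (!result.allowed) {
    return {
      status: 429,
      headers: { 'Retry-After': String(Math.ceil(result.retryAfterMs / 1000)) },
      body: rateLimitedResponse(),
    };
  }
  return { status: 200, headers: {}, body: { ok: true } };
}

module.exports = { SlidingWindowLimiter, sourceKey, rateLimitedResponse, gateSubmission };
```

The gate runs before the honeypot and spam checks, and before anything is written to the rejected view, so a burst of junk costs one map lookup per request rather than a stored record each. In a multi-instance deployment the Map would need to be replaced by shared storage; the decision logic stays the same.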

The default html.contact snippet does not require CAPTCHA or Turnstile code.

If you want a browser challenge, add your own CAPTCHA service on your site before posting to html.contact. Do not paste service-specific CAPTCHA fields into the default html.contact snippet unless your own site handles that service.