Spam Filtering

Your time is limited, so we want to make sure the only submission data that hits your inbox is sent by humans, not bots.


Spam filtering is the hardest part of operating a form service. Everyone has a different tolerance for spam they are willing to sort, or expect to be filtered for them. There will always be some percentage of false positives with any spam filtering system. We filter spam in order to protect our email sending reputation, this is what enables us to land emails in your inbox instead of your spam folder.

We recommend the following techniques to ensure you review all false positives

  • Webhooks can be configured to trigger regardless of the spam status of a submissions.
  • Configure reminders to review your spam folders often.
  • Enable spam summary emails within your form settings (coming soon)


All our forms are protected by Cloudflare's Web Application Firewall (WAF). This is our first line of defense against submissions originiating from the dark web, and known bots.


To accurately assess the legitimacy of your form's submission content, we use Junkbox — an intelligent API solution that provides automatic protection and stops spam content from reaching your inbox. As a machine learning spam filter, its constantly training and evolving to be better at what it does.

Google reCAPTCHA

Google reCAPTCHA can be configured to add an additional layer of protection to your form, but it takes a little bit of work to setup.

Basin supports both click and invisible reCAPTCHA. Choose and use one only.
Step 1 — Add script tag to your page

You must add the following script tag somewhere outside of your form code and before the closing head tag. If you place it inside the form div, then reCAPTCHA won't initialize.

<script src="" async defer></script>
Step 2 — Add reCAPTCHA div to your form code

Your reCAPTCHA must contain the same sitekey as shown in the code snippet below. If you use a different sitekey, reCAPTCHA will not work.

<div class="g-recaptcha" data-sitekey="6Lew3SMUAAAAAJ82QoS7gqOTkRI_dhYrFy1f7Sqy"></div>
Step 3 — Enable 'Require Valid reCAPTCHA response'

This setting is found within your form's 'Edit' tab in the dashboard. Enabling this ensures all form submissions must be accompanied by a successful reCAPTCHA.

Setup invisible reCAPTCHAOptional

If you'd rather not having the default styling of the reCAPTCHA conflict with your form's style, you can hide it instead using the code snippet below. Remember to keep the data-sitekey as shown.

function onSubmit(token) {
<form id="invisible-recaptcha-form">
<button class="g-recaptcha" data-sitekey="6Lew3SMUAAAAAJ82QoS7gqOTkRI_dhYrFy1f7Sqy" data-callback='onSubmit' data-badge="inline">Submit</button>
Hide Google's attribution badgeOptional

If you want to hide Google's attribute, you can use the CSS below. Simply include it anywhere outside of your form tags, or to your custom stylesheet.

.grecaptcha-badge {
display: none;


This technique can be used to add an additional layer of protection. By including a hidden field in your form for spam bots to fill out, the submission will be ignored when a value is entered and submitted.

A custom honeypot field name can be specified within your form settings.

<form accept-charset="UTF-8" action="" method="POST">
<input type="hidden" name="_gotcha">