Why Does My Business Website Get So Much Spam?
If your contact form floods your inbox with fake Russian SEO pitches, crypto offers, and bot-generated nonsense, your site is not broken.
It was built without the right defenses.
Here is what is actually going on, and how a real pipeline shuts it down.
The Real Reason Your Form Is Flooded
Most platforms ship a contact form as a checkbox feature, not as a hardened endpoint.
Three structural problems do most of the damage.
Your Form Endpoint Is Public
Any tool that scans the web can find your contact form URL in seconds. Bots maintain massive databases of known Wix, WordPress, and Squarespace form endpoints. Yours was added to that list the day you launched.
Plugin-Based Protection Is Reactive
Akismet, reCAPTCHA, and the various WordPress security plugins fight spam after it arrives at your form. That is filtering, not prevention. Sophisticated bots already know how to defeat or bypass these tools.
Shared Sender Reputation
Your form replies leave from an IP shared with thousands of other sites, some of which send actual spam. Gmail and Outlook silently downgrade your replies to spam folders. The leak goes both ways.
How a Real Pipeline Stops Spam
Every form on every site we build runs through this same six-layer defense.
None of it is a plugin.
All of it is in the foundation.
Every form submission must include a token signed with HMAC-SHA-256 and tied to a 60-minute expiry. A bot that scrapes your form and replays it an hour later gets a 403. A bot that does not request a token first gets nothing at all.
The handler rejects any POST that did not come from the site itself. Cross-origin submissions, the easiest path for distributed bots, get blocked at the door before any business logic runs.
A privacy-respecting CAPTCHA runs invisibly for real users and blocks headless browsers and scripted clients. No squinting at traffic lights, no five-image grids, no third-party cookies.
Submissions are limited to five per hour per IP. The rate-limit key is a SHA-256 hash of the address, aggregated to its /64 prefix for IPv6 so an attacker cannot evade the limit by rotating the lower 64 bits. A single bot trying to flood you gets rejected after the fifth attempt for the next 55 minutes.
An invisible field that real humans never see and bots cannot resist filling in. It is CSS-positioned off-screen, never display: none (which modern bots ignore). A non-empty honeypot is an instant silent rejection.
Replies go out through Postmark's dedicated transactional infrastructure over HTTPS, not shared SMTP. SPF, DKIM, and DMARC are all aligned. Your reply hits the inbox, not the junk folder, every time.
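The request-side layers described above, written out as an added Python example so the order of the checks is concrete. This is not the page's own code (the page says its pipeline is PHP); the Turnstile verification and the Postmark hand-off are calls to external services and are left as noted steps rather than reproduced. The secret key, allowed origin, honeypot field name, token format and sample addresses are assumptions chosen for the example.

```python
import hashlib
import hmac
import ipaddress
import secrets
import time
from urllib.parse import urlparse

# Assumed configuration; these values are placeholders, not the project's own.
SECRET_KEY = b"replace-with-a-long-random-server-side-secret"
ALLOWED_ORIGINS = {"https://example.com"}
HONEYPOT_FIELD = "website_url"   # assumed name of the hidden field
TOKEN_TTL = 60 * 60              # 60 minute token expiry
RATE_LIMIT = 5                   # submissions per window per client key
RATE_WINDOW = 60 * 60            # one hour

# In-memory hit log (key -> timestamps). A deployment would use a shared store.
_hits = {}


def issue_token(now=None):
    """Layer 1: mint '<issued>.<nonce>.<hmac>' for the page to embed in the form."""
    issued = int(now if now is not None else time.time())
    payload = f"{issued}.{secrets.token_hex(8)}"
    tag = hmac.new(SECRET_KEY, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}.{tag}"


def verify_token(token, now=None):
    """Reject a missing, malformed, tampered, or expired (> 60 min) token."""
    try:
        issued_s, nonce, tag = token.split(".")
        issued = int(issued_s)
    except (ValueError, AttributeError):
        return False
    expected = hmac.new(SECRET_KEY, f"{issued}.{nonce}".encode(),
                        hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):   # constant-time compare
        return False
    current = now if now is not None else time.time()
    return 0 <= current - issued <= TOKEN_TTL


def origin_allowed(headers):
    """Layer 2: accept only POSTs whose Origin (or, failing that, Referer) is the site."""
    origin = headers.get("Origin")
    if origin is None:
        referer = headers.get("Referer")
        if not referer:
            return False
        parts = urlparse(referer)
        origin = f"{parts.scheme}://{parts.netloc}"
    return origin in ALLOWED_ORIGINS


def rate_key(ip):
    """Layer 4: SHA-256 of the client address; IPv6 is collapsed to its /64 first,
    so rotating the lower 64 bits still lands on the same key."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 6:
        subject = str(ipaddress.IPv6Network((addr, 64), strict=False))
    else:
        subject = str(addr)
    return hashlib.sha256(subject.encode()).hexdigest()


def rate_limited(ip, now=None):
    """True once a key has already made RATE_LIMIT submissions inside RATE_WINDOW."""
    current = now if now is not None else time.time()
    key = rate_key(ip)
    recent = [t for t in _hits.get(key, []) if current - t < RATE_WINDOW]
    if len(recent) >= RATE_LIMIT:
        _hits[key] = recent
        return True
    recent.append(current)
    _hits[key] = recent
    return False


def honeypot_tripped(form):
    """Layer 5: humans never see the field, so any content in it marks a bot."""
    return bool(form.get(HONEYPOT_FIELD, "").strip())


def handle_submission(headers, form, client_ip, now=None):
    """Run the checks in pipeline order and report the outcome.
    Layer 3 (Turnstile verification) and layer 6 (handing the message to
    Postmark) are calls to external services and are not reproduced here."""
    if not verify_token(form.get("_token"), now):
        return {"status": 403, "reason": "missing_or_invalid_token", "delivered": False}
    if not origin_allowed(headers):
        return {"status": 403, "reason": "cross_origin", "delivered": False}
    if rate_limited(client_ip, now):
        return {"status": 429, "reason": "rate_limited", "delivered": False}
    if honeypot_tripped(form):
        # Silent rejection: the bot sees success, nothing is delivered.
        return {"status": 200, "reason": "honeypot", "delivered": False}
    return {"status": 200, "reason": "accepted", "delivered": True}
```

Two details carry the security weight: the token tag is compared with `hmac.compare_digest` rather than `==`, and the rate-limit key is derived from the /64 network rather than the full IPv6 address, so a client cycling through its own host bits is still counted as one client.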
Typical Wix Form vs Aegis Pipeline
What you actually get out of the box.
Typical Builder Form
- Public endpoint indexed by bot databases
- One CAPTCHA plugin, sometimes
- No rate limiting at the handler level
- No honeypot
- Shared SMTP sender reputation
- Replies often land in spam folders
- Spam plugin invoiced separately
Aegis Secure Pipeline
- HMAC-signed CSRF token, 60 minute expiry
- Origin and Referer allowlist enforced server-side
- Cloudflare Turnstile bot defense
- IP rate limit, 5 per hour, IPv6 aware
- CSS-hidden honeypot field
- Postmark dedicated transactional sender
- All of it included, no add-ons
Spam Pipeline: Common Questions
Can I just install Akismet or a CAPTCHA plugin?
The real problem is that your form endpoint is publicly callable from anywhere.
A plugin is a strainer downstream of an open fire hose.
The pipeline we describe above shuts the hose off upstream.
CSRF tokens, origin checks, and rate limits reject bot submissions before any plugin logic runs, so the form never sees the spam in the first place.
What is a honeypot field?
Bots fill in every field they find, so a submission with a non-empty honeypot is almost always a bot.
We hide ours with CSS positioning, not display: none, because modern bots ignore display: none fields. Done right, a honeypot catches a meaningful percentage of low-effort spam without ever showing the user a CAPTCHA.
Why does Postmark matter for spam?
Bots send you spam, and your replies to real leads can land in their spam folders.
Wix and most shared hosts send mail from IP addresses shared with thousands of other sites, including some that send actual spam.
Inbox providers downgrade those IPs.
Postmark sends from dedicated transactional infrastructure with a clean reputation and with SPF, DKIM, and DMARC all aligned.
Your reply lands in the inbox, not the junk folder.
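To show what "aligned" means in practice, here is an added Python example (not the page's or Postmark's code) of the DMARC identifier-alignment rule from RFC 7489: a reply passes DMARC only if SPF or DKIM passed *and* the domain that passed aligns with the visible From domain. The organizational-domain rule below is simplified to the last two labels, which is an assumption made for the example; real evaluators consult the Public Suffix List. The domain names are constructed.

```python
def organizational_domain(domain):
    """Simplified organizational-domain rule (assumed: last two labels).
    A production evaluator uses the Public Suffix List instead, so that
    names like 'example.co.uk' are handled correctly."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def identifier_aligned(from_domain, auth_domain, mode="r"):
    """Strict ('s') alignment needs an exact domain match; relaxed ('r')
    alignment needs the same organizational domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return organizational_domain(from_domain) == organizational_domain(auth_domain)


def dmarc_passes(from_domain, spf_result, spf_domain,
                 dkim_result, dkim_domain, aspf="r", adkim="r"):
    """DMARC passes when at least one of SPF or DKIM both passed and is
    aligned with the RFC5322.From domain. spf_domain is the envelope
    (Return-Path) domain, dkim_domain the d= tag of a valid signature."""
    spf_ok = spf_result == "pass" and identifier_aligned(from_domain, spf_domain, aspf)
    dkim_ok = dkim_result == "pass" and identifier_aligned(from_domain, dkim_domain, adkim)
    return spf_ok or dkim_ok


# Constructed scenarios: a reply from the business domain 'yourbiz.example'.
SHARED_HOST = dict(spf_result="pass", spf_domain="bounce.sharedhost.example",
                   dkim_result="pass", dkim_domain="sharedhost.example")
DEDICATED = dict(spf_result="pass", spf_domain="bounce.sharedhost.example",
                 dkim_result="pass", dkim_domain="mail.yourbiz.example")
```

In the SHARED_HOST scenario both SPF and DKIM pass, but they pass for the host's domain, not yours, so DMARC still fails and the reply is treated as unauthenticated. In the DEDICATED scenario the DKIM signature is made with a key under your own domain, so relaxed alignment succeeds even though the bounce address still belongs to the provider.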
How much does this anti-spam pipeline cost extra?
It is the default on every site we build.
Tier 1 includes the full hardened PHP pipeline, dedicated Postmark routing, and Turnstile bot defense.
There is no add-on tier or premium plugin.
If a contact form leaks spam to your inbox, we did not build it.
Want to Know Where Your Site Leaks?
Run a free audit and we will show you where your current site is exposed. That includes header gaps, missing SPF/DMARC, and visible form endpoints. It also checks security headers your platform forgot to set.