This article covers how to enable Google Enterprise reCAPTCHA on Keap™ web forms, including configuration steps for hosted forms and custom HTML forms, and how subscription bombing attacks affect email deliverability and sender reputation. This article does not cover how to create web forms or configure Confirmed Opt-In sequences. For help with Confirmed Opt-In, see how to set up a Confirmed Opt-In sequence in Keap.
Google reCAPTCHA Update for Keap Web Forms
Keap has updated the Google reCAPTCHA integration for web forms used within the automation builder to Google reCAPTCHA Enterprise — the latest supported version. This update improves bot detection, ensures ongoing compatibility with Google's requirements, and maintains a seamless submission experience for real users. Keap-hosted forms do not require manual code changes to benefit from this update, but custom HTML forms require additional configuration steps as described in the sections below.
Important: If third-party plugins are used alongside Keap web forms, form submission issues may occur. Test all third-party tool integrations thoroughly after enabling the updated reCAPTCHA. Submissions made in incognito or private browsing mode may occasionally be flagged as suspicious because private browsing sessions can resemble bot activity.
How to Enable Google reCAPTCHA on a Keap-Hosted Form
For Keap-hosted forms, Google reCAPTCHA Enterprise is enabled by confirming that the spambot detection setting is active. Follow these steps to verify the setting.
Open the automation in the Keap automation builder and locate the web form to configure.
Select Settings on the form.
The screenshot above shows the Keap automation builder with a web form and the Settings button visible. Selecting Settings opens the form settings panel where the Spambot Detection section is located.
In the Spambot Detection section, confirm that the Don't use Google reCAPTCHA for spambot detection checkbox is not selected. Google reCAPTCHA Enterprise is active when this checkbox is unchecked. If the checkbox is selected, deselect it to enable reCAPTCHA.
The screenshot above shows the Spambot Detection section in the Keap web form settings panel. The checkbox labeled "Don't use Google reCAPTCHA for spambot detection" must be unchecked for Google reCAPTCHA Enterprise to be active. An unchecked checkbox in this section means reCAPTCHA is enabled.
If any changes were made to the form settings, republish the automation to apply the changes.
How to Enable Google reCAPTCHA on a Custom HTML Form
For forms where the HTML or JavaScript code has been copied from the Code tab for custom styling or embedding on an external website, follow these additional steps to verify the Google Enterprise reCAPTCHA script is present in the form code.
Warning: Do not delete any scripts included in the unstyled HTML snippet. Removing scripts may cause the form to malfunction or stop working entirely. Apply custom styling around the existing code without removing any part of the provided snippet.
Open the automation in the Keap automation builder and locate the web form to configure.
Select Settings on the form and confirm that the Don't use Google reCAPTCHA for spambot detection checkbox in the Spambot Detection section is not selected — following the same steps as the hosted form configuration above.
Select the Code tab in the form editor, then select HTML Code (unstyled).
The screenshot above shows the Keap web form editor with the Code tab selected and the HTML Code (unstyled) option visible. Selecting HTML Code (unstyled) displays the full form code including the Google Enterprise reCAPTCHA script.
In the HTML code, locate the Google Enterprise reCAPTCHA script. The script reference to look for is enterpriseRecaptcha.js and it appears in a line similar to the following:
<script type="text/javascript" src="https://<appID>.infusiontest.com/resources/external/recaptcha/production/enterpriseRecaptcha.js?b=<build-number>"></script>
The screenshot above shows the Keap web form HTML code with the Google Enterprise reCAPTCHA script tag visible. The presence of enterpriseRecaptcha.js in the script source URL confirms the form is using the updated Google Enterprise reCAPTCHA version. If the script is not present, update the form code by copying the current HTML code from the Code tab and replacing the existing code on the website. Copy the full script tag beginning with <script> and ending with </script> and place it in the correct location in the website code.
Republish the automation if any changes were made to the form settings.
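The check described in this section can be scripted for sites that embed several copied forms. The following is an added example, not Keap's code: it parses a form snippet and reports whether the enterpriseRecaptcha.js script tag and the hidden inf-sbt field are present. The helper names, the sample snippets and the app.example.invalid host are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

SCRIPT_NAME = "enterpriseRecaptcha.js"   # script name given in the article
HONEYPOT_NAME = "inf-sbt"                # hidden field name given in the article


class FormAudit(HTMLParser):
    """Collects script sources and input names found in a form snippet."""

    def __init__(self):
        super().__init__()
        self.script_srcs = []
        self.input_names = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "script" and attrs.get("src"):
            self.script_srcs.append(attrs["src"])
        elif tag == "input" and attrs.get("name"):
            self.input_names.append(attrs["name"])


def audit_form_html(html):
    """Return findings for one embedded form (hypothetical helper)."""
    parser = FormAudit()
    parser.feed(html)
    # Match on the file name in the URL path so the ?b=<build> query is ignored.
    matches = [s for s in parser.script_srcs
               if urlparse(s).path.rsplit("/", 1)[-1] == SCRIPT_NAME]
    return {
        "recaptcha_script": bool(matches),
        "script_over_https": bool(matches) and all(
            urlparse(s).scheme == "https" for s in matches),
        "honeypot_field": HONEYPOT_NAME in parser.input_names,
    }


# Constructed samples: a current snippet and an older copy without the script.
CURRENT = '''<form method="POST">
<input type="text" name="inf-sbt" style="display:none !important;">
<input type="text" name="email">
<script type="text/javascript" src="https://app.example.invalid/resources/external/recaptcha/production/enterpriseRecaptcha.js?b=1"></script>
</form>'''
STALE = '<form method="POST"><input type="text" name="email"></form>'

if __name__ == "__main__":
    for label, html in (("current", CURRENT), ("stale", STALE)):
        print(label, audit_form_html(html))
```

A missing honeypot_field is informational rather than a failure, since the FAQ below describes removing that field as a workaround for one plugin.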
What Is Subscription Bombing and How Does It Affect Your Email Deliverability
Subscription bombing — also called list bombing — occurs when an automated script or bot submits an email address that does not belong to the attacker into as many web forms as possible. The attacker uses marketing automation systems to flood the target's inbox with unwanted emails. The business whose web form is used in the attack unknowingly sends unsolicited email to the target address.
When web forms are used as an attack vector to send unsolicited email in significant volumes, the sending business's email sender reputation is damaged with mailbox providers such as Gmail and Yahoo and with email blacklisting providers such as Spamhaus. Because sender reputation directly affects inbox placement, the sending business is held accountable for all email sent from its account — including email triggered by a bot attack on its web forms.
How to Protect Your Web Forms Against Subscription Bombing
Email security experts and blacklist moderators recommend using both Google reCAPTCHA and Confirmed Opt-In (COI) together as the most effective defense against subscription bombing:
Google reCAPTCHA — Google reCAPTCHA is enabled by default on web forms created in Keap. For third-party web forms hosted outside of Keap, reCAPTCHA must be configured separately. See the Google reCAPTCHA product page for setup guidance.
Confirmed Opt-In (COI) — Also known as Double Opt-In (DOI), a COI sequence sends a confirmation email to the address submitted on the form. The contact must select the confirmation link in the email before being enrolled in further communications. A correctly configured COI sequence sends no more than one email per form submission per recipient — limiting the damage caused by a subscription bombing attack even if the bot bypasses reCAPTCHA.
Additional protective measures include implementing honeypot fields — hidden form fields that only bots will fill out, which can be used to filter automated submissions — and monitoring new contact records to identify and remove low-quality or suspicious leads.
Keap does not require the use of reCAPTCHA or Confirmed Opt-In, but does require that explicit permission is obtained before sending email to any contact. Unsecured web forms create the risk of unknowingly violating this requirement through a bot attack.
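For a form hosted outside of Keap, the honeypot and Confirmed Opt-In measures above can be combined in the submission handler. The following is an added example, not Keap's implementation: the honeypot field name "website", the class and the sample traffic are constructed, and it goes one step further than the text by suppressing repeat confirmation emails while one is already pending for the same address.

```python
import secrets

HONEYPOT_FIELD = "website"   # assumed name of a hidden field on a self-hosted form


class OptInGate:
    """Honeypot filter plus Confirmed Opt-In for a self-hosted signup form."""

    def __init__(self):
        self.pending = {}       # email -> confirmation token
        self.confirmed = set()  # addresses whose owner selected the link
        self.outbox = []        # (email, token) confirmation messages queued

    def submit(self, fields):
        """Handle one form submission and return what was done with it."""
        if fields.get(HONEYPOT_FIELD, "").strip():
            return "dropped_honeypot"       # hidden field filled: automated
        email = fields.get("email", "").strip().lower()
        if not email or "@" not in email:
            return "rejected_invalid"
        if email in self.confirmed:
            return "already_confirmed"
        if email in self.pending:
            return "confirmation_pending"   # no second email to this address
        token = secrets.token_urlsafe(16)
        self.pending[email] = token
        self.outbox.append((email, token))
        return "confirmation_sent"

    def confirm(self, email, token):
        """Enroll the contact only when the emailed token comes back."""
        email = email.strip().lower()
        expected = self.pending.get(email)
        if expected is None or not secrets.compare_digest(
                expected.encode(), token.encode()):
            return False
        del self.pending[email]
        self.confirmed.add(email)
        return True


# Constructed traffic: a bot repeating one victim address, then a real signup.
SAMPLE = [
    {"email": "victim@example.com", "website": "http://spam.example"},
    {"email": "victim@example.com", "website": ""},
    {"email": "Victim@example.com", "website": ""},
    {"email": "reader@example.org", "website": ""},
]
```

Replaying SAMPLE through one OptInGate queues a single confirmation for the victim address, and nothing further is sent to it unless the emailed token is returned.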
Frequently Asked Questions
What does this article cover?
This article covers how to enable Google Enterprise reCAPTCHA on Keap web forms, including configuration steps for hosted forms and custom HTML forms, and how subscription bombing attacks affect email deliverability and sender reputation. For help with Confirmed Opt-In, see how to set up a Confirmed Opt-In sequence in Keap.
Do I need to update my web form code?
For Keap-hosted forms, no code changes are required — confirming the Spambot Detection setting is sufficient. For custom HTML forms where the form code has been copied from the Code tab and embedded on an external website, the form code must be updated to include the enterpriseRecaptcha.js script to enable Google Enterprise reCAPTCHA bot protection.
Will the form look different after updating the code?
The updated form code may require restyling to match the existing website design. Apply custom styling around the existing code without removing any scripts from the provided HTML snippet — removing scripts may cause the form to malfunction or stop working.
What happens if I do not update my custom form code?
Custom HTML forms that are not updated to include the Google Enterprise reCAPTCHA script remain vulnerable to spam bot submissions. Without the updated bot protection, automated bots can submit the form freely, which may trigger unwanted automation sequences and damage email sender reputation over time.
Does this update affect Public Forms in Keap?
No. The Google Enterprise reCAPTCHA update applies only to legacy web forms used within the Keap automation builder. Public Forms are not affected by this update.
My web forms are not submitting when using the Thrive Themes plugin. What should I do?
A hidden spambot detection field — <input type="text" name="inf-sbt" style="display:none !important;"> — was added to Keap web forms as part of the reCAPTCHA update. This field is not intended to be filled in by visitors and is used for bot detection only. The Thrive Themes plugin may interfere with this hidden field and cause form submissions to fail. To resolve the issue, remove this specific hidden field from the form code. Removing only this field will not affect form functionality and will allow forms to submit correctly when using the Thrive Themes plugin.
Will Google Enterprise reCAPTCHA block all spam bots?
No. Google reCAPTCHA Enterprise provides advanced AI-powered bot detection but does not block all spam bots. Sophisticated AI bots and human-operated click farms can sometimes bypass reCAPTCHA. Using Google reCAPTCHA Enterprise alongside Confirmed Opt-In and honeypot fields provides a more comprehensive defense against subscription bombing than reCAPTCHA alone.