UPDATE (1-12-2026)
Keap has updated the Google reCAPTCHA integration for webforms used within the Automation Builder to the latest supported version. This update will improve bot detection, ensure ongoing compatibility with Google’s requirements, and maintain a seamless submission experience for real users without requiring manual configuration changes for Keap hosted forms.
There are actions you need to take in order to take advantage of this new security feature!
Important notes!
- If you’re using other third-party plugins alongside our forms, you may experience issues with lead submissions. For best results, we recommend using our forms on their own, or thoroughly testing them with any third-party tools you use.
- Submissions made in incognito/private browsing mode may occasionally be flagged, since these sessions can look similar to bot activity.
Hosted Version
If you are using the Keap-hosted version of the form, you just need to make sure the box is UN-checked to enable Google reCAPTCHA.
- Open the automation and find the form you want to check
- Click on Settings
- In the "Spambot Detection" section, confirm that “Don’t use Google reCAPTCHA for spambot detection” is not selected.
- If you made a change to the form, don't forget to republish your Automation.
Additional Customization
If you use the Code tab to copy HTML or JavaScript snippets to customize your form, there are a few steps to enable Google Enterprise reCAPTCHA:
- Open the automation and find the form you want to check
- Click on Settings
- In the "Spambot Detection" section, confirm that “Don’t use Google reCAPTCHA for spambot detection” is not selected.
- In the Code tab, click on HTML Code (unstyled)
- To confirm your form has the upgraded Google reCAPTCHA, look for a line like the following in the HTML code. The part to look for is the file name at the end, enterpriseRecaptcha.js:
<script type="text/javascript" src="https://<appID>.infusiontest.com/resources/external/recaptcha/production/enterpriseRecaptcha.js?b=<build-number>"></script>
- Copy this section of code, beginning with <script> and ending with </script>, and place it in your website
- Be sure to republish your Automation if you made any changes.
DISCLAIMER: Do not delete any scripts included in the Unstyled HTML snippet. Removing these scripts may cause the form to malfunction or stop working entirely. Users should apply custom styling around the existing code without removing any part of the provided snippet.
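A quick way to check a restyled page against the snippet you copied is shown below. This is an added example, not Keap code: it reports whether enterpriseRecaptcha.js and the inf-sbt hidden field are still present and lists any external script from the copied snippet that is missing from the deployed page. The function names, the example host and form.js are assumptions made for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

RECAPTCHA_SCRIPT = "enterpriseRecaptcha.js"  # file name given in the article
HONEYPOT_FIELD = "inf-sbt"                   # hidden spambot field named in the article


class FormScan(HTMLParser):
    """Collects external script file names and input field names."""

    def __init__(self):
        super().__init__()
        self.scripts, self.inputs = set(), set()

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script" and a.get("src"):
            # Keep only the file name so the ?b=<build-number> query is ignored.
            self.scripts.add(urlparse(a["src"]).path.rsplit("/", 1)[-1])
        elif tag == "input" and a.get("name"):
            self.inputs.add(a["name"])


def scan(html):
    s = FormScan()
    s.feed(html)
    s.close()
    return s


def audit_deployed_form(reference_snippet, deployed_html):
    """Compare the copied form snippet with the page actually being served."""
    ref, live = scan(reference_snippet), scan(deployed_html)
    return {
        "recaptcha_enterprise_loaded": RECAPTCHA_SCRIPT in live.scripts,
        "honeypot_present": HONEYPOT_FIELD in live.inputs,
        "scripts_removed": sorted(ref.scripts - live.scripts),
    }


# Constructed sample input: host, build number and form.js are placeholders.
BASE = "https://app.example.invalid/resources/external/"
REFERENCE = (
    '<script src="' + BASE + 'recaptcha/production/enterpriseRecaptcha.js?b=1"></script>'
    '<script src="' + BASE + 'form.js"></script>'
    '<form><input type="text" name="inf-sbt" style="display:none !important;">'
    '<input type="text" name="email"></form>'
)
# A restyled copy where the reCAPTCHA script was deleted by mistake.
DEPLOYED = REFERENCE.replace(REFERENCE.split("</script>")[0] + "</script>", "")
```

Only external scripts (those with a src attribute) are compared; inline scripts in the snippet are not checked.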
Update FAQs
Do I have to update my web forms?
Yes, to enable bot protection, you must replace your existing form code with the new version.
Will my form look different?
You may need to restyle the new form code to match your website.
What if I don’t update my form?
Your form will remain vulnerable to spam bots.
Does this affect Public Forms?
No, this update is only for legacy web forms.
I use the Thrive Themes plugin and noticed that my web forms are not submitting. What can I do?
The following field <input type="text" name="inf-sbt" style="display:none !important;"> was recently added as part of this update. It's a spambot hidden field that should not be filled out by customers.
Users can remove this field from the code, and the forms will no longer fail to submit when using the Thrive Themes plugin.
Will Google Enterprise reCAPTCHA block all spam bots?
No, Google reCAPTCHA Enterprise will not block all spam bots. While it offers advanced, AI-powered protection, sophisticated AI bots and human-operated "click farms" can sometimes bypass the system, meaning it is not a foolproof solution.
Relying solely on reCAPTCHA Enterprise may not be sufficient for complete protection against sophisticated threats. Security experts recommend a multi-layered defense strategy:
- Implement Honeypots: Use hidden form fields that only bots will fill out to filter out automated submissions.
- Monitor Analytics: Check your new contacts to identify and filter low-quality leads.
List bombing occurs when an email address is submitted to your web form by someone other than the owner of the address and you unknowingly send unsolicited email. While one or two instances will surely go unnoticed, this problem can become especially significant if it occurs in bulk.
The Cause: Subscription Bombing
The most prevalent cause for this is what’s known as “subscription bombing”, which is an attack designed to overload a recipient’s inbox with unsolicited email, thus rendering their inbox useless (imagine how useful your inbox would be if it received over 100 emails per minute). The attacker essentially weaponizes your marketing automation by using a script or bot to submit the email address of the target, or more often multiple targets, into as many web forms as possible. The attacker then relies on your email automations or broadcasts to contribute to a barrage of unwanted emails aimed at their target - all without your knowledge.
The Impact: Greatly reduced email deliverability
Allowing your forms to be used as an attack vector to send unsolicited email, especially in significant volumes, negatively impacts your (and our) email sender reputation with mailbox providers (e.g. Gmail, Yahoo, etc.) and blacklisting providers (e.g. Spamhaus). Because sender reputation is so critical to inbox placement, you are effectively held accountable for all the email that you send - including email sent because of a bot attack on your web form.
The Solution: reCAPTCHA and COI
- Use reCAPTCHA - Google’s reCAPTCHA is enabled by default on web forms created in Keap, but you will need to set up reCAPTCHA on your own if you use 3rd party web forms.
- Use Confirmed Opt-In (COI) AKA “Double Opt-In” (DOI) - When used correctly, a COI sequence will send no more than one email per form submission per recipient. While this doesn’t completely stop you from unknowingly sending unsolicited email, it does help limit the amount of unsolicited email that you send, thus reducing the potential damage to your sender reputation. In this way, COI can help to prevent a subscription bombing attack from compounding.
Email industry experts and blacklist moderators agree: the best defense against subscription bombing is using both reCAPTCHA and COI. Remember, while Keap does not require the use of reCAPTCHA or COI, we do require that you obtain explicit permission to send email, and unsecured web forms provide the possibility for you to unknowingly violate that requirement.
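For a self-hosted or 3rd party form handler, the honeypot recommendation and the COI rule above can be combined as in this added example, which is not Keap code. OptInGate, the send_email hook and the demo key are hypothetical names, and the sketch assumes one confirmation email per pending address, so repeated bot submissions of the same address send nothing further.

```python
import hashlib
import hmac

SECRET = b"constructed-demo-key"  # assumption: a real deployment loads this from config
HONEYPOT_FIELD = "inf-sbt"        # hidden spambot field named in the article


class OptInGate:
    """Honeypot filter plus confirmed opt-in for a self-hosted form handler."""

    def __init__(self, send_email):
        self.send_email = send_email  # hypothetical hook: callable(address, token)
        self.pending, self.confirmed = set(), set()

    def _token(self, email):
        return hmac.new(SECRET, email.encode(), hashlib.sha256).hexdigest()

    def submit(self, form):
        email = form.get("email", "").strip().lower()
        if form.get(HONEYPOT_FIELD):      # real visitors never see or fill this field
            return "rejected_honeypot"
        if "@" not in email:
            return "rejected_invalid"
        if email in self.confirmed or email in self.pending:
            return "no_email_sent"        # repeat submissions cannot add more mail
        self.pending.add(email)
        self.send_email(email, self._token(email))
        return "confirmation_sent"

    def confirm(self, email, token):
        email = email.strip().lower()
        expected = self._token(email).encode()
        if email in self.pending and hmac.compare_digest(token.encode(), expected):
            self.pending.discard(email)
            self.confirmed.add(email)
            return True
        return False

    def may_send_marketing(self, email):
        return email.strip().lower() in self.confirmed


def demo():
    """Constructed run: a bot submits one victim address three times."""
    outbox = []
    gate = OptInGate(lambda addr, tok: outbox.append((addr, tok)))
    bot = [gate.submit({"email": "victim@example.com"}) for _ in range(3)]
    trap = gate.submit({"email": "x@example.com", HONEYPOT_FIELD: "http://spam"})
    return bot, trap, len(outbox), gate.may_send_marketing("victim@example.com")
```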