Spam prevention

RizzForms provides multiple layers of protection to keep spam submissions out of your inbox and your data clean.

Honeypot fields

A honeypot is a hidden form field that real users never see or fill in. Bots that auto-fill every input will trigger it, and RizzForms marks the submission as spam.

Add a field named _hp (or its alias _gotcha) and hide it with CSS:

<form action="https://forms.rizzness.com/f/your-token" method="POST">
  <!-- Honeypot: hidden from humans, visible to bots -->
  <div style="position: absolute; left: -9999px;" aria-hidden="true">
    <input type="text" name="_hp" tabindex="-1" autocomplete="off">
  </div>

  <label for="email">Email</label>
  <input type="email" id="email" name="email" required>

  <label for="message">Message</label>
  <textarea id="message" name="message"></textarea>

  <button type="submit">Send</button>
</form>

How it works: If the _hp or _gotcha field contains any value, the submission is flagged as spam. The field value is truncated to 50 bytes and stored for audit purposes, but the submission does not trigger notifications or plugin deliveries.

Tip: Use position: absolute and left: -9999px rather than display: none. Some sophisticated bots skip fields with display: none, but will still fill in off-screen inputs.
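
The rule described under "How it works" can be modelled as below. This is an added example, not RizzForms' own code; the function names classifySubmission and truncateUtf8, the result shape, and the choice to cut on a UTF-8 character boundary are assumptions.

```javascript
// Added example, not RizzForms source: models the honeypot rule described above.
const HONEYPOT_FIELDS = ["_hp", "_gotcha"]; // field names from the page
const AUDIT_MAX_BYTES = 50;                 // audit truncation limit from the page

// Truncate to at most maxBytes of UTF-8. Assumption: the cut lands on a
// character boundary so the stored audit value stays valid UTF-8.
function truncateUtf8(value, maxBytes) {
  const bytes = new TextEncoder().encode(value);
  if (bytes.length <= maxBytes) return value;
  let end = maxBytes;
  // bytes[end] is the first dropped byte; if it is a continuation byte
  // (10xxxxxx) the cut is mid-character, so back up to the lead byte.
  while (end > 0 && (bytes[end] & 0xc0) === 0x80) end--;
  return new TextDecoder().decode(bytes.subarray(0, end));
}

// Classify a parsed form body (plain object: field name -> string or string[]).
function classifySubmission(fields) {
  for (const name of HONEYPOT_FIELDS) {
    const raw = fields[name];
    // A field repeated in the POST body may parse as an array; join it.
    const value = Array.isArray(raw) ? raw.join("") : String(raw ?? "");
    if (value.length > 0) {
      return {
        spam: true,
        notify: false, // flagged submissions trigger no notifications or deliveries
        audit: { field: name, value: truncateUtf8(value, AUDIT_MAX_BYTES) },
      };
    }
  }
  // Assumption: empty honeypot keys are dropped before the data is stored.
  const clean = Object.fromEntries(
    Object.entries(fields).filter(([key]) => !HONEYPOT_FIELDS.includes(key))
  );
  return { spam: false, notify: true, fields: clean };
}

// Constructed sample submissions (not real traffic).
const samples = [
  { email: "ana@example.com", message: "Hello", _hp: "" },
  { email: "bot@example.com", _gotcha: "a" + "é".repeat(40) },
];
for (const s of samples) console.log(JSON.stringify(classifySubmission(s)));
```

The second sample is 81 bytes of UTF-8 and byte 50 falls inside a two-byte character, so the stored audit value ends up 49 bytes long rather than containing half a character.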

Turnstile CAPTCHA

Cloudflare Turnstile provides an invisible, privacy-friendly challenge that stops automated submissions without annoying real users.

To enable Turnstile:

  1. Open your form settings in the RizzForms dashboard.
  2. Toggle Turnstile CAPTCHA on.
  3. Add the Turnstile widget to your HTML form:

<!-- Add the Turnstile script -->
<script src="https://challenges.cloudflare.com/turnstile/v0/api.js" async defer></script>

<form action="https://forms.rizzness.com/f/your-token" method="POST">
  <label for="email">Email</label>
  <input type="email" id="email" name="email" required>

  <!-- Turnstile widget -->
  <div class="cf-turnstile" data-sitekey="YOUR_SITE_KEY"></div>

  <button type="submit">Send</button>
</form>

RizzForms verifies the Turnstile token server-side. Submissions that fail verification are rejected before storage.

Rate limiting

Each form endpoint allows 60 submissions per minute per IP address. This prevents brute-force spam floods.

  • When the limit is exceeded, RizzForms returns a 429 Too Many Requests response.
  • The limit resets after one minute.
  • Legitimate users submitting a single form will never hit this limit.

Rate limiting is always active. No configuration needed.

Keeping notification emails out of spam

The sections above focus on preventing spam submissions to your forms. This section addresses a different problem: making sure RizzForms notification emails reach your inbox instead of your spam folder.

RizzForms sends from two address patterns on forms.rizzness.com:

  • [email protected] — submission notifications and account emails
  • {token}[email protected] — the Reply-To address when email proxy is enabled. Each submission gets a unique token address so replies thread back correctly. The address looks different on every notification, but always comes from forms.rizzness.com.

The safest approach is to allowlist the entire domain forms.rizzness.com so both address patterns are covered. Select your email provider for step-by-step instructions: