How to Prevent Bots From Spamming Your Email Signup Forms

When adding public signup forms to any website, one of the main problems you'll encounter is bot attacks.

This is when an automated script (bot) fills out your form with fraudulent emails or irrelevant information. Over time, this has the potential to degrade the integrity of your email list and deliverability. Bots don't open emails!

Why am I being targeted?

TL;DR: It probably isn't targeted at you specifically.

Just like the Google Search bot will crawl your website eventually if you are getting traffic and backlinks, it's likely that eventually, so will one of these signup bots. Especially if your website contains certain properties deemed desirable by whomever is conducting the attack.

How do I stop the fake spam email signups?

By default, most email marketing platforms (including Audienceful) will refuse signups from certain spam email addresses/IPs. However, chances are you'll need extra protection. Bot scripts are constantly evolving to evade common detection methods.

Luckily, this problem is almost as old as the internet, so there's many solutions. Here's what we recommend:

Add our honeypot field

In our default signup form code, we include an invisible honeypot field. This field is invisible to humans, so if any data is added to it, we reject the signup.

Make sure this field is included in your forms (here's a guide for adding it to custom Webflow forms). We absolutely recommend doing this even if you've never been targeted by a bot attack since it has zero effect on user experience.

Enable double opt-in

Double opt-in requires the user to click a link in an email before they get subscribed to your list. This is a strong deterrent against bots, since most bots aren't sophisticated enough to do this (some are...).

This is also a fantastic way to ensure only high quality emails are entering your list, as it also prevents typos, bounces, invalid emails, and low engagement subscribers. Here's how to enable double opt-in on your forms.

However, using double opt-in by itself without also using another protection method is still a risk, as the double opt-in emails themselves can hurt your deliverability if sent to thousands of fake email addresses.


The honeypot should solve the most common forms of bots. However, in the case of a particularly nasty one, the next step is to implement a CAPTCHA on your forms. This reveals if the visitor to your website is an actual human, using either passive signals or active methods like a quick puzzle.

Google offers a service called reCAPTCHA that you can integrate into your site for free, and there's also many 3rd party options that will likely integrate with whatever website platform you are using.

While this can slightly degrade user-experience (in the case of an active puzzle), you can be sure your signups are authentic this way.

Add Cloudflare to your website

By adding a free service like Cloudflare, you can prevent all bot traffic on your website, and significantly cut down on the ability for bots to even crawl your websites to find your forms.

Already been hit? Use an email list verifier

If you're already been hit by a bot attack and are now unsure how many of your email signups are legitimate, we recommend exporting your email list as a CSV and running it through an email list verification service, then re-uploading the cleaned list.

Note: If you search Google you'll find hundreds of these services, however the quality of them can vary dramatically. We typically recommend and their Bulk Verifier service.

February 2, 2024
Published via Audienceful