Spam submissions and bot activity can significantly compromise the quality of your email list, increase bounce rates, and damage your sender's reputation.
To help prevent this, we’ve added support for Google reCAPTCHA — a widely adopted tool that protects your online forms from automated abuse without introducing unnecessary friction for legitimate users.
This guide explains how to turn on and configure Google reCAPTCHA on your forms, the benefits it provides, and how it works within your store environment.
Benefits of Enabling reCAPTCHA
Enabling reCAPTCHA offers several advantages for email marketers and store owners:
1. Improved Data Integrity
Automated bots can flood forms with fake email addresses or junk data. ReCAPTCHA prevents most of these submissions from reaching your database.
2. Improved Deliverability
Reducing invalid and non-human signups helps maintain a high sender reputation with email service providers, improving the likelihood that your campaigns land in inboxes.
3. Reduced Fraud Risk
Some bots are used to exploit signup forms for fraud or abuse. ReCAPTCHA adds an additional layer of security to mitigate these risks.
4. Invisible User Experience
The implementation uses invisible reCAPTCHA v2, which operates in the background. It will only prompt the user if the interaction is deemed suspicious, maintaining a seamless experience for genuine visitors.
Setup Process
Step 1: Enable reCAPTCHA in your Omnisend form
Navigate to the form builder for the form you want to protect.
In the right-hand panel, locate the Behavior settings → Audience section.
3. Find the Verification subsection → check the box labeled Enable reCAPTCHA.
4. Click the Set up reCAPTCHA button. This will open a modal window prompting you to input your Google credentials.
Step 2: Register your site with Google reCAPTCHA
To generate the required credentials (site key and secret key), follow these steps:
Visit the Google reCAPTCHA Admin Console. Click Get started from there.
Log in with a Google account.
Under Label, enter a descriptive name (e.g., “Store name newsletter form”).
Select the reCAPTCHA type:
Choose reCAPTCHA v2
Then select Invisible reCAPTCHA badge
Under Domains, enter your domain name (e.g., mystore.com). Do not include https:// or path names — just the root domain.
Accept the reCAPTCHA terms of service.
Submit the form. Google will generate a Site Key and Secret Key for you.
Copy Site & Secret keys generated and return to the Omnisend form builder.
These keys authorize your forms to interact with Google's verification service.
Do not include https:// or path names in the domain field — just the root domain. Make sure to remove any / at the end of the domain name as well.
Step 3: Complete the setup in your Omnisend form
Return to the form builder where the reCAPTCHA modal is still open.
Paste the Site Key you obtained during the Google reCAPTCHA setup into the corresponding Site Key field.
Then, enter the Secret Key into the Secret Key field in the same manner.
Click Finish to complete the integration.
If the keys are valid, you will see a confirmation message stating that “reCAPTCHA is now connected to your form.”
How reCAPTCHA Works
Once configured, reCAPTCHA is integrated into your form with no visible challenge unless suspicious behavior is detected. Visitors will typically not see any additional input fields or checkboxes unless their activity triggers Google's fraud detection algorithms.
A small reCAPTCHA badge may appear in the lower right-hand corner of the page to indicate that protection is active. This complies with Google’s requirement to inform users about the presence of reCAPTCHA and links to its privacy and terms of service.
Under normal circumstances, reCAPTCHA works invisibly in the background and does not interrupt the user experience. However, if Google’s system identifies potentially suspicious activity, for example:
Private browsing/incognito mode (no cookies/session context)
High-frequency form submissions
Suspicious IP addresses (e.g., VPNs, proxies, or known bot networks)
Emulated or automated browsers
Lack of user interaction signals (like mouse movements or clicks)
Then the user will be prompted with a challenge, such as selecting images matching a category (e.g., "Select all images with a bus").
This is expected behavior and serves as a defense mechanism against bot submissions. It does not indicate a misconfiguration or bug in your setup.
FAQ
Do I need to set up reCAPTCHA for every form individually?
No. Once you’ve configured reCAPTCHA and entered valid keys, the protection can be reused across all forms associated with the same domain. You can and should selectively enable or disable it per form.
What happens if I enter incorrect keys?
If your site key or secret key is invalid, the system will prevent you from completing the setup and show an error message. Make sure that:
The domain you entered on Google matches the domain where the form is published.
The keys are copied exactly as provided (no extra spaces or characters).
Can I switch to a different reCAPTCHA type (e.g., v3)?
At this time, the platform supports reCAPTCHA v2 with the Invisible badge only. Support for other versions may be added in the future.
Will reCAPTCHA affect the performance or speed of my form?
The reCAPTCHA script is lightweight and loads asynchronously. It should not noticeably affect the performance or load time of your form.
What should I do if users report issues submitting the form?
If legitimate users are being challenged repeatedly or blocked:
Confirm that your reCAPTCHA setup is using the correct domain and keys.
Check if third-party ad blockers or browser extensions are interfering.
Consider temporarily disabling reCAPTCHA to isolate the issue.
Contact our support team via in-app chat or at [email protected] if the issue persists.