You can protect your Signup Forms from spam bots and fake signups by enabling Google reCAPTCHA. This guide explains how to enable and configure reCAPTCHA in Omnisend.
reCAPTCHA runs automatically in the background for legitimate visitors. It only displays a challenge (such as selecting images) when suspicious activity is detected, such as automated scripts, VPN traffic, or high-frequency submissions. This helps keep your contact list clean without disrupting the user experience.
💡 Learn more: Create a Signup Form | Signup Forms: Behavior Settings
Benefits of Enabling reCAPTCHA
Enabling reCAPTCHA offers several advantages for email marketers and store owners:
Improved Data Integrity: Bots flood forms with fake email addresses. reCAPTCHA blocks most of these submissions from reaching your database.
Improved Deliverability: Reducing invalid signups helps maintain a high sender reputation, improving the likelihood your campaigns land in inboxes.
Reduced Fraud Risk: Bots are sometimes used to exploit forms for fraud. reCAPTCHA adds a security layer to mitigate these risks.
Invisible User Experience: The implementation uses invisible reCAPTCHA v2, which operates in the background. Real visitors won't see any challenges unless Google flags their activity as suspicious.
Setup Process
Step 1: Enable reCAPTCHA in your Omnisend form
Navigate to the form builder for the form you want to protect.
In the right-hand panel, locate the Behavior settings → Audience section.
Find the Verification subsection → Check the box labeled Enable reCAPTCHA.
4. Click the Set up reCAPTCHA button. This will open a modal window prompting you to input your Google credentials.
Step 2: Register your site with Google reCAPTCHA
To generate the required credentials (site key and secret key), follow these steps:
1. Visit the Google reCAPTCHA Admin Console → Click Get started.
2. Log in with a Google account.
3. Under Label, enter a descriptive name (e.g., “Store name newsletter form”).
4. Select the reCAPTCHA type:
Choose reCAPTCHA v2;
Then select the Invisible reCAPTCHA badge.
5. Under Domains, enter your domain name (e.g., mystore.com). Do not include https:// or path names — just the root domain.
Important! To activate reCAPTCHA for your Landing Page forms, you must add omniform1.com as a domain. Even if you’re not setting up a landing page now, we still recommend adding omniform1.com as an additional domain.
6. Accept the reCAPTCHA terms of service.
7. Submit the form. Google will generate a Site Key and Secret Key for you.
8. Copy the Site & Secret keys generated and return to the Omnisend form builder.
These keys authorize your forms to interact with Google's verification service.
Note: Do not include https:// or path names in the domain field, just the root domain. Make sure to remove any trailing slash (/) at the end of the domain name.
Step 3: Complete the setup in your Omnisend form
Return to the form builder where the reCAPTCHA modal is still open.
Paste the Site Key you obtained during the Google reCAPTCHA setup into the corresponding Site Key field.
Then, enter the Secret Key into the Secret Key field.
Click Finish to complete the integration.
If the keys are valid, you'll see a confirmation message: "reCAPTCHA is now connected to your form."
How reCAPTCHA Works
Once configured, reCAPTCHA is integrated into your form with no visible challenge unless suspicious behavior is detected. Visitors typically won't see any additional input fields or checkboxes unless Google flags their activity.
A small reCAPTCHA badge may appear in the lower right-hand corner of the page to indicate that protection is active. This complies with Google's requirement to inform users about reCAPTCHA and links to its privacy and terms of service.
When Will Visitors See a Challenge?
Under normal circumstances, reCAPTCHA works invisibly in the background. However, if Google detects potentially suspicious activity, the visitor will be prompted with a challenge, such as selecting images matching a category (e.g., "Select all images with a bus").
Google may flag activity as suspicious if:
Private browsing/incognito mode (no cookies/session context).
High-frequency form submissions.
Suspicious IP addresses (e.g., VPNs, proxies, or known bot networks).
Emulated or automated browsers.
Lack of user interaction signals (like mouse movements or clicks).
This is expected behavior and serves as a defense mechanism against bot submissions. It does not indicate a misconfiguration or bug in your setup.
FAQ
Do I need to set up reCAPTCHA for every form individually?
No. Once you’ve configured reCAPTCHA and entered valid keys, the protection can be reused across all forms associated with the same domain. You can and should selectively enable or disable it per form.
What happens if I enter incorrect keys?
If your site key or secret key is invalid, the system will prevent you from completing the setup and show an error message. Make sure that:
The domain you entered on Google matches the domain where the form is published.
The keys are copied exactly as provided (no extra spaces or characters).
I'm getting "Invalid domain for site key"—what does this mean?
This error means the domain you registered in Google reCAPTCHA doesn't match the domain where your form is published. Go to your Google reCAPTCHA Admin Console and ensure you entered only the root domain (e.g., yourstore.com)—no https://, www., or trailing slashes. If your form is on a subdomain (like shop.yourstore.com), add it separately. For landing pages, you must also add omniform1.com as a domain.
Can I switch to a different reCAPTCHA type (e.g., v3)?
At this time, Omnisend supports reCAPTCHA v2 with the Invisible badge only. Support for other versions may be added in the future.
Will reCAPTCHA affect the performance or speed of my form?
The reCAPTCHA script is lightweight and loads asynchronously. It should not noticeably affect the performance or load time of your form.
What should I do if users report issues submitting the form?
If legitimate users are being challenged repeatedly or blocked:
Confirm that your reCAPTCHA setup is using the correct domain and keys.
Check if third-party ad blockers or browser extensions are interfering.
Consider temporarily disabling reCAPTCHA to isolate the issue.
Contact our support team via in-app chat or at [email protected] if the issue persists.
Why don't I see the reCAPTCHA challenge when I test my form?
reCAPTCHA v2 Invisible runs silently for most visitors. You'll only see a challenge (like selecting images) if Google detects suspicious behavior, such as using a VPN, private browsing, or submitting the form repeatedly. To test if it's working, look for the small reCAPTCHA badge in the bottom-right corner of your page. To force a challenge, open multiple tabs and submit the form rapidly 3–5 times, or submit using a VPN.
I enabled reCAPTCHA, but I'm still getting bot signups. What should I do?
reCAPTCHA reduces bots significantly but may not stop all attacks. First, confirm the bots are coming from your Omnisend form, and check the contact's Source tag in Audience → Contacts.
If it says "Shopify" or "BigCommerce," the bots are entering through your store's checkout (not your form). Contact your platform support to secure those entry points. For additional protection, enable double opt-in and block suspicious email domains in Store settings → Audience management settings.
Didn't find an answer to your question? Our 24/7 Support Specialists are here to help via in-app chat or at [email protected].