Spam Filtering
Your time is limited, so we want to make sure the only submission data that hits your inbox is sent by humans, not bots.
Introduction
Spam filtering is the hardest part of operating a form service. Everyone has a different tolerance for spam they are willing to sort, or expect to be filtered for them. There will always be some percentage of false positives with any spam filtering system. We filter spam in order to protect our email sending reputation, this is what enables us to land emails in your inbox instead of your spam folder.
We recommend the following techniques to ensure you review all false positives
- Webhooks can be configured to trigger regardless of the spam status of a submissions.
- Configure reminders to review your spam folders often.
- Enable spam summary emails within your form settings.
Notice:
Basin retains spam for 30 days before it is permanently deleted. Be sure to review your spam folder frequently.
Cloudflare
All our forms are protected by Cloudflare's Web Application Firewall (WAF). This is our first line of defense against submissions originiating from the dark web, and known bots.
Junkbox
To accurately assess the legitimacy of your form's submission content, we use Junkbox --- an intelligent API solution that provides automatic protection and stops spam content from reaching your inbox. As a machine learning spam filter, its constantly training and evolving to be better at what it does.
Cloudflare Turnstile
Cloudflare Turnstile can be configured to add an additional layer of protection to your form, but it takes a little bit of work to setup.
Step 1 --- Setup your Cloudflare account, enable Turnstile, and retrieve your Site Key and Site Secret Key
You must provide your own Site Key and Site Secret Key.
See the Cloudflare documentation for more details.
Step 2 --- Add script tag to your page
You must add the following script tag somewhere outside of your form code and before the closing head tag.
<script src="https://challenges.cloudflare.com/turnstile/v0/api.js?onload=onloadTurnstileCallback" async defer></script>
Danger
Please retrieve your Site Secret Key and Site Key from the Cloudflare dashboard before continuing. See here for details.
Step 3 --- Add cf-turnstile div to your form code
Your cf-turnstile div must contain your site key.
<form action="/login" method="POST">
<input type="text" placeholder="email"/>
<input type="text" placeholder="name"/>
<div class="cf-turnstile" data-sitekey="<YOUR_SITE_KEY>"></div>
<button type="submit" value="Submit">Submit</button>
</form>
Step 4 --- Enable 'Require valid Turnstile response' in Basin.
This setting is found within your form's 'Edit' tab in the dashboard. Enabling this ensures all form submissions must be accompanied by a successful Turnstile response.
Step 5 --- Review other Cloudflare Turnstile configuration options
Turnstile has many other options you can configure within your Cloudflare account and within your HTML page.
See the Cloudflare documentation for more details.
Google reCAPTCHA
Google reCAPTCHA can be configured to add an additional layer of protection to your form, but it takes a little bit of work to setup.
Note
Basin supports both click and invisible reCAPTCHA. Choose and use one only.
Warning
Please make sure to use Basin's reCAPTCHA site key when integrating your form with Basin. Other site keys will NOT work.
Please use the following reCAPTCHA site key:
Step 1 --- Add script tag to your page
You must add the following script tag somewhere outside of your form code and before the closing head tag. If you place it inside the form div, then reCAPTCHA won't initialize.
Step 2 --- Add reCAPTCHA div to your form code
Your reCAPTCHA must contain the same sitekey as shown in the code snippet below. If you use a different sitekey, reCAPTCHA will not work.
Step 3 --- Enable 'Require Valid reCAPTCHA response'
This setting is found within your form's 'Edit' tab in the dashboard. Enabling this ensures all form submissions must be accompanied by a successful reCAPTCHA.
Setup invisible reCAPTCHA Optional
If you'd rather not have the default styling of the reCAPTCHA conflict with your form's style, you can hide it instead using the code snippet below. Remember to keep the data-sitekey as shown.
<script>
function onSubmit(token) {
var form = document.getElementById("invisible-recaptcha-form");
// Check if form is valid
if (form.checkValidity()) {
form.submit();
} else {
// If the form is not valid, trigger the browser's default validation UI
form.reportValidity();
}
}
</script>
<form id="invisible-recaptcha-form">
...
<button class="g-recaptcha" data-sitekey="6Lew3SMUAAAAAJ82QoS7gqOTkRI_dhYrFy1f7Sqy" data-callback='onSubmit' data-badge="inline">Submit</button>
</form>
Hide Google's attribution badge Optional
If you want to hide Google's attribute, you can use the CSS below. Simply include it anywhere outside of your form tags, or to your custom stylesheet.
hCAPTCHA (Google reCAPTCHA alternative)
hCAPTCHA can be configured to add an additional layer of protection to your form, but it takes a little bit of work to setup.
Note
Basin supports both click and invisible hCAPTCHA. Choose and use one only.
Warning
Please make sure to use Basin's hCAPTCHA site key when integrating your form with Basin. Other site keys will NOT work.
Please use the following hCAPTCHA site key:
Step 1 --- Add script tag to your page
You must add the following script tag somewhere outside of your form code and before the closing head tag. If you place it inside the form div, then hCAPTCHA won't initialize.
Step 2 --- Add hCAPTCHA div to your form code
Your hCAPTCHA must contain the same sitekey as shown in the code snippet below. If you use a different sitekey, hCAPTCHA will not work.
Step 3 --- Enable 'Require Valid hCAPTCHA response'
This setting is found within your form's 'Edit' tab in the dashboard. Enabling this ensures all form submissions must be accompanied by a successful hCAPTCHA.
Setup invisible hCAPTCHA Optional
If you'd rather not have the default styling of the hCAPTCHA conflict with your form's style, you can hide it instead using the code snippet below. Remember to keep the data-sitekey as shown.
<script>
function onSubmit(token) {
document.getElementById("invisible-hcaptcha-form").submit();
}
</script>
<form id="invisible-hcaptcha-form">
...
<button class="h-captcha" data-sitekey="7fe715a1-151f-4c63-b497-bd971974df05" data-callback='onSubmit' data-badge="inline">Submit</button>
</form>
Honeypot
This technique can be used to add an additional layer of protection. By including a field (hidden or visible) in your form for spam bots to fill out, the submission will be ignored when a value is entered and submitted.
A custom honeypot field name can be specified within your form settings.
<form accept-charset="UTF-8" action="https://usebasin.com/f/1a2b3c4d5e6f" method="POST">
...
<input type="hidden" name="_gotcha">
...
</form>
Allowed domains (Domain restriction)
You can setup your project to only accept form submissions from a specific domain which is essentially an additional layer of spam protection. By setting your allowed domains, only submissions that originate from a form that was hosted on the specified domain and all subdomains will be accepted. The submissions that were not submitted from the specified domain will be sent to your spam folder.
You can edit your allowed domains within your project settings: Forms -> Project -> Allowed domains
NOTE: you can add multiple domains, seperated by a comma.
Ensure Referrer Policy is Set Correctly
In order to use Basin's domain restriction spam filter you must ensure your site's Referrer-Policy sends your site's origin information to Basin.
By default, sites usually have the Referrer-Policy set to strict-origin-when-cross-origin which is compatible with Basin. Click here for more information on referrer policy