Customization

Every form has settings you can configure in the dashboard under Form → Settings. This page covers redirects, email notifications, spam protection, and domain restrictions.

Redirects

After a visitor submits a form via a standard browser POST (no JavaScript), W3Forms redirects them to a URL you configure.

  • Success redirect — The URL to redirect to after a successful submission (e.g., /thanks or https://yoursite.com/thanks). Must match one of your allowed domains or be a relative path. If not set, W3Forms shows a default success page.
  • Error redirect — On validation or quota errors, redirect here instead of returning a JSON error. Useful for showing a custom error page to non-JavaScript users.

Note: If the request sends the Accept: application/json header (e.g., via fetch), redirects are not used and you receive a JSON response instead. See the Quick Start for a fetch example.

You can also set the redirect URL as a hidden form field: <input type="hidden" name="redirect" value="https://yoursite.com/thanks" />. The hidden field takes precedence over the dashboard setting.

Email notifications

W3Forms sends an email notification for every non-spam submission. Configure email settings in Form → Settings:

  • Notify email — The primary recipient for submission notifications. Defaults to your account email.
  • CC — Additional recipients, comma-separated. Useful for teams where multiple people need to see submissions.
  • Subject — Customize the email subject line. Use placeholders like {{name}} or {{email}} to insert form field values dynamically. Example: New message from {{name}}.
  • Reply-to — Sets the Reply-To header on notification emails. Set this to the submitter's email field (e.g., {{email}}) so you can reply directly from your inbox to the person who submitted the form.
  • Auto-respond — Optionally send a confirmation email to the submitter. The submitter's email address is taken from the field named email in the form data.

Emails are sent via Amazon SES and include all form fields in a clean, readable format.

Spam protection

W3Forms provides multiple layers of spam protection. You can enable any combination:

  • Honeypot — A hidden field invisible to real users. If a bot fills it, the submission is flagged as spam. This is the recommended starting point: zero friction for humans, catches most basic bots. Add a hidden input with style="display:none" and tabindex="-1".
  • Captcha — For higher-risk forms, enable captcha in settings and add the widget to your form. This adds friction but blocks automated submissions effectively.
  • Keyword blacklist — Comma-separated words or phrases. Any submission containing a blacklisted term is marked as spam. Useful for blocking repeat patterns like "crypto" or "casino."
  • Block disposable emails — Rejects submissions from known throwaway email domains (mailinator.com, guerrillamail.com, etc.).

honeypot.html
<form action="https://api.w3forms.com/submit" method="POST">
  <input type="hidden" name="access_key" value="YOUR_ACCESS_KEY" />

  <!-- Honeypot: hidden from humans, visible to bots -->
  <input type="text" name="company_website" style="display:none" tabindex="-1" autocomplete="off" />

  <input type="email" name="email" required />
  <button type="submit">Send</button>
</form>

Spam submissions are stored in your dashboard (marked as spam) but do not trigger email notifications or webhooks. Note that spam submissions still count toward your monthly quota.

Allowed domains

This is the most important security setting. List every domain that hosts your form (e.g., yoursite.com, www.yoursite.com). Submissions from any other origin are rejected with a 400 error.

localhost is allowed by default during development. Before deploying to production, make sure your production domain is listed. Redirect URLs must also match an allowed domain or use a relative path.

See Security for more best practices.
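
One way a server could enforce the rule that a redirect URL must match an allowed domain or be a relative path, shown as an added example (this is not W3Forms' own code). The names resolveRedirect and ALLOWED_DOMAINS, the sample hosts, the exact-host match and the http/https-only scheme check are assumptions.

```javascript
// Constructed sample of a form's allowed-domains setting.
const ALLOWED_DOMAINS = ["yoursite.com", "www.yoursite.com"];

// Returns the redirect target to use, or null when it must be rejected.
function resolveRedirect(candidate, allowedDomains) {
  if (typeof candidate !== "string" || candidate === "") return null;

  // Browsers strip tabs/newlines from URLs and treat "\" like "/" in
  // http(s) URLs, so "/\host" or "/<TAB>/host" can leave the site.
  if (/[\u0000-\u001f\u007f\\]/.test(candidate)) return null;

  // Relative path: exactly one leading slash. "//host/..." is a
  // protocol-relative URL that points at another origin.
  if (candidate.startsWith("/")) {
    return candidate.startsWith("//") ? null : candidate;
  }

  let url;
  try {
    url = new URL(candidate); // throws on anything that is not absolute
  } catch (err) {
    return null;
  }

  // Assumption: only web schemes are valid redirect targets.
  if (url.protocol !== "https:" && url.protocol !== "http:") return null;

  // "https://yoursite.com@other.example/" has host other.example.
  if (url.username !== "" || url.password !== "") return null;

  // Assumption: exact host match, so subdomains must be listed explicitly.
  const host = url.hostname.toLowerCase();
  const allowed = allowedDomains.some((d) => d.toLowerCase() === host);
  return allowed ? url.href : null;
}

// Constructed inputs: the first two pass, the rest are rejected.
const samples = [
  "/thanks",
  "https://yoursite.com/thanks",
  "//other.example/thanks",
  "/\\other.example/thanks",
  "https://yoursite.com.other.example/",
  "https://yoursite.com@other.example/",
];
for (const s of samples) {
  console.log(JSON.stringify(s), "->", resolveRedirect(s, ALLOWED_DOMAINS));
}
```

A substring or prefix check on the raw string would accept the last two samples; comparing the parsed hostname is what rejects them.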

Hidden form fields

Some settings can be overridden per-form using hidden input fields. These take precedence over dashboard settings:

  • <input type="hidden" name="redirect" value="URL" /> — Override the success redirect URL.
  • <input type="hidden" name="subject" value="New contact" /> — Override the email subject.
  • <input type="hidden" name="from_name" value="Contact Form" /> — Override the email sender name.