powermailrecaptcha for TYPO3
Google reCAPTCHA integration for Powermail. Spam protection for the most widely used TYPO3 form plugin. Gosign advises on more privacy-friendly alternatives.
Book a free initial call
Powermail without spam protection becomes a junk pile within weeks
Powermail is by far the most widely used form extension for TYPO3. Over 150,000 active installations (as of TER, 2026), from contact forms to application forms to complex multi-step inquiry workflows. The problem: every publicly accessible form without a CAPTCHA will eventually be found by bots. Typical result: 200 to 500 spam entries per day, overflowing inboxes, noisy statistics and forms that staff eventually ignore - including the genuine inquiries within.
powermailrecaptcha is the official companion to Powermail that integrates Google reCAPTCHA v2 or v3 into Powermail forms. The extension is maintained by in2code (the Powermail developer), ensuring short update cycles and high compatibility.
Typical use cases
Contact forms on corporate websites. The standard scenario: a form with name, email, message and submit button. Without CAPTCHA, 50 to 300 spam messages arrive daily, mostly with links to pharmaceutical or casino sites. reCAPTCHA v3 (invisible, score-based) is ideal here: no additional click for the user, bots are detected in the background. A score below 0.5 (on a scale of 0 to 1) is classified as a bot and the submission is blocked.
Application forms with file upload. Career pages where applicants upload CVs and cover letters are particularly spam-prone because bots distribute malware through the upload function. reCAPTCHA filters the automated submissions. Additionally, server-side file type validation (PDF, DOCX only) and a size limit (max. 10 MB) should be active.
Multi-step forms with conditional logic. Powermail can build forms with conditions: if “Industry = Real Estate” is selected, additional fields appear. For such forms, a CAPTCHA on the last page before submission suffices. powermailrecaptcha binds the check to the submit button by default, so it works with multi-step forms as well.
Technical architecture
powermailrecaptcha extends Powermail via a TYPO3 Signal/Slot (v11) or PSR-14 Event (v12+). When rendering the form, the reCAPTCHA JavaScript is embedded (from google.com/recaptcha/api.js). On submission, the reCAPTCHA token is validated server-side: TYPO3 sends a POST request to https://www.google.com/recaptcha/api/siteverify with the token and secret key. Google responds with a score (v3) or confirmation (v2).
Configuration is done through TypoScript constants: Site Key and Secret Key (from the Google reCAPTCHA Admin Console), threshold score for v3 (default: 0.5), reCAPTCHA version (v2 Checkbox, v2 Invisible or v3). The keys are maintained in the TYPO3 backend under Constants, ideally via environment variables so they do not end up in the Git repository.
For v3 (invisible), no visible widget is rendered. The score is calculated in the background and stored in a hidden field. For v2 Checkbox, the familiar “I’m not a robot” widget appears. For v2 Invisible, nothing appears until the system detects a suspicious user and then shows a challenge (image selection).
Common problems and solutions
GDPR concerns about Google connection. reCAPTCHA loads JavaScript from Google servers and transmits the user’s IP address to Google. Since the Schrems II ruling and increasingly strict interpretation by data protection authorities, this is a real risk. Solution: only load reCAPTCHA when the user has consented via cookie banner (consent integration). Or switch entirely to European alternatives: Friendly Captcha (servers in the EU, no tracking), hCaptcha (more GDPR-compliant than reCAPTCHA but US-based servers) or a pure honeypot strategy without external services.
reCAPTCHA v3 blocks real users. The scoring algorithm is a black box. Some real users (e.g. behind VPN, with ad blocker, on older devices) receive low scores and are incorrectly blocked. Solution: set the threshold to 0.3 instead of 0.5 and additionally implement a honeypot field. Alternatively: display a fallback to reCAPTCHA v2 Checkbox on low scores instead of blocking outright.
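The server-side decision described under "Technical architecture" and the threshold/fallback options above, as an added PHP sketch (not code from powermailrecaptcha). The function name, verdict strings, host name and action name are hypothetical; the JSON field names are those of Google's siteverify response.

```php
<?php
declare(strict_types=1);

// Added example, not powermailrecaptcha code: function name and verdicts are hypothetical.
// $json is the body returned by https://www.google.com/recaptcha/api/siteverify (v3).
function evaluateSiteverify(
    string $json,
    string $expectedHost,
    string $expectedAction,
    float $threshold = 0.5,      // default threshold named in the text
    bool $fallbackToV2 = false   // true: a low score gets a v2 checkbox instead of a block
): string {
    $data = json_decode($json, true);
    if (!is_array($data) || ($data['success'] ?? false) !== true) {
        return 'reject';         // malformed body, or token invalid, expired or reused
    }
    // A token issued on another site or for another action must not pass here.
    if (($data['hostname'] ?? null) !== $expectedHost
        || ($data['action'] ?? null) !== $expectedAction) {
        return 'reject';
    }
    $score = $data['score'] ?? null;
    if (!is_int($score) && !is_float($score)) {
        return 'reject';         // fail closed when the score is missing
    }
    if ($score >= $threshold) {
        return 'accept';
    }
    return $fallbackToV2 ? 'challenge' : 'reject';
}

// Constructed sample responses (not captured traffic).
$samples = [
    'human'        => '{"success":true,"score":0.9,"action":"contact","hostname":"www.example.org"}',
    'vpn user'     => '{"success":true,"score":0.4,"action":"contact","hostname":"www.example.org"}',
    'low score'    => '{"success":true,"score":0.2,"action":"contact","hostname":"www.example.org"}',
    'wrong action' => '{"success":true,"score":0.9,"action":"login","hostname":"www.example.org"}',
    'reused token' => '{"success":false,"error-codes":["timeout-or-duplicate"]}',
];
foreach ($samples as $label => $json) {
    printf(
        "%-13s strict=%-7s lenient=%s\n",
        $label,
        evaluateSiteverify($json, 'www.example.org', 'contact'),
        evaluateSiteverify($json, 'www.example.org', 'contact', 0.3, true)
    );
}
```

The "strict" column uses the 0.5 default and blocks outright; the "lenient" column uses the 0.3 threshold with the v2 fallback suggested above.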
Extension conflict with Content Security Policy. Since TYPO3 v12, the Core supports Content Security Policies (CSP). reCAPTCHA JavaScript from google.com must be permitted in the CSP, otherwise it is blocked. Solution: add script-src and frame-src for https://www.google.com/recaptcha/ and https://www.gstatic.com/recaptcha/ in the CSP configuration.
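One way to express these CSP additions with the TYPO3 v12+ Core API, as an added example (not part of powermailrecaptcha). It assumes the file is placed as Configuration/ContentSecurityPolicies.php in a site package and applies to the frontend scope only.

```php
<?php
// Configuration/ContentSecurityPolicies.php (assumed location in a site package)
declare(strict_types=1);

use TYPO3\CMS\Core\Security\ContentSecurityPolicy\Directive;
use TYPO3\CMS\Core\Security\ContentSecurityPolicy\Mutation;
use TYPO3\CMS\Core\Security\ContentSecurityPolicy\MutationCollection;
use TYPO3\CMS\Core\Security\ContentSecurityPolicy\MutationMode;
use TYPO3\CMS\Core\Security\ContentSecurityPolicy\Scope;
use TYPO3\CMS\Core\Security\ContentSecurityPolicy\UriValue;
use TYPO3\CMS\Core\Type\Map;

return Map::fromEntries([
    // Frontend only: the backend policy stays untouched.
    Scope::frontend(),
    new MutationCollection(
        // Extend (not Set) keeps the existing policy and adds only the reCAPTCHA paths.
        // Path-scoped sources are narrower than allowing all of https://www.google.com.
        new Mutation(
            MutationMode::Extend,
            Directive::ScriptSrc,
            new UriValue('https://www.google.com/recaptcha/'),
            new UriValue('https://www.gstatic.com/recaptcha/'),
        ),
        new Mutation(
            MutationMode::Extend,
            Directive::FrameSrc,
            new UriValue('https://www.google.com/recaptcha/'),
            new UriValue('https://www.gstatic.com/recaptcha/'),
        ),
    ),
]);
```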
Migration and version compatibility
powermailrecaptcha supports TYPO3 v11, v12 and v13 (the latter since Q1 2026). The extension follows Powermail’s release cycle: when Powermail supports a new TYPO3 version, powermailrecaptcha follows within weeks.
For projects switching from reCAPTCHA to a more GDPR-friendly alternative, the conversion is manageable. Friendly Captcha offers its own Powermail plugin (powermail_friendlycaptcha) that works as a drop-in replacement: install the extension, enter keys, deactivate powermailrecaptcha. The form configuration in Powermail itself remains unchanged. Gosign recommends Friendly Captcha as the default for new projects and offers migration of existing forms as a fixed-price service.
An often overlooked aspect is spam prevention beyond CAPTCHAs. Powermail natively offers a honeypot field (an invisible form field that only bots fill in). Combined with a time check (form must be open for at least 3 seconds before submission), the majority of automated spam can be filtered without external services. Gosign deploys a three-layer strategy for projects where GDPR compliance is the priority: honeypot and time check as the first layer (zero external requests), Friendly Captcha as the second layer (EU servers) and server-side content analysis as the third layer (link density, language, known spam patterns). This combination achieves a spam detection rate of over 99% without Google services.
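The first layer (honeypot plus time check) with a simple link-count check from the third layer, as an added PHP sketch that is neither Powermail's nor Gosign's implementation. The field names (`website`, `form_token`, `message`), the demo key and the `MAX_*` values are assumptions; only the 3-second minimum comes from the text.

```php
<?php
declare(strict_types=1);

// Added example, not Powermail code. Field names, key and MAX_* values are assumptions.
const MIN_OPEN_SECONDS = 3;   // from the text
const MAX_TOKEN_AGE = 3600;   // assumed: stops replay of an old form token
const MAX_LINKS = 2;          // assumed link-density cutoff

// The render time is HMAC-signed so a client cannot simply post an older timestamp.
function issueFormToken(string $key, int $now): string
{
    return $now . '.' . hash_hmac('sha256', (string)$now, $key);
}

function verifiedRenderTime(string $token, string $key): ?int
{
    [$ts, $mac] = array_pad(explode('.', $token, 2), 2, '');
    if (!ctype_digit($ts) || !hash_equals(hash_hmac('sha256', $ts, $key), $mac)) {
        return null;
    }
    return (int)$ts;
}

function spamReasons(array $post, string $key, int $now): array
{
    $reasons = [];
    if (trim((string)($post['website'] ?? '')) !== '') {
        $reasons[] = 'honeypot filled';
    }
    $ts = verifiedRenderTime((string)($post['form_token'] ?? ''), $key);
    if ($ts === null) {
        $reasons[] = 'form token missing or forged';
    } elseif ($now - $ts < MIN_OPEN_SECONDS || $now - $ts > MAX_TOKEN_AGE) {
        $reasons[] = 'submitted too fast or token too old';
    }
    if (preg_match_all('~https?://~i', (string)($post['message'] ?? '')) > MAX_LINKS) {
        $reasons[] = 'too many links';
    }
    return $reasons;
}

// Constructed submissions; the key is a demo value.
$key = 'demo-key-not-for-production';
$now = 1767225600;
$human = ['website' => '', 'form_token' => issueFormToken($key, $now - 40), 'message' => 'Please call me back.'];
$bot = ['website' => 'http://spam.example', 'form_token' => $now . '.forged', 'message' => str_repeat('http://spam.example ', 5)];
var_dump(spamReasons($human, $key, $now), spamReasons($bot, $key, $now));
```

An empty result means the submission passed this layer; none of these checks makes an external request.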
For switching from powermailrecaptcha to Friendly Captcha, Gosign estimates 2 to 4 hours per website, including installation, configuration, testing all forms and deactivating the old extension.
AI-accelerated development: 70% faster
TYPO3 Update & GDPR Audit
We upgrade your TYPO3 installation cost-effectively to the current LTS version - including all extensions, even outdated and unmaintained ones.
All extensions migrated
Including outdated, unmaintained or custom developments.
Fixed-price offer
Transparent costs, no hidden rework.
AI-accelerated
30-50% cheaper than market average thanks to AI-assisted code analysis.
Zero data loss
Complete data migration with rollback safety.
GDPR Audit: We audit your TYPO3 installation for GDPR compliance - cookie consent, tracking, extensions, forms and hosting - and implement all measures cost-effectively.
Gosign is a Hamburg-based digital agency with 25 years of experience in TYPO3 development. We have analysed over 800 TYPO3 extensions and today develop with AI assistance up to 70% faster than with classic methods. Our clients are mid-sized companies, universities and public institutions across Europe.
Last updated: April 2026
Book a free initial call
30 minutes with a TYPO3 specialist, no-obligation.