Protecting against spam using Cloudflare Turnstile

With Mailcoach, protecting your email list & subscription forms against spam is crucial to protect your sending reputation. Mailcoach now makes this easy by integrating with Cloudflare Turnstile, the privacy friendly alternative to Google’s ReCaptcha.

In this blogpost we’ll write a guide on how to set up Cloudflare Turnstile with your self-hosted Mailcoach instance. Mailcoach already has this enabled for all teams & users!

How does Cloudflare Turnstile work with Mailcoach?

When a visitor tries to submit the subscription form of your email list, Mailcoach will first redirect them to a challenge page where Turnstile will prompt them to complete a challenge. This challenge is designed to distinguish humans from bots and prevent spam from submitting the form. The challenge can take the form of a simple math problem, a checkbox to confirm that they’re not a robot, or even a simple game.

Once the visitor completes the challenge, they’ll be subscribed to the email list. If they fail the challenge, they’ll be prompted to try again.

If the challenge can be completed automatically, the visitor will be subscribed & redirected without any action necessary on their part.

You might ask yourself: why not just rely on double opt-in?, to facilitate double opt-in, you’re already sending an email to the email address that is filled in by the spammer or spam bot. This email address usually looks randomly generated by the bot.

In the best case, this would result in a hard bounce, but in the worst case this email reaches a person that did not expect to sign up and could result in a spam complaint.

A high bounce rate & spam complaints heavily impact your sending reputation.

Activating the Cloudflare Turnstile integration

1. Adding a site

The first step is to create a Turnstile site inside your Cloudflare account. It will ask for a site name & the domain you’re hosting Mailcoach on.

For the Widget Mode option, you need to select “Managed”.

2. Configure the keys inside Mailcoach

Once the Cloudflare Turnstile site is created, you’ll be given a Site key and Site secret. These need to be set inside your config/mailcoach.php config file:

* You can enable Cloudflare Turnstile spam protection
* by providing a site key & secret here. Make sure
* you have configured the domain correctly.
'turnstile_key' => '',
'turnstile_secret' => '',

We suggest setting these with environment variables:

'turnstile_key' => env('TURNSTILE_KEY'),
'turnstile_secret' => env('TURNSTILE_SECRET'),

Once these values are set. Your subscription forms will automatically be protected using Cloudflare Turnstile!

Ready to get started?