Application of the CAPTCHA Integration

Marketo Employee


CAPTCHA for Real Life


Sometimes we read the product documentation and we enable a new feature, but we feel like a bull staring at a new gate. (That’s country talk for “confused.”) We just don’t know what to do with it.


The new built-in CAPTCHA capability in Marketo Engage is pretty easy to set up with the product documentation. And Steven does a great job of explaining the integration in his blog post, “Marketo Engage Form CAPTCHA integration.” But still, the penny hasn’t dropped. You are wondering how to put this into practice. Let’s see if we can solve that problem.

The Big Picture

The Marketo Engage CAPTCHA feature is passive, meaning it does not take any action with respect to the lead that filled out the form. It simply collects the response from the CAPTCHA provider and adds that information to the form fill response data. This means that your program’s smart campaigns need to act on the data, based on your risk tolerance, to determine what to do with the resulting record. You may use your own preference to set an exact breakpoint in your logic, or you can use the classification buckets called “normalized score” that are included in the feature.

Let’s Zoom in a Little

Let’s first look at a CAPTCHA response. You can make a test form submission from a CAPTCHA-enabled form. Open the lead record and wander over to the Activity Log, find the “Fill Out Form” activity entry and double-click it to open the details.



  1. The CAPTCHA Provider, i.e. Google reCAPTCHA v3.
  2. The CAPTCHA Normalized Score is the general “bucket” category for the submission.
  3. The CAPTCHA Raw Score is a more granular score that will be between 1 and 0. (As you can see here the score is 0.9, so Willy Wonka is almost human.)

Steven has documented this in his blog post, but I will shamelessly copy it here for your convenience.  (Sorry Steven … I owe you a coffee.)


This field captures the raw score returned by the CAPTCHA provider. It will always be a value between 0.0 and 1.0. For reCAPTCHA v3, scores closer to 1.0 are likely human and scores closer to 0.0 are likely bots.

CAPTCHA Normalized Score

This is a normalized version of the score returned by the CAPTCHA provider as interpreted by Marketo Engage. This also includes normalized error messages returned by the provider or that occurred during processing. The values can be:

TRUSTED: Score of the submission >= 0.5. The submission is likely from a human.

SUSPICIOUS: Score of the submission < 0.5. The submission is likely from a bot.

MISSING: The CAPTCHA provider did not return a score for the submission.

QUOTA: The monthly quota of evaluations set by the CAPTCHA provider has been reached. Contact the CAPTCHA provider to purchase more evaluations.

FAILED: An error occurred during processing.


Gotcha, But Now What?

Well, it’s just data. It doesn’t do anything, but you can do something with it. You get to decide the fate of this lead record. This is a good time to draw a simple flow diagram. In our example we will not use the normalized score because we like our humans to be more human. We will trust scores 1.0 to 0.6, quarantine scores 0.5 to 0.4, and purge any scores 0.3 or less. (Normalized scores use the CAPTCHA provider’s breakpoints. I’m using the Raw scores to make mine special.)







OK, I’m Listening…

From here you need to do what works for your business, but I will give you an idea of how you make the flow work. Two options seem obvious: Trusted and Suspicious. Trusted records will move on and be part of your happy community of person records. Records with low raw scores will be Block Listed and removed if they do not match an active record in Marketo Engage or our CRM. But what about the Quarantine? Since we are not sure if it is a real person, we want to be selective, so we can mark the record as Marketing Suspended. This functions like an unsubscribe: the record will not be included in our marketing campaigns, but it will still receive operational emails. (Just in case it is a real person that wishes to be part of our happy community. We don’t banish them from our community, but they only get bread and water rations.)


If You Don’t Build It, They All Come

That’s right! Unless you build a program to manage this, they all still go to your database, regardless of the score. There are many ways to build this program, but here’s an approach.


Trusted (High) Score or No Score

If there is no score or a high score, they don’t need any flow and become part of the happy community. Just as they have been doing from the beginning. But if you want to create a smart campaign, the smart list could include these triggers. (I’m assuming you want to trigger and not wait to batch them.) The last trigger is to accommodate error conditions so we can be fault tolerant.  In this case I may opt to treat them as trusted, because I don’t want to penalize the record because of a technical glitch.





Quarantine (Mid-range) Score

They filled out a form, but the score makes you want to proceed with caution.

Smart List




You can add them to a list to keep an eye on them and maybe move them later.  Mark them as Marketing Suspended and record a reason in the appropriate field.  (It is a best practice to have a marketing suspended reason field, so you have some context for the suspend.)





Suspicious (Low) Score

You just don’t like the low score, so you want to manage the record more strictly.

Smart List




First, we decide if they are part of our Marketo Engage or CRM database. If not, we will put them in the “Dumpster” list. (You can just use a Delete Person step, but I will use a list to queue it for a short while.) Since I am going to keep the record for a bit, I want to Block List it.  There is no need to repeat all the same tests, so if I added it to the Dumpster list, I want to Block List it.



Release from Quarantine

You may want to build another trigger campaign to release a record from quarantine if you get a good score later.  Maybe something like this…



In the flow you would remove it from the “Quarantine” list, uncheck the Marketing Suspended flag, and clear the reason field. (HINT: Set the value to “NULL”.)
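
As an added illustration (not part of the original post and not Marketo Engage code), the routing described in the sections above can be modelled in Python to try breakpoints against exported form-fill data before building the smart campaigns. The function names, the step labels, the handling of scores that fall between the stated bands, and leaving known records with low scores untouched are all assumptions of this sketch.

```python
from decimal import Decimal, InvalidOperation

# Breakpoints from the article's example. A score that falls between the
# stated bands (e.g. 0.55) drops to the lower band: an assumption of this sketch.
TRUST_MIN = Decimal("0.6")
QUARANTINE_MIN = Decimal("0.4")
ERROR_STATES = {"MISSING", "QUOTA", "FAILED"}  # normalized values without a score


def classify(raw_score, normalized):
    """Bucket one form fill: trusted, quarantine, suspicious or no_score."""
    if normalized in ERROR_STATES or raw_score in (None, ""):
        return "no_score"
    try:
        score = Decimal(str(raw_score))
        if score >= TRUST_MIN:
            return "trusted"
        return "quarantine" if score >= QUARANTINE_MIN else "suspicious"
    except InvalidOperation:
        return "no_score"  # unreadable value is handled like a processing error


def plan_actions(raw_score, normalized, known_record=False, in_quarantine=False):
    """Map one form fill to flow steps (step names are illustrative labels)."""
    bucket = classify(raw_score, normalized)
    if bucket == "quarantine":
        return ["add to Quarantine list", "set Marketing Suspended",
                "set Marketing Suspended Reason"]
    if bucket == "suspicious":
        # Assumption: a low score on a record already in Marketo Engage or
        # the CRM is left for manual review instead of being queued for deletion.
        return [] if known_record else ["add to Dumpster list", "set Block Listed"]
    if bucket == "trusted" and in_quarantine:
        return ["remove from Quarantine list", "clear Marketing Suspended",
                "set Marketing Suspended Reason to NULL"]
    return []  # no_score is fault tolerant: the record proceeds as before


def tally(fills):
    """Count buckets over (raw, normalized) pairs to benchmark the breakpoints."""
    counts = {"trusted": 0, "quarantine": 0, "suspicious": 0, "no_score": 0}
    for raw, norm in fills:
        counts[classify(raw, norm)] += 1
    return counts


# Constructed sample data: (CAPTCHA Raw Score, CAPTCHA Normalized Score)
SAMPLE = [("0.9", "TRUSTED"), ("0.5", "TRUSTED"), ("0.3", "SUSPICIOUS"),
          ("", "MISSING"), ("0.1", "SUSPICIOUS"), (None, "FAILED")]
```

Note that a raw score of 0.5 is TRUSTED under the normalized buckets but lands in quarantine under these custom breakpoints, and that an error state never releases a record from quarantine; only a real high score does.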

In Summary…

There are many ways to manage the records that do not meet your threshold of trust, but the bottom line is that you need to act on the CAPTCHA values. There is no auto-magic built into the CAPTCHA feature, which is a good thing because you get to decide, and you don’t have to try to trick the system into behaving differently.



Level 10 - Community Advisor

Great process @TBlane_McMichen. In my experience it can depend quite widely per instance where to draw the lines, so I tend to run a process with some benchmark thresholds first to see what actually happens and add people to respective lists and send alerts to follow up on low raw scores to define where the mark is. As an example, for one of my customers quite a few clicks in emails to the preference center are marked as suspicious at a 0,3 and that value is pretty much always a real person. So there my real bad guys come in even lower. Only when I get a sense for this I take action to implement the suspensions and blocklists.

Marketo Employee

@Katja_Keesom that is a perfect example of why to set your own ranges. Granted, you can start with the normalized values, which is better than nothing. But, as you've said, you need to monitor the results and adjust to suit your business. If your objective is lead generation, then you may take lower scores. If you have very focused goals with strict B2B targets, you may want higher scores. Thanks for sharing!

Level 2

Question about this process. If we determine something is a bot and we don't want it in our database, but it's a shared program sync'd to CRM, will this be able to remove the person BEFORE they get passed over?

Level 10 - Community Moderator
Question about this process. If we determine something is a bot and we don't want it in our database, but it's a shared program sync'd to CRM, will this be able to remove the person BEFORE they get passed over?

Nope! You need to ensure they don’t enter an automatic sync process.