Contact forms sit in an awkward middle ground: they must be easy for a person with a real question and hostile to bulk senders. Client-side tricks alone will not hold; the server has to validate, rate limit, and fail closed when configuration is wrong.
A hidden honeypot field catches a surprising amount of noise. Bots love filling every input; humans never see the field. Pair that with conservative rate limits per IP and you blunt casual abuse without adding friction for legitimate visitors.
Deliverability is the other half. Transactional mail should read like mail: clear subject, plain text or minimal HTML, and a Reply-To that points at the visitor. DNS alignment for the sending domain is not optional if you want messages to land in the inbox instead of promotions or spam.
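The server-side gate described above (fail closed on missing mail configuration, honeypot check, per-IP rate limit, validation) together with a plain-text message carrying a visitor Reply-To, as an added example that is not code from the original page. It assumes a hidden field named `website`, three submissions per IP per ten minutes, an in-memory store, and that the caller passes the current time as `now`.

```python
import re
from collections import defaultdict, deque
from email.message import EmailMessage

HONEYPOT_FIELD = "website"   # hidden with CSS; a human never fills it (assumed name)
RATE_LIMIT = 3               # accepted submissions per IP per window (assumed)
WINDOW_SECONDS = 600
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
_recent = defaultdict(deque)  # per-IP timestamps; a real deployment uses a shared store


def rate_limited(client_ip, now):
    """Sliding window: True once the IP has RATE_LIMIT hits inside WINDOW_SECONDS."""
    q = _recent[client_ip]
    while q and now - q[0] > WINDOW_SECONDS:
        q.popleft()
    if len(q) >= RATE_LIMIT:
        return True
    q.append(now)
    return False


def validate_submission(form, client_ip, mail_config, now):
    """Return (accepted, reason); every unexpected state is a rejection."""
    # Fail closed: with no sender configured there is nothing safe to do.
    if not mail_config or not mail_config.get("from_address"):
        return False, "mail not configured"
    # Honeypot: any value in the hidden field means every input was filled.
    if form.get(HONEYPOT_FIELD, "").strip():
        return False, "honeypot"
    if rate_limited(client_ip, now):
        return False, "rate limited"
    # Server-side validation; client-side checks are advisory only.
    if not EMAIL_RE.match(form.get("email", "")):
        return False, "bad email"
    if not 1 <= len(form.get("message", "").strip()) <= 4000:
        return False, "bad message"
    return True, "ok"


def build_message(form, mail_config):
    """Plain-text transactional mail with Reply-To pointing at the visitor."""
    subject = " ".join(form.get("subject", "(no subject)").split())[:80]
    msg = EmailMessage()
    msg["From"] = mail_config["from_address"]
    msg["To"] = mail_config["to_address"]
    msg["Reply-To"] = form["email"]           # validated above: no whitespace
    msg["Subject"] = "Contact form: " + subject
    msg.set_content(form["message"])
    return msg
```

Call `validate_submission` first and only build and send the message on `(True, "ok")`; the sending address still needs the DNS setup the text mentions to land in the inbox.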