What is the most important tip for working with Web-to-Lead?

Enable reCAPTCHA on every Web-to-Lead form. Without it, bots fill your daily submission cap with spam and real leads silently drop. The setup is one checkbox in the form generator.

Web-to-Lead automates lead capture from website forms.

The daily limit may require alternatives for high-volume scenarios.

Web-to-Lead can trigger assignment and auto-response automation.

DevelopmentIntermediate

Web-to-Lead

Web-to-Lead is the Salesforce feature that turns a web form on an external website into a direct Lead-creation pipe.

Hear it

§ 01

Definition

Web-to-Lead is the Salesforce feature that turns a web form on an external website into a direct Lead-creation pipe. Salesforce generates an HTML form snippet that posts directly to the Salesforce servers. A web visitor fills in name, email, company, message, and any custom fields; submission creates a Lead record in the org, fires Lead Assignment rules, and optionally sends an auto-response email. No middleware, no API integration code, no developer involvement.

The feature predates modern marketing automation by 15 years and is still the simplest way to capture web inquiries when an org does not have Pardot, Marketing Cloud Account Engagement, or HubSpot in the stack. The HTML form is plain, ugly by default, and trivially customizable with CSS. Per-org caps apply (500 successful Web-to-Lead submissions per day on most editions, expandable via support case), and submissions over the cap are queued or dropped depending on the configured behaviour. Web-to-Lead remains the workhorse for small-business orgs and for backup inquiry capture even at the enterprise tier.

§ 02

How Web-to-Lead turns a public HTML form into authenticated Lead records

The generated HTML form and how it actually works

Salesforce generates the HTML form via Setup, Web-to-Lead, Create Web-to-Lead Form. You pick which Lead fields to expose, set the return URL (where the visitor lands after submit), and copy the generated HTML. The form posts to https://webto.salesforce.com/servlet/servlet.WebToLead with a hidden oid (organization ID) field that authenticates the post. Salesforce parses the POST, maps fields by API name, creates the Lead, and redirects the browser to the return URL. There is no auth handshake beyond the oid; security relies on rate limits and validation, not on a secret token.

Daily submission limits and overflow behaviour

Most Enterprise and Unlimited Edition orgs allow 500 successful Web-to-Lead submissions per day. Beyond that, submissions fail silently from the visitor''s perspective and are queued internally if Daily Limit Behaviour is set to Hold; if set to Drop, they are lost. Salesforce Support can raise the cap via a case (a common ask during marketing campaign launches). Spam submissions also count against the cap, which is why CAPTCHA on the form is operationally important.

Lead Assignment Rules and the auto-response email

Once a Lead is created, the standard Web-to-Lead flow fires the active Lead Assignment Rule (Setup, Lead Assignment Rules) to route the lead to the right user or queue. The Default Response Template from Lead Settings sends an automatic email to the visitor confirming receipt. Both are critical for the experience; without the assignment rule the lead falls to the Default Lead Owner, and without the response template the visitor wonders if their submission even went through.

reCAPTCHA and spam prevention

Salesforce supports Google reCAPTCHA v2 directly in the form generator. Enable it, and Salesforce embeds the reCAPTCHA widget; the form is rejected server-side if the captcha fails. Without reCAPTCHA, the form is publicly visible and bots can submit endlessly, filling the org with spam leads and exhausting the daily submission cap. Enable reCAPTCHA on any production Web-to-Lead form, period.

Custom fields, picklists, and validation behaviour

The form supports custom Lead fields. Custom picklists render as dropdowns. Custom text fields render as text inputs. Lookup fields are tricky: the form needs the parent record''s ID, not its name. Validation rules on Lead do not fire on Web-to-Lead unless Enforce Validation and Triggers is enabled in Lead Settings. This is the single most common Web-to-Lead bug: validation rule passes in the UI but Web-to-Lead bypasses it, and bad data lands.

Tracking the source and the LeadSource field

The form can hardcode LeadSource via a hidden field, or use URL parameters to differentiate campaigns. The pattern: query parameters on the form page (utm_source, utm_campaign) pre-populate hidden form fields via JavaScript before submit. This is how Salesforce orgs without a marketing platform stitch together campaign attribution. Pardot and Marketing Cloud Account Engagement automate this, but the manual JavaScript-and-hidden-field trick works on plain Web-to-Lead too.

Web-to-Lead versus Marketing Cloud Account Engagement forms

Web-to-Lead is free, built-in, and basic. Marketing Cloud Account Engagement (Pardot) forms are richer: progressive profiling, lookup tables for company match, automatic Account creation, marketing-list-level visibility on submission events. Pardot costs money; Web-to-Lead does not. Most orgs running Pardot use Pardot forms for primary marketing pages and Web-to-Lead as a backup for utility pages, contact-us forms, and quick deployments where Pardot would be overkill.

§ 03

Setting up a Web-to-Lead form from form generation to live capture

Web-to-Lead setup takes about 30 minutes. The work splits into form generation, deploying the HTML, configuring assignment and response, and adding reCAPTCHA. Test on a staging URL before flipping the production form live.

Generate the Web-to-Lead HTML
Setup, Quick Find, Web-to-Lead. Click Create Web-to-Lead Form. Pick the Lead fields to include. Set Return URL to a thank-you page on your site. Toggle Enable reCAPTCHA Verification on. Generate. Copy the HTML snippet.
Deploy the form to your website
Paste the HTML into a web page (WordPress, Webflow, custom CMS, or static HTML). Style with CSS to match the brand. The form posts directly to Salesforce; no proxy or middleware is needed.
Configure the Lead Assignment Rule
Setup, Lead Assignment Rules. Create or edit the active rule. Add entries based on Lead Source, country, industry, or any other field on the Lead. Each entry assigns to a user or queue. Activate the rule before live traffic hits the form.
Set up the auto-response email
Setup, Lead Settings. Pick a Default Response Template that confirms receipt. Edit the email template under Setup, Email Templates. Personalize with merge fields (FirstName, Company) and include the rep''s calendar link if relevant.
Test end-to-end
Submit the staging form with a test email address. Verify the Lead appears in Salesforce, the assignment rule fires (Owner is correct), the auto-response email arrives, and the return URL renders. Test the reCAPTCHA flow by submitting without solving it.

Key options

Return URLremember

Where the visitor lands after submit. Typically a thank-you page on your site. Required field on the form generator.

Enable reCAPTCHAremember

Adds Google reCAPTCHA v2 to the form. Configurable from the form generator. Enable on every production form to prevent spam.

Daily Limit Behaviourremember

Hold (queue submissions above the cap and process when the cap resets) or Drop (silently lose them). Configured in Lead Settings.

Hidden fieldsremember

Lead fields included in the HTML but not visible to the user. Common pattern for hardcoding LeadSource, campaign attribution, or referral codes.

Gotchas

Validation rules on Lead do not fire on Web-to-Lead by default. Enable Enforce Validation and Triggers in Lead Settings or bad data lands without challenge.
500-per-day cap is per-org, not per-form. A high-traffic marketing campaign can exhaust the cap. Raise via Salesforce Support case before launching big pushes.
Spam submissions count against the daily cap. Without reCAPTCHA, bots will exhaust the limit and crowd out real leads.
The form''s hidden oid field is the org ID, not a secret. Anyone with the HTML can submit forms to your org. Server-side validation and reCAPTCHA are the only spam defenses.
Lookup fields require the parent record''s 15- or 18-character ID, not the parent''s name. Forms with raw text lookup fields silently store the text as a string, not as a lookup.

Trust & references

Sources

Cross-checked against the following references.

Web-to-Lead OverviewSalesforce Help
Generate a Web-to-Lead FormSalesforce Help

Official documentation

Straight from the source - Salesforce's reference material on Web-to-Lead.

Set Up Lead Assignment RulesSalesforce Help
Enable Spam Prevention with reCAPTCHASalesforce Help

Was this entry helpful?

Help us write better definitions. Quick reactions or detailed edit suggestions.

About the Author

Dipojjal Chakrabarti is a B2C Solution Architect with 29 Salesforce certifications and over 13 years in the Salesforce ecosystem. He runs salesforcedictionary.com to help admins, developers, architects, and cert/interview candidates sharpen their fundamentals. More about Dipojjal.

Test your knowledge

Q1. What is Web-to-Lead?

Q2. What's a limitation?

Q3. What can it trigger?

Discussion

Loading…

Loading discussion…

Back to Dictionary