Contact forms need backend infrastructure to send emails, but managing servers is overkill for occasional submissions. The challenge: build a secure, cost-effective contact form that handles spam and rate limiting.

AWS Lambda with SES provides serverless email delivery at $0.10 per 1,000 emails. Combined with API Gateway's built-in throttling and Lambda's validation logic, the solution costs effectively $0/month for typical contact form traffic.

The Implementation

const { SESClient, SendEmailCommand } = require("@aws-sdk/client-ses");
const ses = new SESClient({ region: "us-east-1" });

// Small helper so every response is shaped the same way
const respond = (statusCode, payload) => ({ statusCode, body: JSON.stringify(payload) });

exports.handler = async (event) => {
  // A malformed or empty body would otherwise throw and surface as a 500
  let body;
  try {
    body = JSON.parse(event.body || "{}");
  } catch (err) {
    return respond(400, { error: 'Invalid JSON' });
  }
  const { name, email, subject, message, honeypot } = body;

  // Honeypot check - bots fill this hidden field; reply as if it succeeded
  if (honeypot) {
    return respond(200, { message: 'Success' });
  }

  // Validate inputs
  if (!name || !email || !subject || !message) {
    return respond(400, { error: 'Missing fields' });
  }

  // Send via SES
  const emailParams = {
    Source: process.env.FROM_EMAIL,
    Destination: { ToAddresses: [process.env.TO_EMAIL] },
    Message: {
      Subject: { Data: `Contact Form: ${subject}` },
      Body: { Text: { Data: `Name: ${name}\nEmail: ${email}\n\n${message}` } }
    },
    // Reply-To is the visitor's address so replies go straight back to them
    ReplyToAddresses: [email]
  };

  try {
    await ses.send(new SendEmailCommand(emailParams));
  } catch (err) {
    // Log the failure for CloudWatch; don't echo SDK details to the caller
    console.error('SES send failed', err);
    return respond(502, { error: 'Email delivery failed' });
  }
  return respond(200, { message: 'Sent' });
};

Security Layers

The implementation includes multiple protection mechanisms: API Gateway throttles requests to 10 per second, a honeypot field catches basic bots, input sanitization prevents injection attacks, and reCAPTCHA v3 scores each submission from 0.0 (bot) to 1.0 (human), with only scores above 0.5 accepted.

Rate limiting tracks IPs in memory, allowing 3 submissions per minute per IP. CORS restricts requests to the production domain and localhost for testing.
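The per-IP limiter, the input checks and the reCAPTCHA threshold described above, written out as an added example rather than code from the original post; the helper names are hypothetical, the limits are the post's own numbers.

```javascript
// Added example, not the post's own code: the per-IP sliding-window limiter,
// the input checks and the reCAPTCHA threshold the Security Layers section
// describes. Helper names are hypothetical; limits are the post's numbers.
const WINDOW_MS = 60 * 1000;     // one-minute window
const MAX_PER_WINDOW = 3;        // 3 submissions per minute per IP
const RECAPTCHA_MIN_SCORE = 0.5; // accept v3 scores above 0.5

// Caveat: this Map lives in one Lambda execution environment, so each
// concurrent instance counts separately; API Gateway throttling is the
// global backstop and this limiter only refines it per instance.
const submissions = new Map(); // ip -> timestamps (ms) of accepted posts

function checkRateLimit(ip, now = Date.now()) {
  const recent = (submissions.get(ip) || []).filter((t) => now - t < WINDOW_MS);
  if (recent.length >= MAX_PER_WINDOW) {
    submissions.set(ip, recent); // blocked attempts do not extend the window
    return false;
  }
  recent.push(now);
  submissions.set(ip, recent);
  return true;
}

// CR/LF in a value that lands in a mail header (name, subject) could inject
// extra headers, so collapse line breaks before building the email.
const stripCrLf = (s) => String(s).replace(/[\r\n]+/g, " ").trim();
const EMAIL_RE = /^[^\s@]+@[^\s@]+\.[^\s@]+$/;

function validateSubmission(body) {
  const clean = {
    name: stripCrLf(body.name || ""),
    email: String(body.email || "").trim(),
    subject: stripCrLf(body.subject || ""),
    message: String(body.message || "").trim(),
  };
  const errors = [];
  if (!clean.name || clean.name.length > 100) errors.push("name");
  if (!EMAIL_RE.test(clean.email) || clean.email.length > 254) errors.push("email");
  if (!clean.subject || clean.subject.length > 200) errors.push("subject");
  if (!clean.message || clean.message.length > 5000) errors.push("message");
  return { ok: errors.length === 0, errors, clean };
}

// reCAPTCHA v3 returns a score in [0.0, 1.0]; the post accepts scores above 0.5.
function passesRecaptcha(score) {
  return typeof score === "number" && score > RECAPTCHA_MIN_SCORE;
}
```

Because the Map is per execution environment, a burst that API Gateway spreads across several warm instances can exceed 3 per minute in aggregate; treat the in-memory count as a cheap first filter, not the authoritative limit.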

Results

The contact form handles legitimate submissions while blocking spam, costs $0-$0.10 monthly, and requires zero server maintenance. Lambda's automatic scaling handles traffic spikes, and CloudWatch logs provide debugging without additional configuration.

The combination of serverless architecture, SES's low cost, and layered security provides a production-ready contact form with predictable costs and minimal operational overhead.