Hi @lexnicole , I’ve run into this before.

The key thing is that HubSpot’s spam filter for forms doesn’t only look at IP exclusions, it also evaluates email domains, submission behavior, and sometimes even past form activity.

Excluding your office IP keeps page views out of analytics, but it doesn’t bypass the spam filter for form submissions. That’s why even your team’s own addresses can still get flagged.

There isn’t a direct “allowlist” setting for email addresses inside form tools today. The closest native workaround is to create a hidden field on the form and use a workflow that checks whether the email domain matches your company domain, then automatically unenrolls those submissions from the spam review queue. HubSpot explains how the spam system works here:

(https://knowledge.hubspot.com/forms/manage-form-spam-submissions )

You can also adjust form options so certain values skip CAPTCHA checks, though it still won’t fully override the spam flag if HubSpot decides it looks suspicious.

(https://knowledge.hubspot.com/forms/prevent-spam-form-submissions )

If this happens a lot, quick clarifier: are your internal users filling these forms only for testing, or do you also have legitimate workflows that require them to submit regularly?

That helps decide whether the better path is to filter them out of automation altogether or to try preserving their submissions while suppressing the spam flag. Where native settings stop, we’ve seen teams rely on a sync layer to distinguish “real” internal submissions versus external spam. If consistency between HubSpot and your ops systems is the gap, Stacksync keeps them mirrored in real time so you don’t need to worry about manual release of flagged entries later.

Hope this helps.

Did my answer help? Please mark it as a solution to help others find it too.

	Ruben Burdin HubSpot Advisor Founder @ Stacksync Real-Time Data Sync between any CRM and Database