In order to avoid some spam I suggest also trying the honeypot method if you’re not already doing so. It consists in adding an invisible text input to your form. Most bots will fill that in but not a normal user. So based on that you can check if that input has a value and if so invalidate the submission. Another effective method is to generate a unique token each time the form renders and store that both as a value in the session and in a hidden input in the form. Then upon submission you check if both values are the same. These are the best non-intrusive anti-spam methods.
My personal approach is combining all that with another check that measures the time since the page is requested until the form is submitted. Bots will fill in a form really really fast