The action of the form is to post to the thanks.php page.
The server validation that validates the form is on that page.
Captcha cannot prevent all spam from getting through; captcha will only prevent the form from being submitted by an automated script.
I would add additional validation to your page for validating the data types being submitted. For example, add phone number validation to the phone number field. Add alphanumeric validation to the first and last name fields.
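
A sketch of the server-side checks suggested above, as an added example that is not part of the original post or the site's actual thanks.php. The field names `first_name`, `last_name` and `phone`, the length limits and the helper name `validate_submission` are assumptions.

```php
<?php
// Added example: server-side type validation for the form handler.
// Field names and length limits are assumed; the post does not give them.

function validate_submission(array $post): array
{
    $clean  = [];
    $errors = [];

    foreach (['first_name', 'last_name'] as $field) {
        // Reject missing fields and array-valued input (e.g. first_name[]=x).
        $value = isset($post[$field]) && is_string($post[$field]) ? trim($post[$field]) : '';
        // Alphanumeric only. \A and \z anchor the whole string, so a
        // trailing newline cannot slip past the way it can with $.
        if (preg_match('/\A[A-Za-z0-9]{1,50}\z/', $value)) {
            $clean[$field] = $value;
        } else {
            $errors[$field] = 'Letters and digits only, 1 to 50 characters.';
        }
    }

    $phone = isset($post['phone']) && is_string($post['phone']) ? trim($post['phone']) : '';
    // Allow digits and common separators only, then count the digits.
    $digits = preg_replace('/\D/', '', $phone);
    if (preg_match('/\A\+?[0-9 ().-]{7,20}\z/', $phone)
        && strlen($digits) >= 7 && strlen($digits) <= 15) {
        $clean['phone'] = $digits; // store the normalized form
    } else {
        $errors['phone'] = 'Enter a valid phone number.';
    }

    return [$clean, $errors];
}

// Constructed sample submissions: one ordinary, one typical of form spam.
$samples = [
    ['first_name' => 'Alice', 'last_name' => 'Smith', 'phone' => '+1 (555) 010-0199'],
    ['first_name' => 'Buy now http://spam.example', 'last_name' => '', 'phone' => 'call me'],
];

foreach ($samples as $sample) {
    [$clean, $errors] = validate_submission($sample);
    echo $errors ? 'rejected: ' . implode(', ', array_keys($errors)) : 'accepted', "\n";
}
```

A strictly alphanumeric name pattern also rejects names containing hyphens, apostrophes or accented letters, so widen the character class if those need to be accepted.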