Email Obfuscation: Which Methods are the Best?

Email obfuscation: everything you need to know
Alex Kachalov, 20 September 2023, 09:20
For experts

Public email addresses have long been popular targets for spammers. Many spammers deploy web crawlers to harvest emails from every available web page, gathering a list to send spam messages later. If you need to publish your email address online, it is advisable to keep it from falling into the wrong hands. This can be done with a variety of methods collectively referred to as email obfuscation. These methods, however, differ both in complexity and effectiveness.

We will explain how email obfuscation works and show the best approaches to follow. After reading this article, hiding your email addresses from malicious actors should become easy.

What is email obfuscation?

It is a technique for making your email address unreadable to spam bots, protecting it from spam, phishing, malware attacks, and other online threats. It makes it difficult for web crawlers to scrape your email address with malicious intent.

There’s no single method for obfuscating emails. Instead, there are different approaches to follow, some simple, some more complex. For instance, a very basic approach is writing the email address in a human-readable format, as in salesmanager(at)unione(dot)io instead of salesmanager@unione.io. Crawler bots (at least non-sophisticated ones) easily recognize the latter as an email but fail to recognize the former.

An example of a complex approach for email obfuscation is using JavaScript code to hide the address from bots. Below, we’ll take a closer look at both simple and complex email obfuscation methods.

Best methods of email obfuscation

There are many creative ways to hide your email contact details from malicious bots. Let’s proceed with more details.

Change email format

As mentioned above, you can change the text format of the address on your website. The most common way is to replace the “@” symbol with the word “at” or the “.” sign with “dot”. Any human visitor will recognize it as an email address, while most bots and web crawlers won’t even notice.

This email obfuscation method is the most primitive one. Anyone can easily implement it by editing the text on their website, without any programming. Note, however, that this method also creates obstacles for your website visitors. If they wish to contact you by email, they need to manually edit the address in their email client.

You can use other text-based obfuscation variants. For example, you may offer to “contact me at salesmanager [at] my domain”.

You can also present the email address as an image and upload it on your website. Place the picture in your page’s body or footer, and visitors will easily read the address, while bots usually won’t.

Placing the address on an image instead of plain text is a clever approach. But nowadays smart artificial intelligence-based crawlers can easily read text from an image. Your efforts may lead to nothing if the malicious actor uses such a crawler.

Needless to say, it’s advisable not to use this simple approach as it creates hassles for your users and can be bypassed with newer technologies.

Encode your email address with ROT13 using JavaScript

You can obfuscate your email address with a simple cipher and use JavaScript code to decode it for users when the page is displayed. This way, users can see your email address, while bots can’t (unless they are able to interpret JavaScript code, which is a rare trait).

ROT13 is a simple substitution cipher, one of the many algorithms classified under "Caesar ciphers." It replaces every letter with the 13th letter after it in the Latin alphabet, wrapping around at the end. Because the alphabet has 26 letters, applying ROT13 twice returns the original text, so the same operation both encodes and decodes. There is no key, so ROT13 hides the address only from tools that do not attempt to decode it.

You can encode your email address with the ROT13 algorithm using an online tool. Then use JavaScript code to decode the address right on your web page.

Let’s look at the example below:

salesmanager@unione.io.

We first encode the address with this online tool, and “salesmanager@unione.io” becomes “fnyrfznantre@havbar.vb”.

Then we use the following JavaScript code to show the encoded address on the web page:

<script>
// Decode the ROT13-encoded link in the browser and write it into the page.
document.write("<n uers=\"znvygb:fnyrfznantre@havbar.vb\" ery=\"absbyybj\">Fraq hf n zrffntr</n>".replace(/[a-zA-Z]/g,
  function(c){return String.fromCharCode((c<="Z"?90:122)>=(c=c.charCodeAt(0)+13)?c:c-26);}));
</script>

Note that “<n uers=\"znvygb:fnyrfznantre@havbar.vb\" ery=\"absbyybj\">Fraq hf n zrffntr</n>” in the example above is the ROT13 version of <a href="mailto:salesmanager@unione.io" rel="nofollow">Send us a message</a> (the backslashes only escape the quotes inside the JavaScript string).

The idea is simple. Web crawlers read the page source, but humans see the output of the code. The source contains only the ROT13 text, which JavaScript decodes in the browser, so a crawler that reads the source is fed gibberish.

JavaScript is one of the best ways to handle email obfuscation because it doesn’t interfere with the user flow, unlike changing the text format. Users can still click on your link and will be redirected to their mail client with your email address as the recipient.

But crawlers would extract gibberish and give it to their owner, who would waste their time sending malicious messages to the invalid address.

Extra JavaScript code takes up almost no bandwidth and doesn’t slow down your web page. This is the best method if you’re familiar with programming or willing to hire external developers. You can test your JavaScript code with this tool to ensure it’s working properly before deploying it on your website.
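As an added example (not code from the original article), the encoding step can be done locally instead of with an online tool, and the decoded link can be set through the DOM rather than with document.write. The function names and the data-href / data-label attributes are assumptions made for this sketch.

```javascript
// ROT13 is its own inverse, so one function both encodes and decodes.
function rot13(text) {
  return text.replace(/[a-zA-Z]/g, (ch) => {
    const base = ch <= "Z" ? 65 : 97; // char code of 'A' or 'a'
    return String.fromCharCode(((ch.charCodeAt(0) - base + 13) % 26) + base);
  });
}

// Build the encoded values to paste into the page source.
// Only letters change: '@', '.', ':' and digits pass through untouched,
// so the encoded text still has the shape of an address.
function encodeMailto(address, label) {
  return {
    href: rot13("mailto:" + address),
    label: rot13(label),
  };
}

// Browser-side decoder for markup such as (assumed attribute names):
//   <a data-href="znvygb:..." data-label="Fraq hf n zrffntr" rel="nofollow"></a>
// Values are assigned as an attribute and as text, never parsed as HTML.
function revealLinks(root) {
  let count = 0;
  for (const a of root.querySelectorAll("a[data-href]")) {
    a.setAttribute("href", rot13(a.getAttribute("data-href")));
    a.textContent = rot13(a.getAttribute("data-label") || "");
    a.removeAttribute("data-href");
    count++;
  }
  return count;
}
```

In a page, call revealLinks(document) once the DOM has loaded.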

Use contact forms

Rather than obfuscate an email address, you may opt to remove it entirely from your website and replace it with a contact form. Customers that want to reach you can fill out this form, and you’ll receive their message on your website’s backend. Depending on your website development tool, you can also receive email alerts whenever someone fills out this form.

Contact forms come in many shapes and sizes. A useful one should include the following fields:

  • Name (optional)
  • Email address
  • Message

You can add more fields to your form, such as phone number, topic of complaint, social media username, etc.

Contact forms are a simple and effective way to keep email addresses out of spammers’ reach. The drawback is that some users might not be willing to fill out forms to contact you. Many people prefer email because it’s easier. Forms feel like hard work, especially those with too many fields to fill out.

You can reduce the number of your form fields as much as possible to make it more painless for people to use. Ideally, the form should only request the customer’s email address and message text.

Use Google reCAPTCHA

We’ve talked about using forms in the previous section. However, web crawlers can fill out forms in an attempt to detect the email contact (for instance, if your code sends a confirmation email after receiving a message via your feedback form). You can tackle these attempts by including reCAPTCHA verification on your forms.

This technique was developed by Google, the company best known for its search engine, to distinguish humans and bots on the internet. It accomplishes the goal by asking whoever completes a form to decipher hard-to-read text or match images.

You have likely encountered a reCAPTCHA form at some point and wondered why you needed to pass through that boring process. For instance, it might ask you to select all the images of a bus out of a group of nine images or to type a word contained in a picture. The idea is to ensure that whoever is filling out the form is a human, not a bot.

Web crawlers will easily abuse forms without extra verification, sending hundreds of messages to overwhelm your website, but reCAPTCHA can prevent that. This technique is not perfect, as some sophisticated bots can mimic human behavior to bypass reCAPTCHA forms. Still, it prevents the majority of bot abuse cases.

Adding a reCAPTCHA field isn’t too difficult. You must first register your site at the Google reCAPTCHA admin console. Then, you choose the version of reCAPTCHA you want to use and generate unique API keys for your website.

You will need to add some JavaScript code that will render the reCAPTCHA widget on your website. Some website builders let you create reCAPTCHA forms out of the box, so you won’t have to go through the complex process outlined above.
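The widget alone does not stop a bot that posts to the form handler directly, so the token the widget produces has to be checked on the server before the message is accepted. The following is an added example, not code from the original article: it calls Google's siteverify endpoint, and the function names, the expectedHost option and the injectable transport are assumptions made for this sketch.

```javascript
const SITEVERIFY_URL = "https://www.google.com/recaptcha/api/siteverify";

// Default transport: form-encoded POST using fetch (Node 18+).
async function postForm(url, params) {
  const res = await fetch(url, { method: "POST", body: new URLSearchParams(params) });
  if (!res.ok) throw new Error("siteverify HTTP " + res.status);
  return res.json();
}

// Returns { ok, reason }. The form handler should drop the message, and send
// no confirmation email, unless ok is true.
async function verifyCaptcha(token, { secret, expectedHost, transport = postForm }) {
  if (typeof token !== "string" || token.length === 0) {
    return { ok: false, reason: "missing-token" }; // form posted without the widget
  }
  let reply;
  try {
    reply = await transport(SITEVERIFY_URL, { secret, response: token });
  } catch (err) {
    return { ok: false, reason: "verify-unreachable" }; // fail closed
  }
  if (reply.success !== true) {
    return { ok: false, reason: (reply["error-codes"] || ["rejected"]).join(",") };
  }
  if (expectedHost && reply.hostname !== expectedHost) {
    return { ok: false, reason: "wrong-hostname" }; // token was solved on another site
  }
  return { ok: true, reason: "verified" };
}
```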

Reverse the text direction

Reversing the text direction is another low-key programming trick that you can use to obfuscate your contact details. You can write your email address backwards and use CSS to display it correctly.

Let’s take the same example: salesmanager@unione.io. The backward spelling for it is oi.enoinu@reganamselas.

You can copy the backward spelling to your web page and wrap it in a tag with a class attribute:

<span class="obfuscate">oi.enoinu@reganamselas</span>

To display the address properly, you’ll also add this CSS code to your style sheet:

.obfuscate { unicode-bidi: bidi-override; direction: rtl; }

The above code reverses the display of any text with the obfuscate CSS class. However, this method has its downsides:

  • If this CSS is not fully supported by the reader’s old browser, the email address will display backwards, causing confusion.
  • A mailto: link won’t work with a backward address, so the user must manually type your email address into their mail client.
  • If the user copies the text to paste it elsewhere, it’ll be inserted backwards.

Beyond obfuscation

Finally, there are a couple of tricks that do not provide obfuscation, but may be used to detect spammers and blacklist them.

Honeypots in HTML comments

You can insert invalid email addresses in your HTML source code as a treat for spam bots and crawlers. You’ll insert the address within a comment so it won’t appear in your document and confuse the user. However, bots scraping the source code will detect and extract the hidden addresses. You can set up a dedicated honeypot mailbox and report anyone who decides to send an email to that address, since they are guaranteed to be spammers.

HTML comments use this tag: <!-- … --> . For example, you’ll insert honeypot@unione.io as <!-- honeypot@unione.io -->.

Honeypots in CSS comments

You can similarly insert comments into your website’s CSS. Such comments are enclosed between /* */.

For honeypot@unione.io, the code will be /* honeypot@unione.io */.

Users won’t see the above email, but spam bots will.
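The honeypot addresses in HTML and CSS comments only pay off if mail sent to them is acted on. The following is an added example, not code from the original article: it scans delivery log lines for mail addressed to the honeypot and lists the other messages from the same clients. The log format and the sample lines are constructed for illustration and do not match any particular mail server.

```javascript
// Constructed sample log lines (hypothetical format).
const SAMPLE_LOG = [
  "2024-03-01T10:00:01Z client=203.0.113.7 from=<promo@bulk.example> to=<honeypot@unione.io>",
  "2024-03-01T10:00:05Z client=198.51.100.20 from=<anna@customer.example> to=<salesmanager@unione.io>",
  "2024-03-01T10:02:11Z client=203.0.113.7 from=<deals@bulk.example> to=<salesmanager@unione.io>",
  "2024-03-01T10:03:40Z client=203.0.113.9 from=<x@other.example> to=<Honeypot@UniOne.io>",
  "malformed line without fields",
];

const LINE_RE = /client=(\S+)\s+from=<([^>]*)>\s+to=<([^>]*)>/;

// Returns null for lines that do not match, so one bad line cannot stop the scan.
function parseLine(line) {
  const m = LINE_RE.exec(line);
  // Addresses are lower-cased so "Honeypot@UniOne.io" still matches the trap.
  return m ? { client: m[1], from: m[2].toLowerCase(), to: m[3].toLowerCase() } : null;
}

// A client that mails a honeypot address is flagged; its deliveries to real
// mailboxes are returned so they can be reviewed or rejected.
function flagHoneypotSenders(lines, honeypots) {
  const traps = new Set(honeypots.map((h) => h.toLowerCase()));
  const events = lines.map(parseLine).filter(Boolean);
  const flagged = new Set(events.filter((e) => traps.has(e.to)).map((e) => e.client));
  const suspectMail = events.filter((e) => flagged.has(e.client) && !traps.has(e.to));
  return { flagged: [...flagged].sort(), suspectMail };
}
```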

But does email obfuscation really work?

Yes, it does. Of course, no obfuscation method can guarantee 100% email security, so spam bots could still fetch your address. However, implementing email obfuscation on your website reduces the chances of getting spam emails by a wide margin. Even simple methods like changing the text format will work, but complex methods like using JavaScript or reversing the text direction are more effective.

We have explained the most popular email obfuscation methods you can use. Follow our tips to reduce your chances of getting targeted by spammers, phishers, or other malicious online actors.
