Email Obfuscation

On July 30, 2019
Yevgen Tsvetukhin Product Manager @Mailtrap

Getting useless emails might be close to the top of everyone’s list of the most hated things on the internet (tied with Facebook game requests, probably). No one likes getting spammed, yet there are tons of tiny little creatures known as spambots that live to do exactly that. To avoid unwanted messages, lots of people use various email obfuscators with varying levels of success. But does this approach actually work?

What is email obfuscation about?

The idea behind email obfuscation is simple. You want to make it as hard as possible for website crawlers to capture your email address and use it later on. If you don’t, your inbox is likely to get flooded with ever-so-interesting offers of sophisticated therapies and messages from a long-forgotten uncle that left you a small fortune. 

Obfuscated contacts should be hard to traverse for bots but easy to utilize for real users.

There’s also the concept of email masking – altering an email address to protect our privacy online but also to secure the data of users or create data samples for software testing. We cover all these topics in our article on email masking.

Obfuscating Public Emails to Prevent Spam

Now, let’s explore the most common ways of obfuscating your emails.

Changing email format

By far, the easiest way to hide your email address from crawlers is by removing or replacing some characters. The most common method is to replace the ‘@’ character with [at]. It’s fairly obvious to just about anyone what the correct address is, and bots looking strictly for email addresses will get confused. It can also be implemented within seconds and without any code.

By default, such an email address is not clickable as adding a mailto redirection underneath would share the actual address. But there’s a way to get around this with a bit of JavaScript. We cover it in more detail below.


Many variations of this approach can be seen around the web. The next step would be to add our address as “support at mailtrap dot io”. Sounds clear? Yes. Will it mislead some bots? Likely. But it’s already forcing users to make some extra effort to contact you.

The same goes for all the “contact me at steve and the rest is my domain address” contact details. They’re very clear but will likely lower conversion.

Another approach that can sometimes be seen on rather simple pages is hiding contact details on an image. So, instead of a footer of your page with the details in it, the webmaster uploads a picture of a footer with an email address.

It’s almost impossible for spam bots to penetrate, but it’s also quite a hassle for users, especially those with a visual impairment. So please don’t take this approach.

Using contact forms

Another common way of hiding emails is by… removing them from a site. Such emails are replaced by contact forms of various shapes and sizes. Forms don’t expose an email address to bots, and they also allow you to gather additional data in an easy-to-absorb form (as in the example below).

Are they perfect? No. Many users prefer sending emails over filling out forms, especially if they want to email several companies at once (for example, to compare the offers). Businesses tend to add multiple fields to a form, often with good intentions (e.g., when troubleshooting). But the more required fields, the harder it is to fill the form, and the fewer people will contact you. 

What’s even worse, while bots can’t harvest an email from such sites, they can easily complete a form and submit it within milliseconds. To prevent that, many forms come with verification solutions that check if users are legit before a message is sent.

Using Google reCaptcha

A great approach to validating senders is Google reCaptcha. It has come a long way from forcing users to decipher sometimes ridiculously twisted characters to being a really user-friendly tool these days. Most importantly, reCaptcha really works and is able to distinguish bots from humans with very high accuracy.

You have surely seen reCaptcha v2 a number of times. It’s the bar that usually pops up under the ‘submit’ button and asks you to check a box if you’re not a bot. A quick load and the message is sent.

Later iterations also added the so-called Invisible reCaptcha – a bar stating that a form is “protected by reCaptcha”. When submitting a form, a user doesn’t need to perform any action as the check happens automatically within milliseconds. Only those with low reCaptcha scores (so likely the bots) will be subject to additional verification before they can proceed.

With the latest iteration, reCaptcha v3, the entire process happens in the background. Users don’t even know that any check is performed, and yet, nearly all spambots are easily discarded.

V3 also comes with other features that enable you to hide or fake contact details if a low score is recorded. Among other features, displaying only partial contact details and forcing users to click (and get verified) to get more might also be worth your attention.

We can safely recommend reCaptcha as a great way to secure contact forms.
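
A server-side sketch of acting on the v3 score, added here as an example (not Mailtrap's or Google's code): it takes the JSON reply of Google's siteverify endpoint and decides whether to accept, challenge or reject a contact-form post. The thresholds, the action name contact_form and the hostname example.com are assumptions, and the sample replies are constructed.

```javascript
// Added example: policy check over a reCAPTCHA v3 siteverify reply.
// Field names (success, score, action, hostname, error-codes) follow the
// siteverify JSON reply; every value in POLICY is an assumption.
const POLICY = { action: 'contact_form', hostname: 'example.com', allow: 0.7, review: 0.3 };

function judgeSubmission(verify, policy = POLICY) {
  // A failed verification (missing, expired or reused token) is never accepted.
  if (!verify || verify.success !== true) {
    const codes = (verify && verify['error-codes']) || ['no-response'];
    return { decision: 'reject', reason: codes.join(',') };
  }
  // The token must have been issued for this form on this site.
  if (verify.action !== policy.action) return { decision: 'reject', reason: 'action-mismatch' };
  if (verify.hostname !== policy.hostname) return { decision: 'reject', reason: 'hostname-mismatch' };
  if (typeof verify.score !== 'number') return { decision: 'reject', reason: 'no-score' };
  // High score: deliver. Middle band: ask for additional verification.
  if (verify.score >= policy.allow) return { decision: 'accept', reason: 'score-ok' };
  if (verify.score >= policy.review) return { decision: 'challenge', reason: 'score-borderline' };
  return { decision: 'reject', reason: 'score-low' };
}

// Constructed sample replies.
const replies = {
  human: { success: true, score: 0.9, action: 'contact_form', hostname: 'example.com' },
  unsure: { success: true, score: 0.4, action: 'contact_form', hostname: 'example.com' },
  bot: { success: true, score: 0.1, action: 'contact_form', hostname: 'example.com' },
  wrongForm: { success: true, score: 0.9, action: 'login', hostname: 'example.com' },
  replayed: { success: false, 'error-codes': ['timeout-or-duplicate'] },
};
for (const [name, reply] of Object.entries(replies)) {
  console.log(name, JSON.stringify(judgeSubmission(reply)));
}
```

Checking the action and hostname matters as much as the score: a high-scoring token obtained on another page or another site should not unlock the contact form.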

Obfuscating emails with JavaScript

As promised earlier on, we’ll now demonstrate how to obfuscate an email address with JavaScript. We feel it’s the best way to tackle the problem for a few simple reasons:

  • Users can still click/tap on your email and be redirected directly to their inbox -> increased conversion
  • It’s neat, almost doesn’t take up any space, and doesn’t slow down your pages, like contact forms or images of contact details
  • Bots go crazy and look for a better target elsewhere

Obfuscating emails with JavaScript requires adding a small piece of code to your website. The HTML code for a clickable email address is as follows:

<a href="mailto:name@domain.com">Your Name</a>

Since the address is exposed, it’s extremely easy for bots to find and save it. But with a bit of JavaScript, you can quite easily hide it.

<script>
  // Build the address from parts so it never appears whole in the page source
  var user = 'name';
  var site = 'domain';
  document.write('<a href="mailto:' + user + '@' + site + '">');
  document.write(user + '@' + site + '</a>');
</script>

Of course, ‘name’ and ‘domain’ are to be replaced with the components of your email address. In the case of our address (support@mailtrap.io), ‘support’ would be ‘name’ while ‘mailtrap.io’ would be ‘domain’.

Bots are getting smarter and smarter and some can already decipher even such code. That’s why developers keep looking for new ways to encode such addresses without affecting the user experience. Below you can see our email address encoded with one of the approaches:

<a href="mailto:support@mailtrap.io">Mailtrap Support</a>

It’s really easy to find and use email obfuscators. These often free web tools let you encode your addresses in various ways. Try, for example, email-obfuscator.com or hcidata.info.

There are also various plugins that can automate the process in respective frameworks so that you don’t have to obfuscate each link manually. Here are some examples:

Does email obfuscation work in general?

It kind of does. If you did a simple test on two similar websites and put a plain email address on one and a JS-obfuscated address on the other, you would likely see the latter one perform better.

Likely it wouldn’t be 100% accurate though. As we mentioned earlier, crawlers are getting better and better as they need to find ways to harvest as many addresses as their computing power allows. Many are already coded in such a way that they can decipher all those [at] addresses without any hassle (see how easy it is to decode them here).
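
To check your own pages against this, here is a self-audit added as an example (not code from the article or from Mailtrap). It reports the cheapest static step at which an address in a piece of markup becomes readable: as written, after HTML entity decoding, or after undoing [at]/[dot] wording. Decimal entity encoding is an assumed stand-in for the "encoded" link mentioned earlier, since the article does not name the scheme, and all sample markup is constructed.

```javascript
// Added example. All sample markup is constructed for illustration.

// Encode every character as a decimal HTML entity (assumed encoding scheme).
function entityEncode(text) {
  return Array.from(text, ch => `&#${ch.codePointAt(0)};`).join('');
}

// Reverse numeric entities, as any HTML parser does before rendering.
function entityDecode(html) {
  return html
    .replace(/&#x([0-9a-f]+);/gi, (_, h) => String.fromCodePoint(parseInt(h, 16)))
    .replace(/&#(\d+);/g, (_, d) => String.fromCodePoint(Number(d)));
}

// Undo the "[at]" / "(dot)" / " at " / " dot " text substitutions.
function normalizeWords(text) {
  return text
    .replace(/\s*[\[(]\s*at\s*[\])]\s*|\s+at\s+/gi, '@')
    .replace(/\s*[\[(]\s*dot\s*[\])]\s*|\s+dot\s+/gi, '.');
}

const EMAIL = /[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+/;

// Report the cheapest step at which an address in the markup becomes readable.
function exposureLevel(markup) {
  if (EMAIL.test(markup)) return 'plain';
  const decoded = entityDecode(markup);
  if (EMAIL.test(decoded)) return 'entity-decoded';
  if (EMAIL.test(normalizeWords(decoded))) return 'word-normalized';
  return 'not-found';
}

// Constructed samples modelled on the forms the article discusses.
const samples = {
  plainLink: '<a href="mailto:name@domain.com">Your Name</a>',
  entityLink: `<a href="${entityEncode('mailto:support@mailtrap.io')}">Mailtrap Support</a>`,
  bracketText: 'support [at] mailtrap [dot] io',
  spokenText: 'support at mailtrap dot io',
  scriptBuilt: "user = 'name'; site = 'domain.com'; document.write(user + '@' + site);",
};
for (const [name, markup] of Object.entries(samples)) {
  console.log(name, '->', exposureLevel(markup));
}
```

A result of 'not-found' only means these three static steps fail; the script-built link is still readable to anything that executes the page's JavaScript.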

So if you’re putting some effort into obfuscation, do it with JavaScript or, even better, add a good-looking reCaptcha to your website. In all honesty, though, we wouldn’t recommend focusing on this for too long.

You might spend days testing different solutions, coding them, and analyzing results. And then, it could take a single person to find your email in some long-forgotten spreadsheet and sell it to a harvester to make all your efforts futile.

The crawlers are improving but so are spam filters. Gmail or Thunderbird spam filters these days are able to stop almost every useless message sent your way. In 2015, Google claimed that they are able to stop 99.9% of spam messages and mistakenly classify only 0.05% of incoming mail as spam. And this was four years ago!

While on the topic of spam filters, do you know how they are treating your emails? Useless ones ending up in the spam folder are none of your concern, but the emails you send shouldn’t be getting the same treatment.

The best way to prevent this (besides keeping your fingers crossed) is to check your email content for spam, and you can do exactly that with Mailtrap Email Sandbox.

Within the Email Sandbox testing solution, you have access to the Spam Analysis tab, which offers a spam report as well as a blacklist report. 

The spam report gives an overall score of your email content based on numerous tests of email headers and body text made using the Apache SpamAssassin filter. It also lists each rule that email clients might deem suspicious and assigns it spam test points as well as a description.

The blacklist report, on the other hand, tells you if your IP/domain is listed on any commonly used blacklists. It will give you insight into what blacklists were queried, and, in case you have been listed on one, it will link to it, thus allowing you to review all the rules and instructions you need to follow to get delisted.

So, if you want to avoid triggering any spam filters and having your emails be in the company of true spam, make sure you do some email testing beforehand. Trust us, these spam and blacklist reports could prove to be a true “emailsaver”.
