6 Proven Ways to Mask Email on Your Website and Stop Spam Bots

Exposing email addresses in plain HTML on your website invites spam bots to harvest them for mailing lists, phishing, and scrapers. Learn simple to advanced methods to mask email on your website, protect against bots, and keep addresses clickable for real users. Discover how to build robust protection for your website.

Why Mask Your Email Address on Websites?

Spam bots scan for mailto: links and plain-text emails, fueling harassment. The key risks are:

  • Spam overload: Automated crawlers grab addresses instantly.
  • Harvesting and resale: Scrapers store and sell emails on black markets.
  • Phishing attacks: Stolen addresses enable fake support emails.

The fix? Make emails human-readable and clickable while invisible or useless to bots. MDN on email security backs this as a core web hygiene practice.

Method 1: HTML Entity Encoding to Hide Emails

Convert characters to HTML entities (e.g., m becomes &#109;). Browsers render it normally; source code hides the plain text.

Pros: No JS, works in static HTML.
Cons: Bots easily decode standards-based entities. Use it as a base layer.

Example:

<a href="mailto:&#109;&#97;&#105;&#108;&#64;&#101;&#120;&#97;&#109;&#112;&#108;&#101;&#46;&#99;&#111;&#109;">&#109;&#97;&#105;&#108;&#64;&#101;&#120;&#97;&#109;&#112;&#108;&#101;&#46;&#99;&#111;&#109;</a>

Renders as: mail@example.com (the link target is mailto:mail@example.com).

Method 2: Add HTML Comments for Extra Obfuscation

Insert comments between encoded characters to break bot regex patterns.

Pros: Pairs with entities; server-side friendly (e.g., PHP generation).
Cons: Advanced bots strip comments. This is medium protection only.

Example:

&#109;<!-- -->&#97;&#105;&#108;<!-- x -->&#64;&#101;&#120;&#97;&#109;&#112;&#108;&#101;&#46;&#99;&#111;&#109;

Renders as: mail@example.com.

Skip mailto: entirely. Link to a custom server-side proxy URL such as /email-proxy.php?token=abc123, which maps tokens to emails in a cache/transient.

  • Server validates referrer, user-agent, rate limits.
  • Redirects to mailto: on legit clicks; deletes token.
  • Regenerates tokens on page load per visitor.

Pros: No email/mailto in HTML; blocks bulk harvesting.
Cons: Needs custom PHP/script.

Example:

<a href="/email-proxy.php?token=abc123">Contact Us</a>
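
The token lifecycle described above (issue per page load, rate limit, delete on use), as an added PHP example that is not the author's own email-proxy.php. The function names, the TTL and the rate-limit values are assumptions, and a plain array stands in for the cache/transient.

```php
<?php
// Added example: token store for a mailto proxy (all names are hypothetical).
// $store stands in for the cache/transient the page mentions; it is a plain
// array here so the script runs from the CLI without a web server.

const TOKEN_TTL = 600;        // seconds a token stays valid (assumed value)
const MAX_HITS_PER_MIN = 5;   // per-client redemption limit (assumed value)

function issue_token(array &$store, string $email, int $now): string {
    $token = bin2hex(random_bytes(16));   // 128-bit unguessable token
    $store['tokens'][$token] = ['email' => $email, 'expires' => $now + TOKEN_TTL];
    return $token;
}

function redeem_token(array &$store, string $token, string $client, int $now): ?string {
    // Rate limit first, so token guessing is throttled as well.
    $recent = array_filter($store['hits'][$client] ?? [], fn($t) => $t > $now - 60);
    $recent[] = $now;
    $store['hits'][$client] = $recent;
    if (count($recent) > MAX_HITS_PER_MIN) {
        return null;
    }
    // Reject anything that is not shaped like a token we could have issued.
    if (!preg_match('/\A[0-9a-f]{32}\z/', $token) || !isset($store['tokens'][$token])) {
        return null;
    }
    $entry = $store['tokens'][$token];
    unset($store['tokens'][$token]);      // single use: delete on first lookup
    return $entry['expires'] >= $now ? $entry['email'] : null;
}

// Constructed demo: a first click, a replay of the same token, and a token
// redeemed after its TTL has passed.
$store = ['tokens' => [], 'hits' => []];
$now = 1700000000;
$t = issue_token($store, 'mail@example.com', $now);
var_dump(redeem_token($store, $t, '203.0.113.7', $now + 5));
var_dump(redeem_token($store, $t, '203.0.113.7', $now + 6));
$old = issue_token($store, 'mail@example.com', $now);
var_dump(redeem_token($store, $old, '203.0.113.7', $now + TOKEN_TTL + 1));
// In the proxy script a non-null result would be sent as
//   header('Location: mailto:' . $email, true, 302);
// and a null result as a generic 404, so the response does not say why it failed.
```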

Extra Protection: Block in robots.txt
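Prevent search engines from crawling proxy URLs. Only well-behaved crawlers honor robots.txt, so this complements the server-side checks rather than replacing them. Add this rule: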

User-agent: *
Disallow: /email-proxy.php?*

Use vague anchors like “Email Support” with a protected href (proxy best) instead of displaying the address itself.

Pros: Hides email in visible text; accessibility win.
Cons: Must be paired with the proxy to block mailto: scraping.

Example:

<a href="/email-proxy.php?token=abc123">Email Support</a>

Methods 3 and 4 complement each other perfectly. Method 3 secures the link destination, while Method 4 eliminates email visibility in the display text.

Method 5: JavaScript Decoding (Use Sparingly)

Hide the email in a data-* attribute (e.g., base64-encoded) and decode it via JS on load or click.

Pros: No static exposure.
Cons: Fails in browsers without JS. This is a legacy method: bots can now run JavaScript when they crawl.

Method 6: Combine Methods 1 and 2

Show the address as obfuscated text (HTML entities plus HTML comments) without a link. Users can copy it manually while bots struggle to parse it.

Pros: No clickable target for bots; simple server-side generation.
Cons: Users must copy-paste (no one-click email).

<span class="email-display">
&#109;<!-- n -->a<!-- . -->i<!-- hide -->l<!-- @ -->@<!-- bot -->e<!-- stop -->x<!-- . -->a<!-- proof -->m<!-- block -->p<!-- block2 -->l<!-- xyz -->e<!-- . -->.<!-- end -->c<!-- final -->o<!-- . -->m
</span>

Renders as: mail@example.com

Quick Comparison of Email Masking Methods

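| Method | Email in Source? | mailto in Source? | Bot Resistance | JS Needed? |
|---|---|---|---|---|
| Plain mailto | Yes | Yes | None | No |
| Entity Encoding | Encoded | Yes | Weak | No |
| Entities + Comments | Encoded | Yes | Medium | No |
| Proxy + Vague Anchor | No | No | Strong | No |
| JS Decoding | Encoded | No (pre-JS) | Medium | Yes |
| Proxy + Obfuscated Text | No | No | Strong | No |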

Top pick: Proxy + Vague Anchor + Obfuscation is my strongest recommendation, and it works without JS.

Implement Email Protection Today

Start with entities/comments for quick wins, then upgrade to proxy tokens for sites handling sensitive contacts. In WordPress, custom functions make site-wide protection effortless. Need a full website audit to implement these securely? Check out my services, and don’t hesitate to contact me. I’ll review your setup and stop spam bots for good. Protect your inbox now!