Spam and Email Obfuscation


Email obfuscation isn’t effective at stopping spam, and can prevent real users from contacting you.

Contact forms have uses but are not a replacement for email addresses.

Spam filters are much more effective.

How do spammers get email addresses?

Contrary to common belief, spammers don’t harvest email addresses. They buy lists of millions of email addresses from other people. This means that once an address is harvested, it is re-sold to lots of spammers, and there’s limited long-term value in protecting it any more.

Email addresses end up on these lists in a variety of ways:

  • Some email addresses are guessed (info@, sales@, admin@, accounts@, …). We’d advise avoiding these most common email addresses. Consider using less common addresses such as ‘reception@’, ‘hello@’, ‘welcome@’, etc. instead.
  • Email addresses can be harvested from your website.
  • Contact details can be harvested from other websites where listing contact details is mandatory (e.g. whois records, company records, etc.)
  • However, and most commonly, email addresses are added to spam lists due to:
    • someone you’ve given the address to selling or leaking it to a mass-mailing list
    • a company or service you use being hacked and customer data exposed
    • a friend who has your email address having their account hacked.

    Indeed, for most personal email addresses, these are the only ways they will have been found.

Preventing spammers getting your email address from your website

Obfuscation techniques

Many clients think they would like their email addresses obfuscated to prevent spammers finding them. There are three significant issues with this approach:

  • It only prevents one means by which email addresses are added to spam lists
  • It is of limited effectiveness
  • It may prevent legitimate users from contacting you


All methods of obfuscating email addresses are a trade-off between usability on the many kinds of devices around today (from PCs to phones to screen-readers), methods of using them (clicking, copy/pasting, retyping), and effectiveness in preventing trawling of email addresses.

Ultimately, however, no obfuscation technique can prevent spammers from getting your email address, as whatever mechanism makes it visible for genuine users will work for spammers too. It’s like trying to hide your physical mailbox so that you don’t get pizza flyers through the door; if the postman can find it, so can the pizza flyer guy.

Simpler or more common obfuscation techniques are trivially undone by spammers, and provide no protection. Even a brand-new, currently unbroken technique will be broken next year.

Unfortunately, once one email harvester has done this, your email address will be added to spam lists and re-sold, so whilst you might see some reduction in spam initially, there’s little long-term value in a partially effective obfuscation technique.

However, and more significantly, all obfuscation techniques can cause usability issues, particularly with older browsers, or with assistive technologies (e.g. screen readers). Generally, more effective techniques cause greater usability issues. Many users still browse the web without JavaScript (1.1% of users), or JavaScript may fail for other reasons (slow or partial page load, particularly on mobile connections; script errors; browser plugins; …). It is never a good idea to make it harder for genuine users to contact you. Many of the techniques, when they fail for users, won’t alert the user that there is a problem, meaning that they will think you have received their email.

Spam is a problem for you – obfuscation makes it a problem for your users.

You need to consider seriously how the risk of a genuine client failing to contact you balances against the hassle of deleting a few spam emails.


Some clients ask for a contact form to avoid placing their email address online at all. Contact forms can be very effective and have their uses, but research shows that for many users, a contact form is a barrier to contacting you. They tend to look corporate and unfriendly, and many users have little confidence that anyone will reply to them – particularly a very general ‘contact us’ form.

Whilst contact forms are effective when used correctly, they should be in addition to, not instead of, an email address.

Additionally, contact forms can attract spam too, though to a lesser extent than email addresses.


What risks does spam carry? Generally, spam is just a minor annoyance – select and delete a few spam emails occasionally, just like you recycle the junk mail that comes through the door with the real post. If users are less technical, however, there is a risk of them falling for phishing attempts or opening infected attachments.

If an address has a significant spam problem, it can be more than a minor annoyance, but in this situation, it’s likely that a spam filter will effectively remove the vast majority of spam, and a spam filter and virus scanner will remove almost all infected spam emails.


A better solution is to place your email address in plain text on the web, and have a strategy to deal with the spam that comes – whether it’s from the address being harvested, or from another source.

Indeed, even if your email address is not on your website, you need to take these steps, because that is only one of many ways your address may end up on spam lists.


Spam filters can be set up both at the server level and (if you’re using a desktop mail client) at the client level. Spam filters use many criteria to attempt to identify as much spam as possible without falsely rejecting genuine email. They are usually configurable as to how aggressive they are.
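As an added illustration (not code from any particular filter), the sketch below scores mail against several criteria and shows how the threshold sets the aggressiveness. The rules, weights and sample messages are all constructed for this example.

```python
import re

# Constructed rules (name, weight, test); names and weights are made up.
RULES = [
    ("shouting_subject", 1.5, lambda m: m["subject"].isupper()),
    ("urgency_words", 1.0,
     lambda m: bool(re.search(r"\b(urgent|act now|winner)\b", m["body"], re.I))),
    ("many_links", 1.5, lambda m: len(re.findall(r"https?://", m["body"])) >= 3),
    ("reply_to_other_domain", 2.0,
     lambda m: m.get("reply_to", m["from"]).split("@")[-1] != m["from"].split("@")[-1]),
    ("executable_attachment", 3.0,
     lambda m: any(a.lower().endswith((".exe", ".scr")) for a in m.get("attachments", []))),
]

def score(msg):
    """Sum the weights of every rule the message triggers."""
    return sum(weight for _, weight, test in RULES if test(msg))

# Constructed sample mail: (label, message). Not real traffic.
MAIL = [
    ("spam", {"subject": "YOU ARE A WINNER", "from": "prize@lottery.example",
              "reply_to": "claims@other.example", "attachments": ["form.exe"],
              "body": "Winner! Act now: http://a.example http://b.example http://c.example"}),
    ("spam", {"subject": "Account statement", "from": "billing@vendor.example",
              "reply_to": "pay@elsewhere.example",
              "body": "See http://x.example/1 http://x.example/2 http://x.example/3"}),
    ("genuine", {"subject": "Booking question", "from": "alice@customer.example",
                 "body": "Hi, could I book a table for Friday?"}),
    ("genuine", {"subject": "URGENT ORDER", "from": "bob@customer.example",
                 "body": "This is urgent, please call me back today."}),
]

def evaluate(threshold):
    """Return (spam delivered, genuine mail rejected) at this threshold."""
    missed = sum(1 for label, m in MAIL if label == "spam" and score(m) < threshold)
    rejected = sum(1 for label, m in MAIL if label == "genuine" and score(m) >= threshold)
    return missed, rejected

if __name__ == "__main__":
    for name, threshold in [("lenient", 5.0), ("moderate", 3.0), ("aggressive", 2.0)]:
        print(name, threshold, evaluate(threshold))
```

With this sample, the lenient setting lets the quieter spam through and the aggressive setting rejects a genuine customer who wrote in capitals, which is the trade-off the threshold controls.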


A virus scanner will protect you from any viruses contained in spam, and indeed any accidentally sent to you by friends and colleagues.


In addition, for a primary contact address for a company or organisation, we would recommend using a role-based address (hello@, welcome@, students@, bookings@, etc.). There are a number of benefits to this.

Firstly, these can be redirected to the appropriate person as needed; UK Sales director left? No need to hire someone else called ‘John’ to inherit the address ‘’, just change who ‘’ delivers to.

Secondly, in the unlikely situation that an address does attract too much spam that can’t be filtered, it can be changed, since it’s not a real mailbox, but a forward to the real person filling the role.


We’d highly recommend not implementing any email obfuscation techniques. They are of limited effectiveness, and may stop genuine users from contacting you.

If you really insist, we’ll put something on for you, but we’d really encourage you to look to other ways to deal with spam.