Email obfuscation: What works in 2026?
A comprehensive guide to the best techniques for hiding email addresses from spammers in 2026, balancing security effectiveness with user accessibility.
Email obfuscation: What works in 2026?
- Last updated:
- January 30, 2026
Here are some of the best techniques for keeping email addresses hidden from spammers—along with the statistics on how likely they are to be broken.
1 Plain text
These techniques protect an email address written out in plain text (e.g. “[email protected]”).
Ideally, you should be using multiple techniques in combination, by splitting the email address into segments, where each segment is protected by a different technique.
1.1 No protection
aa@email.spencermortensen.com
1.2 HTML Entities
HTML entities are often decoded automatically by server-side libraries, which means that even the most basic harvesters can get your email addresses without any special effort. This technique should be worthless—and, yet, it still stops most harvesters.
1.3 HTML Comments
ac@email.spencermortensen<!--.example--> .com
This will stop only the most basic harvesters that struggle with HTML tags. It offers minimal protection—and, yet, still manages to stop most harvesters (since most harvesters are basic).
1.4 HTML SVG
<object class="email" width="130" height="24" data="email.svg" type="image/svg+xml"></object>
This hides the email address in an unusual place where most harvesters won’t think to look. However, the email address is stored there in plain text.
This technique is accessible to all users, including those who depend on a screen reader. But you must use an object element for this to work: an img element would give you an image that is non-interactive, and inline SVG would put the email address in the source code where harvesters would find it easily.
1.5 CSS Display none
<div class="email">ad@<span>email.</span>spencermortensen.<span>example.</span>com</div>
Most harvesters are unable to apply style rules, so this is one of the absolute best techniques. Be sure to vary the decoy tags so the harvester won’t know which parts to omit. This is fully accessible to everyone, including those who depend on a screen reader.
1.6 JS Concatenation
Using document.write to join strings. Convenient but the full email address appears in the HTML source code, so it cannot be considered safe.
1.7 JS Rot18
Rotating letters and numbers. Can be undone by basic harvesters that interpret JavaScript.
1.8 JS Conversion
HTML source contains gibberish, and a custom function converts it into a working email address. This is expected to be one of the very best techniques.
1.9 JS AES encryption
Uses AES 256 to encrypt the email address. Requires HTTPS as it uses the browser's built-in SubtleCrypto library.
1.10 JS User interaction
Keeps the email address hidden until the user interacts with the page (e.g., click or hover).
1.11 HTML Symbol substitution
ag AT email DOT spencermortensen DOT com. Easily reversible and breaks usability.
1.12 HTML Instructions
[email protected] (remove the “.fluff”). Inconvenient for users.
1.13 HTML Image
Non-copyable and inaccessible for many users.
1.14 CSS Content
Text can be seen but not copied, which is very frustrating for users.
1.15 CSS Text direction
Reverses the text direction. The email address can be copied, but the text remains reversed, forcing the user to fix it manually.
Source: Hacker News
