Email address obfuscation: What works in 2026?

My notes

Summary

A data-driven 2026 benchmark of 15+ email obfuscation techniques for websites, based on a live honeypot that collects real spam to measure which techniques are actually broken by harvesters. The article covers both plain-text and clickable mailto link protection, with concrete code examples for each method.

Key Insight

• The article doubles as a live honeypot: each technique protects a unique address, and spam received reveals which harvesters have cracked it. Real empirical data, not guesswork.
• Most harvesters are unsophisticated. Even trivially weak techniques like HTML entities and URL encoding stop the majority of bots - because most harvesters never advance beyond parsing raw HTML source.
• Top-tier techniques (expected to remain unbroken):
  • JS custom conversion - source code contains gibberish; only a full JS-capable browser can restore the email. “Frighteningly simple” but extremely effective.
  • JS AES-256 encryption (SubtleCrypto) - uses the browser’s native crypto API; will not run outside a browser even in JS environments. Requires HTTPS.
  • CSS display:none with decoy spans - harvesters can’t apply stylesheets, so they see the garbage; screen readers work fine since display:none hides from visual only when used correctly (must use display: none, not off-screen tricks).
• Techniques that break usability and should be avoided: CSS content property, CSS text direction reversal, image-only display, symbol substitution (e.g. “AT”), and instruction-based obfuscation.
• SVG via <object> tag is accessible and hides the email in an unusual DOM location, but the address is still plain text inside the SVG file.
• Harvesters prioritise high-traffic pages and follow “leads” more than crawling links - low-traffic pages can suddenly need protection if they go viral.
• Layering multiple techniques (e.g. JS conversion + CSS display:none) provides defence-in-depth against more advanced harvesters.