# Email address obfuscation: What works in 2026? > A 2026 benchmark of 15+ email obfuscation techniques, using a live honeypot to measure which methods actually stop spam harvesters, with code examples. Published: 2026-04-02 URL: https://daniliants.com/insights/email-address-obfuscation-what-works-in-2026/ Tags: email-obfuscation, spam-protection, web-security, html, javascript, privacy, anti-spam --- ## Summary A data-driven 2026 benchmark of 15+ email obfuscation techniques for websites, based on a live honeypot that collects real spam to measure which techniques are actually broken by harvesters. The article covers both plain-text and clickable mailto link protection, with concrete code examples for each method. ## Key Insight - The article doubles as a live honeypot: each technique protects a unique address, and spam received reveals which harvesters have cracked it. Real empirical data, not guesswork. - Most harvesters are unsophisticated. Even trivially weak techniques like HTML entities and URL encoding stop the majority of bots - because most harvesters never advance beyond parsing raw HTML source. - Top-tier techniques (expected to remain unbroken): - **JS custom conversion** - source code contains gibberish; only a full JS-capable browser can restore the email. "Frighteningly simple" but extremely effective. - **JS AES-256 encryption** (SubtleCrypto) - uses the browser's native crypto API; will not run outside a browser even in JS environments. Requires HTTPS. - **CSS display:none with decoy spans** - harvesters can't apply stylesheets, so they see the garbage; screen readers work fine since display:none hides from visual only when used correctly (must use `display: none`, not off-screen tricks). - Techniques that break usability and should be avoided: CSS content property, CSS text direction reversal, image-only display, symbol substitution (e.g. "AT"), and instruction-based obfuscation. - SVG via `` tag is accessible and hides the email in an unusual DOM location, but the address is still plain text inside the SVG file. - Harvesters prioritise high-traffic pages and follow "leads" more than crawling links - low-traffic pages can suddenly need protection if they go viral. - Layering multiple techniques (e.g. JS conversion + CSS display:none) provides defence-in-depth against more advanced harvesters.