Email Obfuscator — hide from scrapers, click for humans.
Encode your email so naive scrapers can't read it but humans can still click. Pick HTML entity encoding (no JS needed), reversed-string, or split-concat. Outputs are pure HTML — paste into any page.
How email obfuscation actually works
Spam scrapers crawl public web pages looking for email addresses. The cheap ones use a regex like [a-z0-9._%+-]+@[a-z0-9.-]+\.[a-z]{2,} on raw HTML. Obfuscation defeats that by making the address not look like an email in the HTML source, while still rendering as one in the browser.
The three methods this tool produces trade off accessibility against scraper resistance:
- HTML entity —
hello. Browsers render it as "hello"; naive regex scrapers see entities and skip. No JavaScript required. Works with every screen reader. - Reversed string + JS — the email is stored backwards in a
data-revattribute and reassembled on page load. Stronger against slightly smarter scrapers, but fails without JavaScript. - Split-concat + JS — user and domain stored as two separate JS variables and joined with
+. The full address never appears in the HTML source. Strongest of the three for resisting regex scrapers, but JS-dependent.
The limit on all three methods: scrapers that run a real headless browser see the rendered DOM, not the source. Those scrapers are more expensive to operate, so they're a small fraction of all spam scraping — but they exist. The only method that fully resists them is not putting the email on the page at all. That's what a contact form does.
splitforms is the simplest contact-form backend. Drop the form into your HTML, point action at our endpoint, and submissions land in your inbox plus a dashboard — your email address never appears in the page. Free for 1,000 submissions/month.
When to use which method
- HTML entity — your default. Works without JavaScript, accessible by default, blocks naive scrapers. Use this on any page where you want a quick win.
- Reversed + JS — when you've already exposed the address publicly and want a stronger second-layer defense. Combine with HTML entity for layered protection.
- Split-concat + JS — high-traffic public pages (footers, contact pages) where you accept the JS dependency for the strongest obfuscation.
- Contact form — the right answer for any business contact page. Your email never appears in the HTML at all. Free splitforms drop-in.
Email obfuscator FAQ
Why obfuscate an email address on a public website?
Spam bots scrape billions of pages a day looking for plain-text email addresses to add to their lists. Once your address is on those lists, the volume of spam you receive grows by orders of magnitude — and removing yourself is functionally impossible. Obfuscation makes the address invisible to naive scrapers (the kind that look for `user@domain.tld` regex matches in HTML) while still letting human visitors click it. It's a 5-minute mitigation that reduces inbound spam to your address by 80-95% in practice.
Which obfuscation method is most secure?
HTML entity encoding (`he...`) is the most accessible — it works without JavaScript, screen readers handle it correctly, and most simple scrapers don't decode entities. The JavaScript-based methods (reversed string, split-concat) are stronger against more sophisticated scrapers, but they fail for users with JavaScript disabled and for any scraper that runs a real browser. For most contact pages, HTML entity encoding is the right default; combine it with one of the JS methods for high-traffic public-facing pages.
Will obfuscation completely stop email spam?
No. Modern scrapers run headless Chrome, render the page, and read the live DOM — which defeats all client-side obfuscation. They're more expensive to operate, so they're rarer than naive scrapers, but they exist. Obfuscation cuts the long tail of cheap automated spam (the bulk of it) but won't stop a determined attacker. If you genuinely don't want your email scraped at all, don't put it on the page — use a contact form that POSTs to a backend instead.
How is obfuscation different from a contact form?
Obfuscation keeps your email address on the page in some scrambled form; the visitor still ends up emailing you from their own client. A contact form removes your email from the page entirely — visitors fill in a form, the form POSTs to a backend, the backend emails you. Forms are strictly safer (your address never appears anywhere on the public page), more accessible (works without an email client configured), and give you a record of every submission. splitforms is the easiest backend — free for 1,000 submissions/month.
Does obfuscation hurt accessibility?
HTML entity encoding doesn't — browsers decode entities into normal text before passing to screen readers, so the address is read normally. JavaScript-based methods can break for users with JS disabled or for some assistive tech configurations. If you must use a JS method, include a noscript fallback (a contact form link or your office mailing address).
Can I obfuscate emails inside a CMS like WordPress or Webflow?
Yes. Paste the obfuscated HTML snippet into a custom-HTML block (WordPress: Custom HTML block; Webflow: Embed; Squarespace: Code block). The output is plain HTML, so it works anywhere arbitrary HTML is allowed. For WordPress specifically, several anti-spam plugins do this automatically — but the encoding logic is identical to what this tool produces.
How long until the obfuscation effect wears off?
It doesn't 'wear off' — your address stays unreadable to naive scrapers indefinitely. The risk is that more sophisticated scrapers eventually become cheap enough to outweigh the obfuscation, and the equilibrium shifts. In practice, that hasn't happened — the cost gap between regex-based scrapers and headless-browser scrapers is still wide enough that obfuscation remains effective for the majority of automated spam. The long-term answer is to never expose your address at all, which is why splitforms exists.
Or just don't put the email on the page at all.
Use a contact form that POSTs to splitforms. Your email address never appears in the HTML; visitors still send you messages; spam handling is automatic. Free for 1,000 submissions/month.
Get a free splitforms key →