Email obfuscation: What works in 2026?
Key Finding: JS AES encryption, HTML SVG, CSS display:none, and JS user interaction all block 100% of email harvesters.
Best Techniques for Plain Text Emails
| Technique | Block Rate | Notes |
|---|---|---|
| HTML SVG | 100% | Email is placed in an SVG object; harvesters don't look there |
| CSS Display none | 100% | Email is split up with decoy spans; harvesters can't apply styles |
| JS AES encryption | 100% | AES-256 encrypted; only a browser can decrypt it |
| JS User interaction | 100% | Revealed on click/hover; raises the bar for harvesters |
| JS Conversion | 100% | Gibberish in the HTML; a custom function restores the email |
| HTML Entities | 95% | Simple but stops most basic harvesters |
| HTML Comments | 98% | Break up email with HTML comments |
Best Techniques for Clickable Links
| Technique | Block Rate | Notes |
|---|---|---|
| HTML Entities | 100% | Encode mailto: link characters |
| HTTP redirect | 100% | Use server-side redirect |
| HTML SVG | 100% | Link inside SVG object |
| JS Concatenation | 100% | Build URL from pieces in JS |
Key Insights
Use multiple techniques: Split the email into segments and protect each with a different technique. If one fails, the others still work.
CSS display:none is excellent: Most harvesters can't apply style rules, so they can't find an email hidden with CSS. Use varying decoy tags so harvesters don't know which parts to remove.
JS conversion is elegant: The HTML contains gibberish, and a custom function converts the gibberish back to the real email. Only browsers with DOM and JS can restore it.
Breaks usability: Techniques like "symbol substitution" (AT/DOT) and "instructions" (remove .fluff) inconvenience users and may prevent them from contacting you.
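The CSS display:none insight above, as an added example that is not code from the original page: it splits an address into chunks, interleaves hidden decoys in varying tags, and compares what a rendering browser shows with what a tool that ignores stylesheets reads. The function names, the class name `x7`, the decoy strings and the sample address are all assumptions made for illustration.

```javascript
// Added example: hide decoy fragments with a CSS class instead of inline styles.
// Every name here (obfuscate, HIDDEN_CLASS, DECOYS) is hypothetical.
const HIDDEN_CLASS = "x7"; // pair with the stylesheet rule: .x7 { display: none }
const DECOY_TAGS = ["span", "b", "i", "em"]; // vary tags so decoys share no fixed shape
const DECOYS = ["nospam", ".invalid", "-x", "@example.net"]; // constructed filler

function escapeHtml(s) {
  return s.replace(/[&<>"']/g, (c) => `&#${c.charCodeAt(0)};`);
}

function decodeEntities(s) {
  return s.replace(/&#(\d+);/g, (_, d) => String.fromCharCode(Number(d)));
}

// Split the address into chunks and place one hidden decoy after each chunk.
function obfuscate(email, chunkSize = 3) {
  let html = "";
  for (let i = 0, n = 0; i < email.length; i += chunkSize, n++) {
    const tag = DECOY_TAGS[n % DECOY_TAGS.length];
    const decoy = DECOYS[n % DECOYS.length];
    html += `<span>${escapeHtml(email.slice(i, i + chunkSize))}</span>`;
    html += `<${tag} class="${HIDDEN_CLASS}">${escapeHtml(decoy)}</${tag}>`;
  }
  return html;
}

// What a reader sees: elements carrying the hidden class are not rendered.
function renderedText(html) {
  const hidden = new RegExp(`<(\\w+) class="${HIDDEN_CLASS}">[^<]*</\\1>`, "g");
  return decodeEntities(html.replace(hidden, "").replace(/<[^>]+>/g, ""));
}

// What a tool that ignores stylesheets reads: every text node, decoys included.
function unstyledText(html) {
  return decodeEntities(html.replace(/<[^>]+>/g, ""));
}

const sample = "alice@example.com"; // constructed address
const markup = obfuscate(sample);
console.log(markup);
console.log("rendered:", renderedText(markup));
console.log("unstyled:", unstyledText(markup));
```

Running the same comparison on your own generated markup is a quick regression check: the rendered text must equal the address, and neither the raw markup nor the unstyled text should contain it.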
Methodology
Tested against 318 real spam harvesters to determine effectiveness. Results published January 2026.