Tips for hiding your email address from Spam/Bots

I’ve been doing work on a website for one of my clients, and I noticed they followed a trend with their email address that I’ve seen a lot. They were getting lots of spam at their contact email address, i.e., so they replaced it with as a last ditch method to stop the avalanche of spam.

While this works, it doesn’t get to the root of the problem: if your email address is on the internet, spammers will get it. But with that being said, there are a few tactics you can use to slow down your intake of spam. Most of them are very simple, and take only a few seconds of your time.

  1. Choose non-generic email addresses
    I’ve run far too many domains and email addresses to not notice that if you have a, spammers will try to send email to it — even if you don’t have it set up. So don’t set it up! Use more creative addresses such as, or
  2. Don’t have a “catch-all” email address
    You may also have a “catch-all” email address in place, so emails sent to any address will show up in your inbox anyways. Turn that off too. Spammers will more than happily send email to generic/random addresses, in hopes of scoring a hit. Don’t let that happen.For those of you using a domain control panel named cPanel, there is an option inside of it for Email named “Default Email Address” what most people will do is send any email that isn’t connected to a proper address to either :fail: which will email the user back announcing that this address doesn’t exist, or my favorite :blackhole: which removes the email from the server entirely, never getting to you. Note that you will still be able to receive spam on your published email address but this deletes the emails going to addresses that you do not have on your server. IE: If you own the address of but you do not own the address of, the spam going to will be instantly removed, while the spam going to the owned will be in your inbox.
  3. Don’t use your email for the domain registration
    If you register a domain name and use your email address for the registrant, administrative and/or technical contact email, you’re just asking to get spam. Yes, some sites like will censor your email address from a WHOIS request. When registering your domain through NameCheap, you’re given a free whois guard. Yet still others, like, won’t. Also, you can usually pay for a “unlisted” domain registration, what will keep your contact info private.
  4. Use online forms for email communication
    If you have the technical ability, allow your website visitors to contact you via email using an online form. That way, the form sends the email to you and the visitor has no idea what address it’s sending it to. But be careful, online mail forms are tricky and can be subject to code injection. This can lead to your sever actually sending out spam.
  5. Encrypt your email address
    If you must have your email address live on the web, don’t just use a simple mailto: link — you can encode it using JavaScript. That way a web browser can display it correctly, but a spammer trying to scrape your site won’t be able to read it. Note: the spammer still may be able to extract your email address from the HTML code, but using this method makes it a lot harder.To do this, I’d recommend any one of the free online tools. My personal favorite is Mailto Encoder. Just use their system, fill in some variables, and you’re done. For instance, rather than have the usual mailto link,, you insert some custom JavaScript that builds your address dynamically for you.

If anyone else has some additional suggestions, feel free to share.


A thirty-something code ninja + web diva. Former New Yorker who's passionate about web development, HTML/CSS, beautifying things and marketing.

More from this author