Adding an Obfuscated Email Address to Contact Page, Or Just Have A Form?

Hi There

I appreciate that somebody may have asked this question already, but an advanced search didn’t turn up any answers.

I did read and have now worked through the suggested script.

However, I’m still left with a fundamental question. For a user, is it best to offer a mailto link as well as a contact form? Are they more likely to contact if they have both options? If so, is it worth the security risk? I appreciate that using an Obfuscated allows a human spammer to ascertain the email address.

Thank you greatly for any assistance


What you want (usually!) is for your customers to be able to contact you as easily as possible. The two main ways of doing this are (i) by clicking on a mailto: link and (ii) by submitting a contact form. Anything else they need to do makes it less likely that they will succeed or even bother. Don’t make it difficult for them.

There are good reasons for using mailto links and there are good reasons for using contact forms.

With a mailto link, the message comes from the customer’s email application/service, which guarantees that the email address given is correct (a small but significant proportion of the contact form submissions I receive have incorrect email addresses, and there are potentially others that I don’t find out about – some of these are recoverable but not all). It also means that people can save the message and come back to it, it may allow them to use HTML formatting, they can keep a copy in their sent items folder, and so on.

On the other hand, the downside of a mailto link can also be the fact that it goes through the email application/service, because if you are using someone else’s computer or a public terminal, you won’t have your email account set up, which may make it difficult … or even if you are using a work computer but want contact through your personal email address – a contact form gets round that problem, and means that customers can specify whatever email address they want contact from you on. Contact forms can also be easier to protect against spam and harvesting.

One method of protecting email addresses that I have found to be largely successful is to simply replace the @ with &#64; in the HTML (both in the mailto link and, if applicable, in the displayed text). It has exactly the same outcome, but doesn’t seem to be picked up by spam harvesters except in a small minority of cases. If you don’t mind the potential risk of losing some legitimate contacts, you can also use a dedicated email address for website contacts and put a required keyword in the subject line, like this:

<a href="?subject=Website contact">Email me</a>

You can then filter emails sent to that address and any that don’t have the required words in the subject line can be junked. Of course, if you’re doing that, it’s a good idea to make sure you tell people not to change the subject line!

Anything else where customers have to assemble the email address themselves, copy and paste it from plain text, remove certain letters or symbols from it, or whatever other manual method you choose – or any automatic method that relies on Javascript – is likely to see large numbers of people either try and fail, or just not bother even trying. The best thing you can do is to try to get a decent anti-spam filter on your email, and then you have far less to fear.
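The two measures from the post above (entity-encoding the @ and filtering on a required subject keyword), as an added example that is not part of the original post. The address is a constructed placeholder, all function names are hypothetical, and the `everything` option goes one step further than the post by encoding every character of the link.

```javascript
// Added example. The address is a constructed placeholder; the subject
// keyword is the one used in the post above.
const CONTACT = "contact@example.com";
const REQUIRED_SUBJECT = "Website contact";

// Replace "@" with its decimal entity, or, with everything = true,
// every character of the string (a stronger variant of the same idea).
function toEntities(text, everything = false) {
  const pattern = everything ? /[\s\S]/gu : /@/g;
  return text.replace(pattern, ch => `&#${ch.codePointAt(0)};`);
}

// Build the link. The "@" never appears in the page source, yet the
// browser decodes the entity and the visitor gets a normal mailto: link.
function mailtoLink(address, subject, label, everything = false) {
  const href = `mailto:${address}?subject=${encodeURIComponent(subject)}`;
  return `<a href="${toEntities(href, everything)}">${toEntities(label)}</a>`;
}

// What the HTML parser does with decimal entities; used here to check
// that the encoded link still resolves to the real address.
function decodeEntities(html) {
  return html.replace(/&#(\d+);/g, (_, n) => String.fromCodePoint(Number(n)));
}

// Mail-side rule for the dedicated address: junk any message whose
// subject lacks the keyword (case and extra spaces are ignored).
function shouldJunk(subject) {
  const norm = String(subject ?? "").toLowerCase().replace(/\s+/g, " ");
  return !norm.includes(REQUIRED_SUBJECT.toLowerCase());
}

console.log(mailtoLink(CONTACT, REQUIRED_SUBJECT, "Email me"));
```

Because decoding is a one-line operation, this only stops harvesters that pattern-match the raw page source, so the mail-side filter remains the backstop.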

Thank you very much for that comprehensive response, that has been extremely helpful, and I’ll keep the post for reference.

Based upon your words, my contact page seems to fit your criteria?

Thanks again, everything you said made perfect sense and helped me pull everything together.


Your approach is exactly how I would do it, that is, give them a contact form, but let them click on an obfuscated mailto: link as an alternative.

Just one point to add to Stevie’s good advice: Another reason for not relying exclusively on the mailto: link is that the person might prefer to use a web-based mail address, such as Hotmail or Gmail, which doesn’t work with mailto: links (I know it’s possible to work around that, but the average person won’t know how).

One final suggestion: In the contact form, I would add a note near the email address field to say something like “We will only use your email address for dealing with your enquiry. We won’t use it to send unsolicited emails, nor will we pass it on …” (you know the rest).


My preferred way is to use JS to mask it and give a plain text fallback that does not need to be reconstructed by the user at any point. All three in that tut are actually really good. The php one is easy all around too.

I like obfuscating more than just the @ symbol-- I’ll obfu the words “email” and everything but the too.

Then at the very least a honeypot on the contact form to keep out the majority of the dumbest spambots, to save sanity.

One thing I’d say is that, if the user has JS off, they see this:


Please click the link above should you prefer to email rather than use our contact form.

It would be better, if using this method, just to hide all that if JS is off, rather than display something that doesn’t work. Let the user just use the form without getting confused.

In the link shown above I showed an easy way to do it with JS off


One way I’ve done it is when users have JS enabled I have a hashed email address string that on click calls the de-hashing function and substitutes the mail-to hash with the unhashed email address. I then also have the choice of a contact form. If the user has JS off then the mail-to link is not shown; just the contact form is displayed. I also use a honey-pot.
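The click-to-reveal link and the honeypot mentioned in the replies above, as an added example that is not code from any poster in this thread. The thread does not say which encoding is used, so the reversed-then-Base64 scheme, the `mail-link` id, the `data-addr` attribute and the `website` honeypot field name are all assumptions.

```javascript
// Added example; ids, field names and the encoding are assumptions.
// Assumed markup, shipped hidden so that with JS off only the form shows:
//   <a id="mail-link" href="#contact-form" data-addr="TOKEN" hidden>Email us</a>

// Reversible encoding (not a real hash): reverse the string, then Base64.
function encodeAddress(address) {
  return btoa(Array.from(address).reverse().join(""));
}

function decodeAddress(token) {
  return Array.from(atob(token)).reverse().join("");
}

// Progressive enhancement: unhide the link only when JS runs, and put
// the real address into the DOM only when the visitor actually clicks.
function enableMailLink(doc) {
  const el = doc.getElementById("mail-link");
  if (!el) return false;
  el.hidden = false;
  el.addEventListener("click", () => {
    el.href = "mailto:" + decodeAddress(el.dataset.addr);
  }, { once: true });
  return true;
}

// Honeypot check for the form handler. The form carries an extra text
// field hidden with CSS: people leave it empty, naive bots fill it in.
// A browser always submits the empty field, so a request without the
// field at all did not come from the rendered form either.
function isBotSubmission(fields, honeypotName = "website") {
  const trap = fields[honeypotName];
  return typeof trap !== "string" || trap.trim() !== "";
}

// Wire up the link when running in a browser.
if (typeof document !== "undefined") enableMailLink(document);
```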