Should I put my email address on my website or not?

by Michael Bluejay • Updated May 17, 2021

The problem with putting your email address on your website is that spambots will steal it and start sending you spam. The problem with not putting your email address on your website is that it's harder for your readers to contact you. How you decide to handle this depends on how averse to spam you are, and how important it is for you to not miss any messages from your customers/readers.

What's the problem with putting my email address on my website?

Spammers use automated programs called spambots that scour the web, looking for email addresses to add to spam lists. If you put your email address on your website in plain text, spambots will discover it, and then you'll get spam.

You might think you can rely on your spam filter. The problem there is that spam filters aren't perfect. Some spam will slip through, and worse, some legitimate mail will get tagged as spam and go to your spam folder, where you'll probably never see it. If your website is a blog, that might not concern you. But if your site is for business, you probably don't want to miss even one message from a customer (or potential customer).

You might think that you can just delete the few spam messages you'll get every day. The problem here is that it'll be unlikely to be just a few messages a day. You could be looking at hundreds. It'll take a lot of time to delete all that spam, every single day. The best-case scenario is that your business is large enough that some employee can delete the spam as part of her/his normal duties.

On Feb. 22, 2021, I put an address on this page (spamtest@websitehelpers.com), to see how long it would take for spambots to find it and send me spam. Result: About 30 hours. Chew on that.

Preventing address theft, in general

None of the methods on this page will help you if your address has already been discovered by spammers. Once an address has been compromised, the damage has already been done: the address generally sold/shared among spammers, and there's no way to have your address un-stolen. If that's happened to you, the only way to stop the spam is to start over with a new email address. If you do that it's probably safe to use an autoresponder to notify people who write to your old address of your new address. I doubt that spammers are spending time writing code to extract a few piddling new addresses from autoresponder replies.

Speaking of new email addresses, if you do put an email address on your site using one of the obfuscation methods below, then create a new address for that purpose, not your main address, or any other address that's important to keep spam-free, because it's possible that spammers (or enemies) can steal your address even if it's obfuscated.

When you choose an address, don't pick a generic one, because spammers guess common addresses and spam those. For example, spammers are known to send to mail@, email@, contact@, info@, help@, admin@, webmaster@, sales@, service@, and support@. This is not an exhaustive list.

By the way, don't expose others' email addresses by mailing multiple people in the TO: field. When you put addresses in the TO: or CC: field, then everyone who gets the message can see everyone else's address. If your recipients are external to your company and don't already know each others' email addresses, then put the addresses in the BCC field, where they'll be hidden from the recipients.

Realize that spammers can steal email addresses from the computer of anyone you send email to. Bob writes to your obfuscated address (or contact form), you reply to Bob from a certain address, and then the malware that infected Bob's computer steals your email address (and everyone else who Bob corresponded with) and sends it back to the spammer. There's very little you can do about this, short of having a system where all messages (in both directions) have to be sent on your website, so your email address isn't exposed when you reply.

Option #1: Contact form

Most blog software and website builders let you put a form on your site for readers to contact you. Your email address is hidden from public view, and your web software forwards the contact form messages to whatever address you supply, behind the scenes. This stops most spam, but it comes with some downsides.

First, it won't stop all spam, because bots will actually spam the form. Those messages then get dutifully forwarded to you by your web software. However, you likely won't get nearly as much spam this way as by putting your email address on your website.

Yes, you could add a "CAPTCHA", the little puzzle that readers have to solve before they can send the message. That stops most form spam, because most bots can't solve the puzzle. But it's an annoyance for your readers, and it could discourage them from writing in the first place. That's a problem if the people writing are potential customers and you need their business.

Another problem is that lots of the mail forms are buggy. I can't count how many mail forms I've tried to submit, which barked at me because they didn't like something about my input. In many cases there was no clue as to what about my input they didn't like, so I was unable to send the message. Other forms just give some inexplicable error when trying to send. Still others say that they've sent the message, but then the website owner never actually gets the message (as they've reported to me).

Finally, contact forms come with their own security concerns. Older ones require you to put the destination email address in a hidden field, which defeats the purpose because page code is visible to spambots. Also, poorly-programmed contact forms can be hijacked by bots to send spam to lots of recipients (not just to you).

Option 2: Options that require the user to type your email address

The downside of all the methods below is that your users will have to manually type your email address into their mail software in order to mail you. You can't use a mailto: link even if the address isn't visible on the page (e.g., <a href=mailto:mail@example.com>Email Us</a>), because spambots can steal email addresses even from the code of a web page, not just the visible text of the page.

Post a picture of your email address

It's unlikely that spambots can read addresses that are pictures. For example, this is a picture: . You can tell it's a picture because you can't select the text. (Try it.) This is the safest way to put your email address on your website.

Disguise the email address

Popular methods include:

email-at-example.com
email /at/ example.com
email(at)example.com

I wouldn't be surprised if some spambots can figure out those kinds of addresses, though.

Option 3: Javascript

Most spambots can't read Javascript, but some can. Using any of the Javascript methods below will mean that fewer spambots will steal your address (versus putting your address on your site unprotected), but they're not 100% secure. This is the method I've used on most of my sites since circa 2004, and haven't updated to other methods because the amount of spam I get to my Javascripted addresses is trivial.

On 2/22/21 I put five addresses on this page with Javascript to see if spambots pick them up. (As of 5/17/21, I'm not getting spam to any of these yet, but I got spam to the naked address I listed near the top of the page within 30 hours of posting it.)

JavaScript methods (obsolete?)

Method

Sample

How to Implement

Basic JavaScript
I first noticed a bot that could defeat this method in March 2006, but as of 2021 I think that bots that smart are probably pretty rare.

Write us at

Click to .

Write us at <SCRIPT>a='js1'; b='WebsiteHelpers.com'
document.write('<A hre'+'f="mai'+'lto:'+a+'@'+b+'">');
document.write(a+'@'+b+'</a>');
</SCRIPT>

Click to <SCRIPT>
a='js1'; b='WebsiteHelpers.com';
document.write('<'+'A hre'+'f="mai'+'lto:'+a+'@'+b+'">email us</a>');

You can add a <noscript> tag if you like so those super-rare users who have turned off Javascript can still see the address, e.g. <noscript>mail-at-example.com</noscript>)

Field

<button onclick="jsem.value='js2'+'@'+'WebsiteHelpers.com'">Click to show address</button>
<P><INPUT id=jsem SIZE=25>

Javascript alert

Click to send us email

<A HREF="#" onclick="d='WebsiteHelpers.com'; u='js3'; prompt('Copy address to clipboard',u+'@'+d); return false">Click to send us email</A>

Other obsolete methods

Encoding part or all of the email address (e.g. @ instead of the @ sign) no longer works against modern spambots.

Other spam issues

Use plus-addressing

Gmail supports plus-addresses. That lets you create a new email address on the fly by using a + sign. For example, let's say your address is lisa@example.com. You can use lisa+[anything]@example.com and it will work automatically, without your setting up anything special. All mail will be delivered to lisa@example.com.
So how do you use this? When you buy something on eBay, you use lisa+ebay@example.com. When you apply for a Home Depot credit card, you use lisa+homedepot@example.com. If you start getting spam to a particular plus address, you can turn off just that one address in your control panel, and you'll continue to get all other mail. Sweet!

Dreamhost also offers plus-addressing, but they amazingly don't allow you to turn off an individual plus address when it starts getting spam. (I learned the hard way.) So you can't use this trick with Dreamhost.

Don't store customers' email addresses in the webspace!

Hackers can often read files from the webspace, even if you don't link directly to those files. Don't make the assumption that a file can't be seen just because it isn't linked and the directory it's in has an index.html file. Somehow, one of my secret unlinked files that was in a directory with index.html got exposed; I still don't know how.

Customers' personal data should be stored an a database, that's password-protected. If you must store personal data in the webspace and not in a database, then store it above the webspace, so the file(s) can't be loaded in a browser. That is, put it one level above the "public_html" or "www" or "domain.com" or whatever folder contains your website.

If it's really necessary to put customer data in the webspace for some reason, put it in a password-protected directory.

Address to link to this section: https://WebsiteHelpers.com/spam/#whybad

"What's wrong with spam? You can just delete it."

Every time I hear someone say that I want to slap them.

Here's why:

It's very common for legitimate senders, ISPs, or messages to incorrectly get tagged as spam, and the messages don't get through. Nobody knows how many important messages have never been received. It's obviously a huge problem when you never know whether messages you send were received or not, not to mention that you never know about all the important incoming messages you miss yourself.
It's not so easy to just hit Delete when you get hundreds of spam messages a day. Many people are in this situation. Sure, they can abandon their email addresses and start over, but that's not as simple as just hitting Delete, is it? (It may be preferable to hitting Delete hundreds of times a day, but my point is that for many people, spam can't be easily dealt with by "just hitting Delete".) Spam-clogged mailboxes ruin people's ability to use email.
People routinely have to abandon their addresses and start over with new ones because of all the spam they get. Think of all the time wasted throughout the world by people sending out "Here's my new address messages" and then all the recipients updating their own contact lists. Spam is responsible for untold hours of wasted people-time this way.

Someday you'll try to email a long-lost friend or business contact only to discover that their email address no longer works because they had to abandon their old address because of excessive spam, and somehow they missed notifying you about their new address, and you have no other contact information for them. This is real harm: Because of spam people wind up losing contact with each other. It cuts both ways, too: Someday people may try to contact you only to discover that your own old email address no longer works. Too bad for both of you.

The inability to connect with old friends profoundly decreases one's quality of life. And spam is to blame. And this problem can't be solved by "just hitting delete".
When deleting so much spam, you're much more likely to accidentally delete legitimate messages. Do you open each and every message to verify that it's spam before deleting it? If so, then you're really letting spam waste a lot of your time. If not, then you're invariably deleting legitimate messages accidentally on occasion. Congratulations, you're screwed either way.
Users are sometimes in positions where they're paying for their Internet data (hotels, remote locations in which there's no local access number so they have to dial long distance, ships at sea). These people are forced to pay extra to download the spam they have no choice but to receive. (And the more they try to filter it, the more likely they are to miss legitimate, important messages.)
If you're not receiving hundreds of spams a day, it's because mail providers devote considerable resources to blocking and filtering spam so you never see it. It's such a waste when you consider that mail providers could be doing something more productive with their time than spending thousands of collective people-hours fighting spam. The staff resources they have to devote to this increases the cost of web hosting. Personally, I've spent hundreds of hours combatting spam.
Mail providers have to buy bigger hard drives to process all the junk mail, and to store the junk mail that they couldn't positively identify as spam. (About 75% of all messages sent are spam.) This increases the cost of webhosting.
Mail providers are sometimes forced to kill legitimate messages to clear out a mail queue when spam is flooding its servers. Here's one example.
In my previous line of work it was essential that I reply to inquiries as quickly as possible. Whenever I heard the incoming email chime I had to stop what I'm doing and switch over to my mail client to check the new message. Imagine doing this dozens or hundreds of times a day, just to discover that the incoming message is spam. This is a serious impediment to productivity.
Web hosts are forced to disable useful features because spammers abuse them. For example, Dreamhost discontinued Catch-All email addressing, because it was too hard for them to manage when spammers tried to abuse it. Legitimate customers no longer have this useful option because of spam.
Webmasters can't easily put email addresses on their websites or spambots will steal the addresses, flood them with spam, and make them useless. That means that webmasters are forced to use the anti-spam methods described on this page, which wastes their time, and gives their users a poorer experience since all the anti-spam methods have downsides for users—such as the email address not being visible or clickable.
Webmasters who have forms on their site where visitors can enter their email address have to put in safeguards so spammers don't hijack the forms to send out spam. This wastes a lot of their time. I've been forced to waste a lot of my time on this very problem.
Webmasters who aren't super-cautious have their feedback forms hijacked by spammers anyway. This has happened to me. Had I not been able to respond quickly, my host would have shut down my server, turning off websites and email service for dozens of clients who had done nothing wrong. And as a result of the spam that did get through, it's likely that many servers no longer accept email from my server. These are serious consequences.
Spammers usually forge the return address on the spam they send out, often picking the address of a legitimate person who had nothing to do with the spam. That person's email address then gets flooded with thousands and thousands and thousands of bounce messages from the old, dead addresses on the spammer's mailing list, as well as hundreds of angry messages from people who thought that the legitimate user was the person who sent the spam. Even worse, the innocent victim risks having his or her website shut down since it looks like the victim was the one who sent out the spam.

"Just hit delete"? Any time I hear someone saying that I want to smack them.

Fighting spam is a big, big issue and I couldn't cover every single thing, but I hope this is enough to get you started. Good luck!