Email harvesters and bots are roaming the Internet looking for email addresses to add to their spam lists. For every email that is on a public facing page, that email address can expect to receive 800 spam messages the following year. Web masters have created clever ways to protect against this by writing out email addresses (i.e. help [at] cloudflare [dot] com) or by using embedded images of the email address. Although these methods work, you lose the ease of being able to click on the email address and automatically send an email.
By enabling Email Address Obfuscation, email addresses on your web page will be obfuscated (hidden) from bots, while keeping them visible to humans. There are no visible changes to your website for visitors.
How do I know if email address obfuscation is working?
1. Make sure that the feature is "On" in the ScrapeShield section. You can turn Email Obfuscation on or off by going to the ScrapeShield in the Cloudflare dashboard: Cloudflare.com > ScrapeShield > Email Obfuscation
2. Retrieve the page source from an http client such as curl, an HTTP library, or browser's view-source option. Review the source to confirm that the address is no longer present. (Tip: If you have a full page of html, you can easily sort through the content by searching for @. You shouldn't find an @ for the email address that was encrypted.)
If you would like to see how the email has been changed, just search (in the source code) for cloudflare.com. Just below/after that link is the encrypted email address.
Email obfuscation isn't working
There are certain scenarios where the email addresses are not obfuscated to avoid breaking websites including:
- In attributes of html tags
- Inside certain other html tags such as:
* script tags : <script></script>
* noscript tags : <noscript></noscript>
* html comments : <!-- -->
* textarea tags : <textarea></textarea>
* xmp tags : <xmp></xmp>
* head tags : <head></head>
Any page that does not have a MIME type of "text/html" or "application/xhtml+xml"
Preventing email obfuscation
You can also prevent Cloudflare from obfuscating emails by adding comments within the HTML code for the page. The comments to use are <!--email_off--> <!--/email_off-->. Any email addresses between the opening and closing comment tags will be displayed to the user exactly as written in the original HTML code.
If an email address is not being replaced and it doesn't fall into one of these categories, contact Cloudflare and they'll look into the scenario.
A page should have a MIME type (Content-Type) of "text/html" or "application/xhtml+xml" for the email obfuscation to happen. For instance, if you're doing some ajax calls, and wish to return email addresses in a JSON format, make sure your webserver returns a type of "application/json"