Email harvesters and bots are roaming the Internet looking for email addresses to add to their spam lists. For every email that is on a public facing page, that email address can expect to receive 800 spam messages the following year. Web masters have created clever ways to protect against this by writing out email addresses (i.e. help [at] cloudflare [dot] com) or by using embedded images of the email address. Although these methods work, you lose the ease of being able to click on the email address and automatically send an email.
By enabling the Email Address Obfuscation CloudFlare feature, CloudFlare will encrypt email addresses on your web page from bots, while keeping them visible to humans. There are no visible changes to your website for visitors.
How do I know if email address obfuscation is working?
1. Make sure that the feature is "On" in the ScrapeShield app of the CloudFlare dashboard.
2. Retrieve the page source from non-browser client, such as curl, an HTTP library, or similar. Review the source to confirm that the address is no longer present. (Tip: If you have a full page of html, you can easily sort through the content by searching for @. You shouldn't find an @ for the email address that was encrypted.)
If you would like to see what CloudFlare has done to the email, just search (in the source code) for cloudflare.com. Just below/after that link is the encrypted email address.
Scenarios where email addresses don't scramble
There are certain scenarios where the email addresses are not obfuscated to avoid breaking websites including:
In attributes of html tags
Inside certain other html tags such as:
`*script tags : <script></script>
*noscript tags : <noscript></noscript>
*html comments : <!-- -->
*textarea tags : <textarea></textarea>
*xmp tags : <xmp></xmp>
*head tags : <head></head>`
Any page that does not have a MIME type of "text/html" or "application/xhtml+xml"
You can also prevent CloudFlare from obfuscating emails by adding comments within the HTML code for the page. The comments to use are <!--email_off--> <!--/email_off-->. Any email addresses between the opening and closing comment tags will be displayed to the user exactly as written in the original HTML code.
If an email address is not being replaced and it doesn't fall into one of these categories, contact CloudFlare and they'll look into the scenario.
If you switch the toggle from on to off, or vice versa, the change will take 15 seconds to propagate through the system. You do not need to refresh the page.
A page should have a MIME type (Content-Type) of "text/html" or "application/xhtml+xml" for the email obfuscation to happen. For instance, if you're doing some ajax calls, and wish to return email addresses in a JSON format, make sure your webserver returns a type of "application/json"
You can turn Email Obfuscation on or off by going to the ScrapeShield app in the CloudFlare dashboard.
You can alternatively get to the ScrapeShield page for a domain by going to: