Email Privacy Checker

Last updated:

Find email addresses that spam bots can harvest from your page. We scan for plain-text and mailto addresses, rate the exposure, and show you safer ways to publish contact details.

Enter a page URL to scan for exposed emails:

How the Scanner Works

  1. Fetch the page, the host is validated and the HTML is read.
  2. Find addresses, plain-text and mailto emails are extracted.
  3. Assess exposure, counts and obfuscation signals are weighed.
  4. Recommend fixes, you get safer publishing options.

Why It Matters

  • Less spam, hidden addresses get harvested far less often.
  • Fewer phishing targets, exposed staff emails invite attacks.
  • Cleaner inbox, contact forms filter junk before it reaches you.
  • Professional image, controlled contact paths look polished.

The most reliable fix is a well-built contact form with spam protection rather than a raw address. Our website maintenance services build fast, spam-resistant contact forms and clean email routing so your inbox stays sane.

Email Obfuscation Methods Reference

If you must publish an address, there are several ways to hide it from harvesters, each with a different trade-off between protection and usability. No method is perfect, determined scrapers with headless browsers can defeat most of them, so a contact form remains the strongest option. Here is how the common methods compare.

Method How it works Effectiveness
HTML entitiesEach character is encoded, e.g. @ becomes @. The browser renders it normally; a plain text scraper sees codes.Low. Stops only the most basic bots; any scraper that decodes entities reads it.
JavaScript assemblyThe address is split and joined by JavaScript at load time, so it never appears whole in the raw HTML.Medium. Defeats crawlers that do not run JavaScript, but headless browsers can still execute it.
CSS direction trickThe address is written backwards and reversed visually with CSS direction / unicode-bidi.Low to medium. Fragile, and it harms copy-paste and screen readers, so it is rarely advised.
Contact form vs mailtoA form keeps the address server-side with spam protection; a mailto link exposes it in the HTML.High (form). The most reliable option for public pages and usually converts just as well.
Image of the addressThe address is rendered as a picture so no text exists in the HTML.High against text scrapers, but worst for accessibility, screen readers and copy-paste fail, so avoid it.

Next steps

Email Privacy Checker related tools and articles

Continue with the closest follow-up checks and guides based on this tool's topic, crawl intent, and optimization workflow.

Email Privacy Checker: FAQ

What does the Email Privacy Checker scan?
It fetches up to 512 KB of returned public HTML, extracts unique addresses from mailto values, removes script and style blocks, and searches the remaining source for email-like text. It reports the unique exposed addresses, mailto count, plaintext count, obfuscation signals, and a risk label.
How is the Low, Medium, or High risk label assigned?
No unique exposed address produces Low, one or two produces Medium, and three or more produces High. This is a simple harvesting-exposure indicator based on count, not a legal privacy assessment, spam forecast, or measure of the sensitivity of each address.
Why do mailto and plaintext counts overlap?
An address inside a mailto link can also appear in the surrounding HTML and match the plaintext pattern. The tool deduplicates the final exposed address list, so mailto count plus plaintext count can be greater than the unique exposed count.
What obfuscation methods can the report recognize?
It detects an encoded at sign using decimal or hexadecimal HTML entities, visible at and dot wording patterns, and common Cloudflare email-protection markers. These are signals only. The checker does not decode every entity sequence or prove that an address cannot be harvested.
Why can a browser-visible address be missing from the scan?
The endpoint does not execute page JavaScript. An address assembled or fetched after load may not exist in the returned HTML. Conversely, an address in hidden markup or a non-script code example can be reported even when ordinary visitors do not see it.
How should I reduce confirmed email exposure?
Prefer an accessible contact form with validation and spam protection. When an address must remain public, use a role-based alias that can be rotated and consider layered obfuscation while preserving copy, keyboard, and screen-reader usability. Test the final page source again after deployment.
Can this checker prove that an email address is protected from bots?
No. It models simple source harvesting with one regular expression and several marker checks. Advanced crawlers can render JavaScript or decode obfuscation, while basic crawlers may miss more. Server logs, mailbox spam patterns, and the actual implementation provide additional evidence.
What data is sent during an email privacy scan?
The public page URL is sent to the Web Aloha API, which fetches its returned HTML and sends the detected address list back to your browser as the report. Private-network hosts are blocked, no credentials are requested, and the endpoint contains no application-storage step for the URL, HTML, or addresses.

Free 48-Hour Website Audit

Not sure what to fix first on your own website? We'll review it and tell you, in plain English. Free & non-obligatory.

Want a Spam-Resistant Contact Setup?

We build fast contact forms with spam protection and clean email routing so your inbox stays sane.