Protecting your email address via SVG instead of JavaScript

Effectiveness of the SVG Technique

  • The email remains plain text inside an SVG (XML) file; simple tools (curl/wget + grep for mailto:) can still extract it.
  • Critics see it as “security through obscurity” and very easy to bypass, especially once bots are updated.
  • Supporters argue many basic scrapers only parse HTML and DOM anchors, not external SVGs, so this blocks a real subset of naive tools.
  • Several note this just shifts which bots you’re vulnerable to: it may stop DOM-based scrapers but reopens you to raw-text greppers if they fetch all assets.

Scraper Behavior and Arms Race

  • Some claim most simple scrapers never execute JS or build a DOM; they just recursively fetch HTML and regex for emails.
  • Others point out many “advanced” scrapers are headless browsers (Chromium-based) that render SVGs, query DOM, and could even apply OCR/AI to images.
  • Consensus: this technique at best filters out a “middle tier” of bots; widespread adoption would likely lead scraper authors to add SVG parsing.

Accessibility and Usability

  • Multiple tests with screen readers show inconsistent behavior:
    • Sometimes the email link is focusable but announced only as generic text like “Email us.”
    • Sometimes the SVG link is ignored entirely in certain browser + screen reader combinations.
  • Voice dictation tools may not activate the link when users speak the visible email, due to mismatched labels.
  • Terminal browsers generally fail to expose the address.
  • Users also note copy-paste is unreliable (selecting visible text often doesn’t copy the address).

Is Obfuscation Still Necessary?

  • Many report having plain mailto links for years with minimal problematic spam; modern filters catch most of it.
  • Several suggest spam now primarily comes from data breaches, contact list harvesting, and bought lists rather than web scraping.
  • Others self-hosting mail or using public addresses do see noticeable spam on exposed addresses, so experiences differ.
  • A recurring view: this is largely a preference issue now, not a major security control.

Alternative Approaches Mentioned

  • HTML entities for every character of the address.
  • Splitting the address across hidden <span>s.
  • Unique aliases per service or per website, often with catch-all domains.
  • Contact forms or routing “public” emails into filtered folders.
  • Simply publishing the email and relying on spam filters.