Disable Cloudflare Email Obfuscation: It Hurts Your Core Web Vitals

Cloudflare email obfuscation injects a render-blocking script for trivially reversible encryption. Disable it or replace it.

Arjen Karel Core Web Vitals Consultant
Last update: 2026-03-11

What is Cloudflare email obfuscation?

Cloudflare Email Address Obfuscation is a Scrape Shield feature that hides email addresses on your pages from email harvesters and bots, while keeping them visible to human visitors. It is enabled by default on every Cloudflare zone.

Last reviewed by Arjen Karel on March 2026

The way it works is simple. Cloudflare's edge proxy scans your HTML for anything that looks like an email address. It replaces each address with an XOR-encoded hex string and injects a render-blocking script called email-decode.min.js to decode the addresses in the browser. The script is about 1.2 KB, runs synchronously, and removes itself from the DOM after execution.

The problem: that script is not loaded with async or defer. It blocks rendering. And it does this for a feature that most visitors will never notice or need.


How does Cloudflare email obfuscation affect the Core Web Vitals?


The email-decode.min.js script is injected as a render-blocking resource. The browser must download, parse, and execute it before it can continue rendering the page. This has three consequences:

1. It competes for network bandwidth during the critical rendering window, delaying the Largest Contentful Paint.
2. It blocks the main thread, which can push the Interaction to Next Paint into "needs improvement" territory.
3. It triggers up to five Lighthouse audit warnings: eliminate render-blocking resources, avoid long main-thread tasks, reduce JavaScript execution time, avoid chaining critical requests, and serve static assets with an efficient cache policy.

The impact depends on your LCP optimization

If your LCP is already well optimized (discoverable in the HTML source, fetchpriority="high", not lazy loaded, and no other render-blocking scripts), the 1.2 KB email-decode script adds maybe 50 to 100 ms. Noticeable in a Lighthouse audit, but not catastrophic.

But if your site already has slow-by-mistake antipatterns (render-blocking CSS, unoptimized LCP image, missing fetchpriority), this script compounds the damage. It is one more render-blocking resource fighting for bandwidth and main thread time during the critical rendering window. On sites with multiple render-blocking scripts, Cloudflare Community users have reported FCP delays of 0.8 seconds and LCP delays of over 2 seconds from the combination.

The real question is: why accept any performance cost for a feature that uses trivially reversible encryption?

SEO side effects

Cloudflare replaces email addresses with links that point to /cdn-cgi/l/email-protection#[hex]. These URLs return 404 to crawlers, including Googlebot. The result: "Soft 404" errors in Google Search Console. SEO audit tools like Ahrefs and Screaming Frog report them as broken internal links, creating noise that masks real crawl issues. If you use Cloudflare with email obfuscation enabled, check your Search Console coverage report for these phantom errors.

Is Cloudflare email obfuscation even secure?

Not really. Cloudflare uses a single-byte XOR cipher where the key is embedded in the encoded string itself. Every Cloudflare-protected site uses the same decoding mechanism. A spammer only needs to implement one decoder to extract email addresses from all of them.

Security researchers have demonstrated that the encoding is trivially reversible. Spencer Mortensen's 2026 obfuscation study tested 25 different methods against 300+ distinct spammers using honeypot email addresses. Even a simple CSS display:none technique achieved a 100% block rate against harvesters. You do not need render-blocking JavaScript to hide an email address from bots.

The easiest fix: disable it in Cloudflare

If you do not need email obfuscation (and most sites do not), just turn it off:

1. Log in to your Cloudflare dashboard.
2. Go to Security > Settings (or Scrape Shield on older dashboard layouts).
3. Toggle Email Address Obfuscation to OFF.

That is it. The render-blocking script disappears immediately. For a full Cloudflare performance configuration, see the best Cloudflare configuration for passing the Core Web Vitals.

Disable per page with Configuration Rules

If you want email obfuscation on your contact page but not on high-traffic landing pages, use a Configuration Rule:

1. Go to Rules > Configuration Rules.
2. Create a new rule, name it (e.g. "Disable email obfuscation on landing pages").
3. Set the matching criteria (hostname, URL path, or both).
4. Add the Email Obfuscation setting and set it to Off.
5. Deploy.

You can also exempt individual email addresses in your HTML by wrapping them in comments: <!--email_off-->email@example.com<!--/email_off-->
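To confirm which pages still carry the obfuscation after changing these settings, you can scan the HTML served at the edge for the two markers named in this article. The following is an added example, not code from the original page or from Cloudflare; the function name `auditEmailObfuscation`, the sample HTML, and the placeholder path segment are assumptions made for illustration.

```javascript
// Added example: audit HTML for Cloudflare email-obfuscation residue.
// Markers are the two strings named in this article; sampleHtml is constructed.
const DECODER = 'email-decode.min.js';
const PROTECTED_PATH = '/cdn-cgi/l/email-protection';

function auditEmailObfuscation(html) {
  const report = { decoderScripts: [], protectedLinks: [], exemptions: 0 };

  // Opening <script> tags whose src points at the injected decoder.
  for (const m of html.matchAll(/<script\b([^>]*)>/gi)) {
    const attrs = m[1];
    const src = /\bsrc\s*=\s*["']?([^"'\s>]+)/i.exec(attrs);
    if (!src || !src[1].includes(DECODER)) continue;
    // A classic script without async or defer blocks the HTML parser.
    const nonBlocking = /(?:^|\s)(?:async|defer)(?=[\s=\/]|$)/i.test(attrs);
    report.decoderScripts.push({ src: src[1], renderBlocking: !nonBlocking });
  }

  // Rewritten links; these are the URLs crawlers report as soft 404s.
  for (const m of html.matchAll(/<a\b[^>]*?\bhref\s*=\s*["']?([^"'\s>]+)/gi)) {
    if (m[1].includes(PROTECTED_PATH)) report.protectedLinks.push(m[1]);
  }

  // Addresses wrapped in the email_off comment pair.
  const pairs = html.match(/<!--email_off-->[\s\S]*?<!--\/email_off-->/g);
  report.exemptions = pairs ? pairs.length : 0;

  report.active = report.decoderScripts.length > 0 || report.protectedLinks.length > 0;
  report.renderBlocking = report.decoderScripts.some((s) => s.renderBlocking);
  return report;
}

// Constructed sample response (path segment and hex value are placeholders).
const sampleHtml = `<html><head>
<script data-cfasync="false" src="/cdn-cgi/scripts/PLACEHOLDER/email-decode.min.js"></script>
</head><body>
<a href="/cdn-cgi/l/email-protection#0011223344">[email protected]</a>
<a href="/contact">Contact</a>
<!--email_off-->sales@example.com<!--/email_off-->
<script async src="/js/app.js"></script>
</body></html>`;

console.log(auditEmailObfuscation(sampleHtml));
```

Run it against the HTML of each page template as served through Cloudflare; a page where `active` is false no longer receives the injected script or the rewritten links.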

If you need obfuscation: do it yourself

If you do want to hide email addresses from bots, there are much better ways that do not involve executing scripts early in the rendering process. The best approach: attach an IntersectionObserver and decode the email just-in-time when it scrolls into view. This is the same defer-until-needed pattern I use for everything from YouTube embeds to Google Maps.

Create the obfuscated email

In this case I used a simple base64 encoding, but that is just an example. There are numerous free encoding and decoding libraries out there.

<a
 class="email-hidden"
 href="#"
 data-email="aW5mb0BleGFtcGxlLmNvbQ==">
 [email-hidden]
</a>

Attach the IntersectionObserver. Place this piece of JavaScript at the bottom of the page.

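<script>
const emailtag = document.querySelector('.email-hidden');
// Load the decoder only when the hidden link scrolls into view.
const observer = new IntersectionObserver((entries) => {
  entries.forEach((entry) => {
    if (entry.isIntersecting) {
      // Stop observing so the decoder script is requested only once.
      observer.unobserve(entry.target);
      const script = document.createElement('script');
      script.onload = function () {
        emaildecode(entry.target);
      };
      script.src = 'decode-email.js';
      document.head.appendChild(script);
    }
  });
});
// Guard against pages that have no hidden email link.
if (emailtag) observer.observe(emailtag);
</script>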

Upload the email-decode script decode-email.js and replace the email decoding function with a decoding library of your own choice.

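// decode-email.js: turn the base64 payload back into a working mailto link.
const emaildecode = (e) => {
	const email = atob(e.dataset.email);
	e.href = 'mailto:' + email;
	// Use textContent so the decoded value is inserted as text, never parsed as markup.
	e.textContent = email;
}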

Check the results

<a href="mailto:info@example.com">info@example.com</a>

The email is decoded only when the visitor scrolls it into view. Zero impact on LCP, zero impact on INP, and the base64 encoding is no less secure than Cloudflare's XOR cipher. To verify the improvement with real visitors, set up Real User Monitoring. Lighthouse scores are useful for debugging, but field data from real users is what Google uses for ranking.

About the author

Arjen Karel is a web performance consultant and the creator of CoreDash, a Real User Monitoring platform that tracks Core Web Vitals data across hundreds of sites. He also built the Core Web Vitals Visualizer Chrome extension. He has helped clients achieve passing Core Web Vitals scores on over 925,000 mobile URLs.
