a blog post by emailxender, an international SMTP EMAIL MARKETING provider

How to Mask an Email Address?

There has been a lot of talk in recent years about data protection, partly because of the leaks and data abuses we hear about almost daily. It’s also because of the many major privacy regulations that pop up in response to these abuses. In light of all of this, email masking has become more important than ever before. 

Whether you wish to secure your email address or those of thousands of your clients, we may have something useful for you. Let’s begin!

What is email masking?

Email masking is the technique of altering email addresses, usually in order to protect the real data from mistakenly (or intentionally) being misused. Usually, an email address that’s masked keeps its original format and can’t be easily traced back to the original address.

Email masking is often a part of a bigger data masking process where sensitive data, such as names, last names, Social Security or credit card numbers are transformed. The goal is always to hide the real data from unwanted eyes.

What are the use cases for email masking?

There can be many reasons for email masking. Perhaps you need to:

  • Randomize the real user data to test software
  • Make sure the user data you share with 3rd parties is secure
  • Comply with privacy laws and secure data according to their guidelines
  • Submit a functioning email address on a site you don’t trust

Ultimately, the difference is whether you want to mask your own email address or have a database of user emails that need to be masked. Since the approaches to these are completely different, we’re going to explore them separately below.

Masking your users’ emails

Many data protection laws these days give strict guidelines on how user data must be handled, GDPR and CCPA being the most prominent examples. This includes the data you store as well as any copies of it that you make, regardless of the purposes. 

And there are plenty of legitimate reasons for creating new copies of your users’ data. It’s a dev environment and the data they need for testing. Or various 3rd parties that need data to offer services to you. You can also use data for training your employees and/or contractors or to run analytics. These are just examples. But you can see already how easily the data you’re in charge of can be multiplied. 

Each new copy makes the data more vulnerable. And countless leaks have taught us all that even the best-protected databases can fall victim to attacks by sophisticated malware. Even if that is not the case, simple human error is always something to factor in. Masking each piece of data that you have is just a smart thing to do. And IBM has the numbers to support it.

Types of data masking

These are the two most commonly used approaches to data masking:

With Static Data Masking, you create copies of a database, with data matching the original data. Then, with appropriate SQL queries, the copied data is masked and turned into a new set of data. Since it will be used mainly for testing and development, the goal of SDM is also to create realistic records without disclosing sensitive information.

In Dynamic Data Masking, no copies are made, but additional layers of security are applied to production data. The main goal of DDM is to enforce role-based security for databases. It’s done with a database proxy that:

  • verifies whether a user is authorized to access particular data.
  • processes the masked data back to a user.

Masking emails in a database

As we talked about earlier, emails are often masked in order to be used later for software testing. As a matter of fact, 61% of respondents of Red Gate’s Data Governance Survey admitted to using production data for non-production purposes.

For them, it’s crucial to have the data properly masked. Otherwise, they risk accidentally delivering test emails to some fairly legitimate clients. Not a good experience.

Here are several simple techniques for email masking with the respective SQL queries:

Updating each record with a fake address (the same for all)

As we talked about earlier, emails are often masked in order to be used later for software testing. As a matter of fact, 61% of respondents of Red Gate’s Data Governance Survey admitted to using production data for non-production purposes.

For them, it’s crucial to have the data properly masked. Otherwise, they risk accidentally delivering test emails to some fairly legitimate clients. Not a good experience.

Here are several simple techniques for email masking with the respective SQL queries:

UPDATE dbo.CM_CUSTOMERS SET customer_email = ‘test_email@emailtestingis.cool;

This method is good for two reasons – it lets you protect user data (the real addresses disappear) and test whether the right emails are sent. 

The drawback is that everything ends up in one inbox so if you want to investigate what went wrong for a specific user, you’ll have a bit of digging to do.

Updating each record with a random address (different for each)

This method solves this problem without adding much complexity. All you need to do is generate a unique email address that you’ll then match with specific records in your database. 

With the following query, you could generate thousands of fake addresses on your @emailtestingis.cool domain.

UPDATE db.CM_CUSTOMERS SET customer_emal = (SELECT CONCAT(left(NEWID(),6),@emailtestingis.cool));

Here are some of the examples of addresses it would return:

If during the QA process you realize something is wrong, you’ll be able to easily trace back to the origin of the problem.

Hashing records

Another approach for securing data involves turning emails into a useless set of hashes. Obviously, it won’t be any good for testing but makes for a pretty solid security layer for any other purposes.

SQL Server has a built-in HASHBYTES function that does all the work for you. It supports most common hashing algorithms from MD and SHA families and can be called with the following command:

SELECT HASHBYTES('MD5', 'string_to_hash')   AS Col1, HASHBYTES('MD5', 'string_to_hash ')   AS Col2

Is masking emails for testing a good idea?

Truth be told, even if you use the most sophisticated tools for masking real email addresses and spend hours altering your data, something might eventually go wrong (and it will if Mr. Murphy was right).

You may accidentally skip some records in your DB or upload the wrong contacts to your next QA campaign. The masking algorithm may not properly handle some of the emails and errors may prove to be hard to catch for very large data sets.

The more users you have, the higher the chance of an error. If it occurs, you may accidentally send an entire sequence of test emails to a valued customer. You can send a communication completely irrelevant to a given user. Or you can reveal sensitive users’ data in the process.

By sending test emails to dummy accounts, you also hurt your deliverability. You don’t really expect any engagement from your farm of test accounts. To email servers, this will look like a mailing to a really poor quality list. And it may have consequences on subsequent campaigns, when you send something to legitimate contacts for a change.

For these reasons, we always advise against testing email workflows with production data. While there’s plenty of tools for creating dummy email addresses, this solution is still far from ideal. 

The best alternative is setting up a testing environment in staging without touching the production database. This way, you can enjoy safe and thorough email testing with 0 risk of spamming real customers.

Arguably the most popular tool for setting up such an environment is Mailtrap. Over 450,000 developers and QA professionals use it to capture test emails in their online, virtual inbox. There, they can preview them, get insights on HTML issues and spam assessment and forward them to their colleagues.

Masking your own email

Moving on to a completely different problem. Very often, you’re asked to leave your email address online when you would rather keep it to yourself. This can be to post a comment on a public forum, login to airport wifi, or to download an ebook or another resource. 

Either way, you don’t want your inbox to be flooded with messages from this source. And often, typing in a random set of characters with an ‘@’ in the middle won’t do the job as you still need to confirm your account.

One way to go about it would be with a fake email account from services such as Temp-mail or Guerilla Mail. This is fine for a single use but using these services on a regular basis is a lot of effort. Some sites run a validation process that automatically rejects popular dummy domains.

And what if you’re fine with receiving occasional emails from a site but don’t want your address to be sold and misused as a result? It happens frequently that you subscribe to a newsletter and shortly after start receiving fishy viagra advertisements from a completely unrelated account. These two facts could very well be related.

To protect your email address, you can mask your email address. This can be done either with dedicated tools or with built-in features of various email clients. We’ll discuss both approaches now.

Tools for masking a personal email address

Moving on to a completely different problem. Very often, you’re asked to leave your email address online when you would rather keep it to yourself. This can be to post a comment on a public forum, login to airport wifi, or to download an ebook or another resource. 

Either way, you don’t want your inbox to be flooded with messages from this source. And often, typing in a random set of characters with an ‘@’ in the middle won’t do the job as you still need to confirm your account.

One way to go about it would be with a fake email account from services such as Temp-mail or Guerilla Mail. This is fine for a single use but using these services on a regular basis is a lot of effort. Some sites run a validation process that automatically rejects popular dummy domains.

And what if you’re fine with receiving occasional emails from a site but don’t want your address to be sold and misused as a result? It happens frequently that you subscribe to a newsletter and shortly after start receiving fishy viagra advertisements from a completely unrelated account. These two facts could very well be related.

To protect your email address, you can mask your email address. This can be done either with dedicated tools or with built-in features of various email clients. We’ll discuss both approaches now.

Masking email address in email clients

If you don’t want to use any external tools, you can also perform some masking from within your email client. They’re a bit limited as compared to the tools we just talked about but can prove useful if you wish to stay anonymous on the web.


EmailXender SMTP Service Email Campaign Logo

EmailXender Company OOO
Zvenigorodskoye Shosse, 14, этаж 4,
123022, Moscow

OUR HOURS

09:00 AM – 18.00 PM

Monday – Saturday

CONTACT US

Phone: +7 923 222-05-00

Email: [email protected]

Skype: [email protected]