How to Mask an Email Address

On February 28, 2020
10min read
Piotr Malek Technical Content Writer @ Mailtrap

There has been a lot of talk in recent years about data protection, partly because of the leaks and data abuses we hear about almost daily. It’s also because of the many major privacy regulations that pop up in response to these abuses. In light of all of this, email masking has become more important than ever before. 

Whether you wish to secure your email address or those of thousands of your clients, we may have something useful for you. Let’s begin!

What is email masking?

Email masking is the technique of altering email addresses, usually in order to protect the real data from mistakenly (or intentionally) being misused. Usually, an email address that’s masked keeps its original format and can’t be easily traced back to the original address.

Email masking is often a part of a bigger data masking process where sensitive data, such as names, last names, Social Security or credit card numbers are transformed. The goal is always to hide the real data from unwanted eyes.

What are the use cases for email masking?

There can be many reasons for email masking. Perhaps you need to:

  • Randomize the real user data to test software
  • Make sure the user data you share with 3rd parties is secure
  • Comply with privacy laws and secure data according to their guidelines
  • Submit a functioning email address on a site you don’t trust

Ultimately, the difference is whether you want to mask your own email address or have a database of user emails that need to be masked. Since the approaches to these are completely different, we’re going to explore them separately below.

Masking your users’ emails

Many data protection laws these days give strict guidelines on how user data must be handled, GDPR and CCPA being the most prominent examples. This includes the data you store as well as any copies of it that you make, regardless of the purposes. 

And there are plenty of legitimate reasons for creating new copies of your users’ data. It’s a dev environment and the data they need for testing. Or various 3rd parties that need data to offer services to you. You can also use data for training your employees and/or contractors or to run analytics. These are just examples. But you can see already how easily the data you’re in charge of can be multiplied. 

Each new copy makes the data more vulnerable. And countless leaks have taught us all that even the best-protected databases can fall victim to attacks by sophisticated malware. Even if that is not the case, simple human error is always something to factor in. Masking each piece of data that you have is just a smart thing to do. And IBM has the numbers to support it.

Types of data masking

These are the two most commonly used approaches to data masking:

With Static Data Masking, you create copies of a database, with data matching the original data. Then, with appropriate SQL queries, the copied data is masked and turned into a new set of data. Since it will be used mainly for testing and development, the goal of SDM is also to create realistic records without disclosing sensitive information.

In Dynamic Data Masking, no copies are made, but additional layers of security are applied to production data. The main goal of DDM is to enforce role-based security for databases. It’s done with a database proxy that:

  • verifies whether a user is authorized to access particular data.
  • processes the masked data back to a user.

Masking emails in a database

As we talked about earlier, emails are often masked in order to be used later for software testing. As a matter of fact, 61% of respondents of Red Gate’s Data Governance Survey admitted to using production data for non-production purposes.

For them, it’s crucial to have the data properly masked. Otherwise, they risk accidentally delivering test emails to some fairly legitimate clients. Not a good experience.

Here are several simple techniques for email masking with the respective SQL queries:

Updating each record with a fake address (the same for all)

UPDATE dbo.CM_CUSTOMERS SET customer_email = ‘’ ;

This method is good for two reasons – it lets you protect user data (the real addresses disappear) and test whether the right emails are sent. 

The drawback is that everything ends up in one inbox so if you want to investigate what went wrong for a specific user, you’ll have a bit of digging to do.

Updating each record with a random address (different for each)

This method solves this problem without adding much complexity. All you need to do is generate a unique email address that you’ll then match with specific records in your database. 

With the following query, you could generate thousands of fake addresses on your domain.

UPDATE db.CM_CUSTOMERS SET customer_emal = (SELECT CONCAT(left(NEWID(),6), ‘’));

Here are some of the examples of addresses it would return:


If during the QA process you realize something is wrong, you’ll be able to easily trace back to the origin of the problem.

Hashing records

Another approach for securing data involves turning emails into a useless set of hashes. Obviously, it won’t be any good for testing but makes for a pretty solid security layer for any other purposes.

SQL Server has a built-in HASHBYTES function that does all the work for you. It supports most common hashing algorithms from MD and SHA families and can be called with the following command:

SELECT HASHBYTES('MD5', 'string_to_hash')   AS Col1, HASHBYTES('MD5', 'string_to_hash ')   AS Col2

Email masking services

If you need more than that, there are a lot of 3rd party tools for Dynamic Data Masking. 

Microsoft SQL Server Data Masking

It’s not really a separate tool but a feature of Microsoft SQL Server (2016 and newer). Dynamic Data Masking is used to limit the exposure of sensitive data to non-authorized users. Since the masking is dynamic, the data is not cloned and amended. The masking is applied directly to the sensitive data in a database.

Redgate Data Masker

Redgate Data Masker replaces sensitive data, such as emails, with anonymized data. At the same time, it ensures the data is realistic in order to provide the right environment for testing software. Data Masker offers support for both SQL Server and Oracle databases.


Datprof is strictly dedicated to turning production data into realistic, synthetic data, while at the same time securing the real data of users. It boasts its flexibility to bypass triggers, indexes and constraints to get you the very data you need for proper software testing. 

IRI FieldShield

IRI FieldShield covers a broader spectrum of features, specializing in automated data masking, profiling and classification. It can mask data using various methods and rules, including encryption, pseudonymization and redaction. It’s known for its high performance and affordable pricing.

Oracle Data Masking and Subsetting

This Oracle tool is great for securing existing data and creating high-quality test data. It features automatic detection and masking of sensitive data, removing duplicates and cleaning databases of unnecessary files and data pieces. It supports not only Oracle databases but also MySQL, SQL Server, Sybase and others.

After deciding and using one of the above tools to mask your emails, it’s important to track your email deliverability performance. This can be easily done with Mailtrap Email API, which provides detailed information via reports, alerts, and dashboards that show unique open rates, the percentage of spam complaints on your emails, and other important information. 

Is masking emails for testing a good idea?

Truth be told, even if you use the most sophisticated tools for masking real email addresses and spend hours altering your data, something might eventually go wrong (and it will if Mr. Murphy was right).

You may accidentally skip some records in your DB or upload the wrong contacts to your next QA campaign. The masking algorithm may not properly handle some of the emails and errors may prove to be hard to catch for very large data sets.

The more users you have, the higher the chance of an error. If it occurs, you may accidentally send an entire sequence of test emails to a valued customer. You can send a communication completely irrelevant to a given user. Or you can reveal sensitive users’ data in the process.

By sending test emails to dummy accounts, you also hurt your deliverability. You don’t really expect any engagement from your farm of test accounts. To email servers, this will look like a mailing to a really poor quality list. And it may have consequences on subsequent campaigns, when you send something to legitimate contacts for a change.

For these reasons, we always advise against testing email workflows with production data. While there’s plenty of tools for creating dummy email addresses, this solution is still far from ideal. 

The best alternative is setting up a testing environment in staging without touching the production database. This way, you can enjoy safe and thorough email testing with no risks of spamming customers. Mailtrap Email Sandbox is a tool that precisely does this. 

Developers and QA engineers use Email Sandbox to capture test emails, preview how they appear across various devices, inspect any HTML/CSS issues and do a quick spam assessment.

Masking your own email

Moving on to a completely different problem. Very often, you’re asked to leave your email address online when you would rather keep it to yourself.

For instance, this can be to post a comment on a public forum or to download an ebook as well as any other resources. Frequently, we have to share email address when using public wifi such as login to airport wifi.

Either way, you don’t want your inbox to be flooded with messages from this source. And often, typing in a random set of characters with an ‘@’ in the middle won’t do the job as you still need to confirm your account.

One way to go about it would be with a fake email account from services such as Temp-mail, Guerilla Mail or Internxt temporary email. This is fine for a single use but using these services on a regular basis is a lot of effort. Some sites run a validation process that automatically rejects popular dummy domains.

And what if you’re fine with receiving occasional emails from a site but don’t want your address to be sold and misused as a result? It happens frequently that you subscribe to a newsletter and shortly after start receiving fishy viagra advertisements from a completely unrelated account. These two facts could very well be related.

To protect your email address, you can mask your email address. This can be done either with dedicated tools or with built-in features of various email clients. We’ll discuss both approaches now.

Tools for masking a personal email address

There are at least a few tools on the market that work in a similar fashion, some examples include 33Mail and IronVest (formerly Blur). They let you create fake email addresses online that you can use for free. Each email sent to such an address is by default forwarded to your actual inbox. 

This way, you can still receive the communication needed to, for example, complete a sign up process. You can also easily disable particular addresses if you don’t need to receive emails from them anymore. Anything sent to such an address will then immediately bounce

If you suddenly start receiving unwanted communication you didn’t subscribe to, you can quickly figure out who’s selling your data. Say, you used an example address (which is a domain used by IronVest for email masking) to sign up on ‘XYZ’ site (and only there). If spam suddenly starts hitting this particular address, you’ll know very well that XYZ either sold your data or they were hacked. Neither should be taken lightly.

IronVest, for example, gives you a dashboard with all your dummy emails and you can disable or enable forwarding as you please. A paid, premium plan also offers dummy credit card or phone numbers along with other features.

Also, as of recently, IronVest to include continuous biometric protection and decentralised infrastructure, making users less vulnerable to SIM swapping and advanced attacks.

Masking email address in email clients

If you don’t want to use any external tools, you can also perform some masking from within your email client. They’re a bit limited as compared to the tools we just talked about but can prove useful if you wish to stay anonymous on the web.

Gmail / Google Apps

There are two features of Gmail or its paid Google Apps equivalent that may be of use.

First of all, you can create aliases of your actual email account by adding words after the ‘+” sign. As an example, email address can have the following aliases:

And so on. You don’t need to set anything up, simply come up with a prefix when typing in an email address. For example, let’s assume you need to sign up for a Hubspot account to download an eBook from them. Use an email address and the confirmation email will arrive in your inbox.

Let’s assume (an extremely unlikely) scenario that Hubspot decides to sell your email address to some fishy site. Shortly, you will probably start receiving some really exciting “offers”. Each will be addressed to, letting you easily figure out who’s behind this nasty deed.

You can:

  • Call Hubspot and demand they explain what just happened.
  • Or simply open your account Settings, head to ‘Filters & Blocked Addresses’ and set for all the emails coming to to be deleted right away.

Another trick with Gmail is that you can send emails from a different address. Continuing the example, I use the email address but I send emails from You can use actual accounts or aliases that we just discussed.

Follow Gmail Help pages for detailed instructions on how to set things up.

As you know, YouTube is owned by Google so you can’t use an alias when creating a YouTube channel. If, however, you want to hide your identity, you can connect your personal account to a brand account that you manage in several simple steps.


Outlook also offers both free aliases and a modifiable “From” field.

To create an alias, head to the Add an alias menu and create a new account to be used as an alias. Alternatively, you can use an existing email account as an alias. For example, send and receive emails from your company account to your personal Outlook account. (Talk about work-life balance! ;-))

The same as was the case with Gmail, you can use this alias or the account you just added to send emails from. 

Open the Compose window, hit the three dots and choose “Send From”. Then, select the desired email address from the list.

If you want to change the default “From” address, open ‘Settings’ -> ‘View all Outlook settings’. Find ‘Mail’ in the ‘Options’ pane and choose ‘Sync email’. And finally, choose the desired email in the ‘Set default From address’.

You can, of course, unmask an email address of your choice at any time and start sending from your original account again.

Other reads

That’s all, folks. If you’re interested in masking, our article on email obfuscation may be of interest to you too. We discuss different methods for hiding your email address to prevent spam from flooding your inbox.

Also check out other articles from our blog where we talk about emails. A lot! We discuss how to test them properly and how to pick the right tools for sending them. We also frequently cover sending emails with various frameworks and libraries.

Take care, and we’ll talk to you on another occasion!

Article by Piotr Malek Technical Content Writer @ Mailtrap