Contact Form Processing Products - for all your needs

FormMail • Form Encryption • Hosted Forms


This page documents the AT_MANGLE configuration setting in FormMail.

Type Of Setting

AT_MANGLE is an OPTIONAL setting, which means...

OPTIONAL : you can change this setting if you need to, but the default value is fine for most circumstances.


Hides email addresses from Spambots.


The AT_MANGLE feature allows you to hide email addresses in your forms and protect them from Spambots.

SpamBots are programs that search for email addresses on the Internet. Typically, they look for "mailto:someone@somewhere", and some are smart enough to look inside the fields of HTML forms.

You can invent any string you like and specify this in AT_MANGLE, then, instead of using the "@" in email addresses, you use this string.

For example, email addresses you specify in your forms will be like this:

<input type="hidden" name="recipients" value="" />

The AT_MANGLE feature allows you to mangle your email addresses and protect them from SpamBots. Here's an example:


This tells formmail.php to replace "_*_" in your email addresses with "@". So, in your forms you can specify:

<input type="hidden" name="recipients" value="someone_*" />

No SpamBot will recognize this as an email address, and your addresses will be safe!

If you use this feature, we encourage you to be creative and different from everyone else.

Note that the AT_MANGLE pattern match is case-sensitive, so "AT" is different from "at".

Also, note that SpamBots cannot look inside your FormMail script (PHP scripts get executed instead of displayed, and their contents are not visible on the web), so email addresses you store inside FormMail are already safe from SpamBots.

Default Value

From version 9 onwards:

$AT_MANGLE = "";

Before version 9:



From version 9 onwards:

$AT_MANGLE = "_@_";     // e.g. 
    // SpamBots may recognize this, 
    // but it'll be an invalid address

Before version 9:

define("AT_MANGLE","_@_");     // e.g. 
    // SpamBots may recognize this, 
    // but it'll be an invalid address

From version 9 onwards:

$AT_MANGLE = "AT";      // e.g.

Before version 9:

define("AT_MANGLE","AT");      // e.g.
SSL Certificate Authority