Back to blog

Email Hashing: The Trouble With Hashed Emails (HEMs)

Identity
LiveRamp
|
July 28, 2022
|
10 min read

For years, marketers and publishers have relied on ‌third-party cookies for retargeting and monetization, overlooking the myriad problems they posed. However, cookies have always raised concerns with lack of consumer consent, device addressability, and poor durability, and have invited serious scrutiny and condemnation as a result.

Today there are several solutions being touted as cookie improvements, but marketers and publishers should beware that many don’t solve the initial problem raised by cookies, since these replacement identifiers also lack durability, provide limited addressability, and do nothing to improve transparency and choice. Fortunately, some solutions already work better today than cookies do. Authenticated people-based addressability should remain at the very top of the marketing tactic list.

Another solution that is often talked about is the use of hashed emails (HEMs). Let’s take a closer look at why this solution may not be an improvement from cookies.

Key Takeaways

  • HEMs aren’t future-proof: They lack persistence, can be reversed, and provide limited visibility across devices and channels, making them a fragile replacement for cookies.
  • RampIDs offer a stronger alternative: With broader matching, support for responsible use of data, and stability over time, RampIDs solve the shortcomings of HEMs.
  • Marketers gain scale and trust: RampIDs are interoperable with major industry identifiers, supported by 500+ partners, and built to meet global privacy regulations – ensuring accurate measurement and responsible addressability at scale.

What is a hashed email?

A hashed email (HEM) is a type of identifier created by applying a cryptographic hashing function (such as SHA-256 or MD5) to a user’s email address. This process converts the email into a unique string of numbers and letters that is not immediately human-readable. The idea is that brands, publishers, or platforms can use these hashed strings as identifiers without exposing the raw email address.

For example, the email jane.doe@email.com might be transformed into a long alphanumeric code. If another company applies the same hashing method to the same email address, they’ll get the identical hash, allowing the two parties to recognize a user in common without directly sharing the email itself.

HEMs have gained traction because they offer a marginally more secure alternative to third-party cookies, particularly as marketers look for ways to maintain audience targeting and measurement in a cookieless future. Publishers, advertisers, and identity vendors often promote HEMs as a way to:

  • Enable cross-site tracking and activation
  • Support audience matching between partners
  • Extend the life of authenticated identifiers like emails in a privacy-sensitive format

Why publishers and advertisers are considering HEMs

The push toward HEMs stems from three major trends:

  1. Cookie deprecation: As much of the web is already cookie-free, marketers are searching for durable identifiers to maintain addressability.
  2. Authenticated traffic: With more websites and apps requiring logins, email addresses have become a common anchor for identity.
  3. Perceived privacy: Because HEMs are not directly human-readable, some marketers view them as a “safe” way to share and activate customer data.

However, as the rest of this article will explore, HEMs carry major drawbacks that make them less effective and secure than durable, tokenized identifiers such as LiveRamp’s RampID

Why HEMs Fall Short

While HEMs are often positioned as a quick fix for a cookieless future, they carry serious limitations that undermine their effectiveness. From security concerns to weak persistence and measurement challenges, HEMs fail to provide the durability, privacy, and accuracy that modern marketers need. Below are the key reasons why relying on HEMs can create more problems than they solve.

  • HEMs aren’t secure
  • An email address is not a comprehensive online identity
  • An email address is not persistent
  • HEMs weaken measurement

Hashed emails aren’t secure

Proponents of hashed emails hail the solution’s cryptographic, one-way encryption process that creates a code unique to the email. However, HEMs are a universal identifier—the same HEM is sent by brands to all activation endpoints. While an email in hashed form may not be human readable, they are standardized algorithms, and many firms are now offering services that can reverse email hashing to correctly guess consumers’ email addresses, identifying users on a personally identifiable level. Of equal or greater concern is that these email lists can be, and are, easily repurposed and rehashed to violate user privacy.

An email address is not a comprehensive online identity

Identity resolution providers such as LiveRamp provide value by tying multiple identifiers (including email) to a real, person-based identifier. Using email address data that a user declares as the base of identity will create a brittle conception of the consumer that may not extend comprehensively across devices, households, and environments that require a log-in using a different identifier. Since HEMs don’t protect directly identifiable personal data, they're an inappropriate solution for data collaboration with other parties, and because they’re not a durable people-based identifier, matching identity for the purposes of data activation is weak.

An email address is not persistent

Email addresses change with each new job, with new software, and with maturity. Email addresses are elective identifiers, and consumers can elect to change them at any point, often without any fee. Inconsistencies also create fragile matching. HEMs require both parties to not only have the same individual email address, but that address must be stored in the same syntax for HEMs to join. HEMs also can’t match against other common directly identifiable personal data, such as NAP data (name and postal information), or against digital device identifiers used to recognize visitors and prospects. This match weakness is exacerbated in programmatic bidstreams, where each call from brand to DSP to SSP to publisher will go through this same probabilistic match test and cause drop-off in audience reach.

HEMs weaken measurement

Analytic accuracy is strengthened by using durable omnichannel person-based identifiers that are stable even when the consumer updates their directly identifiable personal data. As noted above, HEMs change when a customer’s email changes, and HEMs don’t resolve to single individuals across channels, harming long-term incrementality measurement for attribution or building training data for machine learning.For marketers who want to maximize reach and return, and for publishers who want to maximize yields, RampID offers more. In this video, Tom Affinito, Global Portfolio Marketing Lead, Partnerships, answers common questions we get around HEMs and how RampID compares when the two are stacked against each other.https://liveramp.wistia.com/medias/e6yry5vdiv#To watch fullscreen, click here.

Hashed emails vs. RampID

HEMs offer a step forward from cookies, but they still have limitations. RampID goes further as a durable, secure identifier that works across the ecosystem. The table below highlights the key difference

HEMs RampID
Definition An email address that’s been encrypted using a hashing algorithm. A people-based identifier built on an authenticated, privacy-safe identity infrastructure.
Persistence Stays tied to an email but can break if users change or stop using that email. Stable, durable identity that persists across channels, partners, and ecosystems.
Accuracy Dependent on the quality and cleanliness of the email database. Verified and authenticated, reducing duplication and inaccuracies.
Interoperability Often siloed; limited portability across platforms and partners. Interoperable across publishers, platforms, and partners for data collaboration.
Privacy Considered PII; if exposed, hashes can be reversed with enough computing power. Designed to be privacy-first, enabling secure data sharing and activation.
Future Outlook Useful but limited as cookies go away; not scalable across the open web. Positioned as a leading cookieless solution with wide ecosystem adoption.


How RampID solves the challenges presented by hashed emails

While HEMs may appear to offer a quick fix for identity, they fall short in durability, privacy, and accuracy. LiveRamp’s RampID was designed to overcome these weaknesses, giving marketers and publishers a secure, people-based solution that scales across the ecosystem and provides the following benefits:

  • Stronger and broader matching
  • Responsible use of data
  • Persistence over time
  • Ecosystem-wide interoperability
  • Future-ready identity

Stronger and broader matching

Unlike HEMs, which require both parties to have the exact same email address formatted and hashed in the same way, RampIDs can match across multiple identifiers. They work whether data is based on email, postal, phone, cookies, MAIDs, or IPs, reducing audience drop-off and extending addressability across environments. RampID matching has been proven to deliver 44% higher match rates than HEM-to-HEM matching across leading publishers.

Responsible use of data

HEMs are reversible, exposing consumers to tracking and data leakage risks. RampIDs are tokenized and obscure directly identifiable personal data, assigning unique encodings for each partner. That means two companies referencing the same individual will see different RampID formats, eliminating universal tracking threats and protecting consumer trust.

Persistence over time

Email addresses change often, but RampIDs remain stable even as names, addresses, or digital devices shift. LiveRamp maintains these links in its longitudinal identity graph, ensuring consistent recognition of individuals and households over time. This persistence enables accurate attribution, incrementality measurement, and machine-learning training.

Ecosystem-wide interoperability

No identifier has more operational support through the programmatic ecosystem than RampID. It is accepted across DSPs, SSPs, publishers, and more than 500 global partners, enabling marketers to activate, measure, and optimize campaigns without loss of scale.

Future-ready identity

RampIDs are interoperable with other industry identifiers like UID2, OpenID, and Lotame Panorama ID, giving marketers flexibility in their tech stack. RampID has been developed to support customers' privacy program requirements and provide tools to enable compliance as privacy regulations evolve.

Is there a possibility for the industry to adopt a “universal” ID?

There’s no silver bullet for a cookieless marketing future, but RampIDs were thoughtfully designed as a global post-cookie identifier, and for over a decade clients have benefited from this stable technology with much greater reach and accuracy than weaker device-based identifiers such as cookies and HEMs.

Publishers and marketers should have their choice of IDs to activate first-party data, which sometimes means using multiple identities. LiveRamp’s neutral infrastructure is accessible to any identity that meets consumer privacy needs. As more interoperable IDs are added, customers will continue to have flexibility and security in their tech stacks as they strive to create meaningful connections with their consumers.

How LiveRamp can help you move beyond HEMs

For marketers who want to maximize reach and return, and for publishers who want to maximize yields, RampID offers more. HEMs may look like an easy replacement for cookies, but their weaknesses in security, persistence, and accuracy make them a fragile solution. RampIDs provide the durability, privacy, and scale needed for modern marketing.

Ready to move beyond HEMs? Discover how LiveRamp’s identity solutions can help you develop a future-ready data strategy and unlock privacy-first addressability at scale.

Hashed Email FAQs

What does a hashed email look like?

A hashed email is a long string of letters and numbers created by applying a hashing algorithm (like SHA-256) to an email address. For example, jane.doe@email.com might become something like 7c4a8d09ca3762af61e59520943dc26494f8941b.

What is the difference between a hashed and an unhashed email address?

An unhashed email is the plain-text address you use every day (e.g., jane.doe@email.com). A hashed email is the same address run through an algorithm that produces an obfuscated alphanumeric string. The unhashed version is directly identifiable, while the hashed version is meant to mask it – though it can often still be traced back to the original email.

Is a hashed email PII?

Yes. Even though hashed emails aren’t immediately human-readable, they are still considered personally identifiable information (PII). That’s because the hash can often be reversed or matched back to an individual, making it possible to re-identify the person behind the email.

Can HEMs and RampIDs work together, or is it better to choose one?

RampIDs can work in cases where HEMs do, but they also succeed where HEMs fail – such as mismatched email formats, multiple identifiers per user, or when only postal, phone, or digital IDs are available. Unlike HEMs, RampIDs are not reversible, enable companies to protect consumer privacy, and are widely supported across DSPs, SSPs, and publishers, making them a more durable choice.

How do RampIDs improve the customer experience compared to hashed emails?

RampIDs drive better experiences by enabling accurate omnichannel campaigns, helping companies protect privacy through non-reversible IDs, and delivering more reliable analytics. They’re stable over time, interoperable with other IDs, supported by 500+ partners, and enable  compliance – giving marketers both flexibility and consumer trust that HEMs can’t match.