Email QR Format

Email QR Code Decoder & Reader

Decode email QR codes (mailto: format) to instantly reveal the recipient address, pre-filled subject, and message body. Upload an image or scan with your camera (always private).

Understanding Email QR Codes

Email QR codes encode a mailto: URI, an internet standard defined in RFC 6068 that instructs devices to open an email composition window pre-populated with the encoded details. When scanned on a mobile device, it automatically opens the default mail app.

A full mailto: URI can look like:

mailto:[email protected]?subject=Enquiry&body=Hi%20there%2C%20I%20would%20like%20to...

Our decoder parses the address, subject, and body fields and displays them clearly, so you know exactly what email would be sent before acting on it.

Fields an Email QR Code Can Contain

  • To: One or more recipient email addresses
  • CC: Carbon copy recipients
  • BCC: Blind carbon copy recipients
  • Subject: Pre-filled email subject line
  • Body: Pre-written message body text

Common Use Cases

  • Business cards with a "contact us" email QR code
  • Product packaging for customer support or warranty registration
  • Conference and event feedback collection
  • Marketing campaigns with pre-filled enquiry forms
  • Restaurant menus with order-by-email links

Email QR Code Security Risks

While email QR codes are lower risk than URL-based QR codes (they don't navigate a browser), they carry their own specific attack vectors that users should understand before scanning unknown codes.

Social Engineering via Pre-filled Emails

A malicious email QR code can pre-populate a message body with text designed to impersonate the victim, for example a pre-written authorization message or a request for sensitive account information. When the victim taps "Send" without reading the pre-filled content carefully, they unknowingly send the attacker's crafted message from their own email account.

Email Harvesting

Posting QR codes in public that encode a mailto: link to a legitimate-looking address is a way for spammers to collect active email addresses. When someone scans and sends even a blank message, the attacker confirms the sender's email is active and in use.

BCC Exfiltration

A mailto: URI can include a BCC field that silently copies a third party on any email sent. Victims scanning the QR code may send what they believe is a private communication while unknowingly copying an attacker's address. Our decoder reveals all BCC fields so you can spot this before acting.

Best Practices

  • Always decode and review the full mailto: content before sending
  • Check the BCC field carefully: it should be empty for most legitimate uses
  • Read the pre-filled subject and body before tapping Send
  • Be suspicious of email QR codes in unsolicited physical mail
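
The review steps above, as an added JavaScript example (not this site's decoder code): it parses a mailto: URI into To, CC, BCC, subject and body and lists what to check before sending. The function names and the example.com / example.net addresses are assumptions made for the illustration.

```javascript
// Added example: parse a mailto: URI (RFC 6068) and list what a reader should review.
// parseMailto and reviewMailto are names chosen for this example.

function safeDecode(s) {
  // decodeURIComponent throws on malformed %-sequences; fall back to the raw text.
  try { return decodeURIComponent(s); } catch { return s; }
}

function splitAddresses(s) {
  return s.split(",").map((a) => safeDecode(a).trim()).filter(Boolean);
}

function parseMailto(raw) {
  const m = /^mailto:([^?]*)(?:\?(.*))?$/is.exec(raw.trim());
  if (!m) throw new Error("not a mailto: URI");
  const out = { to: splitAddresses(m[1]), cc: [], bcc: [], subject: "", body: "", other: {} };
  for (const pair of (m[2] || "").split("&").filter(Boolean)) {
    const eq = pair.indexOf("=");
    const name = safeDecode(eq < 0 ? pair : pair.slice(0, eq)).toLowerCase();
    const value = eq < 0 ? "" : pair.slice(eq + 1);
    if (name === "to" || name === "cc" || name === "bcc") out[name].push(...splitAddresses(value));
    else if (name === "subject" || name === "body") out[name] = safeDecode(value);
    else out.other[name] = safeDecode(value);   // any other header field
  }
  return out;
}

function reviewMailto(parsed) {
  const notes = [];
  if (parsed.bcc.length) notes.push(`BCC present: ${parsed.bcc.join(", ")}`);
  if (parsed.cc.length) notes.push(`CC present: ${parsed.cc.join(", ")}`);
  if (parsed.to.length > 1) notes.push(`${parsed.to.length} To recipients`);
  if (parsed.body) notes.push(`body pre-filled (${parsed.body.length} chars)`);
  if (Object.keys(parsed.other).length) notes.push(`extra headers: ${Object.keys(parsed.other).join(", ")}`);
  return notes;
}

// Constructed sample; all addresses are placeholders under example.com / example.net.
const sample = "mailto:support@example.com?subject=Warranty%20claim" +
  "&bcc=collector@example.net&body=I%20authorize%20the%20change.%0AThanks";
const parsed = parseMailto(sample);
console.log(parsed);
console.log(reviewMailto(parsed));
```
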

Email QR Decoder FAQ

What does an email QR code look like when decoded?
The raw content starts with mailto: followed by the email address and optional query parameters for subject, body, cc, and bcc. Our decoder parses these and displays each field with a clear label.

Can an email QR code contain multiple recipients?
Yes. The mailto: specification allows comma-separated email addresses in the To, CC, and BCC fields. Our decoder will display all recipients found in the QR code.

Is the decoded email content stored anywhere?
No. All decoding is done entirely in your browser. Nothing is sent to any server. The decoded content is only stored in your browser's localStorage for scan history, which you can clear at any time.

What is the difference between a mailto: QR code and a URL QR code?
A URL QR code (starting with http:// or https://) opens a web browser when scanned. A mailto: QR code opens your email app with a pre-filled compose window. Neither automatically sends data; user action is required to proceed in both cases.

Can I decode an email QR code from a screenshot?
Yes. Take a screenshot of the QR code and upload it using the Upload tab. This works for QR codes in PDF files, emails, web pages, and any other digital source; just screenshot the page containing the QR code first.

URL Encoding Inside a Mailto QR

The body and subject of a mailto URI have to be URL-encoded. Spaces become %20, newlines become %0A, and ampersands become %26. This is why raw mailto strings look unreadable at first glance. Our decoder handles the decoding for you and shows the subject and body in plain text.

Occasionally you will encounter a mailto QR where the encoding is wrong. The two most common mistakes are unencoded spaces (which break parsing at the first space) and unencoded ampersands inside the body (which get treated as a separator between fields). When you run into either, the visible result is a subject or body that cuts off partway through. The rest of the content is still in the QR, just not readable to most email apps.
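
The two encoding mistakes described above, as an added JavaScript example (not this site's decoder code): it flags unencoded whitespace and a stray "&", and stitches the split-off text back onto the field it belongs to. The function names and sample string are assumptions; treating every segment that is not to, cc, bcc, subject or body as split-off text is a heuristic, so an unusual but valid header would also be flagged.

```javascript
// Added example: spot the two encoding mistakes in a raw mailto: payload and
// recover the text that a strict parser would cut off. Names are chosen for this example.

const KNOWN_FIELDS = new Set(["to", "cc", "bcc", "subject", "body"]);

function decodeLoose(s) {
  // decodeURIComponent throws on malformed %-sequences; fall back to the raw text.
  try { return decodeURIComponent(s); } catch { return s; }
}

function lintMailtoEncoding(raw) {
  const issues = [];
  if (/\s/.test(raw)) issues.push("unencoded whitespace: strict parsers stop at the first space");
  const q = raw.indexOf("?");
  const fields = [];                       // [name, rawValue] in order of appearance
  for (const seg of q < 0 ? [] : raw.slice(q + 1).split("&")) {
    const eq = seg.indexOf("=");
    const name = eq < 0 ? "" : seg.slice(0, eq).toLowerCase();
    if (KNOWN_FIELDS.has(name)) {
      fields.push([name, seg.slice(eq + 1)]);
    } else if (fields.length) {
      // Heuristic: not a recognised field, so treat it as text split off by an unencoded "&".
      const last = fields[fields.length - 1];
      issues.push(`unencoded "&" inside ${last[0]}: "${decodeLoose(seg)}" was split off`);
      last[1] += "%26" + seg;              // re-attach with the ampersand properly encoded
    }
  }
  const recovered = {};
  for (const [name, value] of fields) recovered[name] = decodeLoose(value);
  return { issues, recovered };
}

// Constructed sample with both mistakes: a literal space and a literal "&" in the body.
const broken = "mailto:orders@example.com?subject=Order&body=Fish & chips, twice";
console.log(lintMailtoEncoding(broken));
```
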

Mailto vs SMTP vs contact-form QR Codes

Three approaches exist for letting someone reach you through a QR code. Each one has a different trust and privacy profile.

  • Mailto QR: Opens the user's email client with your address pre-filled. You trust the user has a configured email app, which is less universal on mobile than it used to be. Your real email address is exposed in plain text inside the QR code.
  • SMTP QR: Rare in practice. Encodes SMTP server details alongside the mailto. Unless the sending device is preconfigured for that server, the result is a failed send.
  • Contact-form QR: A URL QR code pointing to a web contact form. The user never sees your email address. You get spam filtering and captchas for free. This is what most organizations eventually migrate to.

For personal cards where you want to keep things simple, mailto wins. For business or public-facing scenarios, routing through a contact form page is the cleaner pattern.