Without plugins, it's difficult to use obfuscated email addresses in Hugo. Additionally, Hugo will aggressively escape anything you introduce to a template, especially if it's a href attribute.
To use a character entities obfuscation technique (eg. that of http://wbwip.com/wbw/emailencoder.html), place email.html in the layouts/shortcodes folder, and place emails.yml in the data folder.
The contact email in emails.yml is the character entity-encoded form of user@example.com. It will be the default email used if you call the email shortcode (by using {{< email >}} or {{< email contact >}} in your page content) without any parameters. You can add other emails to emails.yml and use them in the email shortcode by passing their key as a parameter, eg: {{< email newKey >}}