Re: HTML for email Tue, 02 March 2021 14:35 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 43C6C3A1984 for <>; Tue, 2 Mar 2021 06:35:43 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id vl1HBPxT5_tP for <>; Tue, 2 Mar 2021 06:35:42 -0800 (PST)
Received: from ( []) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 67AC23A197B for <>; Tue, 2 Mar 2021 06:35:36 -0800 (PST)
Received: from by (PMDF V6.1-1 #35243) id <> for; Tue, 2 Mar 2021 06:30:32 -0800 (PST)
MIME-version: 1.0
Content-transfer-encoding: 7BIT
Content-type: TEXT/PLAIN; CHARSET=US-ASCII; format=flowed
Received: from by (PMDF V6.1-1 #35243) id <> (original mail from for; Tue, 2 Mar 2021 06:30:28 -0800 (PST)
Cc: Benjamin Kaduk <>, Nico Williams <>, IETF Discussion Mailing List <>
Message-id: <>
Date: Tue, 02 Mar 2021 06:08:13 -0800 (PST)
Subject: Re: HTML for email
In-reply-to: "Your message dated Tue, 02 Mar 2021 09:42:58 +0000" <>
References: <20210227190200.06ED46F10439@ary.qy> <4064.1614454347@localhost> <s1f0vo$ejp$> <> <> <> <> <20210301232237.GI30153@localhost> <> <>
To: tom petch <>
Archived-At: <>
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF-Discussion <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Tue, 02 Mar 2021 14:35:48 -0000

> I think that a security-conscious mail-list system would suppress the
> html alternative.

I did an informal survey of the viability of this approach a while back. The
very first thing I found is that the IETF is an outlier, and you shouldn't
assume what you see on IETF lists is in any way the norm.

When dealing with lists in general, do the text only thinkg and you end up with
delightful stuff like messages that say, "Please see the HTML part for the
actual content of this message". Or "This message can only be read by a client
that supports HTML".

Then there are the ones that do a crap job of producing the text from the HTML.
Things like text that is the same as the HTML with all the XML-ish punctuation
removed, but retaining all the tags and scripts. There's even one that produces
text with one character on each line that I especially like.

And then there are the ones which insert the text part but leave it blank.

This is just the subset I've seen on various lists. Once you start considering
the full gamut of email messages you'll find additional things like commercial
messages where the text part says, "Please click on this URL to view the
message on the web". 

> E-mail used to have lots of executables attached with
> the potential to spread virus and the like and, nowadays, most mail
> exploders will remove anything like that that could do damage without
> being asked - it is taken as read.

In spam, sure. But in legitimate email? Not in my experience.

> In recent times, a lot of attention
> has been paid to privacy, in the work of the IETF, but sending out the
> html to all subscribers I see as a vector for bad actors to breach privacy.

A potential vector. And while lists are important, I'm far more concerned
with the more general case that includes commercial email.

And like it or not, outside the IETF the HTML horse left the barn a long time
back. We can chose to deal with or ignore it, but getting it back in
the barn is not an option.