Re: HTML for email

Nico Williams <> Tue, 02 March 2021 16:45 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id B75D73A19A9 for <>; Tue, 2 Mar 2021 08:45:34 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -0.753
X-Spam-Status: No, score=-0.753 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_BL_SPAMCOP_NET=1.347, RCVD_IN_MSPIKE_H2=-0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (1024-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id pQnh0US0H0-J for <>; Tue, 2 Mar 2021 08:45:33 -0800 (PST)
Received: from ( []) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id DA39F3A19A7 for <>; Tue, 2 Mar 2021 08:45:32 -0800 (PST)
X-Sender-Id: dreamhost|x-authsender|
Received: from (localhost []) by (Postfix) with ESMTP id 8463A78218A; Tue, 2 Mar 2021 16:45:30 +0000 (UTC)
Received: from (100-96-16-25.trex.outbound.svc.cluster.local []) (Authenticated sender: dreamhost) by (Postfix) with ESMTPA id 1E253781F4F; Tue, 2 Mar 2021 16:45:30 +0000 (UTC)
X-Sender-Id: dreamhost|x-authsender|
Received: from ( []) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384) by (trex/6.0.2); Tue, 02 Mar 2021 16:45:30 +0000
X-MC-Relay: Neutral
X-MailChannels-SenderId: dreamhost|x-authsender|
X-MailChannels-Auth-Id: dreamhost
X-Robust-Soft: 0abb5286137b3a61_1614703530372_174041943
X-MC-Loop-Signature: 1614703530372:3007685697
X-MC-Ingress-Time: 1614703530371
Received: from (localhost []) by (Postfix) with ESMTP id AF9AB86F53; Tue, 2 Mar 2021 08:45:29 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed;; h=date :from:to:cc:subject:message-id:references:mime-version :content-type:in-reply-to;; bh=r/yxDDnGYvH7SI WMNM49djpF4H0=; b=iAK40ZDCyqTAmKOApuoYtiXHtwyy7AUVgPbm6LyVSoNNz6 BODDV+nCjs459FbxT44OTlYGtjNrykvcioZ5pxA98uxFPeyg1Y/PEpJbUOdhFt5Q gWSosqSU5Ogue6Z2KLromU62oH9Y2gYN3lEt2Bob26CKdGHo+Coc3rtgcpSTk=
Received: from localhost (unknown []) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) (Authenticated sender: by (Postfix) with ESMTPSA id 01A327EE8C; Tue, 2 Mar 2021 08:45:27 -0800 (PST)
Date: Tue, 2 Mar 2021 10:45:25 -0600
X-DH-BACKEND: pdx1-sub0-mail-a13
From: Nico Williams <>
To: Nick Hilliard <>
Cc:, IETF Discussion Mailing List <>
Subject: Re: HTML for email
Message-ID: <20210302164524.GT30153@localhost>
References: <s1f0vo$ejp$> <> <> <> <> <20210301232237.GI30153@localhost> <> <> <> <>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <>
User-Agent: Mutt/1.9.4 (2018-02-28)
Archived-At: <>
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF-Discussion <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Tue, 02 Mar 2021 16:45:35 -0000

On Tue, Mar 02, 2021 at 03:55:16PM +0000, Nick Hilliard wrote:
> Bear in mind that even within the IETF, plenty of people view the entire
> HTML email debate as flogging the proverbial dead horse, and when it rolls
> around every several months, welcomes it in the same way that you might
> welcome an outbreak of cold sores.

That can be said of many discussions here, some of which are ongoing.

> Looking at this from a different perspective, in the twenty-something years
> of discussion since Content-Type: text/html first appeared, have any
> actionable and viable suggestions emerged about how to deal with html email,
> other than stripping it off in the archived emails?

Wearing a security hat, what I would do is strip off all script and img
elements, and any element with an href that gets dereferenced

Or maybe pass it through elinks and then turn the references back into
HTML links that the user can click on if they really like.

> Maybe the people who are upset about html email could form a working group,
> take the discussion there and write up an ID with observations and
> recommendations for html emails at the ietf?

Unlikely.  We're a volunteer organization, but the volunteers do get
paid to do most of what they do here.

A better approach would be to standardize a subset of HTML for email
that is secure enough.  But I think that would fall on the W3C.