I wrote a couple of blog pieces in 2017 about how horrified I am when I find activist groups and other social change organizations helping surveillance capitalism tools like NationBuilder and MailChump to track their supporters. In the MailChump piece, I also took the opportunity to gripe about people sending HTML pages as emails. At the risk of sounding like the 1990s internet equivalent of people who moan about how nobody sends paper letters anymore, I just wanted to share a few resources about just how dodgy HTML mail can be.
To set the scene, here’s what I said in the MailChimp piece:
While we’re on the subject of mass email, the “service” that seems to make MailChimp so attractive is that it uses HTML to add a bunch of trackers to the email sent through its servers. Putting aside the ethics of enabling companies to use email to track people we like, I strongly discourage people from sending HTML by email.
Email is designed as a text-only medium, and works better this way. HTML email massively increases the amount of space email takes up in someone’s inbox, how much of their data allowance is used looking at it, and how much of the total resources of the internet are used by email that may not even be wanted or seen. HTML email also creates vectors for viruses and malware to spread through email, vectors which do not exist in plain text email.
If you want to show someone a page of HTML, it’s better to put that on a website, and include a link to it in a plain text email. That way people can read the email anytime, then look at the linked web pages when they are using fast, un-metered internet. This is also helpful to people still using dial-up connections, or slow rural broadband.
But hey what do I know? I’m just a guy who researches user-respecting software and writes a tech blog. I practically live in my Mum’s basement. How about we consult some experts?
Let’s start with George Dillon, a performance artist and web designer. Now we all know how much web designers love HTML, and George has been building his own websites since the late 90s. But his article on using HTML for email lists seven reasons why HTML mail is “evil”, or at least unhelpful and unnecessary, covering many of the points I touched on but in more detail. OK, it hasn’t been updated since 2009, and some of the specifics may seem out-of-date (HTML mail exploits are the least of your worries if you’re still using Windows XP), but you’d be amazed how many people still use dial-up connections to access the net. Plus, as I forgot to mention in the MailChimp piece, many of the same issues that apply to dial-up also apply to people using mobile devices to read their email, on metered mobile data connections they pay through the nose for.
Next, let’s pay a visit to tech writer M. E. Kabay, who wrote a 2004 piece about the growing use of HTML in email, for NetworkWorld.com, describing a number of specific security holes made possible by HTML mail, and dismissing it as a pointless source of …
“unwanted, mislabeled links, Web bugs, harmful active content, and outright worms and viruses”.
Kabay sums up the piece with this advice:
“I urge everyone to send plain text instead of HTML as the default format for outgoing e-mail. If you need to send a message with features beyond text, you can always create a word-processing document and send that.”
Now I know what you’re thinking. Like me, these articles are showing their age. I mean, 2004 was more than a decade ago. Surely all these security problems have been solved by now, right? Nope. Here’s the conclusion of an article published on The Conversation in 2017, written with input from security researcher Robert Graham:
“Security-conscious users must demand that their email providers offer a plain-text option. Unfortunately, such options are few and far between, but they are a key to stemming the webmail insecurity epidemic. Mail providers that refuse to do so should be avoided, just like back alleys that are bad places to conduct business.”
The title of the piece is ‘The only safe email is text-only email’. Need I quote further?
Finally, there’s StackExchange, a Q&A website where anyone can ask a question, and the answers from the communities of experts there get upvoted, and downvoted, and commented on, and edited, until only the best answers are left standing. A question about the security risks of creating a webmail that allows HTML mail was asked in the software engineering department, and my favourite quote from among the answers given is this one by one Michael Shaw, which pretty much sums it all up:
“Start allowing anything beyond presentational [HTML] tags and you are making assumptions that you know more about how these tags can be misused than the mal-ware writers. And believe me, that is a brave claim for anyone to make.”
Need I say more?
Afterword
This piece was originally published on the first Disintermedia blog on CoActivate in April, 2018. About a month later, I read a highly misleading piece on The Atlantic called ‘Email Hackers are Winning’, discussing a recent crack called ‘Efail’ that proves encrypted email can be cracked, and claiming that Efail:
“showed that encrypted (and therefore private and secure) email is not only hard to do, but might be impossible in any practical way, because of what email is at its core”
Ummm … no. For the Efail crack to work, the receiver of the malicious email has to have HTML mail turned on in their email app. If HTML mail is turned off, Efail … well … fails. The core of email - the email protocols - has nothing to do with it. The author, security blogger Quinn Norton, who really ought to know better, also claims that the fundamentals of email have remained unchanged since the 1970s. Since that was before HTML was invented, if that was true, Efail wouldn’t work at all. Indeed, the email protocols are constantly being improved through standards work at the IETF (Internet Engineering Task Force). However, despite the weird fairy tale Quinn wraps around the story of Efail, it is yet another very good reason for activists not to use HTML mail.
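What reading mail with HTML turned off looks like in practice, as an added example (not code from this post or from any of the articles it cites): the reader shows only the text/plain part of a message and, without fetching anything, lists the URLs an HTML renderer would have loaded automatically, such as the web bugs mentioned above. The sample message, its addresses and the tracking URL are constructed for illustration.

```python
from email import message_from_string, policy
from html.parser import HTMLParser

# Constructed sample (not a real email): multipart/alternative with a
# plain-text part and an HTML part carrying a 1x1 remote "web bug".
SAMPLE = """\
From: news@example.org
Subject: Monthly update
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

Read the update at https://example.org/update
--b1
Content-Type: text/html; charset="utf-8"

<html><body><p>Read the <a href="https://example.org/c?u=123">update</a></p>
<img src="https://track.example.org/open.gif?u=123" width="1" height="1"></body></html>
--b1--
"""

class RemoteRefs(HTMLParser):
    """Collect URLs an HTML renderer would fetch without any click."""
    AUTOLOAD = {("img", "src"), ("link", "href"), ("script", "src"),
                ("iframe", "src"), ("body", "background")}
    def __init__(self):
        super().__init__()
        self.urls = []
    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            remote = (value or "").startswith(("http:", "https:", "//"))
            if (tag, name) in self.AUTOLOAD and remote:
                self.urls.append(value)

def read_as_text(raw):
    """Return (plain_text_body, remote_urls_in_html_part); nothing is fetched."""
    msg = message_from_string(raw, policy=policy.default)
    plain = msg.get_body(preferencelist=("plain",))
    html = msg.get_body(preferencelist=("html",))
    finder = RemoteRefs()
    if html is not None:
        finder.feed(html.get_content())  # parse only, never render
    text = plain.get_content() if plain is not None else ""
    return text.strip(), finder.urls

if __name__ == "__main__":
    print(read_as_text(SAMPLE))
```

The link inside the `<a>` tag is deliberately not reported: it is only requested if the reader clicks it, whereas the `<img>` is requested as soon as an HTML-rendering client opens the message.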
Update 2023/11/07: Now, discerning readers who have subscribed will notice that new posts from the Disintermedia SubStack arrive as HTML mail. Yes, I know, and I’m embarrassed it took me a while to notice the self-contradiction. I'm trying to find out if there’s any way to send plaintext emails instead, for all the reasons given here. If there’s no way to do this right now - as I suspect there isn’t - I intend to be a squeaky wheel until the SubStack team make it possible.
What I will say is, as it stands, an article on SubStack can be read in your choice of email client, even with HTML turned off. Or in your choice of browser, even with JavaScript turned off. Not all email senders or blog hosts can say the same.