J. R. Swab

You Need To Stop Using HTML Email

Categories: [Technology]

HTML email is bad and should be considered harmful.

HTML Email Makes Phishing Attempts Easier

HTML emails allow you to make links which hide the URL behind some user-friendly text. However, this is an extremely common vector for phishing attacks, where a malicious sender makes a misleading link which takes you to a different website than you expect.

"It looks like its from Facebook so it must be from Facebook."

HTML Email Makes Tracking Easier

Virtually all HTML emails sent by marketers include identifiers in links and inline images which are designed to extract information about you and send it back to the sender.

You probably block ads and trackers already with a browser plugin but your emails are likely not covered.

HTML Email Increased Email Client Vulnerabilities.

HTML is an extremely large and complicated set of specifications designed without emails in mind. It's designed for browsing the world wide web, on which a huge variety of documents, applications, and more are available.

Thunderbird has over 400 know vulnerabilities and (almost) all are because of HTML Email and the need to render them as a webpage.

We Can Kill HTML Email

We need to change this norm from the ground up as a grass roots effort. We'll never convince Gmail and others to automatically display emails in plain text for all users. Nor will we convince companies to stop sending HTML emails to their clients. The only way is to start sending plain text emails and setting up our email programs to only display our received emails as plain text.

As more and more people do this the companies will begin to follow suite due the increasing number of people being unable to easily read their messages.

It's also our duty as good email users to only every send emails as plain text because we can not always be sure that the receiver of our emails is using a program that will render out all the HTML instead of displaying it as a webpage.

Keep in mind that by plain text I don't mean you should not encrypt your emails. If you need to encrypt them then please do; PGP and GPG work very well. When sending an encrypted message; type up your message, encrypt it, and the paste the encrypted output into the email as plain text.

Email Clients That Use Plain Text by Default:

My preferred email client is the terminal based Aerc. But any of the above clients will work just fine and there are many more.

But J. R., what if I want to keep using {insert email service here}

There is no way I can list out how to set up every existing email client to default email composition to plain text.

So here as Gmail:

  1. Create a new email
  2. Click the three-dotted icon in the bottom right
  3. Choose plaintext

Now your email will send as plain text and Gmail will remember your preference for every new email unless you change it again.

For more clients please check out the site useplaintext.email

HTML Email as Displayed In Plain Text:

<!DOCTYPE html>                                                                                                                       
<html xmlns='http://www.w3.org/1999/xhtml'>                                                                                           
<head>                                                                                                                                
<title>Some Site</title>                                                                                                                 
<meta content='text/html; charset=utf-8' http-equiv='Content-Type'>                                                                   
<meta content='width=device-width, initial-scale=1.0' name='viewport'>                                                                
<link href='https://fonts.googleapis.com/css?family=Open+Sans:400,300,300italic'>      
<style>                                                                                                                                  
  a{                                                                                                                                  
    outline:none;                                                                                                                     
    color:#666;                                                                                                                       
    text-decoration:none;                                                                                                             
  }
</style>
</head>
<body bgcolor='#f9f9f9' style='margin:0; padding:0;'>
<p>This would be much more pleasant in plain text.</p>
<a href='https://somesite.com/' target='_blank'>Click here for more!</a>
</body>
</html>

Plain Text Alternative:

This would be much more pleasant in plain text.
https://somesite.com/

What would you rather read? I'm sure it's the plain text option.

Plain text email is the future.

All quoted text is from useplaintext.email.


Don't want to miss a post?

Sign up for the (plaintext) email list by sending an email to:

~jrswab/[email protected].

By subscribing to the email list, you agree to nothing more than wanting to receive an email when a new blog post is released.

Your email address is private to both me and other subscribers unless you choose to reply to a thread.