Authenticated emails and HTML

Written by Dominik Joe Pantůček on 11 dubna, 2019.

Today, I would like to talk about the habit that some companies still enforce. Sending HTML emails – ideally with some pseudo-legal notices and statements. Read on to find out why this is plain wrong on all counts.

Even before SMTP[1] defined in RFC 821[2] there was email[3] since the early days of ARPANET[4]. Most of the people with access to email were scientists that were generally being able to adhere to some implicit principles. It can be summed up as being nice to each other and just use the technology to improve the information flow.

Later on, as more and more people gained access to email, things started to be slightly complicated. First unsolicited bulk email appeared[5], some people were rude and no longer was being connected to the network a guarantee that you are a reasonable person adhering to those nice principles. That is why Netiquette[6] was written. It laid out basic rules for communication on the Internet and people were happy. For a while…

Also, from the early days of email, there were signatures. Back then that meant only snippets of text put at the very end of an email message with information about the sender. Name, online handle (nickname), surname, organization and maybe some ASCII-ART graphics[7] to make it more personal.

As the network grew and the technology has advanced, digital signatures were added to email infrastructure[8]. But also the ability to include attachments using MIME[9] was added to the mix. And with that the unfortunate ability to create HTML[10] emails.

Why is that bad? The answer is pretty simple. If you are digitally signing anything, you must[11] know what you are signing and you must be sure that anyone reading it will see the same thing. This is true for plain text emails in ASCII. Nowadays this is also true for plain text emails in Unicode[12] encoding like UTF-8. But HTML allows for white text on white background, small font sizes, and today even some active elements using client-size Javascript[13]. With all this the email can look completely different to the recipient. And therefore any digital signature of HTML email cannot be trusted.

But that is just the first level of badness. To make things worse, people include pseudo-legal disclaimers – usually in small font and in bold type-face – at the end or (even worse) at the beginning of the email. Although it has absolutely no legal binding for any – even unintended – recipient. Some lawyers just do not understand the technology and how it interacts with the legal system. The only result is – no digital signature of such emails can be trusted.

The worst thing of them all is if this pseudo-legal HTML disclaimer is injected by a SMTP server. And actually such action invalidates all digital signatures the email had. So maybe it is not that bad.

However, everyone can help. Even you! Just open up the preferences of your email client and disable HTML emails. For example in Mozilla Thunderbird[14] you can do it as shown in Picture 1 below.

Picture 1: Disabling HTML email

You – and your company – should also use a trusted email server. If you are in charge, make sure users‘ emails are not modified by your SMTP infrastructure. And if you are not in charge, talk to your CTO/CIO/CSO or in Europe to your DPO, because there some GDPR issues might come with inspecting email contents as well!

 

Thank you for staying with us and please, everyone, consider turning off HTML email in your email client and get back next week for some more authenticated news!


References

1. Wikipedia contributors. (2019, March 30). Simple Mail Transfer Protocol. In Wikipedia, The Free Encyclopedia. Retrieved 07:18, April 10, 2019, from https://en.wikipedia.org/w/index.php?title=Simple_Mail_Transfer_Protocol&oldid=890088488

2. https://tools.ietf.org/html/rfc821

3. Wikipedia contributors. (2019, March 25). Email. In Wikipedia, The Free Encyclopedia. Retrieved 07:20, April 10, 2019, from https://en.wikipedia.org/w/index.php?title=Email&oldid=889333181

4. Wikipedia contributors. (2019, April 4). ARPANET. In Wikipedia, The Free Encyclopedia. Retrieved 07:19, April 10, 2019, from https://en.wikipedia.org/w/index.php?title=ARPANET&oldid=890939968

5. Wikipedia contributors. (2019, March 3). Spamming. In Wikipedia, The Free Encyclopedia. Retrieved 07:21, April 10, 2019, from https://en.wikipedia.org/w/index.php?title=Spamming&oldid=886040700

6. https://tools.ietf.org/html/rfc1855

7. Wikipedia contributors. (2019, February 15). ASCII art. In Wikipedia, The Free Encyclopedia. Retrieved 07:22, April 10, 2019, from https://en.wikipedia.org/w/index.php?title=ASCII_art&oldid=883447580

8. https://trustica.cz/en/2018/08/30/securing-email/

9. https://tools.ietf.org/html/rfc2045

10. Wikipedia contributors. (2019, March 13). HTML. In Wikipedia, The Free Encyclopedia. Retrieved 07:23, April 10, 2019, from https://en.wikipedia.org/w/index.php?title=HTML&oldid=887642352

11. https://tools.ietf.org/html/rfc2119

12. Wikipedia contributors. (2019, April 10). Unicode. In Wikipedia, The Free Encyclopedia. Retrieved 07:26, April 10, 2019, from https://en.wikipedia.org/w/index.php?title=Unicode&oldid=891791938

13. Wikipedia contributors. (2019, April 8). JavaScript. In Wikipedia, The Free Encyclopedia. Retrieved 07:27, April 10, 2019, from https://en.wikipedia.org/w/index.php?title=JavaScript&oldid=891543539

14. https://www.thunderbird.net/en-US/