
The only safe email is text-only email - 5travac
https://theconversation.com/the-only-safe-email-is-text-only-email-81434
======
userbinator
I've noticed that "if it's not plaintext, it gets deleted without being read"
seems to be a pretty common rule among Germans on the Internet, who also have
a tendency to like specifying very exactly what they want of email to them.
Here's a few examples:

[https://www-user.tu-chemnitz.de/~heha/email.en.htm](https://www-user.tu-chemnitz.de/~heha/email.en.htm)

[http://problemkaputt.de/email.htm](http://problemkaputt.de/email.htm)

[https://www.gaertner.de/~neitzel/email-to-mn.html](https://www.gaertner.de/~neitzel/email-to-mn.html)

[http://www.karo-electronics.de/448.html](http://www.karo-electronics.de/448.html)

...and of course there's this:

[http://arc.pasp.de/](http://arc.pasp.de/)

~~~
eveningcoffee
Second link points out a problem I was afraid of existing - big providers just
stump on personal email servers.

> _Hotmail is typically deleting all emails that I am sending. ... Monopolists
> like gmail.com won't accept any messages sent from my mail server._

~~~
simias
I feel like I'm making this comment once a week on HN but I host my own email
and I haven't had any major issue so far with "big email".

The main caveat is that you will have a very hard time getting your email
accepted if it comes from a home connection IP range instead of some host
provider but if you do have a dedicated server and follow the guidelines
(SMTPS, DKIM, SPF etc...) it just works, at least in my experience.

~~~
dozzie
Hosting one's own e-mail server is a totally opaque random crapshot. You may
not have any trouble, but some other dude or gal will get their e-mail marked
as spam without any way to tell what exactly is wrong and what to change.

~~~
Belphemur
First step when getting an ip for a server that will be a mail server is to
check if the ip is not already blacklisted.

You can always get it unlisted.

After that, don't start by sending hundreds of emails a day. You need to build a
reputation for your domain and ip.

As the parent comment says, set up directly spf, dkim and dmarc (also arc if
you can). Rspamd can help you do that.

I've been running a personal mail server for 5 years with simply following
those rules.
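
An offline sanity check for the SPF and DMARC records this post recommends publishing, added here as an example rather than anything from the thread or from Rspamd. It parses the two TXT record formats and flags the settings that make a record useless to receivers (`+all`, a missing `all`, the 10-lookup limit, `p=none`, no report address). The record strings are constructed; a real deployment would feed it the output of a DNS query for `example.com` and `_dmarc.example.com`.

```python
"""Offline sanity checks for the SPF and DMARC records a new mail server publishes.
Added example, not from the thread; every record below is constructed."""
import re

# Mechanisms/modifiers that cost a DNS query; RFC 7208 allows at most 10 per evaluation.
SPF_LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def parse_spf(record):
    """Split an SPF TXT record into (qualifier, name, term) mechanisms and name=value modifiers."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return None
    mechanisms, modifiers = [], {}
    for term in terms[1:]:
        if "=" in term:                              # modifiers look like redirect=... or exp=...
            name, value = term.split("=", 1)
            modifiers[name.lower()] = value
            continue
        qualifier = "+"                              # RFC 7208: the default qualifier is "+"
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        name = re.split(r"[:/]", term, maxsplit=1)[0].lower()
        mechanisms.append((qualifier, name, term))
    return {"mechanisms": mechanisms, "modifiers": modifiers}


def spf_findings(record):
    """Return human-readable problems; an empty list means the record looks sane."""
    parsed = parse_spf(record)
    if parsed is None:
        return ["not an SPF record (must start with v=spf1)"]
    findings = []
    names = [name for _, name, _ in parsed["mechanisms"]]
    all_qualifiers = [q for q, name, _ in parsed["mechanisms"] if name == "all"]
    if all_qualifiers:
        if all_qualifiers[0] == "+":
            findings.append("'+all' authorises every host on the Internet to send as this domain")
        elif all_qualifiers[0] == "?":
            findings.append("'?all' is neutral, so receivers learn nothing from the record")
    elif "redirect" not in parsed["modifiers"]:
        findings.append("no 'all' mechanism and no redirect=: unlisted senders get an implicit neutral result")
    if "ptr" in names:
        findings.append("'ptr' is deprecated by RFC 7208 and slow for receivers to evaluate")
    lookups = sum(1 for n in names if n in SPF_LOOKUP_TERMS) + ("redirect" in parsed["modifiers"])
    if lookups > 10:
        findings.append(f"{lookups} DNS-querying terms; RFC 7208 permits 10, beyond that receivers return permerror")
    return findings


def parse_dmarc(record):
    """Split a DMARC record ('v=DMARC1; p=...; ...') into a tag dict; v= must come first."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            return None
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if not tags or next(iter(tags)) != "v" or tags["v"] != "DMARC1":
        return None
    return tags


def dmarc_findings(record):
    """Return human-readable problems with a DMARC record; empty list means it looks sane."""
    tags = parse_dmarc(record)
    if tags is None:
        return ["not a DMARC record (must start with v=DMARC1)"]
    findings = []
    policy = tags.get("p")
    if policy not in ("none", "quarantine", "reject"):
        findings.append("missing or invalid p= tag; receivers will ignore the record")
    elif policy == "none":
        findings.append("p=none only requests reports; mail that fails alignment is still delivered")
    if tags.get("pct", "100") != "100":            # pct defaults to 100 when absent
        findings.append(f"pct={tags['pct']}: policy is applied to only part of the mail stream")
    if "rua" not in tags:
        findings.append("no rua= address: you get no aggregate reports showing who sends as your domain")
    return findings


if __name__ == "__main__":
    # Constructed records: one weak pair, one reasonable pair.
    for rec in ("v=spf1 a mx +all", "v=spf1 ip4:192.0.2.10 include:_spf.example.net -all"):
        print(rec, "->", spf_findings(rec) or "ok")
    for rec in ("v=DMARC1; p=none", "v=DMARC1; p=reject; rua=mailto:dmarc@example.net"):
        print(rec, "->", dmarc_findings(rec) or "ok")
```

The lookup count matters in practice: every `include:` you add for a mailing-list or SaaS provider spends one of the ten, and a record that goes over the limit fails for everyone, not just the overflowing sender.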

~~~
dozzie
I've been running a personal mail server for twice as long with simply
following those rules and my e-mail _is still tagged as spam_ in Gmail when
it's me who initiates contact (once the other party sends me an e-mail, reply
or otherwise, I no longer get tagged as spam).

As I said, it's totally opaque crapshot.

~~~
cyberpunk
Are you using DKIM and SPF properly? I've never had any problems with this
(although, I'm not mailing from home ISP ranges)

~~~
dozzie
Yes.

~~~
cyberpunk
That's very strange, then.

I'd recommend trying [http://dkimvalidator.com/](http://dkimvalidator.com/) to
make sure everything is perfect; having proper certs on your MXs seems to help
too.

I run a pretty large email infra (~500k/minute) and I'd help you out if I
can...

If you're still having problems with all that in place then why don't you just
change IPs?

~~~
dozzie
As I said, Gmail is opaque with regard to its spam detection.

As for your help offer, thank you, but I'm good. It's usually other people who
want to contact me, I rarely send the first message ever.

~~~
cyberpunk
Hmm well, I've found it to be pretty straightforward, I'm curious why this is
happening to you though and there must be a solution...

I mean.. If you get a solid result from dkimvalidator but google is still
shitlisting you then I'd definitely consider moving to another host/dc/isp at
least.

Depending on your size, it might be best just to make this someone else's
problem (if you can) -- like google, o365, etc..

~~~
dozzie
I'm definitely not giving to somebody else my /var/log/mail.log, IMAP/Mutt
access, sieve rules, nor ad hoc dedicated aliases for every website account I
create. And on top of that, I would land on some US-based server for ease of
illegal spying and my mail would be harvested for some advertising crap, all
to solve something that is not a problem for me. Not happening.

~~~
cyberpunk
Yep, that's the reason I host my own email also.

I'm working on a guide for setting this stuff up; still WIP [1] -- feedback
appreciated!

1: [https://medium.com/@cyberpunk_networks/nsa-proof-your-email-...](https://medium.com/@cyberpunk_networks/nsa-proof-your-email-2017-edition-f11a89697722)

------
TheAceOfHearts
There's a certain zen to going back to basics and using plaintext. It's always
my default choice whenever I'm given the option.

I'd argue in most cases you really don't need any fancy styles and markup.
Although upon writing this I'm now wondering if unstyled HTML might provide
improved accessibility over plaintext. What are people's experiences on the
matter?

Although I respect that some people may find greater value in carefully styled
marketing emails, to me it just feels a bit overengineered at times. How many
man-hours have been spent trying to get marketing emails to look the same
across all major clients? Are slight variations really such a horrible thing?

As we're on the subject, I'll add the following suggestion to gmail users: go
to Settings and changing the Images option to "Ask before displaying external
images". External images are regularly abused to track if the email has been
viewed, which I consider creepy.

~~~
andyjohnson0
> External images are regularly abused to track if the email has been viewed,
> which I consider creepy.

My understanding was that external images are automatically fetched and cached
on their servers by Google, so they can't be reliably used to track message
views [1]. Has this changed?

[1] [https://gmail.googleblog.com/2013/12/images-now-showing.html](https://gmail.googleblog.com/2013/12/images-now-showing.html)

~~~
scaasic
AFAIK tracking images are usually sent via a recipient-unique URL, which
allows services like Mailchimp to provide open stats for individuals. Since
the URLs are unique, the host servers will get hit at least once per recipient
that opens the email, as Google downloads and caches the image.

------
ameliaquining
This is silly. The authors establish that phishing is a serious problem (duh),
and that this problem is caused by the absence of reliable authentication of
messages (a worthwhile observation, albeit one that the industry is already
aware of and doing its best to patch over), but they fail to establish that
text-only email solves this problem in any meaningful way.

Text-only emails can and will still contain links, which users will still
click on. Misleading domain names will work just as well in the email body as
they do in the address bar. Even if (as this article seems to imply should be
done) mail clients don't make the links clickable, users will still copy-paste
them. (Not to mention that the usability benefits of making links clickable
are significant enough that mail clients won't forgo them just for a
speculative hypothetical security benefit.)

The authors seem to think that inserting a "speed bump" here will cause users
to pay closer attention and not be fooled. This is not how humans work,
especially very busy humans who get too much email and just want to get
through it as quickly as possible.

Also, the reference to JavaScript in email leads me to question whether the
authors have any idea what they're talking about. Mail clients don't execute
JavaScript.

~~~
cozzyd
At least with plain-text, it's slightly harder to forge links. (i.e. you
have to do
[http://www.megabank.com.phishingattempt.io](http://www.megabank.com.phishingattempt.io)
instead of `<a href="http://www.phishingattempt.io"><img src="megabank.com/logo.png"></a>` )

Speaking of JavaScript in e-mail, gmail doesn't allow you to send or receive
.js files (even tarred up), which is somewhat inconvenient, and I'm not really
sure what attack that prevents. Maybe there is a mail client out there that
will happily execute attached js?
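
Both forgeries in this comment (the lookalike host `www.megabank.com.phishingattempt.io` and the logo-only anchor pointing elsewhere) can be caught mechanically on the receiving side. The following is an added example, not code from the thread or from any mail client: it walks the anchors of an HTML part with the standard library parser and reports links whose visible text names one site while the `href` goes to another, image-only links whose target the reader never sees, and hosts that embed a trusted brand name under some other registrable domain. The `registrable_domain` helper is a deliberately naive "last two labels" stand-in; a production check would consult the Public Suffix List, and the `trusted_brands` list is an assumed input.

```python
"""Flag deceptive links in an HTML mail part. Added example; the HTML bodies
in the test are constructed from the two forgeries discussed in the thread."""
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit


def registrable_domain(host):
    """Naive eTLD+1 (last two labels). Assumption for the example: a real checker
    would use the Public Suffix List so that e.g. example.co.uk is handled."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def host_of(text):
    """Host named by a URL or a bare domain string; None for mailto:, tel: or empty values."""
    text = text.strip()
    parts = urlsplit(text)
    if parts.scheme in ("http", "https"):
        return parts.hostname
    if parts.scheme:                      # mailto:, tel:, ... carry no web host
        return None
    return urlsplit("http://" + text).hostname


class LinkCollector(HTMLParser):
    """Collect (href, visible text, contains-image) for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._current = None              # [href, text fragments, has_img] while inside <a>

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "a":
            self._current = [attrs.get("href") or "", [], False]
        elif tag == "img" and self._current is not None:
            self._current[2] = True

    def handle_data(self, data):
        if self._current is not None:
            self._current[1].append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._current is not None:
            href, fragments, has_img = self._current
            self.links.append((href, "".join(fragments).strip(), has_img))
            self._current = None


# Visible link text that itself looks like a URL or a domain name.
LOOKS_LIKE_URL = re.compile(r"^(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?$", re.I)


def audit_links(html_body, trusted_brands=()):
    """Return a list of findings for the anchors in html_body (empty list: nothing suspicious)."""
    collector = LinkCollector()
    collector.feed(html_body)
    findings = []
    for href, text, has_img in collector.links:
        target = host_of(href)
        if target is None:
            continue
        if LOOKS_LIKE_URL.match(text):
            shown = host_of(text)
            if shown and registrable_domain(shown) != registrable_domain(target):
                findings.append(f"text shows {shown} but the link goes to {target}")
        elif not text and has_img:
            findings.append(f"image-only link to {target}: the target is never shown to the reader")
        for brand in trusted_brands:
            if brand in target and registrable_domain(target) != brand:
                findings.append(
                    f"{target} contains trusted name {brand} but is registered under "
                    f"{registrable_domain(target)}")
    return findings


if __name__ == "__main__":
    # Constructed samples: the thread's two forgeries and one honest link.
    samples = [
        '<a href="http://www.phishingattempt.io"><img src="megabank.com/logo.png"></a>',
        '<a href="http://www.megabank.com.phishingattempt.io/login">http://www.megabank.com</a>',
        '<a href="https://www.megabank.com/login">Log in</a>',
    ]
    for body in samples:
        print(body, "->", audit_links(body, trusted_brands=("megabank.com",)) or "ok")
```

Note that the plain-text lookalike still passes the first two checks (its text and its target agree), which is why the brand check exists: the only signal left is that `megabank.com` appears as a label inside a host registered under `phishingattempt.io`.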

~~~
diggernet
Also, I gather that non-text emails make it possible to disguise the link
target when you hover over it to see where the link goes. Whether that is
using css or js, I'm not sure.

~~~
toast0
On mobile, there's no hover, so HTML mail means I just have to guess if I
think the link will go where it says or not.

~~~
extra88
In iOS Mail, you don't have to guess where the link goes: pressing and holding
on a link will show the URL.

------
mmagin
Every time I use some kind of graphical/web email client, I'm appalled by how
hard it is for me to find the "show me all the headers" feature. In mutt when
I have doubts about something I just hit "h".

Admittedly this requires a level of knowledge that the average user may be
missing. But I find it really helps inform my opinion of any borderline-
suspicious emails.

------
coldouthere
Reminds me of the ascii ribbon campaign against non-human readable formats in
email.

I switched to a text only email client a few months back. I really don't think
I am missing anything. HTML content tends to be chaff/advertising.

~~~
jasonkostempski
In my experience, for personal email, text-only is a non-issue; for work
stuff, it's not even an option.

~~~
dvfjsdhgfv
Can you elaborate why? I sometimes abuse this option by including screenshots
in the body of e-mail, but I could as well add it as an attachment. Other than
that I see no reason to use HTML in e-mail conversations at work.

~~~
dingaling
Intra-corporate e-mail is often used as an ad hoc document collaboration tool.

"See my comments in blue", strikethroughs, inline diagrams, bullet points, big
red font for emphasis.

Of course that should all be done in a dedicated application, but who is going
to provision and authorise users for that versus just adding Bob to the cc
line and giving him implicit editing capabilities?

The functional overloading of corporate e-mail is a user-driven reaction to
the awfulness of most "collaborative" software.

------
ams6110
I've always used plain text for email. Text is for email; HTML is for web
pages.

~~~
mnw21cam
Yeah, I have used alpine for email since the year dot. I don't feel like I'm
missing anything important.

------
stephenr
I've always thought native handling of markdown for email would be pretty
cool.

The MUA could strip out any HTML embedded in the actual markdown, render to
HTML locally (for display) and you have nice formatting without the risks or
cruft of email HTML.

And of course if you choose to view in text only mode, you don't actually lose
any semantic meaning.

~~~
zwp
Huh, looks like text/markdown email is coming slowly:

[https://stackoverflow.com/a/25812177](https://stackoverflow.com/a/25812177)

[https://tools.ietf.org/html/rfc7763](https://tools.ietf.org/html/rfc7763)

[https://tools.ietf.org/html/rfc7764](https://tools.ietf.org/html/rfc7764)

(March 2016)

Previous HN discussion:
[https://news.ycombinator.com/item?id=13176743](https://news.ycombinator.com/item?id=13176743)

~~~
stephenr
The RFCs are just about defining the Media Type 'text/markdown' aren't they?

Just because they used to be called MIME types and were designed for email, I
wouldn't treat those RFC's as being about email support specifically.

~~~
zwp
Sure, it could be used elsewhere. OTOH 7763 calls out email as a use case
three times and in section 5 Examples "email attachment" is the only example.
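
What the two RFCs give a mail client is only the label: `text/markdown` with an optional `variant` parameter (RFC 7763), and registered variant names such as `CommonMark` (RFC 7764). The message structure that makes stephenr's idea work is ordinary MIME. The example below is added here and is not from the thread, an RFC, or any MUA: it builds a `multipart/alternative` message whose first part is `text/plain` (Markdown reads fine as plain text, so a text-only client loses nothing) and whose second is `text/markdown; variant=CommonMark`, then shows the receiving-side choice of which part to display and a tag stripper that removes raw HTML from the Markdown before any local rendering. The addresses are constructed; the parameter name `variant` and the value `CommonMark` are the ones the RFCs define.

```python
"""text/markdown mail: build, select a displayable part, strip raw HTML.
Added example; addresses are constructed."""
from email.message import EmailMessage
from html.parser import HTMLParser


def build_markdown_message(sender, recipient, subject, markdown_text):
    """multipart/alternative with text/plain first (the fallback) and text/markdown second."""
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = sender, recipient, subject
    msg.set_content(markdown_text)                       # text/plain: Markdown is readable as-is
    # RFC 7763 media type with the RFC 7764 variant name; both parts carry the same bytes.
    msg.add_alternative(markdown_text, subtype="markdown", params={"variant": "CommonMark"})
    return msg


def readable_part(msg, allow_markdown=False):
    """Part a cautious client shows: text/plain only, or text/markdown when the user opts in.
    text/html is never a candidate, which is the point of the scheme."""
    wanted = ("text/markdown", "text/plain") if allow_markdown else ("text/plain",)
    for ctype in wanted:
        for part in msg.walk():
            if part.get_content_type() == ctype:
                return part
    return None


class _TagStripper(HTMLParser):
    """Keep character data, drop every tag, so raw HTML in Markdown renders as its text only."""

    def __init__(self):
        super().__init__()
        self.pieces = []

    def handle_data(self, data):
        self.pieces.append(data)


def strip_raw_html(markdown_text):
    """Remove inline HTML from a Markdown body before handing it to a local renderer."""
    stripper = _TagStripper()
    stripper.feed(markdown_text)
    stripper.close()
    return "".join(stripper.pieces)


if __name__ == "__main__":
    body = "# Status\n\nAll *three* hosts are back. <b>Raw HTML</b> is stripped before rendering.\n"
    m = build_markdown_message("alice@example.invalid", "bob@example.invalid", "Status", body)
    print(m.as_string())
    part = readable_part(m, allow_markdown=True)
    print(part.get_content_type(), part.get_param("variant"))
    print(strip_raw_html(part.get_content()))
```

Putting `text/plain` first follows the `multipart/alternative` rule that parts are listed in increasing order of preference, so a client that knows nothing about Markdown shows the plain part and one that does can pick the richer one.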

------
wheresvic1
I switched to using mutt with gmail and have never looked back. Mutt actually
does a brilliant job of converting all html to plaintext.

Here's the entry that I wrote about it (includes my mutt config):
[https://smalldata.tech/blog/2016/09/10/gmail-with-mutt](https://smalldata.tech/blog/2016/09/10/gmail-with-mutt)

------
alkonaut
This might be true, but I think that ship has sailed. Email for 99% of
internet users is html. Thinking that some large fraction of news letters,
outlook emails will ever be plaintext is just naive. I use html emails in
outlook simply because I don't want my emails within the corporation to appear
different from anyone else's. I certainly don't want to _return_ something that
looks different from what the sender wrote.

The mail client is a web browser. In many cases it's an actual web app in an
actual web browser. The solution has to be to make them safer for the user.
Maybe a subset of html can be whitelisted, maybe link targets should be
rendered more clearly, maybe something else.

~~~
dm319
I'm not sure the ship has sailed. If HSBC switched to only mailing out text-
only emails with URLs written out in full, after a while HSBC users would get
used to only receiving text correspondence from their bank. I think that would
be a step towards reducing phishing attempts, though certainly not a complete
answer.

~~~
alkonaut
That would require HSBC to value some kind of improved security so much that
they'd accept not having the HSBC logo in the email. _That's_ what I think is
out of the question.

You could maybe see banks having plaintext communication as an optional, but I
doubt they'd make it default (allowing users to switch to html).

Isn't this problem already solved with certificates online? Shouldn't this be
solvable the same way? E.g. a bank sends an email containing a link to the
content with some special attribute. The web browser displays the content if
and only if the sender domain of the email (e.g. hsbc.com) is also the domain
from which the content will be downloaded.

~~~
dm319
Problem is you've already received the rogue html before accessing the secure
webpage. It's a shame email signing and encryption never took off.

~~~
alkonaut
The solution assumed mail clients would be adapted to enforce this. So if you
send me a forged email claiming to be from hsbc, the mail client would allow
showing html content _only_ from a https connection to somewhere on hsbc. Kind
of like the same-origin policy but where the origin is the domain the email
claims it came from.
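
The proposed rule is small enough to write down precisely. The function below is an added example, not from the thread or any mail client: given the `From:` header, the URL of a piece of remote content and whether the message passed sender authentication, it allows the fetch only over `https` and only from the claimed sender's domain or a subdomain of it. The `authenticated` flag stands in for a DKIM/DMARC pass result the client would obtain elsewhere; without it the `From:` domain is the forger's choice, which is the objection raised just above. Addresses and URLs in the test are constructed.

```python
"""Same-origin-style policy for remote content in mail. Added example; the
authenticated flag is an assumed input from the client's DMARC/DKIM check."""
from email.utils import parseaddr
from urllib.parse import urlsplit


def claimed_sender_domain(from_header):
    """Domain of the From: address, lower-cased; the display name is ignored on purpose."""
    _, addr = parseaddr(from_header)
    if "@" not in addr:
        return None
    return addr.rsplit("@", 1)[1].lower().rstrip(".")


def same_site(host, domain):
    """True when host is domain itself or a subdomain of it (label boundary, not substring)."""
    return host == domain or host.endswith("." + domain)


def may_fetch(from_header, url, authenticated):
    """Allow remote content only if the sender is authenticated, the URL is https,
    and its host belongs to the sender's domain."""
    if not authenticated:                 # an unauthenticated From: proves nothing
        return False
    domain = claimed_sender_domain(from_header)
    if domain is None:
        return False
    parts = urlsplit(url)
    if parts.scheme != "https" or not parts.hostname:
        return False
    return same_site(parts.hostname, domain)   # urlsplit lower-cases hostname already


if __name__ == "__main__":
    sender = "HSBC <alerts@hsbc.com>"
    for url in ("https://www.hsbc.com/statement/123",
                "http://www.hsbc.com/statement/123",
                "https://hsbc.com.evil.example/statement",
                "https://hsbc.com@evil.example/statement"):
        print(url, "->", may_fetch(sender, url, authenticated=True))
```

The last two constructed URLs are the cases a plain string comparison gets wrong: `hsbc.com.evil.example` ends with the brand but not with `.hsbc.com`, and in `hsbc.com@evil.example` the brand is userinfo, so the real host is `evil.example`.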

------
donohoe
If you like this approach and are using Mail.app on OSX then I recommend the
following:

First...

1. In the menu, go: _Mail > Preferences > Viewing_.

2. Uncheck "Load remote content in messages".

3. Move to the "Composing" tab.

4. Select "Plain Text" for _Message Format_.

5. Uncheck "Use the same message format as the original message".

Second...

In Terminal, copy/paste this command to set plain-text preference to true:

    defaults write com.apple.mail PreferPlainText -bool true

It's not perfect, but short of switching to another email client, it's a step in
the right direction.

------
discreditable
I use plaintext mail heavily. My only complaint is clients that don't support
format=flowed[1] wrap text weirdly and make it look bad. The biggest ones are
Outlook and the Windows 10 Mail app, though some webmail handles it poorly
too. It gets bad when conversations start accumulating nested quotes.

I've found a quick tell if someone uses Outlook is if I send them a text/plain
message, they'll send one back and there's no format=flowed. At that point
I'll usually send them HTML mail.

1. [https://joeclark.org/ffaq.html](https://joeclark.org/ffaq.html)
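
The wrapping complaint comes down to one convention from RFC 3676: in a `format=flowed` body a line that ends in a space is a soft break the receiver may rejoin, a line without one is a hard break, lines that would start with a space, `>` or `From ` get one space of "stuffing", and `-- ` is always hard. The encoder and decoder below are an added example, not from the thread or from any client, and deliberately stay close to the RFC's basic rules (DelSp=no, quote depth counted as leading `>` characters). The sample paragraph is constructed.

```python
"""Minimal RFC 3676 format=flowed encoder/decoder. Added example; DelSp=no only."""
import textwrap


def flow_encode(text, width=72):
    """Wrap each paragraph of text; every non-final fragment ends in a space (soft break)."""
    out = []
    for para in text.split("\n"):
        depth = 0
        while para.startswith(">"):            # quote depth = number of leading '>'
            depth += 1
            para = para[1:]
        quote = ">" * depth
        if para == "-- ":                      # signature separator is always a hard line
            out.append(quote + "-- ")
            continue
        pieces = textwrap.wrap(para, width=width - depth - 1,
                               break_long_words=False, break_on_hyphens=False) or [""]
        for i, piece in enumerate(pieces):
            if piece.startswith((" ", ">", "From ")):
                piece = " " + piece            # space-stuffing (RFC 3676 section 4.4)
            if i < len(pieces) - 1:
                piece += " "                   # trailing space marks a soft break
            out.append(quote + piece)
    return "\n".join(out)


def flow_decode(encoded):
    """Rejoin soft-broken lines of the same quote depth; undo space-stuffing."""
    paragraphs = []                            # list of (depth, text)
    prev_soft, prev_depth = False, None
    for line in encoded.split("\n"):
        depth = 0
        while line.startswith(">"):
            depth += 1
            line = line[1:]
        if line.startswith(" "):
            line = line[1:]                    # remove stuffing
        soft = line.endswith(" ") and line != "-- "
        if prev_soft and depth == prev_depth:  # continue the current paragraph
            paragraphs[-1] = (depth, paragraphs[-1][1] + line)
        else:                                  # a depth change turns a soft break into a hard one
            paragraphs.append((depth, line))
        prev_soft, prev_depth = soft, depth
    return "\n".join(">" * d + t for d, t in paragraphs)


if __name__ == "__main__":
    sample = ("The quick brown fox jumps over the lazy dog " * 6).strip() + "\n-- \nsig"
    wire = flow_encode(sample, width=40)
    print(wire)
    print(flow_decode(wire) == sample)         # True: the round trip is lossless
```

A client that does not understand the parameter (the Outlook case in the comment) shows the wire form above with its short, space-terminated lines and treats every one as hard, which is exactly the ragged look being described.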

------
thisrod
I was expecting to read about some brilliant new way to solve all of the
normalisation problems with Unicode, and make plain text safe again. What a
let down!

------
cozzyd
Annoyingly, the Gmail Android app sends things multipart, even though I'm not
sure it's really possible to have any formatting (except maybe links?). I wish
there was an option to send text only, it might even make a (small) difference
for people with limited data.

------
ElectronShak
I think this is entirely dependent on the context of that particular E-mail.
Email has evolved quite a lot.

A good example is a newsletter from say, Quora or Medium; Newsletters usually
have links to a story or a news feed article. If this was done using plain
text, the link would be one long mashup of characters, because they usually
include an authentication token or something like that. In this case, using an
html link or button is clearly the better option.

HTML is like structured text for web pages.

~~~
gkya
> A good example is a newsletter from say, Quora or Medium; Newsletters
> usually have links to a story or a news feed article. If this was done using
> plain text, the link would be one long mashup of characters, because they
> usually include an authentication token or something like that. In this
> case, using an html link or button is clearly the better option.

Well, that's a yet more hostile thing that one has to put up with. I follow
news through newsletters, and I'd prefer they were in plain text and with
normal links. My reader knows how to wrap lines and make link-like things in
plain text clickable. But unfortunately if I wanted to enforce that I'd have
to avoid news...

~~~
ElectronShak
Yah, consequently. But last week someone posted a link here, a text only
version of CNN, I looked it up, here it is;
[http://lite.cnn.io/en](http://lite.cnn.io/en). We could have more of these
soon, which is a good thing.

------
stevekemp
But even there you've got to be careful. For example if you're using GNU Emacs
to read your email you could have been vulnerable to arbitrary code execution
for the past few years:

[https://debbugs.gnu.org/cgi/bugreport.cgi?bug=28350](https://debbugs.gnu.org/cgi/bugreport.cgi?bug=28350)

~~~
CyberShadow
The vulnerability is in the handling of text/enriched parts - not quite
text/plain.

------
decasteve
Some client software hides the From and Reply-To addresses, only showing the
name by default. A friend's accountant got hit because the From had my
friend's name, but the address itself was bogus but hidden, so he opened the
attachment.

So keep the main headers text-only as well (which most sane software does
anyway).
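
Two of the checks this thread argues for can be done before any part is rendered: compare the `From:` display name against the address it fronts for, and look at what content types the message actually carries (the Emacs issue mentioned above was in `text/enriched`, which a "plain text" client may still parse). The script below is an added example, not from the thread or any client. It parses a constructed message with the standard library, reports a display name that matches a known contact but an address that does not, a `Reply-To` that diverges from `From`, and lists each MIME part with whether a client rendering only `text/plain` would show it. The contact book and addresses are constructed and use the reserved `.invalid` domain.

```python
"""Header and MIME-part audit for an incoming message. Added example; the
message, contact book and addresses are constructed."""
import email
from email.utils import parseaddr

# Policy of a cautious client: only this type is rendered inline, nothing else.
RENDERABLE = {"text/plain"}

# Constructed contact book: display name -> the address that name is known by.
KNOWN_CONTACTS = {"Alice Example": "alice@example.invalid"}

# Constructed message: the friend's name on an unrelated address, an enriched body, an attachment.
RAW_MESSAGE = """\
From: Alice Example <invoice@bogus.invalid>
Reply-To: payments@bogus.invalid
To: accountant@example.invalid
Subject: Invoice
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/enriched

<bold>Please pay</bold> the attached invoice.
--b1
Content-Type: application/zip
Content-Disposition: attachment; filename="invoice.zip"

UEsDBAo=
--b1--
"""


def load(raw):
    """Parse a raw RFC 822 message string."""
    return email.message_from_string(raw)


def audit_from(msg, known_contacts):
    """Findings about the From:/Reply-To: pair; empty list means nothing odd."""
    name, addr = parseaddr(msg.get("From", ""))
    findings = []
    if "@" in name:                            # a display name dressed up as an address
        findings.append(f"display name {name!r} looks like an address; real address is {addr}")
    for contact_name, contact_addr in known_contacts.items():
        if name.strip().lower() == contact_name.lower() and addr.lower() != contact_addr.lower():
            findings.append(f"From: shows {contact_name!r} but address is {addr}, not {contact_addr}")
    reply_to = parseaddr(msg.get("Reply-To", ""))[1]
    if reply_to and reply_to.lower() != addr.lower():
        findings.append(f"Reply-To {reply_to} differs from From {addr}")
    return findings


def audit_parts(msg):
    """(content type, is attachment, would be rendered) for every leaf MIME part."""
    report = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        ctype = part.get_content_type()
        attached = part.get_content_disposition() == "attachment"
        report.append((ctype, attached, ctype in RENDERABLE and not attached))
    return report


if __name__ == "__main__":
    msg = load(RAW_MESSAGE)
    for finding in audit_from(msg, KNOWN_CONTACTS):
        print("header:", finding)
    for ctype, attached, shown in audit_parts(msg):
        print(f"part {ctype:<24} attachment={attached!s:<5} rendered={shown}")
```

Run on the constructed message this prints two header findings and two parts, neither of which the policy would render; a client that hides the address behind the name shows none of that to the user.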

------
yosito
I never click on any link in an email I didn't ask for. If I get a
notification email from a party I have business with, I go to their website
manually and check for messages.

------
nom
E-Mail should've been replaced by something more suitable more than a decade
ago.

I sometimes wonder how long it's going to stay. My guess is: until the end of
the internet.

------
paultopia
and to get there, we need email clients with usable UIs. Is there a way to
make outlook or apple mail or the gmail web app grab the equivalent of
`document.innerText` on every piece of email? Who can tell, without spending
hours hunting through increasingly obscure menu forests?

------
jghn
I never stopped using pine. Who knew that I was actually ahead of the game?

------
jasonmaydie
wouldn't it be easier to have your email reader only render it in plain text?

