
HTML email allows an unreasonable level of deception. How does your mail client render this?

    <a href="http://evil.host">http://trustworthy.host</a>
If you can't get your message across in a plain text email, you may want to reconsider whether your intent is to mislead.



> HTML email allows an unreasonable level of deception. How does your mail client render this?

How does your browser render that? This isn't something unique to emails, and we didn't end up deciding that text-only web pages were the way to go. That said, email clients could catch a number of simple cases like that and warn the user (yes, I realize there are ways around that).

> If you can't get your message across in a plain text email, you may want to reconsider whether your intent is to mislead.

While this is true, the reality is that HTML emails are, basically, required in many cases due to marketing. Generally speaking, HTML emails are not being created by legitimate businesses because they want to mislead people. They are being created because they look better (leaving aside the caveat that some businesses aren't very good at the "make it look better" aspect).
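The "simple case" the reply above says a client could catch is an anchor whose visible text looks like a URL but whose href points at a different host. The following is an added example, not code from the thread or from any mail client: a small HTML scanner that flags such anchors. The sample HTML is constructed for the example; the URL-like heuristic and the `www.` normalisation are the author's own choices, not any standard.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Display text counts as "URL-like" if it is an optional scheme, a dotted host, and
# an optional path.  Brand names and "Click here" deliberately do not match: the
# check can only compare hosts when the reader is shown something that reads as one.
URL_LIKE = re.compile(
    r"^(?:[a-z][a-z0-9+.\-]*://)?(?:[a-z0-9\-]+\.)+[a-z]{2,}(?:[:/].*)?$", re.I
)


def host_of(url_or_host):
    """Lower-cased hostname of a URL or bare host string, without a leading 'www.'."""
    s = url_or_host.strip()
    if "://" not in s:
        s = "http://" + s  # bare host in display text: give urlsplit a scheme
    try:
        host = urlsplit(s).hostname
    except ValueError:
        return None
    if not host:
        return None
    return host[4:] if host.startswith("www.") else host


class LinkAuditor(HTMLParser):
    """Collect (display_text, href) pairs whose hosts disagree."""

    def __init__(self):
        super().__init__()
        self.findings = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)  # text inside the <a>, including nested tags

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self._check(self._href, "".join(self._text).strip())
            self._href = None
            self._text = []

    def _check(self, href, text):
        if not URL_LIKE.match(text):
            return  # nothing host-like is shown, so nothing to compare
        shown, real = host_of(text), host_of(href)
        if shown and real and shown != real:
            self.findings.append((text, href))


def find_deceptive_links(html):
    """Return a list of (display_text, href) for anchors whose shown host != real host."""
    auditor = LinkAuditor()
    auditor.feed(html)
    auditor.close()
    return auditor.findings


# Constructed sample message body; the hosts are placeholders, not real sites.
SAMPLE_HTML = """
<p>Please sign in at <a href="http://evil.host">http://trustworthy.host</a> today.</p>
<p>Docs: <a href="https://trustworthy.host/docs">https://trustworthy.host/docs</a></p>
<p><a href="http://evil.host/login">Click here</a> to reset your password.</p>
<p>Also see <a href="http://trustworthy.host.evil.host">trustworthy.host</a>.</p>
"""

if __name__ == "__main__":
    for shown, real in find_deceptive_links(SAMPLE_HTML):
        print(f"warning: text shows {shown!r} but link goes to {real!r}")
```

Two of the four anchors are reported: the one from the top of the thread and the subdomain trick. The "Click here" link goes to the same host and is not reported, which is exactly the kind of gap the reply concedes: once the display text is not a URL, the client has nothing to compare against.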


HTML e-mail is required for marketing? Hardly. Also "look better" is massively subjective.


Let me rephrase. HTML email is often required due to the requirements of the marketing department at many companies.

As for "look better" - yes, it is subjective. However, given that HTML email capabilities are a superset of text email capabilities, anything you can do in a text email you can do in an HTML email. Anything you can do in an HTML email, though, you cannot necessarily do in a text email. Quite simply, an HTML email can look better and often does.

Edit: Given that an email can contain both text and html versions, and given that best practices dictate sending both, is this not good enough? You can always set your client to show you the text version by preference. You get your text version, most everyone else gets the html version.


You'll always have that threat. The users don't want simple text. It looks great in HTML; most people won't even know about the risk or even understand it.


The desire for pretty isn't an excuse to be insecure.


Considering that html emails simply are not going away, no matter how much one hates them, isn't the best course of action for us developers to mitigate, as best as possible, the risks presented?

Yes, text-only emails make things much simpler from a security standpoint. Text-only websites were also much simpler from a security standpoint.


Not to the Business. I am required to have links in my signature so at the very least I will always have one hyperlink on every email I send.


I wholeheartedly agree, and we had a discussion about plain text vs html emails at my org a while back.

The problem is that marketing wants designed emails to the customer that catches the customer's eye. For the most part, plain text marketing emails end up TL;DR.


So send both!

Multipart MIME types for an HTML and a text email, for those of us who don't read HTML in our email :)
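The "send both" suggestion above, and the earlier remark that a reader can set their client to prefer the text version, both rest on a multipart/alternative message carrying a text/plain and a text/html part. The following is an added example, not code from the thread: it builds such a message with Python's standard `email` library, serialises it to wire bytes, parses it back as a receiving client would, and picks the part a text-preferring client versus a default client would display. The message bodies and addresses are constructed for the example.

```python
from email import message_from_bytes
from email.message import EmailMessage
from email.policy import default as DEFAULT_POLICY

# Constructed sample bodies; the host and addresses are placeholders.
TEXT_BODY = (
    "Your statement is ready.\n"
    "View it at: https://trustworthy.host/statement\n"
)
HTML_BODY = """<html><body>
<p>Your statement is ready.</p>
<p><a href="https://trustworthy.host/statement">View your statement</a></p>
</body></html>
"""


def build_alternative(text, html, *, subject="Statement ready",
                      sender="billing@trustworthy.host", to="user@example.com"):
    """Return a multipart/alternative message with a text/plain and a text/html part.

    The plain part is set first; add_alternative() then converts the message to
    multipart/alternative and appends the HTML part, so the richer part comes last
    as RFC 2046 expects.
    """
    msg = EmailMessage()
    msg["Subject"] = subject
    msg["From"] = sender
    msg["To"] = to
    msg.set_content(text)                      # text/plain
    msg.add_alternative(html, subtype="html")  # text/html
    return msg


def build_html_only(html):
    """A message that ships only an HTML body (what 'send both' is arguing against)."""
    msg = EmailMessage()
    msg.set_content(html, subtype="html")
    return msg


def choose_part(msg, prefer_text):
    """Pick the body part a client would render.

    A text-first client asks for 'plain' before 'html'; a default client uses the
    library's default order (related, html, plain).  Either way the other part is
    the fallback, so an HTML-only message still renders for a text-preferring reader.
    """
    prefs = ("plain", "html") if prefer_text else ("related", "html", "plain")
    return msg.get_body(preferencelist=prefs)


def render(raw_bytes, prefer_text=False):
    """Parse wire bytes like a receiving client and return (content_type, body_text)."""
    msg = message_from_bytes(raw_bytes, policy=DEFAULT_POLICY)
    part = choose_part(msg, prefer_text)
    if part is None:
        return (None, "")
    return (part.get_content_type(), part.get_content())


if __name__ == "__main__":
    wire = build_alternative(TEXT_BODY, HTML_BODY).as_bytes()
    print(render(wire, prefer_text=True)[0])  # text/plain
    print(render(wire)[0])                    # text/html
    print(render(build_html_only(HTML_BODY).as_bytes(), prefer_text=True)[0])  # text/html
```

The plain part is what a text-only reader actually sees, so it has to carry the same links and the same message as the HTML part; a sender that puts the real content only in the HTML half has not really "sent both".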


If you can't get your message across on a plain text web page you may want to reconsider whether your intent is to mislead.

(I love plain text email, but this proves too much.)


Company wide emails or email signatures give a better impression to people if they are pretty, leadership likes that.


Your favourite spam filter should be catching that already.



