Another way of looking at this scoreboard is as an approximate inverse ranking of webmail client security and leak vectors, with Gmail stripping far more dangerous elements than most webmail clients.
This is actually a great tool to find vulnerabilities in various webmail clients such as ProtonMail and Hey, just compare the HTML or CSS features they do not yet filter compared to Gmail, then do a search for "[feature] + exploit" to see how a feature could be abused, and then submit a bounty report.
For example, there are alot of good reasons that you may not want your webmail rendering SVG images (mXSS, appcache poisoning) or allowing CSS variables or imports.
And I'm pretty sure the list supported by Gmail could also be narrowed down further. There are some fantastic bounties lurking in here, just waiting to be discovered.
>This page ranks email clients based on their support among the 182 HTML and CSS features
No thanks. I still recoil at the sight of a read-receipt and the only reason most companies include any of this dreck in an email in 2021 is to either track me or market to me.
That ship sailed the instant it got named "email" instead of something like "etelegram".
With mail, I can send anything that my printer can print, which is everything my word processor can handle (fonts, text decoration, foreground and background colors, inline images, graphs, tables, and more) and attach anything that fits in the envelope (a CD-ROM of arbitrary data in any format).
It was inevitable that email would end up being able to handle the electronic equivalent of all those things.
The problem with email is not that it now handles more than just plain text. The problem is that there was no early agreement on how to handle those things, so different implementors came up with different ways to do it, which eventually converged on using HTML. Not because HTML was necessarily the best way to do it, but because it was something they all already implemented for other things or was already available on the systems their mail clients ran on.
But modern HTML engines are designed for the web, so there still really needs to be some sort of agreement on a subset of HTML that handles the things necessary to make email like mail, without including things that make sense for the web but not for mail.
If companies want to have inline images in their emails, they should have to send the image data along with the rest of the message. Email clients should not allow emails to load third party resources.
"Outlook (Windows)" is dead last in the "rankings". That's pretty much the only page on there that matters sadly; Determining which features work on Outlook for Windows and that's the maximum that can go into an HTML EMail.
Sure, I'd love to only send txt mails but that sadly does not align with the expectations/desires of the companies I've worked with.
If Microsoft could just bundle their Edge/Chromium renderer instead of their ancient WordHTML engine, or even the EdgeHTML engine of the previous Edge, they'd do the whole industry a huge favor. It's so frustrating their holding us back. Instead, they allow Google to push technologies like AMP for email for things that could probably be solved with standard HTML.
Why is MJML a non-option? It was a huge time saver for me. Combine it with react-mjml and you can get typesafe email templates that work in pretty much any browser. I managed templates by hand for a long time, and it took me a couple weeks to replace everything with MJML, but it was worth it.
Settings → Preferences → Show advanced preferences → Reading → View HTML, select Always display messages in plain text.
Settings → Preferences → Show advanced preferences → Compose & Reply → Compose format, select Plain text, plus untick When replying, use the same format as the original message.
I don’t think this is such a rare feature, though it’s generally not made obvious at least.
I really don't like HTML emails as they very often break with my dark theme. Especially those in Outlook, dark blue on dark gray is not very visible. I'd like to have only plain text emails, but some website do not put text version of their mails (notifications...).
I've been using thunderbird for probably 15 years and have forgotten about html emails. I can imagine they are popular but it is probably the great fishing surface the average user is exposed to.
I would say that, generally, higher complexity results in more possible attack vectors. Give that assumption, any client high on the list has more attack vectors than ones down the list.
I also think, though, that any open source client likely does a good job regardless of feature density, since its likely going to use well vetted code in core components.
Saying that, for example, Microsoft's or Apple's code isnt well vetted is unfair, but the amount of eyes that have seen the Microsoft html renderer vs the, say, WebKit one, is likely smaller and less diverse.
…as long as they contain the same content. I've seen e-mails where the HTML content is up to date, and the plain text part contains whatever was being sent a couple years ago, and hasn't been updated since then. Got me quite confused until I figured it out.
Its arbitrary cause there is no RFC about the ah-hoc choices email client softwares have made over the years that have kinda become de facto "standards"
Targeting HTML rendering engines which are email clients.
Fortunately (at least for some of the newer features to be included)
Links to MDN are available, and caniuse both link to we spec). CSS min for example is working draft.
https://www.w3.org/TR/css-values-4/#math-function
With 90% desktop/mobile browser general usage support, 50% email usage support.
I made the mistake of giving too many companies my email address when those stupid black-the-page popups come up asking for my email. I am in the process of unsubscribing from every one of those emails; there is usually a small “unsubscribe” link at the bottom of them, and they are usually pretty good about honoring unsubscription requests.
These days, I disable Javascript on any site which has the audacity to put a popup in the middle of the page as I am reading it. Any site with is not readable without Javascript is one I leave and don’t go back to.
The kinds of sleazy outfits which do not honor unsubscribes are the kinds of places email providers are really good about black listing.
[+] [-] _vvhw|4 years ago|reply
This is actually a great tool to find vulnerabilities in various webmail clients such as ProtonMail and Hey, just compare the HTML or CSS features they do not yet filter compared to Gmail, then do a search for "[feature] + exploit" to see how a feature could be abused, and then submit a bounty report.
For example, there are alot of good reasons that you may not want your webmail rendering SVG images (mXSS, appcache poisoning) or allowing CSS variables or imports.
And I'm pretty sure the list supported by Gmail could also be narrowed down further. There are some fantastic bounties lurking in here, just waiting to be discovered.
[+] [-] felixfbecker|4 years ago|reply
[+] [-] jb1991|4 years ago|reply
[+] [-] stephenr|4 years ago|reply
Those nth-child* selectors Gmail strips out are a real security nightmare.
[+] [-] defaultname|4 years ago|reply
[deleted]
[+] [-] nimbius|4 years ago|reply
No thanks. I still recoil at the sight of a read-receipt and the only reason most companies include any of this dreck in an email in 2021 is to either track me or market to me.
make email text again.
[+] [-] tzs|4 years ago|reply
That ship sailed the instant it got named "email" instead of something like "etelegram".
With mail, I can send anything that my printer can print, which is everything my word processor can handle (fonts, text decoration, foreground and background colors, inline images, graphs, tables, and more) and attach anything that fits in the envelope (a CD-ROM of arbitrary data in any format).
It was inevitable that email would end up being able to handle the electronic equivalent of all those things.
The problem with email is not that it now handles more than just plain text. The problem is that there was no early agreement on how to handle those things, so different implementors came up with different ways to do it, which eventually converged on using HTML. Not because HTML was necessarily the best way to do it, but because it was something they all already implemented for other things or was already available on the systems their mail clients ran on.
But modern HTML engines are designed for the web, so there still really needs to be some sort of agreement on a subset of HTML that handles the things necessary to make email like mail, without including things that make sense for the web but not for mail.
[+] [-] surround|4 years ago|reply
[+] [-] breakfastduck|4 years ago|reply
[+] [-] traspler|4 years ago|reply
Sure, I'd love to only send txt mails but that sadly does not align with the expectations/desires of the companies I've worked with.
[+] [-] felixfbecker|4 years ago|reply
[+] [-] greyhair|4 years ago|reply
Send me plain text email.
Add attachments that I can scan for issues before I open them.
If you send me links, I will be very wary of visiting them outside a sandboxed tab. I will not 'click through' from the email client.
[+] [-] andrewmcwatters|4 years ago|reply
[+] [-] andrei_says_|4 years ago|reply
I customized them, extracted them into modules and created a design system which I then translated to an email CMS.
Coverage is pretty good although Outlook still glitches in some circumstances.
https://tedgoas.github.io/Cerberus/
FWIW caniemail is unreliable and does not have full coverage.
Also with this level of complexity I’d rather start with a few tested patterns than navigate the insane labyrinth of email client inconsistencies.
[+] [-] mattwad|4 years ago|reply
[+] [-] hokumguru|4 years ago|reply
[+] [-] chiefalchemist|4 years ago|reply
https://get.foundation/emails/zurb-stack.html
[+] [-] unknown|4 years ago|reply
[deleted]
[+] [-] saos|4 years ago|reply
[+] [-] urban_alien|4 years ago|reply
[+] [-] dsr_|4 years ago|reply
I suppose "Your mail program is broken and can't read our message. Please go to this URL" is worse, though.
[+] [-] _jal|4 years ago|reply
[+] [-] sebmellen|4 years ago|reply
[+] [-] chrismorgan|4 years ago|reply
Settings → Preferences → Show advanced preferences → Reading → View HTML, select Always display messages in plain text.
Settings → Preferences → Show advanced preferences → Compose & Reply → Compose format, select Plain text, plus untick When replying, use the same format as the original message.
I don’t think this is such a rare feature, though it’s generally not made obvious at least.
[+] [-] unknown|4 years ago|reply
[deleted]
[+] [-] intc|4 years ago|reply
(Preferences -> Mail -> Composition -> Default method to compose messages: "Plain Text")
[+] [-] dang|4 years ago|reply
Can I Email: ‘Can I Use’ for email - https://news.ycombinator.com/item?id=20948826 - Sept 2019 (196 comments)
[+] [-] overspeed|4 years ago|reply
[+] [-] larsnystrom|4 years ago|reply
[+] [-] mvlpn|4 years ago|reply
[+] [-] kuon|4 years ago|reply
[+] [-] paultopia|4 years ago|reply
[+] [-] ipaddr|4 years ago|reply
[+] [-] Grustaf|4 years ago|reply
[+] [-] danellis|4 years ago|reply
But don't put every keypress from my searches into my browser history.
[+] [-] qwertox|4 years ago|reply
Am I wrong with this assumption?
[+] [-] lionkor|4 years ago|reply
I also think, though, that any open source client likely does a good job regardless of feature density, since its likely going to use well vetted code in core components.
Saying that, for example, Microsoft's or Apple's code isnt well vetted is unfair, but the amount of eyes that have seen the Microsoft html renderer vs the, say, WebKit one, is likely smaller and less diverse.
[+] [-] stjohnswarts|4 years ago|reply
[+] [-] timvisee|4 years ago|reply
[+] [-] Liskni_si|4 years ago|reply
[+] [-] tyingq|4 years ago|reply
[+] [-] paxys|4 years ago|reply
[+] [-] edoceo|4 years ago|reply
[+] [-] Forge36|4 years ago|reply
This is specifically focused at HTML specs/features, and a fork of https://github.com/Fyrd/caniuse
Targeting HTML rendering engines which are email clients.
Fortunately (at least for some of the newer features to be included) Links to MDN are available, and caniuse both link to we spec). CSS min for example is working draft. https://www.w3.org/TR/css-values-4/#math-function
With 90% desktop/mobile browser general usage support, 50% email usage support.
[+] [-] azernik|4 years ago|reply
The feature definitions seem to be maintained manually, at https://github.com/hteumeuleu/caniemail/tree/master/_feature... assuming it follows the caniuse.com community model, information about supported browsers is similarly crowdsourced.
[+] [-] josteink|4 years ago|reply
(And what about Linux?)
[+] [-] zekica|4 years ago|reply
From my experience, all versions (Windows, macOS, Linux) have the same features.
[+] [-] strenholme|4 years ago|reply
These days, I disable Javascript on any site which has the audacity to put a popup in the middle of the page as I am reading it. Any site with is not readable without Javascript is one I leave and don’t go back to.
The kinds of sleazy outfits which do not honor unsubscribes are the kinds of places email providers are really good about black listing.