This came up in a discussion among a large group of people reading Google's article about how it is tightening email security and making the absence of certain best practices visible to users: avatars are very commonly tied to email addresses.
There are some existing ad-hoc usages of email headers for this use case, and there are services that allow an email address to be associated with an avatar. We’ll cover those first.
- X-Face — an old Usenet feature where an encoded 48x48 monochrome bitmap was included in the message as an X-Face header. This is pretty neat, but it doesn't do as much as the "modern web" would want such a feature to do going forward.
- Face — a newer take on X-Face; Face allows a 48x48 PNG to be base64-encoded and attached to the message as a "Face" header.
- X-Image-URL — similar to Face and X-Face, but X-Image-URL differs from the rest in that it carries a URL to fetch instead of an encoded image. This was adopted by Mail.app, but was later removed.
- Gravatar — Gravatar is a free service that lets you register your email addresses with it and attach an avatar to each one. These avatars carry age ratings that services using Gravatar may enforce, for example to keep explicit avatars out of PG services.
- Google+ — Inbox by Gmail, and Gmail (to a lesser extent) use
These are all pretty okay. But that's just it: they're "okay." X-Face, Face, and X-Image-URL are definitely the better options. They're not tied to a third-party service, and they can change between emails (even from the same sender).
My proposal is basically the same as X-Image-URL, but updated to be slightly more modern.
My proposal is best summarized as "a signed srcset header." That is, you take the contents of an <img /> srcset attribute, you put it into an email header, and you sign it using DKIM.
I've gone with this because srcset already supports everything an avatar would need (chiefly, the ability to provide multiple resolutions).
The name of this email header would be “X-Image-Srcset” — to be changed to “Image-Srcset” whenever appropriate.
Requirements of this header:
- Implementations MUST NOT process the header unless it is covered by a valid DKIM signature, meaning the header name appears in the signature's h= tag; a signature that passes but does not list the header says nothing about it
- Implementations MUST NOT process the header unless the email passes SPF
- The header MUST be preferred to third party services (such as Gravatar and Google+)
- Implementations MUST support PNG
- Implementations SHOULD support APNG, WEBP, AWEBP, and JPG
- Implementations SHOULD allow the user to disable animations
- Implementations MAY support GIF
Of particular note in these details is the requirement for DKIM and SPF. Particular care should be taken to thwart phishing, since an avatar image can lend undeserved credibility to an email. Two caveats apply: DKIM and SPF only establish that the message genuinely came from the signing and sending domains, so the DKIM d= domain should additionally be required to align with the From domain (otherwise a third-party signature could vouch for a header on a message whose visible sender is someone else), and they do nothing against an attacker who legitimately controls a lookalike domain. Also, the srcset URLs should be fetched only over HTTPS and under the same remote-content controls the client applies to images in the body, since every fetch tells the sender that the message was opened.