A proposal for an Email Avatar Header

It came up in discussion, after a large group of people read Google’s article about how it is tightening email security and making the absence of certain best practices visible to users, that avatars are a very common thing tied to email addresses.

There are some existing ad-hoc usages of email headers for this use case, and there are services that allow an email address to be associated with an avatar. We’ll cover those first.

  • X-Face — an old Usenet feature where an encoded 48x48 bitmap was included in the message as an X-Face header. This is pretty neat, but it doesn’t really do as much as the “modern web” would want such a feature to do moving forward.
  • Face — a newer take on X-Face; it allows a 48x48 PNG to be base64-encoded and attached to the message as a “Face” header.
  • X-Image-URL — similar to Face and X-Face, but X-Image-URL differs in that it carries a URL pointing to the image rather than the encoded image itself. It was adopted by Mail.app, but was later removed.
  • Gravatar — Gravatar is a free service that lets you register your email addresses with it and attach an avatar to each one. These avatars carry age ratings that services using Gravatar may enforce, for example to keep explicit avatars out of PG services.
  • Google+ — Inbox by Gmail, and Gmail (to a lesser extent) use

These are all pretty okay. But that’s just it — they’re “okay.” X-Face, Face, and X-Image-URL are definitely the better options. They’re not tied to a third party service and they can change between emails (even from the same sender).

My proposal is basically the same as X-Image-URL, but updated to be slightly more modern.

My proposal is best shortened to “a signed srcset header.” That is, you take the contents of an <img /> srcset attribute, put it into an email header, and sign it using DKIM.

I’ve gone with this decision because, ultimately, srcset supports everything an avatar would need (chiefly, the ability to provide multiple resolutions).

The name of this email header would be “X-Image-Srcset” — to be changed to “Image-Srcset” whenever appropriate.

Requirements of this header:

  • Implementations MUST NOT process the header unless it is DKIM signed
  • Implementations MUST NOT process the header unless the email passes SPF
  • The header MUST be preferred to third party services (such as Gravatar and Google+)
  • Implementations MUST support PNG
  • Implementations SHOULD support APNG, WEBP, AWEBP, and JPG
  • Implementations SHOULD allow the user to disable animations
  • Implementations MAY support GIF

Of particular note in these details is the requirement for DKIM and SPF. Particular care should be taken to thwart phishing schemes, since avatar images may lend undeserved credibility to an email.
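As an added illustration of the rules above (my own example, not part of the original proposal), here is a receiver-side check that refuses to act on X-Image-Srcset unless the message carries dkim=pass and spf=pass verdicts and the header itself is inside the DKIM-signed header set (the h= tag of DKIM-Signature). It assumes the receiving MTA records its verdicts in an Authentication-Results header; the https-only filter and file-extension check are this example’s own choices, and the sample messages are constructed with placeholder values.

```python
import email
import re
from email import policy
from urllib.parse import urlparse

HEADER = "X-Image-Srcset"                          # header name from the proposal
MUST_EXT = {".png"}                                # MUST support PNG
SHOULD_EXT = {".apng", ".webp", ".jpg", ".jpeg"}   # SHOULD support

def parse_srcset(value):
    """Split an <img> srcset value into (url, descriptor) pairs; default descriptor is 1x."""
    out = []
    for part in value.split(","):
        tokens = part.split()
        if tokens:
            out.append((tokens[0], tokens[1] if len(tokens) > 1 else "1x"))
    return out

def dkim_covers(msg, name):
    """True if some DKIM-Signature h= tag lists the header, i.e. the header is in the signed set."""
    for sig in msg.get_all("DKIM-Signature", []):
        m = re.search(r"(?:^|;)\s*h=([^;]+)", str(sig))
        if m and name.lower() in [h.strip().lower() for h in m.group(1).split(":")]:
            return True
    return False

def auth_verdicts(msg):
    """dkim=/spf= verdicts the receiving MTA recorded in Authentication-Results (assumed present)."""
    ar = str(msg.get("Authentication-Results", ""))
    return {k.lower(): v.lower() for k, v in re.findall(r"\b(dkim|spf)=(\w+)", ar)}

def avatar_candidates(raw, allow_should=True):
    """Usable (url, descriptor) pairs, or [] when the proposal's MUST NOT rules forbid processing."""
    msg = email.message_from_string(raw, policy=policy.default)
    value, verdicts = msg.get(HEADER), auth_verdicts(msg)
    if value is None or verdicts.get("dkim") != "pass" or verdicts.get("spf") != "pass":
        return []
    if not dkim_covers(msg, HEADER):  # a passing signature that omits the header is not enough
        return []
    exts = MUST_EXT | (SHOULD_EXT if allow_should else set())
    # https-only is this example's own restriction, not the proposal's
    return [(u, d) for u, d in parse_srcset(value)
            if urlparse(u).scheme == "https" and any(urlparse(u).path.lower().endswith(e) for e in exts)]

# Constructed sample messages with a placeholder domain and dummy signature values.
RAW_SIGNED = ("Authentication-Results: mx.example; dkim=pass header.d=example.com; spf=pass\n"
              "DKIM-Signature: v=1; a=rsa-sha256; d=example.com; s=sel; h=From:Subject:X-Image-Srcset; bh=AAAA; b=BBBB\n"
              "From: alice@example.com\nSubject: hello\n"
              "X-Image-Srcset: https://example.com/a-48.png 1x, https://example.com/a-96.png 2x, http://example.com/a.gif 3x\n\nbody\n")
RAW_UNCOVERED = RAW_SIGNED.replace("h=From:Subject:X-Image-Srcset", "h=From:Subject")
RAW_SPF_FAIL = RAW_SIGNED.replace("spf=pass", "spf=fail")
```

Note that a message whose DKIM signature verifies but does not list X-Image-Srcset in h= is rejected, because an attacker could otherwise add the header to a legitimately signed message in transit.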

Hacker Noon is how hackers start their afternoons. We’re a part of the @AMIfamily. We are now accepting submissions and happy to discuss advertising & sponsorship opportunities.
