HTML Email ought to be considered harmful: auDA shows us why

I’m the owner of two domain licenses, longlandclan.id.au and vk4msl.id.au, both purchased for personal use. The former I share with other family members, whereas the latter I use for my own use. Consequently, I’m on auDA’s mailing lists and receive the occasional email from them. No big deal. Lately, they’ve been pushing .au domains (i.e. dropping the .id bit out), which I’m not worried about myself, but I can see the appeal for businesses.

Anyway… I practice what I preach with regard to email: I do not send email in HTML format — and my email client is set to receive emails in plain text, not HTML, unless there is no plain-text component. This morning, I received what I consider a textbook example of why I think HTML email is so bad for the Internet today.

From: .au Domain Administration <noreply@auda.com.au>
Subject: Notice: .au Direct Registration
Date: Wed, 10 Aug 2022 23:00:04 +0000
Reply-To: .au Domain Administration <noreply@auda.com.au>
X-Mailer: Mailchimp Mailer - **CID292f65320f63be5c3fcd**

The .au Domain Administration (auDA) recently launched Australia’s newest domain namespace – .au direct.

Dear Stuart Longland,

The .au Domain Administration (https://www.auda.org.au/)  (auDA), recently launched Australia’s newest domain namespace – .au direct. The new namespace provides eligible registrants the option to register domain names directly before the .au for the first time (e.g. forexample.au).

Registrants with an existing .au domain name licence are eligible to apply for a direct match of their .au direct domain name through the Priority Allocation Process (e.g. if you hold forexample.com.au (https://aus01.safelinks.protection.outlook.com/?url=http%3A%2F%2Fforexample.com.au%2F&data=05%7C01%7Cprivate.address%40auda.org.au%7C95a9271d4eff4973013b08da3240a115%7C81810bc45d6845f6ba4e3d6c9fb37e43%7C0%7C0%7C637877550424818538%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=2WhPYMxV3FI9nEpXDEk8KdyJwWGyqcI%2FwRd%2FNc7DQks%3D&reserved=0) , you can apply for Priority Status to register forexample.au). Information about your existing domain name licence is available here:  https://whois.auda.org.au/. The Priority Allocation Process is now open and will close on 20 Sept 2022.

That is the email, as it appeared in my email client (I have censored the unfortunate auDA employee’s email address). I can see what happened:

Someone composed an email (likely in HTML format) that would be part of the marketing campaign they were going to send via MailChimp. The person composing the email for MailChimp clearly is using Microsoft Outlook (or maybe that should be called Microsoft LookOut!). Microsoft’s software saw what it thought was a hyperlink and thought, “I need to ‘protect’ this”, and made it a “safe” link. A link with the user’s email address embedded in it!

Funnily enough, this seems to be the only place where a link was mangled by Microsoft’s mal^H^H^Hsoftware. I think this underscores the importance of verifying that you are indeed sending what you think you are sending — and highlights how difficult HTML (and Microsoft) have made this task.

  1. don’t assume that people will only see the HTML email
  2. don’t assume that what you see in the HTML view is identical to what will be seen in plain text

Might be better to compose the plain text, get that right… then paste that into the HTML view and “make it pretty”… or perhaps don’t bother and just go back to plain-text? KISS principle!
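
A pre-send check along the following lines would flag a Safe Links wrapped URL, and any address embedded in its `data` parameter, in either part of an outgoing message. This is an added example, not code from the original post or from auDA, Mailchimp or Microsoft; the function names are hypothetical, and the address `staff@example.org` and the shortened `data` value are constructed.

```python
import html
import re
from email import message_from_string
from email.message import EmailMessage
from urllib.parse import parse_qs, urlsplit

SAFELINKS = "safelinks.protection.outlook.com"
URL_RE = re.compile(r"https?://[^\s\"'<>)]+")
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")

# Constructed sample: placeholder address, shortened "data" field.
WRAPPED = ("https://aus01.safelinks.protection.outlook.com/"
           "?url=http%3A%2F%2Fforexample.com.au%2F"
           "&data=05%7C01%7Cstaff%40example.org%7C0&reserved=0")

def audit_text(text):
    """Return one finding per Safe Links wrapped URL found in text."""
    findings = []
    for url in URL_RE.findall(text):
        parts = urlsplit(url)
        # Match the Safe Links host itself or any regional subdomain of it.
        if not ("." + (parts.hostname or "")).endswith("." + SAFELINKS):
            continue
        query = parse_qs(parts.query)  # values come back percent-decoded
        findings.append({
            "target": query.get("url", [""])[0],
            "addresses": EMAIL_RE.findall(query.get("data", [""])[0]),
        })
    return findings

def audit_message(raw):
    """Audit each text/* part separately, since the parts can differ."""
    report = {}
    for part in message_from_string(raw).walk():
        if part.get_content_maintype() != "text":
            continue
        charset = part.get_content_charset() or "utf-8"
        body = part.get_payload(decode=True).decode(charset, "replace")
        if part.get_content_type() == "text/html":
            body = html.unescape(body)  # href values carry &amp;
        report.setdefault(part.get_content_type(), []).extend(audit_text(body))
    return report

def sample_message():
    """Build a constructed multipart/alternative message for the demo."""
    msg = EmailMessage()
    msg.set_content(f"if you hold forexample.com.au ({WRAPPED}) , you can apply")
    msg.add_alternative(
        f'<a href="{html.escape(WRAPPED)}">forexample.com.au</a>', subtype="html")
    return msg.as_string()
```

In the HTML part the wrapped URL hides behind the link text, so only an audit of the raw parts (or a plain-text reader) reveals it.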