Technology in terms you understand. Sign up for the Confident Computing newsletter for weekly solutions to make your life easier. Click here and get The Ask Leo! Guide to Staying Safe on the Internet — FREE Edition as my thank you for subscribing!

Is plain text email safer?

Question:

Do you think that disabling HTML provides much extra safety in using
email?

A small amount.

HTML (and rich text) email allows you to specify various attributes in your
email like bold, italics and even color text red.

Plain text is, well, it’s plain.

The “problem” is that because HTML is also the way that web pages are
encoded, it can often do more than just change the look of your text. Much
more.

Become a Patron of Ask Leo! and go ad-free!

In the past, the problem was fairly large, as things could be embedded in
HTML that could in turn compromise your system when the message was simply
displayed. In fact, it was even worse, because the original versions of the
“preview pane” would display messages automatically, and thus give that
embedded malware an automatic opportunity to infect you.

Nowadays with anti-virus, coupled with preview and image display being off
by default, and further coupled with keeping your machine up to date with the
latest patches and updates – the threat is extremely small.

But, technically, it is still there.

“There is no way to embed malware into plain text email
other than by using attachments …”

Not long ago an exploit was discovered in the VRML renderer that could be
used with in HTML email. If you displayed the email, you were vulnerable. A
patch resulted, but there was a window of opportunity. (As always, that window
remains wide open for those who do not stay up to date.)

But there’s no vulnerability associated with plain text email. There is no
way to embed malware into plain text email other than by using attachments
which in turn must be manually executed to have any effect.

So there’s some legitimacy to the issue. Certainly in highly
sensitive areas, I would expect HTML to be disabled as no risk is acceptable,
especially one that can be so easily worked around. However, personally, I deal
with HTML email all the time. I prefer to send plain text, but for different
reasons:

  • plain text looks the same everywhere (most definitely not guaranteed for
    HTML mail)

  • email messages using only plain text are smaller

  • overuse of fancy formatting can easily detract from the message

  • 9 times out of 10, it’s simply not necessary

If security is an issue, and you don’t want to risk displaying HTML email,
an alternative is to use an email client which will display HTML email as
text
. By that I mean that there are email clients that will display the
text contents of an HTML mail without trying to interpret or display the HTML
itself.

Do this

Subscribe to Confident Computing! Less frustration and more confidence, solutions, answers, and tips in your inbox every week.

I'll see you there!

2 comments on “Is plain text email safer?”

  1. You could also use any email anti-theft software. Basically it’ll ensure that all the emails you receive are well protected and virus/malware free!

    Reply
  2. Where the recipients can receive HTML, I generally recommend it for formatting. I don’t like plain text except in certain circumstances:

    Most companies that insist on plain text email will accept HTML format but will deliver plain text to its end users, who then of course reply in plain.

    For space reasons some methods of internet access will only allow plain, such as WAP phones or webmail, even if the ISP normally handles HTML.

    But the only time I’ll choose to use plain text is if I’m forwarding text-only jokes to a number of people – I always send in plain text so it won’t take up so much space at the recipients.

    Reply

Leave a reply:

Before commenting please:

  • Read the article.
  • Comment on the article.
  • No personal information.
  • No spam.

Comments violating those rules will be removed. Comments that don't add value will be removed, including off-topic or content-free comments, or comments that look even a little bit like spam. All comments containing links and certain keywords will be moderated before publication.

I want comments to be valuable for everyone, including those who come later and take the time to read.