It came up in discussion, upon a large group of people reading Google’s article about how it is tightening email security and making the absence of certain best practices visible to users, that avatars are a very common thing tied to emails.

There are some existing ad-hoc usages of email headers for this use case, and there are services that allow an email address to be associated with an avatar. We’ll cover those first.

Previous/Current Solutions

X-Face — an old Usenet feature where an encoded 48x48 bitmap was included as part of the message in an X-Face header. This is pretty neat, but it doesn’t really do as much as the “modern web” would want such a feature to do moving forward.

Face — a newer take on X-Face, Face would allow a 48x48 PNG to be base-64 encoded and attached to the message as a “Face” header.

X-Image-URL — similar to Face and X-Face, X-Image-URL separated itself from the rest by sending a URL instead of the encoded image. This was adopted by Mail.app, but was later removed.

Gravatar — Gravatar is a free service that lets you register your emails with them and attach an avatar to said email. These avatars can have various age ratings that services that use Gravatar may enforce to keep explicit avatars out of PG services, for example.

Google+ — used by Inbox by Gmail and, to a lesser extent, Gmail.

These are all pretty okay. But that’s just it — they’re “okay.” X-Face, Face, and X-Image-URL are definitely the better options. They’re not tied to a third party service and they can change between emails (even from the same sender). My proposal is basically the same as X-Image-URL, but updated to be slightly more modern.

My Proposal

My proposal is best shortened to “a signed srcset header.” That is, you take the contents of an <img /> srcset attribute, you put it into an email header, and you sign it using DKIM.
I’ve gone with this decision because, ultimately, srcset supports everything an avatar would need (chiefly: the ability to provide multiple resolutions).

The name of this email header would be “X-Image-Srcset” — to be changed to “Image-Srcset” whenever appropriate.

Requirements of this header:

Implementations MUST NOT process the header unless it is DKIM signed
Implementations MUST NOT process the header unless the email passes SPF
The header MUST be preferred to third party services (such as Gravatar and Google+)
Implementations MUST support PNG
Implementations SHOULD support APNG, WEBP, AWEBP, and JPG
Implementations SHOULD allow the user to disable animations
Implementations MAY support GIF

Of particular note in these details is the requirement for DKIM and SPF. Particular care should be taken to thwart phishing schemes, as avatar images may lend undeserved credibility to an email.
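An added example, not code from the original article: one way a mail client could enforce the two MUST NOT requirements before reading the srcset, failing closed when the header appears more than once. It assumes the receiving MTA stamps an Authentication-Results header under the authserv-id mx.example.net and trusts that verdict instead of re-verifying the signature; the sample message, function names and addresses are constructed for illustration.

```python
import email
import re

TRUSTED_AUTHSERV = "mx.example.net"  # assumption: authserv-id of our own receiving MTA

SAMPLE = (  # constructed message; bh= and b= are placeholders, not real signatures
    "Authentication-Results: mx.example.net; dkim=pass header.d=example.org;\n"
    " spf=pass smtp.mailfrom=example.org\n"
    "DKIM-Signature: v=1; a=rsa-sha256; d=example.org; s=sel;\n"
    " h=from:x-image-srcset; bh=PLACEHOLDER; b=PLACEHOLDER\n"
    "From: Alice <alice@example.org>\n"
    "X-Image-Srcset: https://example.org/a48.png 1x, https://example.org/a96.png 2x\n\nbody\n"
)

def signed_headers(msg):
    """Lower-cased header names listed in the h= tag of any DKIM-Signature."""
    names = set()
    for sig in msg.get_all("DKIM-Signature", []):
        for tag in sig.split(";"):
            key, _, value = tag.partition("=")
            if key.strip() == "h":
                names |= {h.strip().lower() for h in value.split(":")}
    return names

def auth_results(msg):
    """Map 'dkim'/'spf' to the set of results recorded by our own MTA."""
    found = {}
    for value in msg.get_all("Authentication-Results", []):
        authserv, _, rest = value.partition(";")
        if authserv.split()[:1] != [TRUSTED_AUTHSERV]:
            continue  # written by someone else, possibly the sender: ignore
        for clause in rest.split(";"):
            m = re.match(r"\s*(dkim|spf)\s*=\s*(\w+)", clause)
            if m:
                found.setdefault(m.group(1), set()).add(m.group(2).lower())
    return found

def avatar_candidates(raw):
    """Return [(url, descriptor), ...], or [] if the header must not be processed."""
    msg = email.message_from_string(raw)
    values = msg.get_all("X-Image-Srcset", [])
    if len(values) != 1:  # absent, or a duplicate that may be an unsigned addition
        return []
    auth = auth_results(msg)
    if ("x-image-srcset" not in signed_headers(msg)
            or auth.get("dkim") != {"pass"} or auth.get("spf") != {"pass"}):
        return []
    pairs = [c.split(None, 1) for c in re.split(r",\s+", values[0].strip())]  # simplified srcset split
    return [(p[0], p[1].strip() if len(p) > 1 else "1x") for p in pairs if p]
```

This check does not compare the DKIM signing domain with the From address, so a client that needs that binding has to add it.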