DTD

Introduction

To promote secure, consistent, and standards-compliant emails, the Open Email Standards introduce a custom Document Type Definition (DTD). This DTD defines strict guidelines for allowed elements, attributes, and structures in emails, ensuring compatibility and safety across email clients.

This DTD can be accessed for validation purposes at: openstandards.email/dtd/email.dtd

Sample DOCTYPE declaration

<!DOCTYPE html SYSTEM "https://openstandards.email/dtd/email.dtd">

Key Features of the DTD

  • Define Allowed Elements: Specifies the supported tags, including metadata, forms, and scripts from trusted sources, while prohibiting insecure elements such as <iframe> and <object>.
  • Restrict Event Handlers: Limits event handlers (e.g., onload) to prevent unauthorized script execution and malicious content.
  • Control Resource Usage: Defines attributes for resources such as CSS and scripts, ensuring they comply with the structure and standards specified by the DTD.
  • Validation Mechanism: Ensures that emails adhere to the Open Email Standards and enables email clients to validate messages, reducing risk and ensuring compatibility across platforms.

Sample DTD for Open Email Standards

<!ELEMENT html (head, body)>
<!ATTLIST html
    xmlns CDATA #FIXED "http://www.w3.org/1999/xhtml">

<!ELEMENT head (title, meta?, link?, style?)>
<!ELEMENT title (#PCDATA)>
<!-- style is referenced by head's content model, so it must be declared for a <style> element to validate -->
<!ELEMENT style (#PCDATA)>
<!ELEMENT meta EMPTY>
<!ATTLIST meta
    charset CDATA #IMPLIED
    name CDATA #IMPLIED
    content CDATA #IMPLIED>

<!ELEMENT link EMPTY>
<!ATTLIST link
    href CDATA #REQUIRED
    rel CDATA #FIXED "stylesheet"
    type CDATA #FIXED "text/css">

<!ELEMENT body (h1|p|a|img|form|button)*>
<!ELEMENT h1 (#PCDATA)>
<!ELEMENT p (#PCDATA)>
<!ELEMENT a (#PCDATA)>
<!ATTLIST a
    href CDATA #REQUIRED
    target (self|blank) #IMPLIED>

<!ELEMENT img EMPTY>
<!ATTLIST img
    src CDATA #REQUIRED
    alt CDATA #IMPLIED>

<!ELEMENT form (input|button)*>
<!ATTLIST form
    action CDATA #REQUIRED
    method (GET|POST) #IMPLIED>

<!ELEMENT input EMPTY>
<!ATTLIST input
    type (text|email|submit) #REQUIRED
    name CDATA #IMPLIED>

<!ELEMENT button (#PCDATA)>
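
A DTD-aware validator such as libxml2 enforces the sample above in full; the following Python script, an added example that is not part of the Open Email Standards project, shows the allowlist checks the DTD encodes (declared elements, permitted children, declared attributes, enumerated values, required attributes) using only the standard library, so restricted content such as an <iframe> or an onload attribute is reported as a violation. It parses a constructed, condensed copy of the sample DTD with an assumed <style> declaration added, and it does not enforce content-model ordering, cardinality or #FIXED values.

```python
import re, xml.etree.ElementTree as ET

# Constructed copy of the page's sample DTD (condensed) plus an assumed <style> declaration, since head refers to it.
EMAIL_DTD = """
<!ELEMENT html (head, body)> <!ATTLIST html xmlns CDATA #FIXED "http://www.w3.org/1999/xhtml">
<!ELEMENT head (title, meta?, link?, style?)> <!ELEMENT title (#PCDATA)> <!ELEMENT style (#PCDATA)>
<!ELEMENT meta EMPTY> <!ATTLIST meta charset CDATA #IMPLIED name CDATA #IMPLIED content CDATA #IMPLIED>
<!ELEMENT link EMPTY> <!ATTLIST link href CDATA #REQUIRED rel CDATA #FIXED "stylesheet" type CDATA #FIXED "text/css">
<!ELEMENT body (h1|p|a|img|form|button)*> <!ELEMENT h1 (#PCDATA)> <!ELEMENT p (#PCDATA)> <!ELEMENT a (#PCDATA)>
<!ATTLIST a href CDATA #REQUIRED target (self|blank) #IMPLIED>
<!ELEMENT img EMPTY> <!ATTLIST img src CDATA #REQUIRED alt CDATA #IMPLIED>
<!ELEMENT form (input|button)*> <!ATTLIST form action CDATA #REQUIRED method (GET|POST) #IMPLIED>
<!ELEMENT input EMPTY> <!ATTLIST input type (text|email|submit) #REQUIRED name CDATA #IMPLIED> <!ELEMENT button (#PCDATA)>
"""
ATTR_RE = re.compile(r'(\w+)\s+(CDATA|\([^)]*\))\s+(#REQUIRED|#IMPLIED|#FIXED\s+"[^"]*")')

def parse_dtd(text):
    """Map each element to its allowed child names (order/cardinality ignored) and attribute rules."""
    children, attrs = {}, {}
    for name, model in re.findall(r"<!ELEMENT\s+(\w+)\s+([^>]+?)\s*>", text):
        children[name] = set(re.findall(r"[A-Za-z]\w*", model)) - {"EMPTY", "PCDATA"}
    for name, body in re.findall(r"<!ATTLIST\s+(\w+)\s+([^>]+?)\s*>", text):
        for attr, kind, default in ATTR_RE.findall(body):
            enum = set(kind[1:-1].split("|")) if kind.startswith("(") else None
            attrs.setdefault(name, {})[attr] = (enum, default == "#REQUIRED")
    return children, attrs

def validate(doc_xml, dtd_text=EMAIL_DTD):
    """Return the list of violations; an empty list means the message conforms to the DTD."""
    children, attrs = parse_dtd(dtd_text)
    problems = []
    def walk(el, parent):
        tag = el.tag.split("}")[-1]  # drop the namespace prefix ET adds when xmlns is declared
        if tag not in children:      # e.g. <iframe>, <object>, <script>
            problems.append(f"<{tag}> is not a declared element")
            return
        if parent and tag not in children[parent]:
            problems.append(f"<{tag}> is not allowed inside <{parent}>")
        rules = attrs.get(tag, {})
        for attr, value in el.attrib.items():  # undeclared attributes cover onload, onclick, style, ...
            if attr not in rules:
                problems.append(f"attribute '{attr}' is not declared on <{tag}>")
            elif rules[attr][0] is not None and value not in rules[attr][0]:
                problems.append(f"<{tag} {attr}='{value}'> is not one of {sorted(rules[attr][0])}")
        problems.extend(f"required attribute '{a}' is missing on <{tag}>"
                        for a, (_, req) in rules.items() if req and a not in el.attrib)
        for child in el:
            walk(child, tag)
    walk(ET.fromstring(doc_xml), None)
    return problems
```

Calling validate() on a message whose <body> carries an onload attribute or contains an <iframe> returns one entry per violation, while a message that uses only the declared elements and attributes returns an empty list.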

Overview of DTD Framework

The DTD framework for Open Email Standards establishes clear rules for secure and consistent email content across clients. It defines permissible elements, attributes, and behaviors while ensuring compliance with modern security practices and organizing content into a structured hierarchy.

HTML Structure
  • HTML: Starts with <!DOCTYPE> and wraps the entire structure within the <html> tag, containing <head> and <body>.
  • Head: Supports <meta>, <link>, <title>, and optional <style> elements for metadata and stylesheets. Scripts must originate from trusted sources and comply with the Open Email Standards.
  • Body: Contains the interactive and visual components of the email. All content must adhere to structural, styling, and security guidelines defined in the Open Email Standards.

Allowed Body Elements
  • Content Tags: <a>, <abbr>, <address>, <area>, <article>, <aside>, <b>, <bdi>, <bdo>, <blockquote>, <br>, <caption>, <cite>, <code>, <col>, <colgroup>, <data>, <dd>, <del>, <details>, <dfn>, <dialog>, <div>, <dl>, <dt>, <em>, <figure>, <figcaption>, <footer>, <h1>, <h2>, <h3>, <h4>, <h5>, <h6>, <header>, <hgroup>, <hr>, <i>, <img>, <ins>, <kbd>, <li>, <main>, <map>, <mark>, <menu>, <meter>, <nav>, <ol>, <output>, <p>, <picture>, <pre>, <progress>, <q>, <rp>, <rt>, <ruby>, <s>, <samp>, <section>, <small>, <span>, <strong>, <sub>, <summary>, <sup>, <svg>, <table>, <tbody>, <td>, <tfoot>, <th>, <thead>, <time>, <tr>, <u>, <ul>, <var>, <wbr>.
  • Forms: <button>, <datalist>, <fieldset>, <form>, <input>, <label>, <legend>, <optgroup>, <select>, <textarea>.
  • Custom Tags: The <embed-email> tag is allowed for embedding third-party content.
  • Media Elements: Elements such as <audio>, <video>, and <canvas> are allowed with strict limitations. Their use of <source> and <track> is permitted only when external files are loaded from trusted sources and rendered safely by the email client under sandboxed conditions.
  • Scripts: Only pre-approved JavaScript libraries from trusted CDNs are permitted. Raw JavaScript is disallowed. The <noscript> tag is allowed for fallback content when scripts are blocked or unsupported. The <output> tag is permitted in static form contexts but must not rely on raw JavaScript. Only certain structural and formatting tags may be created dynamically via JavaScript.

Security-Restricted Features
  • Elements: Tags like <iframe>, <embed>, <object>, <param>, <template> and <base> are restricted due to their potential to introduce security risks, such as phishing or XSS attacks.
  • Event Handlers: Event handlers that can trigger unauthorized actions—such as onload in <body>, or keyboard-based handlers like onkeydown, onkeyup, and onkeypress—are restricted. Only event handlers explicitly allowed within approved frameworks are permitted.
  • Forms: Sensitive input types like <input type="password"> and <input type="search">, along with the <search> tag, are explicitly prohibited due to limited utility and potential misuse.

Validation Rules
  • Inline CSS: Allowed but must follow secure practices. Unsafe patterns (e.g., JavaScript URLs or base64-encoded images) are disallowed. Properties like cursor are also prohibited.
  • SVG Usage: Only static inline <svg> tags are allowed. Scripts, animation, interactivity, or external references within SVGs are strictly prohibited. All SVGs must be sanitized (e.g., using SVGO) prior to inclusion.