Introduction
As part of the Open Email Standards initiative, new headers are introduced to advance email communication, strengthening transparency and enabling richer user experiences. These headers provide practical benefits, such as seamless versioning of the standards, improved user privacy, and enhanced message functionality and personalization. By adopting these standardized headers, the initiative empowers users and email clients with greater clarity, security, and control in their interactions.
Moving Away from the X- Prefix
To ensure clearer interpretation, Open Email Standards removes the X- prefix for custom headers, promoting a shift to standardized naming. By transitioning to descriptive and standardized header naming conventions, the proposed headers within Open Email Standards provide clear, intuitive naming that enhances both human and machine readability. This change supports greater consistency, encourages widespread adoption across email clients, and ensures these headers remain effective in enabling rich, secure, and interactive email experiences.
From: sender@example.com
To: recipient@example.com
Subject: Example with Open Email Standards Headers
Date: Mon, 24 Jun 2024 12:34:56 -0400
Message-ID: <unique.message.id@example.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Standard-Version: 1.0
Privacy-Flags: no-reply; no-forwarding
Preview-Text: This is a brief preview of the email content.
Profile-Image: https://example.com/logo.png
Content-Expires: Wed, 01 Jan 2025 12:00:00 GMT
Tracking-Link: https://tracker.example.com/email/98765
Content-Expires
The Content-Expires header introduces a mechanism to define the expiration date of email content. By specifying a timestamp, this header helps email clients determine when the message content is no longer available or applicable. It is particularly useful for time-sensitive communications, such as expiring resources, live status updates, or temporally-driven content.
Content-Expires: Wed, 01 Jan 2025 12:00:00 GMT
Benefits
- Enhanced Relevance: Enables email clients to identify and potentially archive or deprioritize expired content, ensuring users are not presented with outdated information.
- Improved User Experience: Avoids confusion by clearly marking messages as time-sensitive, ensuring recipients view only relevant content.
- Dynamic Content Handling: Supports use cases where email content may be replaced or invalidated after a specific time, aligning with modern interactive and event-driven email strategies.
- Efficient Email Management: Facilitates automated archiving or deletion policies in email clients, improving inbox organization and reducing clutter.
Implementation Guidelines
- Date Format: The value of the header follows the standardized RFC 822 format to ensure compatibility across email clients.
- Client Behavior: While email clients are not required to act on this header, it serves as a guideline to enable better handling of time-sensitive messages.
- Security Compliance: Email content flagged as expired must be rendered unavailable rather than deleted or archived, ensuring important information is preserved and protected against accidental loss.
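As an added illustration (my code, not part of the standard's text or any reference implementation), the following Python shows how a receiving client could evaluate Content-Expires against a given time. Treating a missing or malformed header as "no expiry" and assuming UTC for dates parsed without a zone are my assumptions.

```python
from datetime import datetime, timezone
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed sample message for this example.
RAW = """From: sender@example.com
To: recipient@example.com
Subject: Live status update
Content-Expires: Wed, 01 Jan 2025 12:00:00 GMT

The status board is live until noon UTC on New Year's Day.
"""


def content_state(raw_message, now):
    """Classify a message as 'available', 'unavailable' or 'no-expiry'.

    'now' is an aware datetime or an ISO 8601 string with a UTC offset.
    Expired content is reported as unavailable only; this routine never
    deletes or archives it, matching the guideline above. A missing or
    unparsable header is treated as 'no-expiry' (assumption) so that a
    bad header cannot hide a message from the recipient.
    """
    if isinstance(now, str):
        now = datetime.fromisoformat(now)
    msg = message_from_string(raw_message)
    value = msg.get("Content-Expires")
    if value is None:
        return "no-expiry"
    try:
        expires = parsedate_to_datetime(value)
    except (TypeError, ValueError):  # TypeError on older Python versions
        return "no-expiry"
    # A "-0000" zone parses as a naive datetime; assume UTC (assumption).
    if expires.tzinfo is None:
        expires = expires.replace(tzinfo=timezone.utc)
    return "unavailable" if now >= expires else "available"


if __name__ == "__main__":
    for when in ("2025-01-01T11:59:00+00:00", "2025-01-01T12:00:00+00:00"):
        print(when, "->", content_state(RAW, when))
```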
Preview-Text
The Preview-Text header provides a standardized method to define a short preview of the email’s content. This text appears in the recipient’s inbox, offering a quick glimpse of the message before it is opened. Unlike relying on random body content or using code hacks for previews, this header gives senders full control over what is displayed, improving clarity and engagement.
Preview-Text: This is a brief preview of the email content.
Benefits
- Improved Engagement: Provides recipients with context before opening the email, increasing the likelihood of interaction.
- Consistent Previews: Eliminates reliance on email clients generating previews from arbitrary content, ensuring the intended message is shown.
- Streamlined Inbox Experience: Helps users quickly identify the relevance of emails.
Best Practice Guidelines
- Character Limit: The Preview-Text header should not exceed 255 characters. If the text exceeds this limit, email clients are advised to truncate it gracefully.
- Input Validation: The Preview-Text header must only contain plain text. No HTML, JavaScript, or other executable code should be allowed. This restriction helps prevent potential injection attacks and ensures the header functions as intended without security risks.
- Sensitive Information: Senders should avoid including any sensitive or confidential information in the Preview-Text header. Since preview text is often visible in email notifications or lock screens, sensitive content could inadvertently be exposed.
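As an added example of the Preview-Text rules above (my code, not the standard's), this Python routine unfolds the header, rejects anything that is not plain text, and truncates at a word boundary within the 255-character limit. Dropping a non-plain-text value instead of sanitizing it, and the specific markup patterns checked, are my choices.

```python
import re
from email import message_from_string

MAX_PREVIEW = 255  # limit stated in the guidelines above

# Constructed messages: a compliant header and one carrying markup.
GOOD = "Preview-Text: Your June invoice is ready to view.\n\nbody\n"
BAD = "Preview-Text: <b>Urgent</b> <script>alert(1)</script>\n\nbody\n"

_MARKUP = re.compile(r"<[^>]*>|&#?\w+;")  # tags or entities (assumed markers)
_CONTROL = re.compile(r"[\x00-\x08\x0b\x0c\x0e-\x1f\x7f]")


def preview_text(raw_message):
    """Return the text a client may show in the inbox, or None.

    None means the header is absent or is not plain text; such a value
    is dropped rather than sanitized (assumption), so nothing derived
    from untrusted markup reaches the notification or lock screen.
    """
    msg = message_from_string(raw_message)
    value = msg.get("Preview-Text")
    if value is None:
        return None
    text = " ".join(value.split())  # unfold continuation lines, squeeze runs
    if not text or _MARKUP.search(text) or _CONTROL.search(text):
        return None
    if len(text) > MAX_PREVIEW:
        # Graceful truncation: cut at the last space, then mark the cut.
        cut = text[:MAX_PREVIEW - 1]
        if " " in cut:
            cut = cut[:cut.rfind(" ")]
        text = cut.rstrip() + "…"
    return text


if __name__ == "__main__":
    print(preview_text(GOOD))
    print(preview_text(BAD))
```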
Privacy-Flags
The Privacy-Flags header provides control over specific actions users can take with an email, enhancing privacy and handling of sensitive information. By setting flags like no-forwarding and no-reply, senders can define the intended behavior for their messages, preventing unintentional replies to non-responsive addresses or unauthorized forwarding. This enhances security by preventing redistribution of sensitive messages.
Privacy-Flags: no-reply; no-forwarding
Allowed Options
- no-reply: When set, this option indicates that the email client should disable the reply function, helping users avoid sending messages to non-operational addresses such as noreply@example.com.
- no-forwarding: This option disables the forward function for the message, enhancing privacy and protecting sensitive information from being shared with unintended recipients.
Benefits
- User Experience: The no-reply option enhances usability by clearly signaling when a response isn’t needed or will not be received.
- Privacy and Security: The no-forwarding option helps protect the integrity of sensitive information, providing control over who can view the email and preventing unauthorized sharing.
- Enhanced Email Handling: These flags empower email clients to apply visual indicators or disable certain actions, simplifying user interaction and enhancing privacy controls.
Profile-Image
The Profile-Image header offers a simple, cost-effective way for email clients to display sender-specific images, such as company logos or personal avatars. This enhances brand recognition, fosters user trust, and promotes inclusivity for organizations of all sizes. Unlike BIMI (Brand Indicators for Message Identification), which requires a Verified Mark Certificate (VMC) and DMARC alignment, the Profile-Image header offers a simpler and more inclusive approach, making emails visually distinct and easily recognizable in inboxes.
Profile-Image: https://example.com/logo.png
Benefits
- Accessibility: Unlike BIMI, this header does not require expensive Verified Mark Certificates (VMC), making it an inclusive option for individuals and smaller organizations.
- Simple Implementation: Adding a single header line with a secure URL simplifies the process compared to BIMI's multi-step requirements.
- Flexibility: Supports diverse use cases, from personal emails to small businesses, without requiring complex authentication setups.
- Enhanced Recognition: Displaying a logo or avatar makes emails stand out in crowded inboxes, improving user engagement and brand recall.
A Complementary Approach to BIMI
The Profile-Image header serves as a practical alternative, complementing BIMI by offering a simpler option for individuals and organizations without the resources for full BIMI implementation. Email clients are encouraged to prioritize BIMI logos if both BIMI and Profile-Image headers are present. For organizations that have the resources, adopting BIMI with DMARC and a Verified Mark Certificate offers the highest level of trust and brand visibility. The Profile-Image header complements BIMI by catering to individuals and smaller organizations, ensuring inclusivity across the email ecosystem.
Security Guidelines
To ensure safe implementation and mitigate potential risks, the Profile-Image header must adhere to the following security protocols:
- Strict Verification: The header must be ignored entirely if the sender fails SPF, DKIM, or DMARC verification, or if the email is flagged as spam or suspicious.
- Domain Validation: Ensure the image URL matches the sender’s domain or comes from pre-validated trusted sources to prevent misuse.
- File Validation: Only allow secure image formats such as PNG or JPEG. Reject potentially harmful formats like SVG, which could embed malicious code.
- Base64 Encoding: Base64-encoded images are strictly prohibited to prevent bypassing security measures, ensure compatibility with validation protocols, and maintain performance standards.
- Secure Protocols: All images must be served over HTTPS to ensure secure transmission and protect against tampering or interception during delivery.
- Privacy Note: The header must not expose personal or sensitive information about the sender or recipient. It should focus solely on public or brand-related images.
Optional DNS Validation
To enhance security, email clients can optionally validate the Profile-Image header using a DNS TXT record published by the sender. This record should include the authorized image URL and follow a standardized naming convention. Email clients may query the DNS record to confirm that the image URL matches the one specified by the sender's domain. If no match is found or the record is missing, the client can proceed with other verification methods or fallback measures, such as displaying a generic avatar.
_profileimage.example.com. IN TXT "https://example.com/logo.png"
Implementation Guidelines
- Size Recommendations: Square images with a resolution of at least 500 x 500 pixels are recommended to ensure compatibility with a wide range of devices, including high-resolution displays.
- File Size Validation: To ensure fast loading times and minimal bandwidth usage, the image file size should ideally not exceed 1MB. Note: While 1MB is recommended, email clients may implement stricter limits to optimize performance.
- Caching Considerations: Email clients may cache or store images for verified senders to enhance performance and reduce server load.
- Fallback Handling: When validation fails or no Profile-Image header is provided, email clients should display a generic placeholder avatar to maintain visual consistency.
- Reputation-Based Display: Email clients should prioritize displaying the Profile-Image header for senders with a strong domain reputation. For domains with poor reputations or a record of misuse, the header should be ignored or stripped.
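To show how the security guidelines and the optional DNS validation fit together on the receiving side, here is an added Python validator (my code, not from the Open Email Standards project). It assumes the receiving MTA records its SPF/DKIM/DMARC verdicts in an Authentication-Results header (RFC 8601), replaces a real DNS lookup with a constructed table, and treats subdomains of the sender domain as matching it, which is my reading of "matches the sender's domain".

```python
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlsplit

ALLOWED_SUFFIXES = (".png", ".jpg", ".jpeg")  # formats the guidelines allow

# Constructed message; Authentication-Results holds the receiving MTA's verdicts.
RAW = """From: Example <sender@example.com>
Authentication-Results: mx.example.net; spf=pass; dkim=pass; dmarc=pass
Profile-Image: https://example.com/logo.png

body
"""

# Stand-in for a DNS resolver: TXT name -> list of strings (constructed).
FAKE_DNS = {"_profileimage.example.com": ["https://example.com/logo.png"]}


def authenticated(msg):
    """True only if every SPF/DKIM/DMARC verdict recorded is 'pass'."""
    verdicts = {}
    for line in msg.get_all("Authentication-Results") or []:
        for part in line.split(";")[1:]:  # skip the leading authserv-id
            method, _, result = part.strip().partition("=")
            if method in ("spf", "dkim", "dmarc"):
                verdicts[method] = result.split()[0].lower() if result else ""
    return bool(verdicts) and all(v == "pass" for v in verdicts.values())


def profile_image_url(raw_message, resolve_txt=FAKE_DNS.get):
    """Return the image URL a client may fetch, or None if any check fails."""
    msg = message_from_string(raw_message)
    url = (msg.get("Profile-Image") or "").strip()
    if not url or not authenticated(msg):
        return None  # strict verification: unauthenticated mail is ignored
    sender_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    parts = urlsplit(url)
    if parts.scheme != "https" or not parts.hostname:
        return None  # HTTPS only; this also rejects data:/base64 URIs
    host = parts.hostname.lower()
    if host != sender_domain and not host.endswith("." + sender_domain):
        return None  # domain validation (subdomains allowed: assumption)
    if not parts.path.lower().endswith(ALLOWED_SUFFIXES):
        return None  # PNG/JPEG only; SVG and other formats are rejected
    # Optional DNS validation: a published record must list exactly this URL.
    txt = resolve_txt("_profileimage." + sender_domain)
    if txt is not None and url not in txt:
        return None
    return url
```

A real client would pass a function that performs the TXT query in place of `FAKE_DNS.get`; when no record exists the checks above still apply and the client falls back as the page describes.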
Standard-Version
The Standard-Version header specifies the version of the Open Email Standards framework applied to an email. Its primary role is to ensure compatibility and consistency across different email clients by indicating the specific standard used. This allows email clients to interpret and render the message in accordance with the intended specifications.
Standard-Version: 1.0
Benefits
- Compatibility: This header enables email clients and services to apply the correct version, reducing inconsistencies and errors in how emails are displayed or handled.
- Version Control: Versioning allows for smoother upgrades by ensuring backward compatibility, so future iterations of the standards can be adopted without disrupting older systems.
- Standardized Framework: Including a version header promotes a cohesive approach to handling email content across various platforms, helping align email clients with the latest capabilities and security protocols.
Tracking-Link
The Tracking-Link header introduces a transparent and standardized method for tracking email opens, offering an ethical alternative to methods like tracking images. This header allows senders and platforms to adopt uniform practices governed by clear security policies, empowering users to control tracking behavior through their email client settings.
Tracking-Link: https://tracker.example.com/email/98765
Benefits
- Enhanced Transparency: Improves user trust by replacing image-based tracking methods with a single, standardized URL, offering a clear and responsible alternative.
- User Privacy Management: Enables email clients to provide users with options to block or allow tracking, fostering privacy and compliance with standards.
- Standardization: Encourages email senders and platforms to align with a consistent and legitimate tracking method, reducing fragmented and inconsistent practices across the ecosystem.
Implementation Guidelines
- URL Declaration: The header must specify a valid HTTPS URL and include only the minimal data necessary for identifying user interactions, such as tokens or hashed identifiers.
- HTTP Request Handling: When the email is opened, the client initiates a GET request to the Tracking-Link URL. Email clients may optionally obfuscate IP and User-Agent details using proxies or relays.
- Distinction from Read Receipts: Unlike Disposition-Notification-To, which requests explicit user acknowledgment, the Tracking-Link automates email open tracking when permitted by the recipient.
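Bringing together the Privacy-Flags options and the Tracking-Link guidelines above, this added Python (my code, not the standard's) derives the actions a client may offer or perform from both headers. The user opt-in parameter, the HTTPS-only rule applied before any request, and the reporting of unknown flags are my assumptions.

```python
from email import message_from_string
from urllib.parse import urlsplit

KNOWN_FLAGS = {"no-reply", "no-forwarding"}  # the options the standard defines

# Constructed message using the header values shown on this page.
RAW = """From: sender@example.com
Privacy-Flags: no-reply; no-forwarding
Tracking-Link: https://tracker.example.com/email/98765

body
"""


def privacy_flags(msg):
    """Parse Privacy-Flags into a lower-cased set of tokens."""
    value = msg.get("Privacy-Flags") or ""
    return {tok.strip().lower() for tok in value.split(";") if tok.strip()}


def client_actions(raw_message, user_allows_tracking):
    """Derive the actions a client may offer or perform for a message.

    Returns a dict: 'reply' and 'forward' (bool), 'tracking_url' (the
    HTTPS URL the client may GET on open, or None) and 'unknown_flags'
    (tokens not in KNOWN_FLAGS, ignored but reported; assumption).
    The open-tracking GET is only permitted when the recipient has opted
    in via user_allows_tracking; the header never overrides that setting.
    """
    msg = message_from_string(raw_message)
    flags = privacy_flags(msg)
    actions = {
        "reply": "no-reply" not in flags,
        "forward": "no-forwarding" not in flags,
        "tracking_url": None,
        "unknown_flags": sorted(flags - KNOWN_FLAGS),
    }
    link = (msg.get("Tracking-Link") or "").strip()
    if user_allows_tracking and urlsplit(link).scheme == "https":
        actions["tracking_url"] = link  # a client would issue the GET here
    return actions


if __name__ == "__main__":
    print(client_actions(RAW, user_allows_tracking=False))
    print(client_actions(RAW, user_allows_tracking=True))
```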