What are security limitations of AMP emails?
Still have a question, spotted an error, or have a better explanation or a source we should cite?
Before your first AMP email reaches a single inbox, Gmail and Yahoo have already decided what it can and can't do. That might feel limiting at first, but those restrictions exist because AMP emails can call external servers and load live data, which creates real attack surface if left unchecked.
The first hard requirement is HTTPS everywhere. Any API endpoint your AMP email calls, any image it loads, any external resource it touches must be served over HTTPS. There's no exception. Beyond that, your server needs to send the right CORS headers explicitly permitting the email client's origin to make requests. Without those headers, the call fails silently and your subscriber sees the fallback HTML version instead of the dynamic AMP content.
On the component side, you can only use AMP components that appear on the approved list for email: amp-accordion, amp-carousel, amp-form, amp-list, and a small set of others. You can't import arbitrary web-focused AMP components, and there's no way to run custom JavaScript at all. The sandbox is intentional. It means a compromised email can't execute scripts or exfiltrate data beyond what the allowed components permit. CSS is also sandboxed, with certain selectors blocked for security reasons.
Then there's the sender approval process. Even if your AMP is technically perfect, it won't render as AMP until Gmail and Yahoo Mail have approved your sending domain. You submit a production email sample, meet minimum volume requirements, and pass their review. It's not automatic and it takes time. Until approval comes through, every subscriber gets the fallback HTML version, which is exactly why building a solid fallback isn't optional. Think of it as the version that ships to Apple Mail, Outlook, and any unapproved client regardless.
The practical checklist before you ship AMP: confirm all your endpoints are HTTPS, add CORS headers permitting mail.google.com and mail.yahoo.com, validate your markup against the official AMP validator, and check your sending domain's approval status with each provider. If any step fails, your subscribers see the fallback, so make that fallback good. If you're weighing whether AMP is worth the setup overhead, the CSS interactivity guide covers an alternative that skips the approval process entirely. And when you're ready to apply for approval, the AMP for Email overview walks through what providers look for in the review.
Contributors
Who worked on this answer
Every name links to their profile. Every company links to their site. Real people, real accountability.