What is HTML sanitization in email clients?
Still have a question, spotted an error, or have a better explanation or a source we should cite?
HTML sanitization is what email clients do before they show your message to the reader. They strip out code that could be malicious or break the inbox's interface. Scripts get removed. Embedded forms get removed. Certain CSS properties get removed. Anything that could let a sender hijack the user's session, steal data, or mess with the inbox itself.
This is why you can't put JavaScript in a marketing email and expect it to run. Gmail, Outlook, Yahoo, and every other client sanitize incoming HTML as a security measure. The rules vary by client, which is why an email can look perfect in Gmail and broken in Outlook.
What typically gets stripped:
- JavaScript (all
<script>tags,onclick,onerror, any event handlers) - Forms (
<form>,<input>,<textarea>) - Iframes (for security, though some clients allow them from specific domains)
- Object and embed tags (Flash, Java, other plugins)
- Certain CSS (
position: fixed,z-indexabove certain thresholds, some animation properties) - External stylesheets (linked CSS gets ignored, everything has to be inline or in a
<style>block) - Meta tags (viewport, refresh, etc.)
Why this matters for senders: if you're building emails with advanced interactive features, they probably won't work. Countdown timers that rely on JavaScript? Stripped. Embedded video players? Stripped. CSS animations? Maybe, depends on the client. The safest approach is to code like it's 2004: tables for layout, inline styles, images as fallbacks for anything fancy.
The other reason this matters: sanitization rules change. A CSS property that worked last year might get stripped this year if a client tightens security. This is why testing across clients isn't optional.
If you're hitting rendering issues in specific clients, check what's getting stripped with our free Source Analyzer (shows you the raw HTML that actually landed). And if you're building interactive emails and want to know what's possible across clients, Can I email tracks CSS and HTML support by client.
Contributors
Who worked on this answer
Every name links to their profile. Every company links to their site. Real people, real accountability.