What is HTML sanitization in email clients?

Still have a question, spotted an error, or have a better explanation or a source we should cite?

HTML sanitization is what email clients do before they show your message to the reader. They strip out code that could be malicious or break the inbox's interface. Scripts get removed. Embedded forms get removed. Certain CSS properties get removed. Anything that could let a sender hijack the user's session, steal data, or mess with the inbox itself.

This is why you can't put JavaScript in a marketing email and expect it to run. Gmail, Outlook, Yahoo, and every other client sanitize incoming HTML as a security measure. The rules vary by client, which is why an email can look perfect in Gmail and broken in Outlook.

What typically gets stripped:

  • JavaScript (all <script> tags, onclick, onerror, any event handlers)
  • Forms (<form>, <input>, <textarea>)
  • Iframes (for security, though some clients allow them from specific domains)
  • Object and embed tags (Flash, Java, other plugins)
  • Certain CSS (position: fixed, z-index above certain thresholds, some animation properties)
  • External stylesheets (linked CSS gets ignored, everything has to be inline or in a <style> block)
  • Meta tags (viewport, refresh, etc.)

Why this matters for senders: if you're building emails with advanced interactive features, they probably won't work. Countdown timers that rely on JavaScript? Stripped. Embedded video players? Stripped. CSS animations? Maybe, depends on the client. The safest approach is to code like it's 2004: tables for layout, inline styles, images as fallbacks for anything fancy.

The other reason this matters: sanitization rules change. A CSS property that worked last year might get stripped this year if a client tightens security. This is why testing across clients isn't optional.

If you're hitting rendering issues in specific clients, check what's getting stripped with our free Source Analyzer (shows you the raw HTML that actually landed). And if you're building interactive emails and want to know what's possible across clients, Can I email tracks CSS and HTML support by client.

Contributors

Who worked on this answer

Every name links to their profile. Every company links to their site. Real people, real accountability.

Ask an AI · tailored to your setup

Paste your details above (the more specific, the better the advice)

I read this on the Email Almanac about HTML sanitization in email clients: "HTML sanitization is what email clients do before they show your message to the reader. They strip out code that could be malicious or break the inbox's interface. Scripts, forms, iframes, certain CSS properties, anything that could let a sender hijack the user's session or mess with the inbox." Help me understand how this affects MY email campaigns: 1. What I'm sending: - Type of email: [newsletter / transactional / promotional / automated sequence] - Current design approach: plain HTML / drag-and-drop builder / custom coded / template - Interactive elements I'm using or want to use: forms / animations / countdown timers / video embeds / other - Email builder/ESP: Mailchimp / Klaviyo / custom / other 2. What's breaking or what I'm worried about: - Specific rendering issues: describe what's not displaying correctly - Clients where it's broken: Gmail / Outlook / Apple Mail / other - Features that aren't working: be specific 3. What I need: - Explanation of what's getting stripped in MY emails - Safe alternatives for interactive features - Testing strategy for cross-client compatibility - Whether my current approach is even possible in email

Edit the yellow boxes, then send to the AI of your choice.