What is the HTTP Referrer-Policy header and how does it relate to email sending and hosted images?

Key findings

• Definition: The Referrer-Policy HTTP header governs the information included in the Referer header, indicating the origin of a request.
• Purpose: It enhances user privacy and security by preventing sensitive URL information from being inadvertently leaked to third-party servers.
• Email Context: While emails themselves do not send this header, when an email client loads hosted images or tracking pixels (which are essentially tiny images), it initiates an HTTP request where this policy can come into play.
• Hosted Images: Servers hosting email images can define a Referrer-Policy, affecting how much originating information is received by the image server from the email client loading the image.
• Policy Values: There are multiple values such as no-referrer, same-origin, and strict-origin-when-cross-origin, which control the granularity of the information shared.

Key considerations

• Privacy: Implementing a restrictive Referrer-Policy on your image hosting servers can enhance recipient privacy by limiting the URL information shared when images are loaded.
• Tracking: If you rely on referrer information for tracking image opens or clicks, a stricter policy may impact your analytics accuracy. Consider the implications for HTTP tracking links and tracking pixels.
• Content Delivery Networks (CDNs): When using a CDN for images, ensure their configuration aligns with your desired Referrer-Policy. This also ties into how different domains for CDN hosted images affect deliverability.
• Security Risks: A lax policy like unsafe-url could potentially leak sensitive information if your email content or embedded URLs contain such data. Always review referrer best practices.

Key opinions

• Confusion about application: Many marketers are unsure why a web-specific header like Referrer-Policy would appear in email platform settings, leading to concerns about unknown impacts.
• Focus on hosted assets: The connection to email usually becomes clearer when explained in terms of hosted images and tracking pixels that are loaded from web servers.
• Impact on analytics: There's often a concern that a restrictive policy might hinder the collection of accurate email open rates or click-through data if referrer information is crucial for their analytics setup, especially when using tracking pixels.
• Desire for simplicity: Marketers prefer simple, clear guidance from their ESPs on how to configure such settings without negatively impacting campaign performance or privacy compliance.

Key considerations

• ESP documentation: Clear and detailed explanations from ESPs about why this header is present and its default behavior are essential for marketers.
• Balancing privacy and data: Marketers must weigh the benefits of enhanced recipient privacy (by restricting referrer information) against potential reductions in data available for campaign optimization. Chrome's new referrer policy provides a good case study of such impact.
• Testing: When making changes to referrer policies, marketers should test how this impacts image loading and any pixel-based tracking to avoid unexpected issues.
• Deliverability: While not directly affecting email deliverability (like SPF, DKIM, or DMARC), incorrect configurations that prevent images from loading can indirectly harm user experience and engagement, which can eventually reflect on sender reputation.

Key opinions

• Server-side control: Experts confirm that the Referrer-Policy is typically set by the web server hosting the content (like images or landing pages), not directly by the email sender.
• Data flow management: It's seen as a powerful tool for controlling what information about the originating context (e.g., the email where an image was loaded) is shared with third-party content providers.
• Privacy vs. functionality: Balancing stricter privacy policies (like no-referrer) with the need for analytics or security measures that rely on referrer data is a constant challenge.
• Evolving standards: The default referrer policies of browsers are becoming stricter over time, which means email marketers relying on older methods of tracking might need to adapt.

Key considerations

• Configuration for hosted assets: Ensure that your image hosting servers (or CDNs) have an appropriate Referrer-Policy configured to meet both privacy goals and functional requirements. For instance, consider how hosting images on S3 vs. CloudFront might affect this.
• Impact on deliverability metrics: If email clients block image loading due to referrer policy issues, it can indirectly affect reported open rates and user engagement, which are signals for domain reputation.
• Security implications: A poorly configured policy could potentially expose sensitive information from email links or image URLs if not handled correctly. HTTP security headers are key here.
• Compliance: Adhering to stricter referrer policies can contribute to overall data privacy compliance, which is increasingly important in email marketing.

Key findings

• Header Function: The HTTP Referrer-Policy header controls the level of referrer information sent with requests, influencing the 'Referer' header.
• Security Purpose: It is primarily a security header designed to prevent the leakage of sensitive data from URLs when navigating between web pages or loading external resources.
• Policy Directives: Numerous directives like no-referrer, origin, and strict-origin-when-cross-origin offer varying levels of control over referrer information disclosure.
• Browser Handling: Browsers interpret and enforce the Referrer-Policy when making requests for resources, including images embedded in emails.
• Default Behaviors: Modern browsers are increasingly adopting more privacy-preserving default referrer policies, often defaulting to strict-origin-when-cross-origin or similar.

Key considerations

• Server-side configuration: Documentation confirms that this header is typically sent by the server hosting the resource (e.g., email images hosted on a web server or CDN). This relates to how S3 buckets affect email deliverability.
• HTTPS importance: Many policies behave differently when transitioning between HTTPS and HTTP, emphasizing the importance of using HTTPS for links and images in email marketing.
• Cross-origin requests: Documentation details how referrer information is handled for cross-origin requests, which is common when images are hosted on domains separate from the email sender's primary domain.
• Best practices: Documentation often recommends using a privacy-preserving policy like strict-origin-when-cross-origin as a robust default. For more information on configuring your server for this header, refer to MDN Web Docs security guides.