To ensure user safety and privacy, dynamic emails are subject to additional security requirements and restrictions.
To ensure the sender of an AMP email is legitimate, emails containing AMP need to pass the following checks:
- Domain Keys Identified Mail (DKIM) authentication, matching the exact domain of the sender email address (the
- Sender Policy Framework (SPF) authentication
- Domain-based Message Authentication, Reporting and Conformance (DMARC) pass with DKIM and SPF
DKIM, SPF and DMARC each appear as separate lines within the "Show Original" menu option in Gmail Web. See Check if your Gmail message is authenticated for more information.
All XMLHttpRequests (XHRs) that originate from an AMP email are proxied. This is done to protect the user's privacy.
The AMP for Email Cross-Origin Resource Sharing (CORS) requirements are slightly different than the existing AMP CORS requirements.
In terms of Gmail, there are two possible sources of XHR requests:
- Gmail (via a proxy server)
- AMP for Email Playground (which simulates the behavior of the proxy server)
The following describes what headers to expect in a request from each source and the headers that are included in the response by the server.
Requests coming from Gmail's proxy servers contain the following header:
They also contain the following query parameter:
__amp_source_origin=<sender email address>
For example, an XHR request from an amp-list to
that originats from an email sent by
email@example.com looks like this:
Request URL: https://firstname.lastname@example.org Request Method: GET Origin: https://mail.google.com
Your endpoint must verify these values and reject any requests that don't contain them.
All responses must contain the following three headers:
Access-Control-Allow-Origin: https://mail.google.com AMP-Access-Control-Allow-Source-Origin: <your sender email address> Access-Control-Expose-Headers: AMP-Access-Control-Allow-Source-Origin
For example, if the email was sent by
email@example.com, then the headers
should include the following:
Access-Control-Allow-Origin: https://mail.google.com AMP-Access-Control-Allow-Source-Origin: firstname.lastname@example.org Access-Control-Expose-Headers: AMP-Access-Control-Allow-Source-Origin
If the response doesn't contain these headers, the Gmail proxy server rejects the response and AMP doesn't render it.
Optionally, to use proxy assertion tokens, the following header is required:
Requests coming from the playground contains the following header:
Playground requests also contain the following query parameter:
To be able to work in the playground, your test endpoint must verify these values and reject any requests that don't contain them.
All responses must echo the
__amp_source_origin values from above
if they are valid:
Access-Control-Allow-Origin: https://amp.gmail.dev AMP-Access-Control-Allow-Source-Origin: email@example.com Access-Control-Expose-Headers: AMP-Access-Control-Allow-Source-Origin
If the response doesn't contain these values, the CORS request fail, resulting in a browser console warning message.
The following describes additional URL restrictions.
XHR URLs mustn't return HTTP Status code
302 Found. Requests that return
302 fail, resulting in a browser console warning message.