Security requirements

To ensure user safety and privacy, dynamic emails are subject to additional security requirements and restrictions.

Sender Authentication

To ensure the sender of an AMP email is legitimate, emails containing AMP need to pass the following checks:

DKIM, SPF and DMARC each appear as separate lines within the "Show Original" menu option in Gmail Web. See Check if your Gmail message is authenticated for more information.

HTTP proxy

All XMLHttpRequests (XHRs) that originate from an AMP email are proxied. This is done to protect the user's privacy.

CORS Headers

The AMP for Email Cross-Origin Resource Sharing (CORS) requirements are slightly different than the existing AMP CORS requirements.

In terms of Gmail, there are two possible sources of XHR requests:

The following describes what headers to expect in a request from each source and the headers that are included in the response by the server.

Gmail

Requests

Requests coming from Gmail's proxy servers contain the following header:

Origin: https://mail.google.com

They also contain the following query parameter:

__amp_source_origin=<sender email address>

For example, an XHR request from an amp-list to https://example.com/data.json that originats from an email sent by sender@example.com looks like this:

Request URL: https://example.com/data.json?__amp_source_origin=sender@example.com
Request Method: GET
Origin: https://mail.google.com

Your endpoint must verify these values and reject any requests that don't contain them.

Responses

All responses must contain the following three headers:

Access-Control-Allow-Origin: https://mail.google.com
AMP-Access-Control-Allow-Source-Origin: <your sender email address>
Access-Control-Expose-Headers: AMP-Access-Control-Allow-Source-Origin

For example, if the email was sent by sender@example.com, then the headers should include the following:

Access-Control-Allow-Origin: https://mail.google.com
AMP-Access-Control-Allow-Source-Origin: sender@example.com
Access-Control-Expose-Headers: AMP-Access-Control-Allow-Source-Origin

If the response doesn't contain these headers, the Gmail proxy server rejects the response and AMP doesn't render it.

Optionally, to use proxy assertion tokens, the following header is required:

Access-Control-Allow-Headers: Amp4Email-Proxy-Assertion

AMP for Email Playground

Requests

Requests coming from the playground contains the following header:

Origin: https://amp.gmail.dev

Playground requests also contain the following query parameter:

__amp_source_origin=amp@gmail.dev

To be able to work in the playground, your test endpoint must verify these values and reject any requests that don't contain them.

Responses

All responses must echo the origin and __amp_source_origin values from above if they are valid:

Access-Control-Allow-Origin: https://amp.gmail.dev
AMP-Access-Control-Allow-Source-Origin: amp@gmail.dev
Access-Control-Expose-Headers: AMP-Access-Control-Allow-Source-Origin

If the response doesn't contain these values, the CORS request fail, resulting in a browser console warning message.

Restrictions

The following describes additional URL restrictions.

Redirects

XHR URLs mustn't return HTTP Status code 302 Found. Requests that return status code 302 fail, resulting in a browser console warning message.