Where the HELO are my images?

  • Article

Have you ever developed an application that sends HTML formatted email messages to users in your organization, but when the messages are received, your users can't render the images or are prompted before the images are rendered? It can be very difficult to figure out what is going on and why your images won't render. There are a few reasons why this happens, and a few more ways you can work around the issue.

Chances are, you've already found the Security tab under Tools>Options and fiddled around with the Automatic Download Settings. (If you haven't, do so now...) You've no doubt noticed that in that dialog, it leads you to believe that as long as the message is coming from a Safe Sender or the site the images are coming from is in your Trusted Security Zone, the images should be rendered, no problem. And that's true...at least it's half the truth.

What you may not have realized is that just above the Automatic Download Settings button is the Security Zone section. Outlook uses mshtml.dll to render HTML content. It also uses the Security Zone settings from IE, but probably not in the way you are thinking it does.

A common reason for developers experiencing this scenario is when they are referencing images stored on a SharePoint image library or another web application that is protected by Integrated Windows Authentication. You think that because your web app or SharePoint site is in your Trusted Sites zone, users should not be prompted for authentication in order to download the content. By default, Outlook will use the Restricted Sites zone to render the HTML message as if it were a page in the Restricted Sites Zone. Outlook gives you the option of choosing the Internet security zone instead of the Restricted Sites zone, but for simplicity in this article, I'll assume you are using the Restricted Sites zone. If your Restricted Sites zone settings dictate to Prompt for username and password you will be prompted to download images if it is set to Anonymous Logon in the User Authentication/Logon section, you will not be prompted and images will not be downloaded. This all assumes, of course that you have allowed images to be downloaded at all in the Automatic Download Settings section.

So it doesn't matter that your images are in a Trusted Site or are on your Local Intranet where your security zone settings specify that you should be automatically logged on. Outlook treats everything as if it were in the Restricted Sites zone.

How can you view your images in your email without being prompted? There are a few options, but none of them (at least none of the good ones) are a flip of a switch.

  1. Recommended: Move your images to a location where they are not protected with Integrated Windows Authentication (or Basic)...basically, make them anonymously accessible.
  2. You could embed the images in the message (this is Outlook's behavior). The downside to this approach is that every byte of that image is now taking up space in your Inbox. This could also be a fairly decent change to the code you have running that generates the email. Or if you are creating the message from OE, I'm not sure this is even possible.
  3. You could attach the images to the message and reference them with a relative path, so <img src="img1.gif"/> instead of <img src="https://servername/images/img1.gif"/>. This has the same downside as (2).
  4. Not Recommended: This is as close to a flip-switch/immediate gratification answer as you'll get, but it also opens you up to huge security risk...you could change the security settings for your Restricted Sites zone to Automatic Logon. Realize that the security zone settings do not just apply to Outlook, but to Outlook, OE, Internet Explorer and probably other places I'm not thinking of.