Serving your images via HTTPS has been a best practice for many years — but now it’s becoming more important than ever. Here’s why.

HTTPS — or Hypertext Transfer Protocol Secure — is the encrypted and secure version of HTTP, the protocol that’s used to move data between a website and your browser. With HTTPS, any traffic is protected through encryption technologies like TLS and SSL, making it much harder for information to be snooped.

HTTPS isn't new. It was introduced back in 1994 and today the majority of websites use it. But too often, files and resources that are embedded on a website aren’t. This is what we call mixed content, and it’s what can cause issues. If an image, a PDF download, or an audio file lives on a secure website but the resource itself isn’t provided via HTTPS, that’s a potential security risk. The idea is simple: if a secure website hosts insecure resources, the website as a whole actually isn’t really secure — and that’s why Google is now tightening its grip on mixed content.

In a series of steps starting in Chrome 79, Chrome will gradually move to blocking all mixed content by default. To minimize breakage, we will autoupgrade mixed resources to https://

— Google on the Chromium Blog in October 2019

Over the past couple of months, Chrome would only show a “Not Secure” warning on pages with mixed content, without taking any additional action. Now, with Chrome Version 85, we’re seeing the first reports of Google putting their tighter rules into action — and the first email geeks are starting to run into issues with imagery in their email campaigns.

Missing (or incorrectly set up) HTTPS can now break your emails

Let’s break down what Google’s autoupgrade of mixed resources will do: If you’ve got an image in your email that’s on an insecure connection (HTTP), Chrome will automatically try the HTTPS version of that image URL instead. If your HTTPS is properly configured and your image is available via HTTPS as well, your image will load just fine and you won’t have any issues.

If you don’t have an HTTPS infrastructure set up — or if it’s not properly configured — your images will no longer display in the most recent version of Chrome.



Subscribers who view your emails in a webmail client in Chrome will start seeing broken images as their Chrome browser starts to block HTTP resources by default.

This test email here, for example, includes an image (http://place-puppy.com/600x200) that’s provided via HTTP:

If this email is opened in a web client via Chrome, the insecure image won’t display:

When investigating the code, we see that Chrome is trying the HTTPS version of the image, and because the secure version of that image isn’t provided, the image simply won’t show in the inbox.

So far, we haven’t seen this issue in Gmail, likely because Gmail caches all email images and serves them from their own servers instead. So far, HTTP resources don’t seem to run into any issues when being re-hosted via Gmail’s image cache. But as Google takes additional steps towards banning mixed content, we might see changing behavior in Gmail’s inboxes, too. 

But issues in the inbox might not be the only reason why now is the time to double-check your HTTPS setup. You might also experience similar behavior in your email building tools as you create your emails. If your ESP or email editor lives on a secure connection and you’re adding in images that are not, you’re creating mixed content. The result? Your images might no longer display when working in your ESP in Chrome. 

Fixing your HTTPS setup 

When figuring out whether or not you need to take any action, the first step is to find out where your images are currently hosted. If you’re hosting your images with your ESP, they’ll have to make sure that all images are provided via a secure connection with up-to-date certificates. Reach out to your ESP to see if they’re providing all images via HTTPS, and all certificates are up-to-date. 

If you’re using Taxi, for example, and choose to host your images with us, we’re making sure that all images are on a secure connection so you won’t run into any issues. 

If you’re hosting your images on your own custom domain though, the responsibility for making sure that those are provided via HTTPS (and all SSL certificates are up-to-date) lies with your team. 

How to find out if you have HTTPS set up for your images?

Take a look at the image URL for one of the images included in your campaigns. Does your URL include HTTPS? If it doesn’t, try adding the s manually — just like Chrome would do in its effort to auto-upgrade your links — and copy that new HTTPS URL into a new Chrome tab.

Does your image load okay? In this case, you’re all set. 

Does Chrome show a “not secure” warning, or not load your image at all? In this case, your HTTPS is either not set up, or it’s not set up correctly.

Let’s look at our puppy image example from our test email above: The original image we included has the URL http://place-puppy.com/600x200. If we adjust it to read https://place-puppy.com/600x200, the image won’t load. It turns out that for this image, HTTPS isn’t set up correctly — so it will be broken in your email, as we saw in the GMX inbox.
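The manual check above can be run over a whole email at once. The following Python sketch is an added example, not part of the original article or any Taxi tooling: it pulls every HTTP image out of an email's HTML, builds the HTTPS URL by "adding the s", and fetches it with certificate verification on. The function names and the images.example.com URLs are assumptions made for illustration.

```python
import ssl
import urllib.error
import urllib.request
from html.parser import HTMLParser
from urllib.parse import urlsplit, urlunsplit

# Constructed sample email body; only the place-puppy URL comes from the article.
SAMPLE_EMAIL = """
<img src="http://place-puppy.com/600x200" alt="Puppy">
<img src="https://images.example.com/logo.png" alt="Logo">
<IMG SRC=" HTTP://images.example.com/hero.jpg?w=600 " alt="Hero">
"""

class ImgCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        src = dict(attrs).get("src")
        if tag == "img" and src:
            self.sources.append(src.strip())

def upgrade(url):
    """Return the https:// form of an http:// URL, or None if it is not http."""
    parts = urlsplit(url)  # urlsplit lowercases the scheme for us
    return urlunsplit(("https", *parts[1:])) if parts.scheme == "http" else None

def insecure_images(html):
    """Map each HTTP image URL in the email to the HTTPS URL to test."""
    collector = ImgCollector()
    collector.feed(html)
    return {src: upgrade(src) for src in collector.sources if upgrade(src)}

def check_https(url, timeout=10):
    """Fetch url with certificate and hostname verification enabled."""
    try:
        with urllib.request.urlopen(url, timeout=timeout,
                                    context=ssl.create_default_context()) as resp:
            return "ok" if resp.url.startswith("https://") else "downgraded"
    except urllib.error.HTTPError as err:
        return f"http {err.code}"
    except OSError as err:  # URLError (DNS, refused, TLS) or a socket timeout
        reason = getattr(err, "reason", err)
        return "tls error" if isinstance(reason, ssl.SSLError) else "unreachable"

if __name__ == "__main__":
    for http_url, https_url in insecure_images(SAMPLE_EMAIL).items():
        print(http_url, "->", https_url, ":", check_https(https_url))
```

Anything other than "ok" means the image is at risk of breaking once the browser upgrades the request; "downgraded" is this example's own stricter result for an HTTPS URL that redirects back to plain HTTP.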


Finding the right person to get your HTTPS setup fixed

So you’ve uncovered an issue with your HTTPS setup for your images, but what now? Most marketers won’t have the technical skills to fix this issue themselves. In general, it’s your website or DevOps team that can help with setting up HTTPS (and making sure that all SSL certificates stay up-to-date), so reach out to them to find the right person to bring your image hosting to HTTPS. 

Google is banning mixed content — what’s next?

So far, we’ve only seen a few reports of email marketers running into issues with mixed content. It appears that Google is rolling out those changes slowly, with a roll-out to more users likely coming in October. We’ll continue to update this post as we find out more. 

But it’s also safe to assume that a development towards blocking mixed content won’t be limited to just Chrome. Other browsers too are constantly working towards creating a safer browsing environment for their users and with mixed content being a risk to users, it’s likely that we’ll see more browsers following this path. 

So while fixing your email image hosting might feel like an annoying extra task today, it’s an important step to provide a safe and reliable email experience for your subscribers going forward. 
