RFC 6068: The Complete Guide to the Mailto URI Scheme Standard
If you’ve ever wondered what rules govern mailto links, the answer lies in RFC 6068. This document, published by the Internet Engineering Task Force (IETF), is the official specification that defines how email links work on the web.
In this guide, we’ll break down RFC 6068 in plain English, explaining what it allows, what it prohibits, and how to create compliant mailto links.
What is RFC 6068?
RFC 6068 is an Internet Standard published in October 2010. It formally defines the mailto: URI scheme—the protocol that allows web pages to create clickable links that open email clients.
| Specification | Details |
|---|---|
| Full Title | The ‘mailto’ URI Scheme |
| Authors | M. Duerst, L. Masinter, J. Zawinski |
| Status | Proposed Standard |
| Obsoletes | RFC 2368 |
| Published | October 2010 |
| Official Link | RFC 6068 |
The History of Mailto Standards
The mailto scheme has evolved over time:
| Era | Standard | Key Changes |
|---|---|---|
| 1998 | RFC 2368 | Original mailto specification |
| 2010 | RFC 6068 | Current standard; added IRI support, security considerations |
RFC 6068 was created to address ambiguities in the original specification and to improve internationalization support.
RFC 6068 Structure Breakdown
1. Basic Syntax
The basic structure of a mailto URI is:
mailto:addr-spec?header=value&header2=value2
Components:
- mailto: — The URI scheme (required)
- addr-spec — One or more email addresses (comma-separated)
- ? — Delimiter before query parameters
- header=value — Key-value pairs for email headers
2. Allowed Headers
RFC 6068 explicitly defines which email headers can be included:
| Header | Description | Example |
|---|---|---|
| to | Additional recipients | [email protected] |
| cc | Carbon copy | [email protected] |
| bcc | Blind carbon copy | [email protected] |
| subject | Email subject line | ?subject=Hello%20World |
| body | Pre-filled message content | ?body=Hi%20there |
| in-reply-to | Message-ID for threading | ?in-reply-to=<msg-id> |
| keywords | Keywords for the message | ?keywords=urgent |
3. Prohibited Headers
For security reasons, RFC 6068 prohibits certain headers:
| Header | Reason for Prohibition |
|---|---|
| from | Could be used for spoofing |
| date | Should be set by the email client |
| received | Internal routing header |
| content-type | Could inject malicious content |
| content-transfer-encoding | Internal encoding header |
| Any X- header | Unpredictable behavior |
4. No Attachment Support
Critical: RFC 6068 does not support file attachments.
“The ‘mailto’ URI scheme is designed for simple message composition… It does not provide a mechanism for including attachments.”
This is a security feature. If mailto links could attach files, malicious websites could:
- Distribute malware
- Exfiltrate local files
- Bypass security scanners
Learn more: Why Mailto Links Cannot Have Attachments
Character Encoding
RFC 6068 requires proper URL encoding (percent-encoding) for special characters:
| Character | Encoded | Must Encode? |
|---|---|---|
| Space | %20 | Yes |
| Line break | %0A | Yes |
| Tab | %09 | Yes |
| & | %26 | Yes (in body text) |
| = | %3D | Yes (in body text) |
| ? | %3F | Yes (in body text) |
| # | %23 | Yes |
| @ | %40 | No (in addresses) |
| , | , | No (between addresses) |
Example: Properly Encoded Mailto
<a href="mailto:[email protected]?subject=Bug%20Report%3A%20Login%20Issue&body=Steps%20to%20reproduce%3A%0A1.%20Go%20to%20login%20page%0A2.%20Enter%20credentials%0A3.%20Click%20submit">
Report Bug
</a>
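A link builder that applies the encoding table above, shown as an added example that is not code from RFC 6068 or from this site's generator. The function names, the example.com addresses and the choice to reject line breaks in single-line headers are assumptions; the header list and the 2000-character limit are the ones given on this page.

```javascript
// Added example: build a mailto link using this page's encoding rules.
const ALLOWED_HEADERS = ["to", "cc", "bcc", "subject", "body", "in-reply-to", "keywords"];
const ADDRESS_HEADERS = ["to", "cc", "bcc"];
const MAX_LEN = 2000; // Outlook (Desktop) limit from the compatibility table

// Encode one address: "@" stays literal, each side is percent-encoded as UTF-8.
function encodeAddress(addr) {
  const at = addr.lastIndexOf("@");
  if (at < 1 || at === addr.length - 1) throw new Error("not an address: " + addr);
  return encodeURIComponent(addr.slice(0, at)) + "@" + encodeURIComponent(addr.slice(at + 1));
}

function buildMailto(recipients, headers = {}) {
  const to = recipients.map(encodeAddress).join(","); // commas stay literal between addresses
  const pairs = [];
  for (const [name, value] of Object.entries(headers)) {
    const key = name.toLowerCase();
    if (!ALLOWED_HEADERS.includes(key)) throw new Error("header not allowed: " + name);
    // Assumption: only body may span lines; a line break elsewhere is rejected.
    if (key !== "body" && /[\r\n]/.test(value)) throw new Error("line break in " + key);
    const encoded = ADDRESS_HEADERS.includes(key)
      ? [].concat(value).map(encodeAddress).join(",")
      : encodeURIComponent(value); // space -> %20, & -> %26, = -> %3D, newline -> %0A
    pairs.push(key + "=" + encoded);
  }
  const uri = "mailto:" + to + (pairs.length ? "?" + pairs.join("&") : "");
  if (uri.length > MAX_LEN) throw new Error("link is " + uri.length + " chars, limit " + MAX_LEN);
  return uri;
}

// Form encoding is the wrong tool here: it writes a space as "+", not "%20".
function formEncodedSubject(subject) {
  return new URLSearchParams({ subject }).toString();
}

// Constructed sample input.
console.log(buildMailto(["support@example.com"], {
  subject: "Bug Report: Login Issue",
  body: "Steps to reproduce:\n1. Go to login page",
}));
console.log(formEncodedSubject("Hello World"));
```

`encodeAddress` also produces the percent-encoded form of an internationalized address, so the same builder covers the IRI case.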
Security Considerations
RFC 6068 Section 4 addresses security:
1. Header Injection
Attackers cannot inject arbitrary headers because:
- Only allowed headers are processed
- Values are URL-decoded, not executed
2. Phishing Prevention
Email clients should:
- Display the recipient address before sending
- Not automatically send emails from mailto links
- Allow users to edit the pre-filled content
3. User Awareness
The specification recommends that:
- Users should always review the email before sending
- Email clients should clearly show all recipients
- BCC recipients should be visible to the sender
Internationalization (IRI Support)
RFC 6068 supports Internationalized Resource Identifiers (IRIs), allowing non-ASCII characters:
<!-- Unicode characters in email addresses -->
<a href="mailto:用户@例子.中国">联系我们</a>
However, for maximum compatibility, ASCII encoding is recommended:
<!-- Percent-encoded version -->
<a href="mailto:%E7%94%A8%E6%88%B7@%E4%BE%8B%E5%AD%90.%E4%B8%AD%E5%9B%BD">联系我们</a>
Real-World Implementation
Compliant Example
<a href="mailto:[email protected],[email protected]?cc=[email protected]&bcc=[email protected]&subject=Partnership%20Inquiry&body=Hello%2C%0A%0AI%20am%20interested%20in%20discussing%20a%20partnership.%0A%0ABest%20regards">
Contact Us
</a>
This is RFC 6068 compliant because:
- ✅ Uses allowed headers only (cc, bcc, subject, body)
- ✅ Properly percent-encodes special characters
- ✅ Multiple recipients separated by commas
- ✅ No prohibited headers
Non-Compliant Examples
<!-- ❌ Trying to set 'from' (prohibited) -->
<a href="mailto:[email protected]?from=[email protected]">Click Me</a>
<!-- ❌ Trying to attach a file (not supported) -->
<a href="mailto:[email protected]?attach=/path/to/file.pdf">Send Resume</a>
<!-- ❌ Content-type injection attempt (prohibited) -->
<a href="mailto:[email protected]?content-type=text/html">Send HTML</a>
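The header lists above only help when the software that handles a link enforces them. The following added example (not code from RFC 6068 or from this site) audits a mailto URI against the allowed and prohibited headers listed on this page; the function name, finding strings and example.com sample links are constructed for illustration.

```javascript
// Added example: audit a mailto URI against the header lists on this page.
const PAGE_ALLOWED = new Set(["to", "cc", "bcc", "subject", "body", "in-reply-to", "keywords"]);
const PAGE_PROHIBITED = new Set(["from", "date", "received", "content-type", "content-transfer-encoding"]);

function auditMailto(uri) {
  if (!/^mailto:/i.test(uri)) return ["not a mailto URI"];
  const findings = [];
  const rest = uri.slice("mailto:".length);
  const q = rest.indexOf("?");
  const query = q === -1 ? "" : rest.slice(q + 1);
  for (const pair of query.split("&").filter(Boolean)) {
    const eq = pair.indexOf("=");
    let name, value;
    try {
      // Decode before comparing, so a percent-encoded header name is still recognized.
      name = decodeURIComponent(eq === -1 ? pair : pair.slice(0, eq)).toLowerCase();
      value = decodeURIComponent(eq === -1 ? "" : pair.slice(eq + 1));
    } catch (e) {
      findings.push("malformed percent-encoding: " + pair);
      continue;
    }
    if (PAGE_PROHIBITED.has(name) || name.startsWith("x-")) {
      findings.push("prohibited header: " + name);
    } else if (!PAGE_ALLOWED.has(name)) {
      findings.push("unsupported header: " + name);
    } else if (name !== "body" && /[\r\n]/.test(value)) {
      // A decoded line break in a single-line header must not reach the composed message.
      findings.push("line break in " + name + " value");
    }
  }
  return findings;
}

// Constructed sample links mirroring the compliant and non-compliant cases above.
const SAMPLE_LINKS = [
  "mailto:a@example.com,b@example.com?cc=c@example.com&subject=Partnership%20Inquiry&body=Hello%2C%0A%0ABest%20regards",
  "mailto:a@example.com?from=ceo@example.com",
  "mailto:a@example.com?attach=/path/to/file.pdf",
  "mailto:a@example.com?content-type=text/html",
  "mailto:a@example.com?subject=Hi%0D%0Athere",
];
for (const link of SAMPLE_LINKS) {
  console.log(link, "->", JSON.stringify(auditMailto(link)));
}
```

An empty result means no finding against these lists; it does not validate the address syntax itself.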
Email Client Compliance
How well do popular email clients follow RFC 6068?
| Client | to | cc | bcc | subject | body | Notes |
|---|---|---|---|---|---|---|
| Gmail (Web) | ✅ | ✅ | ✅ | ✅ | ✅ | Full compliance |
| Outlook (Desktop) | ✅ | ✅ | ✅ | ✅ | ✅ | 2000 char limit |
| Apple Mail | ✅ | ✅ | ✅ | ✅ | ✅ | Full compliance |
| Thunderbird | ✅ | ✅ | ✅ | ✅ | ✅ | Full compliance |
| Yahoo Mail | ✅ | ✅ | ⚠️ | ✅ | ✅ | BCC sometimes ignored |
Tools for RFC 6068 Compliance
Creating compliant mailto links manually is error-prone. Use our tools:
Free Mailto Link Generator
- ✅ Automatic percent-encoding
- ✅ Character counter (for Outlook limit)
- ✅ Validates against RFC 6068
- ✅ Generates QR codes
Summary
| Topic | RFC 6068 Position |
|---|---|
| Allowed headers | to, cc, bcc, subject, body, in-reply-to, keywords |
| Prohibited headers | from, date, content-type, X-headers |
| Attachments | Not supported |
| Encoding | Percent-encoding required |
| IRI support | Yes (internationalized addresses) |
| Security | User must review before sending |
Related Reading
- Why Mailto Cannot Have Attachments
- CC and BCC Parameters Guide
- Mailto HTML Tutorial
- Free Mailto Generator
Last Updated: December 2025