If i send a message with a text/html part (either it's only text/html, or all parts are rendered, or it's multipart/alternative with only a text/html subpart) and that HTML has <img src="http://example.org/test.png"/> in it, then notmuch will make a network request for that image. This is a privacy disaster, because it enables an e-mail sender to use "web bugs" to tell when a given notmuch user has opened their e-mail. It's also a bit of a consistency/storage/indexing disaster because it means that what you see when you open a given message will change depending on the network environment you're in when you open it. It's also potentially a security problem because it means that anyone in control of the remote server (or the network between you and the remote server if the image isn't sourced over https) can feed arbitrary data into whatever emacs image rendering library is being used. (granted, this is not a unique problem because this can already be done by the original message sender with a multipart/mixed message, but it's an additional exposure of attack surface) I just raised this on #notmuch, and i don't have the time or the knowledge to look into it now, but i think the defaults here need to be to avoid network access entirely unless the user explicitly requests it. --dkg