Carl S. Gutekunst answers me and ultimately Dave Crocker:
<http://www.email-standards.org/>
which seeks to rate MUAs and webmail sites for standards compliance.
Not quite. It rates them for HTML display standards compliance. If a
mail reader has perfect HTML, CSS and javascript support, it gets
full points from that site.
... and probably fails any reasonable security/privacy test.
Actually it's not all that bad.
If you accept as a premise that email messages are put together by
"designers" using HTML and CSS for rendering on the screens of
"readers" (both words from email-standards.org), then I don't think you
can improve very much on what the email-standards.org people are doing.
They don't seem to care much about being able to quote in a reply, and
so on, and so forth, so there's certainly scope for improvement, but
most HTML/mail proposals I've seen are much worse than theirs.
I could only think of one easy security attack that their test affords.
(Lazy implementers may allow more attacks, but isn't that always the
case?)
Arnt