Interesting. I've always thought that images within emails would also serve as a read receipt to the server that sent them when enabled or shown. Would this still apply? Google providing a proxy for this could totally pollute this data (which could be a good thing!).
> I've always thought that images within emails would also serve as a read receipt to the server that sent them when enabled or shown
Yes, that's exactly what happens. Proxying the image only hides the user's IP address. If the images in the email load from external resources like https://example.com/fetch-resource?id=something_unique GMail has no way of knowing if something_unique uniquely identifies a user.
This is why disabling images is helpful. Of course Gmail also lets you enable images per sender, and you may find that quite acceptable for sites you have a relationship with (e.g. a shopping site which already knows your IP address and is sending you delivery notifications).
Someone tested [0] and the result agrees with you. And this Gmail help article [1] elaborates on the scope of protection, which is equivalent to "IP address and HTTP headers":
> Google scans images for signs of suspicious content before you receive them.
> These scans make images safer because:
> - Senders can’t use image loading to get information about your computer or location.
> - Senders can't use the image to set or read cookies in your browser.
> - Gmail checks the images for known harmful software.
Sometimes, senders may know whether you've opened an email that has an image. Gmail scans every message for suspicious content. If Gmail thinks that a sender or message is suspicious, images aren’t shown and you’ll be asked if you want to see the images.".
###
Personally, I think this is quite silly, because I routinely disclose my IP address and HTTP headers without considering it particularly sensitive, but I don't want senders to know that their their email messages have been opened.
To validate a signature, the code doing that validation needs direct access to the message prior to any rewriting. I don't think the proxy introduces any barriers to that access, assuming the validation occurs on Gmail servers, as the Gmail interface can present the results of that server-side validation.
If you wanted to validate it yourself instead of trusting Gmail to do it for you, you'd use the "Show original" feature which gives you the original (per its namesake) without any rewriting as well. I assume (but haven't tested) that connecting to your mailbox via IMAP, POP, etc. also causes you to retrieve the original, with the rewriting only coming into play when using the Gmail web interface.