The solution assumed mail clients would be adapted to enforce this. So if you send me a forged email claiming to be from HSBC, the mail client would allow showing HTML content only from an HTTPS connection to somewhere on HSBC.
Kind of like the same-origin policy but where the origin is the domain the email claims it came from.
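
A sketch of the check such a mail client could run, as an added example that is not part of the original comment. It assumes that "somewhere on" the claimed domain means the domain itself or any subdomain; `hsbc.example`, `evil.test` and all function names are constructed for illustration.

```python
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlsplit

URL_ATTRS = {"src", "href", "background", "poster"}  # attributes that carry a URL

class UrlCollector(HTMLParser):
    """Collects every URL-bearing attribute value found in an HTML body."""
    def __init__(self):
        super().__init__()
        self.urls = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in URL_ATTRS and value:
                self.urls.append(value.strip())

def claimed_domain(from_header):
    """Domain the message claims to come from (the 'origin'), or None."""
    addr = parseaddr(from_header)[1]
    _, at, domain = addr.rpartition("@")
    return domain.lower().rstrip(".") if at else None

def url_allowed(url, domain):
    """True only for https URLs whose host is the domain or a subdomain of it."""
    try:
        parts = urlsplit(url)
        host = (parts.hostname or "").lower().rstrip(".")
    except ValueError:  # malformed URL, e.g. a broken IPv6 literal
        return False
    if parts.scheme != "https":
        return False
    # Compare on a label boundary so 'nothsbc.example' does not match.
    return host == domain or host.endswith("." + domain)

def check_message(from_header, html_body):
    """Split the URLs in html_body into (allowed, blocked) for this sender."""
    domain = claimed_domain(from_header)
    collector = UrlCollector()
    collector.feed(html_body)
    allowed, blocked = [], []
    for url in collector.urls:
        ok = bool(domain) and url_allowed(url, domain)
        (allowed if ok else blocked).append(url)
    return allowed, blocked

# Constructed sample message, not taken from any real mail.
SAMPLE_FROM = "HSBC Alerts <alerts@hsbc.example>"
SAMPLE_HTML = ('<img src="https://images.hsbc.example/logo.png">'
               '<a href="http://hsbc.example/login">plain http</a>'
               '<img src="https://hsbc.example.evil.test/p.gif">'
               '<a href="https://hsbc.example@evil.test/">userinfo</a>'
               '<img src="https://nothsbc.example/t.gif">')
```

Only the first URL in the sample passes; the others fail on scheme, on a lookalike suffix, on the userinfo form, or on a missing label boundary.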