One-Click List-Unsubscribe
Revision as of 23:26, 11 June 2024
One-Click List-Unsubscribe (RFC 8058) was introduced to fix a serious weakness in the https variant of the List-Unsubscribe mechanism. A mail client or mailbox provider can only open an https link from the List-Unsubscribe header with a plain GET request, and for the unsubscribe to happen in one click that GET has to act immediately, with every parameter involved visible in the URL. Such a request is easy to trigger by mistake or on purpose: anti-spam link scanners and preview fetchers follow it automatically, and anyone who obtains the URL can execute it without the recipient ever asking for it.
This weakness is addressed by adding a second header to your messages alongside the List-Unsubscribe header. The One-Click List-Unsubscribe header, shown here together with a List-Unsubscribe header whose https link carries a per-recipient opaque token:
List-Unsubscribe: <mailto:listrequest@example.com?subject=unsubscribe>, <https://example.com/unsubscribe.html?opaque=123456789>
List-Unsubscribe-Post: List-Unsubscribe=One-Click
The header tells the receiving mail system that, instead of a GET, it should send a POST to the https URI: the query string stays exactly as it appears in the header, the body is the fixed string List-Unsubscribe=One-Click, and that single request completes the unsubscription with no further user interaction. RFC 8058 additionally requires the URI to be https, the message to carry a valid DKIM signature covering both the List-Unsubscribe and the List-Unsubscribe-Post header, and the opaque value to identify the recipient on its own, because the POST is sent without cookies or any session state. The POST from the example to your unsubscription landing page looks like this:
POST /unsubscribe.html?opaque=123456789 HTTP/1.1
Host: example.com
Content-Type: application/x-www-form-urlencoded
Content-Length: 26

List-Unsubscribe=One-Click
On your landing page it is essential to:
- Act only on POST requests whose body is exactly List-Unsubscribe=One-Click (as application/x-www-form-urlencoded or multipart/form-data) and whose opaque token matches a known recipient
- Never change a subscription on a GET request; a GET may at most render a page with a manual confirm button, so that link scanners and accidental clicks cannot unsubscribe anyone
- Treat the opaque value as a per-recipient, unguessable token, because anyone who can construct it can unsubscribe that recipient
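The following is an added example, not InboxSys code or code from the RFC, that shows both sides of the exchange described above: building the two headers with a per-recipient token, a receiver picking the https URI only when One-Click is offered correctly, and the landing-page logic that acts on a well-formed POST but never on a GET. The secret, the example.com URLs, the subscriber ids, the list id and the "<id>.<hmac>" token format are all assumptions made for this example.

```python
# Added example (not InboxSys code): both sides of an RFC 8058 One-Click
# unsubscribe. Secret, URLs, subscriber ids and the token format are constructed.
import hashlib
import hmac
import re
from typing import Dict, Optional, Set, Tuple
from urllib.parse import parse_qs, urlsplit

SECRET = b"example-only-secret"  # assumption: in practice loaded from a secret store
ONE_CLICK_BODY = "List-Unsubscribe=One-Click"
LANDING = "https://example.com/unsubscribe.html"  # assumed landing-page URL


def make_opaque(subscriber_id: str, list_id: str) -> str:
    """Per-recipient token '<id>.<mac>' (ids assumed dot-free); the MAC makes it
    unguessable and detects tampering with the id part."""
    mac = hmac.new(SECRET, f"{list_id}\n{subscriber_id}".encode(), hashlib.sha256).hexdigest()
    return f"{subscriber_id}.{mac[:32]}"


def verify_opaque(token: str, list_id: str) -> Optional[str]:
    """Return the subscriber id if the token is authentic, else None."""
    subscriber_id, sep, mac = token.partition(".")
    if not sep or not subscriber_id:
        return None
    expected = make_opaque(subscriber_id, list_id).split(".", 1)[1]
    if hmac.compare_digest(mac, expected):
        return subscriber_id
    return None


def build_headers(subscriber_id: str, list_id: str) -> Dict[str, str]:
    """Sender side: the two headers to add to every outgoing message."""
    token = make_opaque(subscriber_id, list_id)
    return {
        "List-Unsubscribe": (
            "<mailto:listrequest@example.com?subject=unsubscribe>, "
            f"<{LANDING}?opaque={token}>"
        ),
        "List-Unsubscribe-Post": ONE_CLICK_BODY,
    }


def pick_one_click_uri(headers: Dict[str, str]) -> Optional[str]:
    """Receiver side: the https URI to POST to, or None if One-Click is not offered.

    RFC 8058 requires List-Unsubscribe-Post to be exactly 'List-Unsubscribe=One-Click'
    and exactly one https URI in List-Unsubscribe. DKIM verification of both
    headers, also required by the RFC, is outside this example.
    """
    if headers.get("List-Unsubscribe-Post", "").strip() != ONE_CLICK_BODY:
        return None
    uris = re.findall(r"<([^>]+)>", headers.get("List-Unsubscribe", ""))
    https = [u.strip() for u in uris if u.strip().lower().startswith("https://")]
    return https[0] if len(https) == 1 else None


def handle_unsubscribe(method: str, target: str, content_type: str, body: str,
                       list_id: str, unsubscribed: Set[str]) -> Tuple[int, str]:
    """Landing-page logic returning (HTTP status, outcome). Only a well-formed
    POST with an authentic token changes the subscription set."""
    token = (parse_qs(urlsplit(target).query).get("opaque") or [""])[0]
    if method == "GET":
        # A GET never unsubscribes; at most it renders a page with a confirm button.
        return 200, "show-confirmation-page"
    if method != "POST":
        return 405, "method-not-allowed"
    # Simplification: only form-urlencoded is handled here; RFC 8058 also allows multipart/form-data.
    if content_type.split(";", 1)[0].strip().lower() != "application/x-www-form-urlencoded":
        return 415, "unsupported-media-type"
    if parse_qs(body, keep_blank_values=True) != {"List-Unsubscribe": ["One-Click"]}:
        return 400, "bad-one-click-body"
    subscriber_id = verify_opaque(token, list_id)
    if subscriber_id is None:
        return 404, "unknown-token"  # same answer for forged and unknown tokens
    unsubscribed.add(subscriber_id)
    return 200, "unsubscribed"
```

The landing page deliberately answers a GET without touching state, so a link scanner that fetches the URL sees a page and nothing else, while the same URL receiving the RFC 8058 POST unsubscribes exactly one recipient. Binding the subscriber id to an HMAC means a token copied from one message cannot be edited into a token for someone else.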
One-Click List-Unsubscribe in InboxSys
In the content section of InboxSys campaign tests, you can see:
- If your One-Click List-Unsubscribe header is present
- If your One-Click List-Unsubscribe header is syntactically correct