One-Click List-Unsubscribe: Difference between revisions

From InboxSys document library
Jump to navigation Jump to search
No edit summary
No edit summary
Line 35: Line 35:


* [https://datatracker.ietf.org/doc/html/rfc8058 RFC 8058]
* [https://datatracker.ietf.org/doc/html/rfc8058 RFC 8058]
* [https://inboxsys.com/introducing-the-one-click-unsubscribe-to-inboxsys/ InboxSys blog article about One-Click List-Unsubscribe]
* [https://certified-senders.org/wp-content/uploads/2017/07/CSA_one-click_list-unsubscribe.pdf CSA whitepaper]
* [https://certified-senders.org/wp-content/uploads/2017/07/CSA_one-click_list-unsubscribe.pdf CSA whitepaper]

Revision as of 23:26, 11 June 2024

One-Click List-Unsubscribe was invented as a solution to solve a fatal flaw in the https-method of the List-Unsubscribe mechanism. The unsubscribe https-links in the List-Unsubscribe header require a one-click GET mechanism. That means, when the link is clicked, the unsubscription is immediate and all parameters involved are visible from the URL. This mechanism is vulnerable to mistakes and abuse. The List-Unsubscribe link can easily be executed by accident or malicious intent.

This vulnerability can be combated, by adding a specific header to your messages, in addition to the List-Unsubscribe header. The One-Click List-Unsubscribe-header:

List-Unsubscribe:<mailto:listrequest@example.com?subject=unsubscribe>,<https://example.com/unsubscribe.html?opaque=123456789>
List-Unsubscribe-Post: List-Unsubscribe=One-Click

This header simply says, that the displayed GET variables should be sent in a POST request, instead of a GET request. The POST request from the example to your unsubscription-landing-page would look like this:

POST /unsubscribe.html?opaque=123456789
HTTP/1.1 Host: example.com
Content-Type: application/x-www-form-urlencoded
Content-Length: 26 List-Unsubscribe=One-Click

On your landing page it's very important to:

  • Process POST requests
  • Ignore GET requests

One-Click List-Unsubscribe in InboxSys

In the content-section of InboxSys campaign tests, you can see:

  • If your One-Click List-Unsubscribe header is present
  • If your One-Click List-Unsubscribe header is syntactically correct

Useful links