by TheCycoONE 898 days ago
DKIM, SPF, and DMARC are old hat and implemented by anyone serious for years. What's buried in this article is the required https://datatracker.ietf.org/doc/html/rfc8058 support for one-click unsubscribe posts. I don't see many messages in my inbox yet with that.

I've seen a perverse dark pattern on one-click unsubscribe. The page you land at has a button that lets you resubscribe! It's non-obvious that you've already unsubscribed, and it looks like the regular two-click flow where you need to enter your email address to confirm. Very sneaky.
If unsubscribing requires even two clicks I always flag it as spam. The rule is one-click to unsubscribe and I ruthlessly enforce it. Make it their problem.
Huh, I am an individual who is a scientist, not a web dev.

I paid some company to do my email.

I email 3 times per year and get 'spam' warnings from AWS every time despite everyone subscribing through a: "SUBSCRIBE TO OUR NEWSLETTER"

No bait, just an email field and submit.

I wonder if it's your type that makes it so I have to be Amazon for forgiveness. Or at least that is how it used to be; now I sell addictive clicking casino games. No emails needed. I make way more money than back when I was giving away free content via email.

I tried that once with Nextdoor. They will group their mailings into different lists. The unsubscribe button only removes you from that list. To disable them all is 30+ clicks on the site once logged in. It's horrible.
For this kind, my 'unsubscribe' button is labelled 'report spam'
Facebook too, unsubscribe is just a single of one of their hundred marketing emails.
My rule is I unsubscribe once. Then I block the sender or in the case of places like nextdoor, the entire domain.
I just went through this with Nextdoor in October. Well, I personally didn't do all 50 clicks, but I asked their customer service to do it and they confirmed I was unsubscribed.

Of course, I got a new message from them yesterday because they've added a dozen different lists since then and automatically opted everyone into them.

Is this technically permitted behavior under CAN-SPAM? Seems like a company could just create a new "newsletter / list" for every new marketing email they send.
It'd be up to a judge and/or jury to decide. If one can establish that the intent was to ignore one's attempts to unsubscribe, it'd be a pretty clear-cut violation. Most reputable senders have an "opt out of all further communications" checkbox (with some fine print about legally required and transactional emails). Pretty much the only way to bring a private action under CAN-SPAM though is to be an ISP and show "actual damages".
It could have been that you clicked that tiny, greyed-out, hidden unsubscribe link by accident.
Or forwarded the mail to 256 of your closest friends and one of them clicked the unsubscribe link.
Worse, the unsubscribe link is behind a tracker url so pi-hole blocks it. Drives me nuts.
> I've seen a perverse dark pattern on one click unsubscribe.

The new requirement specifically sidesteps this, by making it possible for the email client to send a POST request directly. No need to visit the website at all; just click a button in the email client. In Gmail, senders that have this implemented now have a big blue UNSUBSCRIBE button next to their email address at the top of the message.

I understand that the request happens in the background by the MUA at the user's express consent, and the unsubscribe is not allowed to send back any ui/html/whatever to present to the user, but the RFC is missing any information about how a response ought to be handled, HTTP Status code wise? Retry if 400/500? Give user any affirmative or negative response that it succeeded or failed?
That's up to the MUA, but I imagine that they would at least show an error dialog. If the backend of that POST is broken, then the spam complaints are going to rack up, which will get the list blocked, List-Unsubscribe header or no (some of the most notorious spammers around were actually quite scrupulous about having said header, which they would actually obey ... temporarily)
You can't send back anything? Oops. I'd better re-read the RFCs; that's not how I implemented it...
That's very odd to me. Where are you located? I'm in the United States and virtually all my newsletter/marketing emails have one-click unsubscribe these days. The only ones which don't are from foreign companies, e.g. I bought a day planner from Hobonichi and found they put their unsubscribe behind a login, to my irritation.
I’d say somewhere around half of the marketing emails I receive in the USA have one-click unsubscribe. It’s still very common to have unsubscribe links that require you to enter your email address and then select that you actually want to unsubscribe from everything, etc. And some of them still require logins, although those are getting rarer. Not sure if it’s actually a loophole, but one of the dark patterns I’m seeing often is that one-click unsubscribe generally only unsubscribes you from a very specific type of notification or topic of the mailing list, and you’ll still get other types of emails unless you fully log into your account, go into your email settings and unsubscribe from everything. Not sure exactly how Google and Yahoo treat those, but it feels kind of like marketers found a loophole that seems to work for them.
GitHub unsubscribe is behind a login. Very annoying. We have an account with a company e-mail that is an alias to admins and it was subscribed to a few issues. One morning I got so annoyed with Thunderbird's non-working message filters that I took the time to look up the password, log in, unsubscribe and disable all nuisance e-mail communication.
That is not marketing email though
Of course. But if I do my own service that notifies clients over e-mail, then it is "marketing e-mail".
I also get a fair number where there is an unsubscribe link, but it doesn't work. Or I unsubscribe and then a few months later am somehow resubscribed. It might be malicious. But I think in many cases the cause is just that the company doesn't really care that much, and doesn't prioritize fixing the unsubscribe flow if it breaks.
I'm in Canada, but I don't think that's it.

- Docker Newsletter: `List-Unsubscribe: <mailto:redacted@unsub-sj.mktomail.com>` - but missing http post/one-click header

- Java Weekly: link in body but no header

- Expensify: compliant

- Gradle: compliant

- Confluence Digest: No unsubscribe header

- Apache Mailing Lists: mailto header, but missing required http post / one-click

I think the confusion is that it's not just having a link, it's a specific set of headers, dkim signed fields, and form response that allows a mail client to unsubscribe with no user interaction.

Same. Basically everything that comes from a legitimate mailing list/subscription has it. Even stuff I would personally consider spam like political mailing lists have it.

It’s only the worst spam stuff that doesn’t. The obvious scam stuff sent to any email address they can find, containing every language I don’t speak, with lots of bad obfuscation to stop keyword scanners from 2002.

> Basically everything that comes from a legitimate mailing

There's the fly in the ointment. "Legitimate" shades off very slowly into bottom feeding Sanford Wallace-ass spamming. The temptation to become worse and worse is real, economics favor spamming, as it externalizes advertising costs. Until the torches and pitchforks come out.

A lot of the spam from the US I get (I'm in NZ), for things like US political fundraisers for politicians, or car dealerships in various US states, has links to click, but when I do click them you often then seem to have to enter your email address before submitting the form.
My favourite thing is when the unsubscribe page itself blocks my country due to GDPR...
also it violates longstanding security measures against malicious prank unsubscribes; it means that if you forward an email list message to someone else, they can unsubscribe you without your consent as a prank
Requiring the user to login to unsubscribe also has the nice effect of requiring them to know the password, otherwise they have to go through the reset procedure. Of course you need to be really secure and do 2FA as well.

Hey, if this reduces the number of people who successfully unsubscribe, don't blame me, I'm just over here trying to make sure things are secure!

Yep.

Don't want these marketing emails? Unsubscribe here.

Oh, you need to login in order to do that.

No, that's the wrong password for your account. Forgot password?

Hm, we don't see your account existing. Probably a different email address?

... sigh... sent a couple of emails to the data protection contact listed, but after 5 years, I still get the emails and I occasionally try to login again.

So I just automatically mark it as spam every time.

But probably because they're a small provider and don't have the resources; this is the largest telecommunications provider in Germany.

the standard approach is that unsubscribing sends an unsubscribe confirmation mail to the subscribed email address, replying to which confirms the unsubscription. nothing about logins or passwords or the web. this has been standard practice for 25–30 years
I have never seen anyone do that and I believe it has been literally illegal in the U.S. for the last 20 years. From https://www.ftc.gov/business-guidance/resources/can-spam-act...:

"You can’t [...] make the recipient take any step other than sending a reply email or visiting a single page on an Internet website as a condition for honoring an opt-out request."

this is not 'taking any step other than sending a reply email' and it's the standard way mailing lists managed with mailman or majordomo or ezmlm have worked for quite a bit longer than 20 years

also, according to that page, the can-spam act only applies to 'any electronic mail message the primary purpose of which is the commercial advertisement or promotion of a commercial product or service', not to mailing lists

You keep talking about a particular style as though it is standard practice that's essential for security, even though it is both unusual and now illegal in many parts of the world.

I have not seen such an unsubscribe flow in more than a decade, at this point. I assume you're thinking of mailman or some other similar solution that was already dated two decades ago, let alone now.

something can simultaneously be standard practice in one community, essential for security, unusual in another community, and illegal in many parts of the world, though nobody seems to have found any laws against the standard mailman unsubscription mechanism in this thread

it is understandable that people who are not familiar with a cultural practice might seek to marginalize it, but that does not make it right

i don't really care about making life easier for people who send email advertisements (a cultural practice i am sadly all too familiar with) but i think discussion email lists are important and valuable, even if you personally don't participate in them

That’s gonna catch a report spam from me dawg
hopefully people like you won't be able to figure out how to subscribe to the mailing list in the first place
Not only that, it also requires them to accept your EULA/Privacy Policy before you let them unsubscribe.
requiring web access to subscribe or unsubscribe is unacceptable
There is a special place in hell for people who require login to unsubscribe
Forwarding an email should strip this header, probably along with most of the other irrelevant ones potentially containing sensitive information the user isn't aware of. Forwarding an email with Gmail only keeps the From, To, Date and Subject headers.
i feel like if we're talking about a header the user isn't aware of, most users probably won't be able to use it to unsubscribe either
End users won't use the header. Email clients will use the header when you hit the report spam or unsubscribe buttons they will display.
Users don't need to be aware of the header, they just need to use a client that knows what to do with it.
> it means that if you forward an email list message to someone else, they can unsubscribe you without your consent as a prank

Surely that is a bug in the email client that forwarded the email. It should have replaced the headers, including List-Unsubscribe, with its own.

That looks to be what's happened in the emails I receive. The one exception would be if someone forwarded an email as an attachment, but in practice almost no one does that.

what does your user interface for interacting with the list-unsubscribe header look like?
I haven't unsubscribed from a list in years, perhaps decades, despite being subscribed to a few. So I can only tell you from memory. In Thunderbird, I believe I've seen a "List Unsubscribe" button in the list of actions available, alongside "Reply-All", "Edit as New" and so on.

In Gmail I believe senders that have this implemented now have a big blue UNSUBSCRIBE button next to their email address at the top of the message.

Neither appears if the headers aren't there.

Ideally a big green "Unsubscribe" button. Make it promise cookies too for good measure.
What real harm could come from such a prank? I hardly see the need for such "security" measures.
- we're just about to discuss a contentious topic and vote on it. i bet bob and lauren will be opposed to our suggested solution. wouldn't it be nice if they accidentally happened to get unsubscribed for a few days without notice, so they can't rebut our arguments?

- adding a new member to the list requires a vote of approval of the existing members. bob apparently unsubscribed last week and now he wants to resubscribe. can we take a vote on whether to let him back in or not?

- when someone who isn't a member of the list attempts to post to it, we add their domain to the spam blacklist and report them to Vipul's Razor. hmm, weird that bob.example.com is on our spam blacklist, how could that happen?

- bob, i'm afraid i have to write you up for having violated the new company policy i posted to the policy-announce-important list last week. well, if you didn't read it, that's your problem

So in other words, there is no plausible scenario.
if you think these are unrealistic, i've got news for you; the world is a lot bigger than you think it is
In other words, you made these scenarios up and you know perfectly well that they're unrealistic, but now the onus is on everyone else to prove you wrong.
What kind of newsletters are you subscribed to
Malicious compliance, to make unsubscription more annoying, so spam can continue to flow.
As far as pranks go, this is one where I'll probably thank the prankster instead of being annoyed. Even stuff I'm subscribed to intentionally, I can live without if it went away.
It would be nice to have something you can put in the footer which email clients recognize and strip when you are forwarding an email
I think unsubscription without requiring login should be already mandated by some regulations (CAN-SPAM law and maybe GDPR).
according to https://www.ftc.gov/business-guidance/resources/can-spam-act... the can-spam act only applies to 'any electronic mail message the primary purpose of which is the commercial advertisement or promotion of a commercial product or service' so it's irrelevant to mailing list discussions
Is this a real problem in your life?
I have seen Outlook and other systems click on every link in our mailings. Using a sandboxed browser.

How can one click unsubscribe work here? Mail scanners, virus scanners and even Microsoft's own spam filters would probably click these links!

The unsubscribe links are POSTs, not GETs. That's basically the entire safety net.
Really? I have not seen a <form> HTML element in an email in decades! Do you mean a List-Unsubscribe header? I mean the hyperlink at the end of an email with "unsubscribe". I think it would be good if that unsubscribe link opened a page where one would need to press one more button to prove that it is not automatically invoked by URL scanners. But this would not be "one click" unsubscribe anymore. So how can this be solved? Why isn't everybody who uses Office 365 or Hotmail constantly auto-unsubscribed?
I was talking about https://datatracker.ietf.org/doc/html/rfc8058. Where the URL is in the headers as List-Unsubscribe: <URL>

A 2 page overview is here: https://certified-senders.org/wp-content/uploads/2017/07/CSA...

> required support for one-click unsubscribe posts

The article gets it wrong. They imply that emails have to have one-click unsubscribe links, which isn't true. Emails need to include headers (described in your link,) which the mail client can use.
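The header mechanism described in this reply (and in the earlier "specific set of headers, DKIM-signed fields, and form response" comment), worked through on both sides as an added example. This is illustration code written for this page, not code from the RFC, Gmail, or any sender in the thread. It assumes constructed sample messages (example.com / example.org addresses, a placeholder DKIM signature whose cryptographic verification is taken as already done by the receiving MTA, and a made-up unsubscribe token `abc123`). It shows the three checks an MUA makes before offering the button (HTTPS URI in `List-Unsubscribe`, the exact `List-Unsubscribe-Post` value, and both headers listed in the DKIM `h=` tag), the bare POST it then sends, and a simulated sender endpoint that only changes state on that POST, which is why a link scanner that GETs every URL in a message does not unsubscribe anyone.

```python
"""RFC 8058 one-click unsubscribe, MUA side and sender side, on constructed samples."""
import email
import re
from email import policy
from urllib.parse import urlsplit

ONE_CLICK_BODY = "List-Unsubscribe=One-Click"  # exact POST body and header value from RFC 8058

# Constructed sample messages (not real mail from the thread). DKIM bh=/b= values are
# placeholders: signature verification is assumed done upstream by the receiving MTA.
COMPLIANT = b"""DKIM-Signature: v=1; a=rsa-sha256; d=example.com; s=news;
 h=From:To:Subject:List-Unsubscribe:List-Unsubscribe-Post; bh=placeholder; b=placeholder
From: News <news@example.com>
To: alice@example.org
Subject: Weekly digest
List-Unsubscribe: <mailto:unsub@example.com?subject=unsubscribe>,
 <https://example.com/unsub/abc123>
List-Unsubscribe-Post: List-Unsubscribe=One-Click

Hello.
"""

# mailto-only List-Unsubscribe and no List-Unsubscribe-Post, like the "Docker Newsletter" case.
MAILTO_ONLY = b"""DKIM-Signature: v=1; a=rsa-sha256; d=example.com; s=news;
 h=From:To:Subject:List-Unsubscribe; bh=placeholder; b=placeholder
From: News <news@example.com>
To: alice@example.org
Subject: Digest
List-Unsubscribe: <mailto:unsub@example.com>

Hello.
"""

# Both headers present, but the DKIM h= tag does not cover them: not eligible for one-click.
UNSIGNED_HEADERS = b"""DKIM-Signature: v=1; a=rsa-sha256; d=example.com; s=news;
 h=From:To:Subject; bh=placeholder; b=placeholder
From: News <news@example.com>
To: alice@example.org
Subject: Digest
List-Unsubscribe: <https://example.com/unsub/abc123>
List-Unsubscribe-Post: List-Unsubscribe=One-Click

Hello.
"""


def parse_message(raw: bytes):
    return email.message_from_bytes(raw, policy=policy.default)


def unsubscribe_uris(msg):
    """URIs inside <...> in List-Unsubscribe, in header order (mailto and https both allowed)."""
    value = msg.get("List-Unsubscribe")
    return re.findall(r"<([^>]+)>", str(value)) if value is not None else []


def dkim_signed_headers(msg):
    """Header names listed in any DKIM-Signature h= tag, lower-cased."""
    signed = set()
    for sig in msg.get_all("DKIM-Signature", []):
        for tag in str(sig).split(";"):
            name, _, val = tag.strip().partition("=")
            if name.strip().lower() == "h":
                signed.update(h.strip().lower() for h in val.split(":"))
    return signed


def one_click_uri(msg):
    """HTTPS URI the MUA may POST to with no page visit, or None if RFC 8058 conditions fail."""
    post = msg.get("List-Unsubscribe-Post")
    if post is None or str(post).strip() != ONE_CLICK_BODY:
        return None
    if not {"list-unsubscribe", "list-unsubscribe-post"} <= dkim_signed_headers(msg):
        return None  # headers not DKIM-covered: a forwarder or spoofer could have added them
    for uri in unsubscribe_uris(msg):
        if urlsplit(uri).scheme == "https":
            return uri
    return None


def build_post(uri):
    """The request the MUA sends on the button click: a bare POST, no cookies or auth context."""
    return {
        "method": "POST",
        "url": uri,
        "headers": {"Content-Type": "application/x-www-form-urlencoded"},
        "body": ONE_CLICK_BODY,
    }


def sender_endpoint(method, body, subscribers, token):
    """Simulated sender side for https://example.com/unsub/<token>.
    Returns (http_status, unsubscribed). Only a POST carrying the one-click body changes
    state; a GET (what link-scanning gateways issue) just gets an interactive page."""
    if method == "GET":
        return 200, False  # serve a confirmation page with a button; nothing changes yet
    if method != "POST":
        return 405, False
    if body.strip() != ONE_CLICK_BODY:
        return 400, False
    return 200, subscribers.pop(token, None) is not None


if __name__ == "__main__":
    uri = one_click_uri(parse_message(COMPLIANT))
    subs = {"abc123": "alice@example.org"}
    print(uri, sender_endpoint("GET", "", subs, "abc123"), sender_endpoint("POST", build_post(uri)["body"], subs, "abc123"))
```

The DKIM `h=` check is the part most home-grown implementations skip: without it, anyone who can get a message into your inbox can attach someone else's unsubscribe URL to it, which is the prank scenario raised later in this thread. The endpoint deliberately keeps GET side-effect free so that the same URL can double as the "visit a single page" fallback without being triggered by scanners.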

How does that interact with crawlers, like what Microsoft does? (They visit every link in every email, it seems.) Does it automatically unsubscribe you by error then?
Unsubscribe links make me nervous. Such an obvious attack vector.