[snowwrestler]

The one-click policy is actually about sending the list-unsubscribe header so the email client can render an opt-out button.

An unsubscribe link in the body of an email can have a confirm step.

In fact if you are serving a B2B audience it is essential that you do, since an increasing number of security services like Barracuda, Fortra, etc. auto-click every link in the email body to check for phishing. If you have one-click unsubscribe links in your email body, those people will be constantly unsubscribed without their knowledge.

[Ciunkos]

To stay CAN-SPAM compliant, the sender MUST NOT require anything else but an email and a single visit to a webpage. A confirmation page is OK but requiring an auth or any other information or steps is simply illegal.

As a rule of thumb, one-click List-Unsubscribe with List-Unsubscribe-Post headers and a plain opt-out page (with confirmation if you risk such security solutions clicking on them, applicable only in B2B as you say) for the unsubscribe link in the email body.

These links should ideally be personalized (i.e. encode recipient’s email/account ID) so the opt-out page would not even require users to put their emails.

And please keep List-Unsubscribe via mailto as well, some clients may not support HTTPS POST.

[natpalmer1776]

Realistically, even in B2B how many people legitimately want marketing emails or mailing lists at all?

[snowwrestler]

One of the B2B newsletters I used to help manage costs $25k per year to subscribe to. When email security systems started auto-clicking, we fielded a bunch of angry phone calls before we figured it out.

I know there’s a vocal contingent here on HN that hates all email, but the reality is that email is heavily used for things that people want.

[venusenvy47]

I just learned about the list-unsubscribe header in this article. Is this what allows Gmail to provide its own "Unsubscribe" button on certain emails next to the Subject line?? I've seen this button on certain emails and never knew how they decide when to implement it, or what it does.

[kirb]

That’s indeed what it is. It sends an automatic email to the List-Unsubscribe address, which if implemented correctly per the spec/regulations, authorises an immediate unsubscribe. More secure too because your email address is confirmed by SPF/DKIM. Nobody else with a copy of the email can unsubscribe you via List-Unsubscribe, like how just anyone can click the unsubscribe footer link if you forward it.