<?xml version="1.0" encoding="US-ASCII"?>
<?xml-stylesheet type='text/xsl' href='rfc2629.xslt' ?>
<!DOCTYPE rfc SYSTEM "rfc2629.dtd" [
        <!ENTITY RFC2119 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.2119.xml">
        <!ENTITY RFC2369 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.2369.xml">
        <!ENTITY RFC5322 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.5322.xml">
        <!ENTITY RFC7489 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.7489.xml">
        ]>
<?rfc compact="yes" ?>
<?rfc subcompact="no" ?>
<?rfc toc="yes" ?>
<?rfc tocindent="yes" ?>
<?rfc tocdepth="2" ?>
<?rfc symrefs="yes" ?>
<?rfc sortrefs="yes"?>
<?rfc iprnotified="no" ?>
<rfc category="std" docName="draft-levine-herkula-oneclick-00" ipr="trust200902">
    <front>
        <title abbrev="One click unsubscribe">Signalling one-click functionality for list email headers</title>
        <author fullname="John Levine" initials="J." surname="Levine">
            <organization>Taughannock Networks</organization>
            <address>
                <postal>
                    <street>PO Box 727</street>
                    <city>Trumansburg</city>
                    <code>14886</code>
                    <region>NY</region>
                </postal>
                <phone>+1 831 480 2300</phone>
                <email>standards@taugh.com</email>
                <uri>http://jl.ly</uri>
            </address>
        </author>
        <author fullname="Tobias Herkula" initials="T." surname="Herkula">
            <organization>optivo GmbH</organization>
            <address>
                <postal>
                    <street>Wallstrasse 16</street>
                    <city>Berlin</city>
                    <code>10179</code>
                    <country>Germany</country>
                </postal>
                <phone>+49 30 768078 129</phone>
                <email>t.herkula@optivo.com</email>
                <uri>https://www.optivo.com</uri>
            </address>
        </author>
        <date month="July" year="2016"/>
        <area>Operations and Management</area>
        <keyword>email</keyword>
        <keyword>mailing list</keyword>
        <abstract>
            <t>
                This document describes a method for signaling a one-click function for
                the List-Unsubscribe email header.  The need for this arises because
                mail software sometimes fetches the URLs found in mail headers, and
                thereby accidentally triggers unsubscriptions in the case of the
                List-Unsubscribe header.
            </t>
        </abstract>
    </front>
    <middle>
        <section title="Introduction">
            <t>
                An <xref target="RFC2369" /> email header can contain HTTP or HTTPS URIs.
                In a List-Unsubscribe header, the HTTP or HTTPS URI should unsubscribe
                the recipient of the email from the list.  But anti-spam software often
                fetches all resources in mail headers automatically, without any action
                by the user, and a plain GET on such a URI then unsubscribes a recipient
                who never asked for it.
                As a result of this unintended but harmful behavior, senders implement
                landing pages with a confirmation step to finish the unsubscribe
                request, which in turn stops mail clients from unsubscribing on the
                user's behalf with a single action.  This document addresses this part
                of the problem with a POST action that receivers can issue and that
                senders can distinguish from other requests and therefore handle as a
                one-click unsubscription.
            </t>
        </section>
        <section title="Definitions">
            <t>
                The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
                "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
                document are to be interpreted as described in BCP 14, <xref target="RFC2119" />.
            </t>
            <t>
                One-click describes an action that directly triggers a change
                in a system's state and that is intended to be performed only at a
                user's explicit request.
            </t>
        </section>
        <section title="High-Level Goals">
            <t>This document has several goals.
                <list style="symbol">
                    <t>
                        Allow email senders to signal "One-Click" functionality for specific
                        HTTP and HTTPS URIs used in <xref target="RFC2369" /> email headers.
                    </t>
                    <t>
                        Allow MUA designers to implement independent user interface features for
                        a better user experience.
                    </t>
                    <t>
                        Allow MUA users to trigger intended actions in a familiar environment
                        and without leaving the MUA context.
                    </t>
                </list>
            </t>
        </section>
        <section title="Out of Scope">
            <t>
                This document does not address problems caused by deliberately
                malicious behavior, as opposed to the unintended unsubscriptions
                described in the Introduction.
            </t>
        </section>
        <section title="Implementation">
            <section title="Mail senders">
                <t>
                    An entity responsible for sending an email that wishes to offer
                    an HTTP or HTTPS URI for one-click unsubscriptions places
                    both a List-Unsubscribe and a List-Unsubscribe-Post header in the
                    message.  The List-Unsubscribe-Post header MAY contain multiple
                    key-value pairs needed by the sending entity.  It MUST contain the
                    key-value pair "List-Unsubscribe=One-Click" to adhere to this specification.
                </t>
                <t>
                    The combination of the URI in the List-Unsubscribe header and the POST arguments
                    in the List-Unsubscribe-Post header MUST identify the mail recipient, so that
                    the unsubscription process knows which address to unsubscribe.
                    A "one click" action has no opportunity to ask the user which address
                    he or she wishes to unsubscribe.
                </t>
                <t>
                    The sending entity MUST provide the infrastructure to handle POST
                    requests to the URI specified in the List-Unsubscribe header.
                </t>
                <t>
                    The "One-Click" action triggered by this URI MUST complete promptly
                    and MUST NOT require further interaction from the requester, such as
                    a confirmation page.  The sending entity cannot expect the requester
                    to follow HTTP redirects, so the POST itself has to perform the
                    unsubscription.
                </t>
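                <t>
                    As an added illustration, not part of this draft, the following Python sketches the two sender-side pieces described above: a function that emits the two headers, and a handler for the POST endpoint that enforces the rules of this section (POST only, form-encoded body, the "List-Unsubscribe=One-Click" pair present, recipient identified by URI and POST arguments together, no redirect, idempotent). The list identifier, the HMAC-derived token in the URI, the shared secret and the in-memory subscription store are assumptions made for the example. The recipient address travels in the List-Unsubscribe-Post body as in the Examples section, and the endpoint accepts the unsubscription only when that address matches the token in the URI, so a POST body edited to name some other address is refused.
                </t>
                <figure>
                    <artwork><![CDATA[
```python
"""Sender side of one-click unsubscribe: header generation and the POST endpoint.

Added example, not part of the draft.  The list identifier, the HMAC token in the
URI, the shared secret and the in-memory subscription store are assumptions
made for this example.
"""
import hashlib
import hmac
from urllib.parse import parse_qs, urlencode, urlsplit

SECRET = b"constructed-demo-secret"             # per-sender secret, assumed
BASE_URI = "https://example.com/unsubscribe.html"  # host must equal the DKIM d= domain


def recipient_token(recipient, list_id):
    """Opaque value binding recipient and list; the endpoint uses it to check that
    the recipient named in the POST body is the one the message was sent to."""
    mac = hmac.new(SECRET, f"{list_id}\n{recipient.lower()}".encode(), hashlib.sha256)
    return mac.hexdigest()[:32]


def build_headers(recipient, list_id):
    """The two headers to add to the outgoing message (both belong in the DKIM h= tag)."""
    query = urlencode({"list": list_id, "t": recipient_token(recipient, list_id)})
    post = urlencode({"List-Unsubscribe": "One-Click", "recip": recipient})
    return {"List-Unsubscribe": f"<{BASE_URI}?{query}>",
            "List-Unsubscribe-Post": post}


def handle_unsubscribe(method, url, content_type, body, subscriptions):
    """Endpoint behind BASE_URI.  subscriptions maps list_id -> set of addresses.
    Returns (HTTP status, reason); state changes only for a valid POST."""
    if method != "POST":
        # GET/HEAD are what header-fetching filters issue: serve a confirmation
        # page here if desired, but never change state.
        return 405, "method not allowed"
    if content_type.split(";")[0].strip().lower() != "application/x-www-form-urlencoded":
        return 415, "unsupported media type"
    form = parse_qs(body, keep_blank_values=True)
    if form.get("List-Unsubscribe") != ["One-Click"]:
        return 400, "missing List-Unsubscribe=One-Click"
    query = parse_qs(urlsplit(url).query)
    list_id = query.get("list", [None])[0]
    token = query.get("t", [None])[0]
    recipient = form.get("recip", [None])[0]
    if list_id not in subscriptions or token is None or recipient is None:
        return 400, "recipient not identified"
    # URI token and POST argument must agree; otherwise anyone could unsubscribe
    # an arbitrary address just by editing the body.
    if not hmac.compare_digest(recipient_token(recipient, list_id), token):
        return 403, "recipient does not match token"
    if recipient in subscriptions[list_id]:
        subscriptions[list_id].discard(recipient)
        return 200, "unsubscribed"      # done in one request: no redirect, no further steps
    return 200, "already unsubscribed"  # idempotent: a repeated POST is harmless
```
]]></artwork>
                </figure>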
            </section>
            <section title="Mail receivers">
                <t>
                    A receiving entity that wants to use a List-Unsubscribe HTTP or HTTPS URI from
                    an email that also contains a List-Unsubscribe-Post header SHALL perform an
                    HTTP or HTTPS POST to the first HTTP or HTTPS URI in the List-Unsubscribe
                    header, sending the content of the List-Unsubscribe-Post header as the
                    request body with the Content-Type set to "application/x-www-form-urlencoded".
                </t>
                <t>
                    The receiving entity MUST NOT perform a POST on the HTTP or HTTPS URI without user
                    consent.  When and how the user's consent is obtained is not part of this
                    specification.
                </t>
                <t>
                    The request MUST use the HTTP method POST; other methods are not permitted.
                    HEAD and GET in particular must never be used where a state change is
                    triggered, since those are exactly the requests that automated header
                    fetching issues.  PUT and DELETE would offer similar functionality but
                    are often unavailable.
                </t>
            </section>
        </section>
        <section title="Additional Requirements">
            <t>
                The email MUST carry at least one valid authentication identifier.  In this
                version of the specification the only supported identifier type is the
                DKIM domain identifier: the domain in the "d=" tag of a validated
                DKIM-Signature header field, as used for identifier alignment in
                DMARC <xref target="RFC7489" />.
            </t>
            <t>
                The List-Unsubscribe and List-Unsubscribe-Post headers MUST be included in the "h=" tag of a
                valid DKIM-Signature header field, so that neither header can be added or
                altered in transit without invalidating the signature.
            </t>
            <t>
                The domain used in the HTTP or HTTPS URI MUST align with the domain in
                the "d=" tag of the valid DKIM-Signature header field whose "h=" tag
                includes these headers.
            </t>
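            <t>
                As an added illustration, not part of this draft, the following Python puts the receiver-side checks of the Mail receivers section and of this section together: it selects the first HTTP or HTTPS URI, confirms the "List-Unsubscribe=One-Click" signal, confirms that a DKIM-Signature header lists both header fields in its "h=" tag with a "d=" domain that aligns with the URI's host, and prepares (but does not send) the POST, leaving the consent step to the MUA. It assumes the DKIM signature itself has already been verified upstream, approximates relaxed alignment as "same domain or a subdomain of it" without a public-suffix list, and works on a constructed sample message.
            </t>
            <figure>
                <artwork><![CDATA[
```python
"""Receiver-side checks for a one-click List-Unsubscribe POST.

Added example, not part of the draft.  It assumes an MTA has already verified
the DKIM signature (only its h= and d= tags are inspected here), and it
approximates relaxed domain alignment without a public-suffix list.
"""
import re
from email import message_from_string
from urllib.parse import urlsplit

ONE_CLICK = "List-Unsubscribe=One-Click"
REQUIRED = {"list-unsubscribe", "list-unsubscribe-post"}

# Constructed sample message: folded headers, a mailto URI listed first, and a
# DKIM-Signature covering both List-Unsubscribe headers (bh=/b= are dummies).
SAMPLE = """\
DKIM-Signature: v=1; a=rsa-sha256; d=example.com; s=sel; c=relaxed/relaxed;
  h=From:To:Subject:List-Unsubscribe:List-Unsubscribe-Post; bh=dummy; b=dummy
From: news@example.com
To: user@example.com
Subject: Newsletter
List-Unsubscribe: <mailto:listrequest@example.com?subject=unsubscribe>,
  <https://example.com/unsubscribe.html?campaign=123456789>
List-Unsubscribe-Post: List-Unsubscribe=One-Click

Hello.
"""


def dkim_tags(sig):
    """Split a DKIM-Signature value into tag -> value, folding whitespace removed."""
    tags = {}
    for part in sig.split(";"):
        if "=" in part:
            name, value = part.split("=", 1)
            tags[name.strip()] = re.sub(r"\s+", "", value)
    return tags


def first_http_uri(list_unsubscribe):
    """First http(s) URI in a List-Unsubscribe header; mailto entries are skipped."""
    for uri in re.findall(r"<([^>]+)>", list_unsubscribe):
        uri = re.sub(r"\s+", "", uri)
        if uri.lower().startswith(("http://", "https://")):
            return uri
    return None


def aligned(host, d):
    """Approximation of relaxed alignment: identical, or one a subdomain of the other."""
    host, d = host.lower(), d.lower()
    return bool(d) and (host == d or host.endswith("." + d) or d.endswith("." + host))


def prepare_one_click(raw_message):
    """Return (request, reason).  request is the POST the MUA may send once the
    user has consented (consent itself is out of scope here); it is None when
    the message does not qualify, and reason says why."""
    msg = message_from_string(raw_message)
    post = msg.get("List-Unsubscribe-Post")
    lu = msg.get("List-Unsubscribe")
    if post is None or lu is None:
        return None, "headers missing"
    post = re.sub(r"\s+", "", post)
    if ONE_CLICK not in post.split("&"):
        return None, "no One-Click signal"
    uri = first_http_uri(lu)
    if uri is None:
        return None, "no http(s) URI"
    host = urlsplit(uri).hostname or ""
    # Both headers must be covered by a signature whose d= aligns with the URI host.
    for sig in msg.get_all("DKIM-Signature", []):
        tags = dkim_tags(sig)
        signed = {h.lower() for h in tags.get("h", "").split(":")}
        if REQUIRED <= signed and aligned(host, tags.get("d", "")):
            break
    else:
        return None, "headers not signed by an aligned DKIM domain"
    body = post.encode("ascii")
    return {
        "method": "POST",  # never GET or HEAD: those must not change state
        "url": uri,
        "headers": {"Content-Type": "application/x-www-form-urlencoded",
                    "Content-Length": str(len(body))},
        "body": body,
    }, "ok"
```
]]></artwork>
            </figure>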
        </section>
        <section title="Examples">
            <section title="Simple">
                <figure>
                    <preamble>Header in Email</preamble>
                    <artwork><![CDATA[
List-Unsubscribe: <https://example.com/unsubscribe.html>
List-Unsubscribe-Post: List-Unsubscribe=One-Click&recip=user@example.com
]]></artwork>
                </figure>
                <figure>
                    <preamble>Resulting POST request</preamble>
                    <artwork><![CDATA[
POST /unsubscribe.html HTTP/1.1
Host: example.com
Content-Type: application/x-www-form-urlencoded
Content-Length: 49

List-Unsubscribe=One-Click&recip=user@example.com
]]></artwork>
                </figure>
            </section>
            <section title="Complex">
                <figure>
                    <preamble>Header in Email</preamble>
                    <artwork><![CDATA[
List-Unsubscribe: <mailto:listrequest@example.com?subject=unsubscribe>,
    <https://example.com/unsubscribe.html?campaign=123456789>
List-Unsubscribe-Post: List-Unsubscribe=One-Click
]]></artwork>
                </figure>
                <figure>
                    <preamble>Resulting POST request</preamble>
                    <artwork><![CDATA[
POST /unsubscribe.html?campaign=123456789 HTTP/1.1
Host: example.com
Content-Type: application/x-www-form-urlencoded
Content-Length: 26

List-Unsubscribe=One-Click
]]></artwork>
                </figure>
            </section>
        </section>
        <section title="Security Considerations">
            <t>
                The List-Unsubscribe-Post header will typically contain the recipient address, but
                that address is usually also in the To: header, so it discloses nothing new.
                This specification allows anyone with access to a message to unsubscribe the recipient
                of the message, but that is already the case with the existing List-Unsubscribe header,
                just with more steps.  Because the state change requires a POST and receivers MUST NOT
                issue that POST without user consent, the one-click mechanism is not triggered by the
                automatic header fetching that motivated this document.
            </t>
        </section>
        <section title="Acknowledgements">
            <t>
                [TODO]
            </t>
        </section>
    </middle>
    <back>
        <references title="Normative References">
            &RFC2119;
            &RFC2369;
            &RFC5322;
            &RFC7489;
        </references>
    </back>
</rfc>
