Why does Klaviyo DKIM sign the List-Unsubscribe header, and what are the implications?
Matthew Whittaker
Co-founder & CTO, Suped
Published 2 Jun 2025
Updated 17 Aug 2025
The email landscape is constantly evolving, with major inbox providers like Google and Yahoo recently introducing stringent new sender requirements. These updates aim to curb spam and enhance user experience, pushing email marketers to adopt best practices in authentication and unsubscribe mechanisms. One of the key aspects of these changes revolves around the List-Unsubscribe header, particularly how it interacts with DKIM.
Many email service providers (ESPs), including Klaviyo, have adapted their sending infrastructure to meet these new guidelines. A common observation among deliverability professionals is that Klaviyo now explicitly includes the List-Unsubscribe header within its DKIM signature's h= tag. This might seem like a small detail, but it carries significant weight in email deliverability and compliance.
The purpose of this article is to explore why Klaviyo (and other forward-thinking ESPs) are taking this step, what the underlying technical and regulatory reasons are, and what implications it has for your email programs. Understanding this can help you ensure your emails land in the inbox reliably.
DomainKeys Identified Mail (DKIM) serves as a digital signature for emails. It allows the receiving mail server to verify that an email was indeed sent by the domain it claims to be from and that it hasn't been tampered with in transit. This is achieved by adding a cryptographic signature to the email header, which is then verified against a public key published in the sender's DNS records. The h= tag within the DKIM-Signature header explicitly lists all the email headers that were included in the signature calculation. If any of these signed headers are altered after the signature is applied, the DKIM verification will fail.
The List-Unsubscribe header, on the other hand, is a critical component for ensuring a good user experience and maintaining sender reputation. It provides a standardized, automated way for recipients to opt out of email lists without having to scroll through an email to find an unsubscribe link or, worse, mark the email as spam. When this header is present, email clients like Gmail and Outlook often display a prominent unsubscribe button at the top of the message. This convenience significantly reduces the likelihood of spam complaints, which are highly detrimental to your domain's sending reputation.
Historically, the DKIM signature primarily focused on core headers like From, Subject, and Date. However, the increasing sophistication of email abuse, coupled with the drive for better user control, has led to a closer integration of these two mechanisms. When Klaviyo DKIM signs the List-Unsubscribe header, it ensures that this crucial unsubscribe instruction cannot be altered after the email leaves Klaviyo's servers, reinforcing its authenticity and trustworthiness.
RFC 8058 and compliance requirements
The primary driver behind Klaviyo's approach is compliance with RFC 8058, Signaling One-Click Unsubscribe. This RFC specifies the technical requirements for a one-click unsubscribe mechanism, which has become a mandatory standard for bulk senders to Gmail and Yahoo. A core tenet of RFC 8058 is that the List-Unsubscribe and List-Unsubscribe-Post headers MUST be covered by a valid DKIM signature. Without this, the implementation is not compliant.
The integrity check provided by DKIM prevents malicious actors from altering the unsubscribe links. If the List-Unsubscribe header were not signed, an attacker could potentially modify the unsubscribe link to, for instance, lead to a phishing site or a page that confirms the recipient's activity, aiding in spam list validation. By signing this header, Klaviyo ensures that the unsubscribe mechanism is authentic and trustworthy, protecting both the sender's reputation and the recipient's privacy.
The strict Gmail and Yahoo sender requirements, which came into effect in February 2024, mandate that bulk senders implement one-click unsubscribe. This requirement is explicitly tied to RFC 8058. Therefore, Klaviyo's decision to DKIM sign the List-Unsubscribe header is a direct response to these industry-wide changes, ensuring their clients remain compliant and avoid deliverability penalties. You can learn more about these mandatory requirements.
Ensuring one-click unsubscribe compliance
To be recognized as compliant with RFC 8058 and the new ISP requirements, ESPs must ensure that the List-Unsubscribe header's integrity is verifiable. DKIM signing (or covering) this header within the DKIM-Signature header is the standard method for achieving this. It assures receiving mail servers that the unsubscribe link provided is legitimate and has not been tampered with since the email was signed by Klaviyo.
Deliverability advantages and sender reputation
The primary benefit of Klaviyo DKIM signing the List-Unsubscribe header is a direct improvement in email deliverability and sender reputation. When receiving mail servers see that the unsubscribe header is signed, it signals a commitment to legitimate email practices and subscriber preference. This builds trust with ISPs, making them more likely to deliver your emails to the inbox rather than the spam folder.
Furthermore, a robust, easily accessible unsubscribe mechanism leads to fewer spam complaints. Recipients who wish to opt out are given a clear and simple path to do so, instead of resorting to the “report spam” button. Spam complaints are one of the most damaging signals for your sender reputation, potentially leading to your emails being directed to spam folders or even your domain being added to a blacklist (or blocklist).
By ensuring the integrity of the unsubscribe process, Klaviyo helps its users maintain a healthy sender reputation, which is crucial for long-term email marketing success. This proactive approach benefits both the ESP and its clients, creating a more trustworthy and efficient email ecosystem.
No DKIM signing of List-Unsubscribe
Increased Spam Complaints: Recipients may mark emails as spam due to difficulty unsubscribing, damaging sender reputation.
Higher Blocklist Risk: Consistent spam complaints can lead to being added to email blocklists (or blacklists).
Diminished Trust: ISPs and recipients may view the sender as less trustworthy, impacting inbox placement.
Non-Compliance: Failure to meet RFC 8058 and new Gmail / Yahoo mandates, leading to blocked emails.
DKIM signing of List-Unsubscribe
Improved Deliverability: Compliance and authenticity signals lead to better inbox placement.
Reduced Spam Complaints: Easy unsubscribe options mean fewer users mark messages as spam.
Enhanced Sender Reputation: Demonstrates responsible sending practices and commitment to user experience.
Regulatory Compliance: Meets critical industry standards, avoiding penalties and blocks.
Technical aspects and troubleshooting
When an email is sent with DKIM authentication, the DKIM-Signature header contains an h= tag that lists all the message headers included in the digital signature. For Klaviyo, this now includes list-unsubscribe and list-unsubscribe-post. This means that the content of these headers is part of the signed data, ensuring their integrity. You can verify this configuration by inspecting the full email headers of a message sent through Klaviyo.
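The header inspection described above can be scripted. The following is an added example, not code from Klaviyo or from the original article: it parses a raw message, reads the h= tag of every DKIM-Signature header, and reports whether list-unsubscribe and list-unsubscribe-post are covered. It also goes slightly beyond the text by checking the two RFC 8058 header values (an HTTPS URI in List-Unsubscribe and List-Unsubscribe=One-Click in List-Unsubscribe-Post). The function names, the sample message, the domain and the selector are assumptions made for illustration.

```python
import email
import re

REQUIRED = ("list-unsubscribe", "list-unsubscribe-post")

def parse_dkim_tags(value):
    """Split a DKIM-Signature value into tag=value pairs (RFC 6376 tag-list)."""
    tags = {}
    for part in value.split(";"):
        name, sep, val = part.partition("=")
        if sep:
            # Drop folding whitespace; it is not significant in h=, d= or s=.
            tags[name.strip()] = "".join(val.split())
    return tags

def check_one_click(raw_message):
    """Check RFC 8058 header presence and h= coverage (not crypto validity)."""
    msg = email.message_from_string(raw_message)
    uris = re.findall(r"<([^>]+)>", msg.get("List-Unsubscribe", ""))
    post = " ".join(msg.get("List-Unsubscribe-Post", "").split())
    signatures = []
    for value in msg.get_all("DKIM-Signature", []):
        tags = parse_dkim_tags(value)
        signed = {h.lower() for h in tags.get("h", "").split(":")}
        missing = [h for h in REQUIRED if h not in signed]
        signatures.append((tags.get("d"), tags.get("s"), missing))
    return {
        "https_uri": any(u.lower().startswith("https://") for u in uris),
        "post_ok": post == "List-Unsubscribe=One-Click",
        "signatures": signatures,
        "covered": any(not missing for _, _, missing in signatures),
    }

# Constructed sample message; domain, selector, bh= and b= are placeholders.
SAMPLE = (
    "DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com;\r\n"
    " s=sel1; h=from:subject:date:list-unsubscribe:\r\n"
    " list-unsubscribe-post; bh=PLACEHOLDER; b=PLACEHOLDER\r\n"
    "From: News <news@example.com>\r\n"
    "Subject: Weekly update\r\n"
    "Date: Mon, 02 Jun 2025 10:00:00 +0000\r\n"
    "List-Unsubscribe: <https://example.com/u/abc123>, <mailto:unsub@example.com>\r\n"
    "List-Unsubscribe-Post: List-Unsubscribe=One-Click\r\n"
    "\r\n"
    "Hello.\r\n"
)

if __name__ == "__main__":
    print(check_one_click(SAMPLE))
```

This confirms only that the headers are listed in h=. Whether the signature itself verifies still has to be read from the receiver's Authentication-Results header or checked with a DKIM verifier.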
If you're using a third-party sending service like SendGrid or MailChimp (and not directly Klaviyo), it's crucial to confirm that your provider is handling the DKIM signing of List-Unsubscribe headers correctly. Many ESPs are still in the process of rolling out these changes to ensure full compliance with the latest standards.
Issue: DKIM signature missing List-Unsubscribe
Cause: ESP hasn't updated its signing policy or configuration error.
Solution: Contact your ESP's support or check their documentation for updates.
Issue: DKIM verification fails
Cause: Header altered in transit or incorrect DNS setup.
Solution: Ensure DNS records are correct. Check for issues like DKIM oversigning.
Ensure your ESP actively DKIM signs the List-Unsubscribe header for compliance.
Regularly monitor your email headers to confirm proper DKIM and List-Unsubscribe configuration.
Prioritize a smooth and prominent one-click unsubscribe experience for recipients to reduce spam complaints.
Stay informed about new RFCs and ISP requirements to adapt your email strategy promptly.
Common pitfalls
Assuming your ESP automatically handles all new sender requirements without verification.
Neglecting to monitor spam complaint rates, which are key indicators of unsubscribe issues.
Failing to understand the technical intricacies of DKIM and List-Unsubscribe header interaction.
Not testing unsubscribe links and functionality across various email clients.
Expert tips
Implement a DMARC policy with reporting to gain visibility into your email authentication status, including DKIM alignment.
Educate your marketing teams on the importance of email authentication and easy unsubscribe options to maintain deliverability.
Leverage postmaster tools from major ISPs like Google and Yahoo to track reputation metrics and compliance.
Automate checks for critical email headers to quickly identify and resolve any configuration discrepancies.
Expert view
Expert from Email Geeks says: It is now a requirement from Google and Yahoo that the List-Unsubscribe header is DKIM signed for compliance.
2023-12-26 - Email Geeks
Expert view
Expert from Email Geeks says: RFC 8058 mandates that if you implement one-click list-unsubscribe, the List-Unsubscribe and List-Unsubscribe-Post headers must be covered by a valid DKIM signature.
2023-12-26 - Email Geeks
Key takeaways
The practice of Klaviyo DKIM signing the List-Unsubscribe header is a direct response to evolving email standards and the critical need for improved email deliverability. It's not just a technical tweak, but a strategic move that addresses both compliance requirements and the enhancement of user trust.
For email senders, this means that partnering with an ESP like Klaviyo that prioritizes these authentication and unsubscribe best practices is essential. It helps ensure that your emails are not only delivered but also build and maintain a positive sender reputation with major inbox providers.
Proactive management of email authentication protocols, including DKIM, SPF, and DMARC, alongside user-friendly unsubscribe options, will be key to navigating the complexities of modern email deliverability and reaching your audience effectively.