Understanding RFC 8058 for one-click unsubscribe can be complex, especially when considering the interaction between the List-Unsubscribe header and the unsubscribe link in the email body. The core of the confusion often lies in whether both can point to the same URL while still fulfilling the one-click unsubscribe requirements. Compliance hinges on the method by which the URL is accessed, rather than the URL itself.
Key findings
URL sharing: It is generally compliant and common practice for the List-Unsubscribe header's URL and the unsubscribe link in the email body to be identical.
Method matters: RFC 8058 one-click unsubscribe functionality is achieved when the mail client sends an HTTPS POST request to the header's URL, resulting in an immediate, silent unsubscription without user interaction or opening a webpage.
Body link behavior: Conversely, the unsubscribe link in the email body (or the List-Unsubscribe header's URL when accessed via a GET request) should lead to a landing page, typically a preference center, where the user confirms their unsubscription.
Gmail's handling: Gmail's in-app unsubscribe button for RFC 8058 compliant emails performs a silent, one-click unsubscribe via a POST request to the List-Unsubscribe-Post URL, without directing the user to a separate page.
Historical parsing: Google has historically parsed email bodies for unsubscribe links, but this behavior is distinct from the formal one-click unsubscribe (RFC 8058) facilitated by the header.
Key considerations
Technical implementation: Ensure your server-side implementation correctly distinguishes between HTTPS POST and GET requests to the unsubscribe URL. POST requests should trigger silent unsubscription, while GET requests should display a preference page.
Header configuration: Your email must include both List-Unsubscribe (with an HTTPS URL) and List-Unsubscribe-Post: One-Click headers for RFC 8058 compliance.
User experience: While the header enables one-click unsubscription, maintaining a clear and easy-to-use unsubscribe link in the email body (even if it requires a second click on a landing page) remains a best practice for users who don't use the header option. It is part of email unsubscribe link best practices.
Testing: Relying on external tools alone is insufficient. Actively test the one-click unsubscribe functionality in various email clients (e.g., Gmail for Android) to confirm it performs a silent, immediate unsubscription as expected. This helps verify your implementation matches the intended RFC 8058 behavior.
What email marketers say
Email marketers often navigate the nuances of unsubscribe compliance, particularly with the introduction of one-click unsubscribe requirements. While the concept seems straightforward, practical implementation and interpretation can lead to different opinions and potential confusion regarding whether a multi-step unsubscribe process via the email body is acceptable if the header supports one-click. Marketers often focus on both compliance and user experience.
Key opinions
Initial confusion: Some marketers initially believe that if the List-Unsubscribe header links to a preference center requiring a second click, it might not be RFC 8058 compliant, highlighting a common misunderstanding of how the header versus body links function.
Reliance on tools: There's a tendency to rely on third-party compliance checkers (e.g., AboutMy.email) to confirm adherence to unsubscribe requirements, which can sometimes lead to a false sense of security if the underlying technical implementation isn't fully understood.
Observing behavior: Marketers note that email clients, like Gmail, sometimes display preference center links even without a List-Unsubscribe header, based on parsing the email body. This historical behavior (pre-RFC 8058 enforcement) can further muddle understanding of the new standards.
Prioritizing user experience: Many marketers still prioritize a clear, visible unsubscribe link in the email body, even if it leads to a preference center, as it's what most users are accustomed to. This is still a critical part of unsubscribe best practices.
Key considerations
Educate engineering teams: Marketers need to ensure their software engineers clearly understand the distinction between POST (silent, one-click) and GET (preference page) requests for the List-Unsubscribe URL, particularly with the new Gmail and Yahoo requirements.
Verify compliance: Beyond relying on external tools, marketers should conduct their own manual tests of the one-click unsubscribe functionality within various email clients to ensure it performs as required by RFC 8058. Microsoft, Gmail, and Yahoo are increasingly strict.
Address misconceptions: Actively clarify that the one-click aspect of RFC 8058 primarily applies to the automatic action triggered by mail clients using the header, not necessarily to the user experience of clicking a link within the email body.
Marketer view
Email marketer from Email Geeks states that their initial assumption was incorrect, as they believed an unsubscribe URL in the header pointing to a subscription center (requiring a second click) would not be compliant with one-click unsubscribe. They later confirmed this was incorrect after testing.
01 Feb 2024 - Email Geeks
Marketer view
Marketer from Email Geeks observes that they saw an example where the Gmail in-app unsubscribe pulled in a client’s preference center link. This behavior, however, was for a sender who did not have a List-Unsubscribe header configured correctly, highlighting a common point of confusion.
01 Feb 2024 - Email Geeks
What the experts say
Email deliverability experts provide critical clarity on RFC 8058, often correcting common misunderstandings among marketers and engineers. Their insights focus on the technical implementation of one-click unsubscribe, particularly the distinction between how different request methods (POST vs. GET) interact with the unsubscribe URL, and the precise role of the List-Unsubscribe and List-Unsubscribe-Post headers.
Key opinions
Compliance specifics: Experts emphasize that the URL in the List-Unsubscribe header must perform a silent unsubscribe via a POST request to be RFC 8058 compliant, regardless of whether it's the same URL as the body link.
URL commonality: It is very common for both the header and body unsubscribe links to use the same URL, as long as the server correctly handles POST and GET requests differently.
Gmail's automatic unsubscription: When a user clicks Gmail's built-in unsubscribe option (for RFC 8058 compliant emails), it triggers a silent POST request to the sender's server, unsubscribing the user without opening a browser or requiring further clicks.
Distinguishing requests: A critical point is that an HTTPS POST request to the List-Unsubscribe URL should silently unsubscribe the user, while an HTTPS GET request to the same URL (e.g., from the body link) should return an HTML page for user interaction.
Key considerations
Server-side logic: The primary responsibility for RFC 8058 compliance lies with the server's ability to correctly process the POST request signalled by the List-Unsubscribe-Post header and instantly unsubscribe the user.
Independent verification: Experts advise senders to personally test their one-click unsubscribe implementation, rather than solely trusting internal engineering reports or external checkers, to ensure the silent POST behavior works as intended.
Legacy behavior: While Google once parsed email bodies for unsubscribe links to power MUA (Mail User Agent) buttons, this is not the RFC 8058 standard. Senders should focus on proper header implementation. More on this is available from Word to the Wise's insights on one-click unsubscribe.
Expert view
Deliverability expert from Email Geeks clarified that the List-Unsubscribe URL being the same as the subscription center link is quite normal. The crucial aspect is the presence of a List-Unsubscribe-Post header and its correct handling of POST requests for one-click functionality.
01 Feb 2024 - Email Geeks
Expert view
Expert from Word to the Wise explains that the term “one-click unsubscribe” is often overloaded. For RFC 8058, it specifically refers to the in-app unsubscription triggered by a silent HTTPS POST to the header URI, which should not require any further user interaction.
01 Feb 2024 - Word to the Wise
What the documentation says
Official documentation, particularly RFC 8058 itself, explicitly defines the requirements for a one-click unsubscribe function. This technical guidance is paramount for ensuring compliance with mailbox provider mandates, emphasizing the role of specific headers and HTTP methods to achieve seamless, non-interactive unsubscription.
Key findings
RFC 8058 purpose: RFC 8058 outlines a method for signaling a one-click unsubscription functionality specifically for the List-Unsubscribe email header field.
Header requirement: To be RFC 8058 compliant, the List-Unsubscribe header must include an HTTPS URI, and importantly, the List-Unsubscribe-Post: One-Click header must be present.
POST method: The core of one-click unsubscribe is that the mail user agent (MUA) sends an HTTPS POST request to the specified URI in the header, which should trigger an immediate unsubscription without user interaction.
Non-interactive: The unsubscribe process initiated by the List-Unsubscribe-Post header is intended to be non-interactive. This means no pop-ups, confirmation pages, or additional clicks are required from the user.
Key considerations
Distinguishing URI types: The RFC states that the List-Unsubscribe header can contain both a mailto: URI and an HTTPS URI. The HTTPS URI is crucial for the one-click functionality via a POST request.
Server response: Upon receiving an HTTP POST request to the unsubscribe URI, the server should process the unsubscription and return an HTTP 200 OK status, possibly with minimal content like an empty response or a simple success message, but not a webpage for user interaction.
Security (HTTPS): The requirement for HTTPS in the List-Unsubscribe header's URI ensures the security and integrity of the unsubscription request, preventing tampering or spoofing. This is a critical factor for compliance.
Impact on deliverability: Mailbox providers are increasingly enforcing RFC 8058 compliance. Failure to implement proper one-click unsubscribe can lead to deliverability issues, including higher spam complaint rates or blocklisting.
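The server behaviour described under "Technical implementation" and "Server response" above, as an added example that is not code from the original page: one shared URL where GET only renders a page and a POST carrying `List-Unsubscribe=One-Click` unsubscribes silently. The `r`/`t` query parameters, the HMAC token scheme, the `confirm` form field and the in-memory store are assumptions for illustration; only form-urlencoded POST bodies are parsed, although RFC 8058 also allows multipart/form-data.

```python
import hashlib
import hmac
from urllib.parse import parse_qs, urlencode, urlsplit

SECRET = b"constructed-demo-key"  # assumption: per-deployment secret kept server-side
SUBSCRIBED = {"sub-1001"}         # stand-in for the real subscription store

def make_token(recipient_id):
    """Hard-to-forge token; the one-click POST arrives with no cookies or login."""
    return hmac.new(SECRET, recipient_id.encode(), hashlib.sha256).hexdigest()

def unsubscribe_url(recipient_id):
    """URL used both in the List-Unsubscribe header and in the body link."""
    query = urlencode({"r": recipient_id, "t": make_token(recipient_id)})
    return "https://example.com/unsubscribe?" + query

def handle(method, url, body=""):
    """Return (status, response_body) for a request to the shared unsubscribe URL."""
    query = parse_qs(urlsplit(url).query)
    recipient = query.get("r", [""])[0]
    token = query.get("t", [""])[0]
    if not hmac.compare_digest(token.encode(), make_token(recipient).encode()):
        return 403, "invalid link"
    if method == "GET":
        # Body link, or a scanner prefetching the header URL: never unsubscribe on GET.
        return 200, "<form method='post'><button name='confirm' value='yes'>Unsubscribe</button></form>"
    if method == "POST":
        form = parse_qs(body)
        if form.get("List-Unsubscribe") == ["One-Click"]:
            SUBSCRIBED.discard(recipient)  # silent, immediate, safe to repeat
            return 200, ""
        if form.get("confirm") == ["yes"]:  # hypothetical field from the landing page
            SUBSCRIBED.discard(recipient)
            return 200, "<p>You have been unsubscribed.</p>"
        return 400, "unrecognised POST body"
    return 405, "method not allowed"
```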
Technical article
RFC 8058 documentation specifies that the List-Unsubscribe header field is used to signal a one-click unsubscribe function. This mechanism aims to simplify the unsubscribe process for email recipients by automating it.
22 Jun 2017 - IETF Datatracker (RFC 8058)
Technical article
Mailgun's documentation on RFC 8058 states that for a valid one-click unsubscribe, the List-Unsubscribe header must contain an HTTPS URI. This ensures secure and reliable communication for the unsubscription request, preventing potential security vulnerabilities.