Klaviyo's practice of including the List-Unsubscribe header within its DKIM signature's "h=" tag is a crucial aspect of modern email deliverability. This practice is not arbitrary; it directly aligns with contemporary email standards and helps ensure the integrity and authenticity of email communications. It's particularly relevant with the latest sender requirements from major mailbox providers like Gmail and Yahoo, which emphasize a frictionless unsubscribe experience.
Key findings
Compliance: DKIM signing of the List-Unsubscribe header is a requirement of RFC 8058, especially for one-click unsubscribe functionality.
Security: Signing this header prevents malicious actors from tampering with the unsubscribe mechanism or performing replay attacks, where a legitimate email's header is modified to trick recipients into revealing engagement.
Trust and reputation: By authenticating the unsubscribe link, senders build trust with mailbox providers and recipients, which can positively influence email deliverability and sender reputation. This is especially true as mailbox providers increasingly prioritize a smooth unsubscribe process.
Deliverability advantage: While not directly boosting inbox placement on its own, adhering to such standards contributes to overall email authentication best practices, reducing the likelihood of emails being marked as spam or blocked. This is particularly important for meeting Gmail and Yahoo's new sender requirements.
Key considerations
ESP responsibility: Email Service Providers (ESPs) like Klaviyo and SendGrid are expected to handle this DKIM signing automatically as part of their service, especially to comply with new industry mandates. Senders using these platforms typically do not need to manually configure this.
Header integrity: The inclusion of the List-Unsubscribe and List-Unsubscribe-Post headers within the DKIM signature ensures that these critical headers cannot be altered post-signing, protecting the sender's reputation and recipient experience.
RFC 8058: This RFC standardizes one-click unsubscribe functionality and explicitly states the need for DKIM signing of these headers to guarantee the authenticity of the unsubscribe request, which is essential for user trust and maintaining a clean sending list. You can review the full RFC 8058 specification on the IETF website.
Migration and updates: As with any evolving standard, ESPs might be in various stages of implementing or updating their systems to fully comply. Senders should confirm with their ESPs if they encounter issues or have concerns about header signing.
Email marketers often observe the technical details of their outgoing emails, including DKIM signatures and headers. The conversation around Klaviyo DKIM signing the List-Unsubscribe header reflects a common curiosity about best practices and compliance. Marketers are keen to understand if such technical implementations offer tangible deliverability benefits or are simply compliance necessities.
Key opinions
New requirements: Many marketers recognize this signing as a direct response to recent mandates from major mailbox providers like Google and Yahoo.
Good practice: Beyond specific requirements, signing the List-Unsubscribe header is generally seen as a good email authentication practice that contributes to overall email health, regardless of immediate deliverability impacts.
Reduced spam reports: Providing an easy, authenticated unsubscribe method (like a one-click unsubscribe via the List-Unsubscribe header) can significantly reduce spam complaints, which are detrimental to sender reputation.
ESP role: Marketers expect their ESPs to manage these technical aspects seamlessly, as evidenced by questions about specific ESPs' implementation status.
Key considerations
Deliverability impact: While some marketers might initially question the direct deliverability advantage, the consensus leans towards its importance in maintaining a good sending reputation and complying with evolving standards.
Troubleshooting: Issues with missing headers in the DKIM signature, particularly for List-Unsubscribe-Post, highlight the need for clear communication and updates from ESPs regarding their compliance efforts.
Authentication standards: Marketers are increasingly aware that robust email authentication, including proper DKIM, SPF, and DMARC configuration, is fundamental for successful email marketing in 2024 and beyond.
User experience: The underlying goal of these requirements is to improve the subscriber experience by making unsubscribing easier and more reliable, thus reducing frustration and the likelihood of recipients marking emails as spam.
Marketer view
Marketer from Email Geeks explains that including the List-Unsubscribe header in the DKIM signature is now part of the new Google and Yahoo sender requirements. This ensures that the unsubscribe mechanism is authenticated and reliable for recipients.
26 Dec 2023 - Email Geeks
Marketer view
Marketer from Unspam.email highlights the importance of the List-Unsubscribe header, noting that it plays a crucial role in reducing spam reports, improving overall email deliverability rates, and helping build a stronger sender reputation. Furthermore, it simplifies the opt-out process for recipients.
21 Jan 2024 - Unspam.email
What the experts say
Email deliverability experts provide critical insights into the technical rationale and implications of DKIM signing the List-Unsubscribe header. Their perspectives delve into the RFC standards, security aspects, and how ESPs should implement these features. They confirm that this practice is not just a 'nice to have' but a fundamental requirement for maintaining email integrity and compliance.
Key opinions
RFC 8058 mandate: Experts affirm that DKIM signing of the List-Unsubscribe header is explicitly required by RFC 8058 if one-click unsubscribe functionality is implemented, directly addressing the query about why ESPs like Klaviyo do this.
Preventing manipulation: A core reason for signing is to prevent bad actors from altering the unsubscribe link or other headers, thereby safeguarding recipients from deceptive practices and avoiding spam traps.
ESP responsibility: It's widely expected that ESPs (like Klaviyo and SendGrid) should automatically handle the correct DKIM signing of all necessary headers, including List-Unsubscribe, as part of their service offering.
Configuration insights: Experts highlight that DKIM signing configuration typically resides within the ESP's settings or the mail transfer agent (MTA) rather than the application generating the email content (e.g., ActionMailer).
Key considerations
Authentication enforcement: DKIM signing of headers reinforces the authenticity of the entire email, making it harder for spammers to forge emails and ensuring that recipients can trust the source and content.
Impact on forwarded emails: A DKIM signature embedded in the header persists even when an email is forwarded, unlike SPF authentication, providing continued verification of the original sender's identity. This is why proper DKIM setup is crucial.
Vendor updates: If an ESP is not correctly signing all required headers, it indicates they are still catching up with the latest industry standards. Senders should follow up with their providers for updates.
Holistic deliverability: While a single header's signing might seem minor, it's part of a larger ecosystem of email authentication and compliance that collectively impacts deliverability and prevents emails from landing in the spam folder.
Expert view
Expert from Email Geeks clarifies that DKIM signing of the List-Unsubscribe header is precisely required per RFC 8058, especially if the RFC 8058 list-unsubscribe method is implemented. This directly addresses the technical necessity for Klaviyo's approach.
26 Dec 2023 - Email Geeks
Expert view
Expert from Spam Resource highlights that authenticating critical headers like List-Unsubscribe with DKIM is a proactive measure. This practice prevents spoofing and ensures the integrity of the unsubscribe process, which is vital for maintaining a clean sending reputation.
27 Dec 2023 - Spam Resource
What the documentation says
Official documentation from various sources, including RFCs and ESP help centers, clearly outlines the technical specifications and best practices for email authentication and unsubscribe mechanisms. This documentation serves as the authoritative guide for why ESPs, like Klaviyo, implement specific header signing practices. It highlights the mandatory nature of some of these requirements for compliance and security.
Key findings
RFC 8058 specifies: If the List-Unsubscribe header (and its List-Unsubscribe-Post counterpart for one-click) is used for HTTP-based unsubscribes, it MUST be covered by a valid DKIM signature to prevent tampering. This is a crucial element for ensuring the security and integrity of unsubscribe requests.
Klaviyo's implementation: Documentation confirms that Klaviyo automatically includes the necessary code in the email header to enable one-click unsubscribes for supported inboxes, indicating their adherence to industry standards.
DKIM's role: DKIM provides a digital signature in the email header, secured with public-key cryptography. This signature helps verify the message's authenticity and ensures the signed parts haven't been altered in transit, which is particularly important for critical headers like List-Unsubscribe.
Sender requirements: Major mailbox providers like Gmail and Yahoo have reinforced the mandatory nature of the List-Unsubscribe header, explicitly stating its importance for bulk senders. Proper DKIM signing supports compliance with these requirements.
Key considerations
Email authentication: DKIM is a cornerstone of email authentication, providing a robust mechanism to verify sender identity and message integrity. Its application to critical headers like List-Unsubscribe strengthens the overall security posture of email.
Impact on deliverability: While RFC 8058 focuses on the functionality and security of one-click unsubscribe, adherence to such standards indirectly supports deliverability by signaling trustworthiness to receiving mail servers, reducing the chances of landing on a blocklist or in spam.
Automatic implementation: Most reputable ESPs, including Klaviyo, have integrated these requirements into their systems, relieving senders of the burden of manual configuration for these specific headers. Senders should still verify their ESP's compliance.
Forwarding resilience: Unlike SPF, DKIM signatures remain valid even when an email is forwarded, ensuring that the integrity of signed headers, including List-Unsubscribe, is maintained throughout the email's lifecycle.
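One way to verify an ESP's compliance on a message you have received is to read the h= tag of each DKIM-Signature header and confirm it lists both unsubscribe headers. The script below is an added example, not code from Klaviyo or any ESP: it checks header coverage and the RFC 8058 header values only, does not validate the signature cryptographically, and runs on a constructed sample message using example.com.

```python
import email

REQUIRED = ("list-unsubscribe", "list-unsubscribe-post")

def parse_tags(value):
    """Split a DKIM-Signature tag list ("v=1; d=...; h=...") into a dict."""
    tags = {}
    for part in value.split(";"):
        name, sep, val = part.partition("=")
        if sep:
            tags[name.strip()] = "".join(val.split())  # drop folding whitespace
    return tags

def check_one_click(raw_message):
    """Return a list of problems; an empty list means the headers look right."""
    msg = email.message_from_string(raw_message)
    problems = []
    if "<https://" not in msg.get("List-Unsubscribe", "").lower():
        problems.append("List-Unsubscribe has no HTTPS URI")
    if msg.get("List-Unsubscribe-Post", "").strip() != "List-Unsubscribe=One-Click":
        problems.append("List-Unsubscribe-Post missing or not List-Unsubscribe=One-Click")
    gaps, covered = [], False
    for sig in msg.get_all("DKIM-Signature", []):
        tags = parse_tags(sig)
        signed = {h.lower() for h in tags.get("h", "").split(":")}
        missing = [name for name in REQUIRED if name not in signed]
        if missing:
            gaps.append(f"d={tags.get('d', '?')} s={tags.get('s', '?')}: "
                        f"h= does not cover {', '.join(missing)}")
        else:
            covered = True
    if not covered:  # one signature covering both headers is enough
        problems.extend(gaps or ["no DKIM-Signature header"])
    return problems

# Constructed sample message; bh= and b= are placeholders, not real signature data.
GOOD = """\
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com; s=sel1;
 h=from:subject:date:list-unsubscribe:
 list-unsubscribe-post; bh=PLACEHOLDER; b=PLACEHOLDER
From: News <news@example.com>
Subject: Weekly update
List-Unsubscribe: <https://example.com/u/abc123>, <mailto:unsub@example.com>
List-Unsubscribe-Post: List-Unsubscribe=One-Click

Hello
"""
BAD = GOOD.replace(":\n list-unsubscribe-post", "")  # List-Unsubscribe-Post not signed
```

Calling `check_one_click` on the raw source of a real message (for example, the "show original" view saved to a file) reports which signing domain and selector left a header out, which is the detail to pass to the ESP.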
Technical article
Documentation from the IETF RFC 8058 explicitly states that if the List-Unsubscribe and List-Unsubscribe-Post headers are used for one-click unsubscribe, the message MUST have a valid DKIM signature that covers these headers. This is essential for the security and reliability of the unsubscribe process.
27 Dec 2023 - IETF RFC 8058
Technical article
Documentation from Klaviyo Help Center confirms that Klaviyo automatically adds necessary code to the header of every email sent to enable one-click unsubscribes. This feature supports a frictionless opt-out process for recipients in compatible inboxes.