Why are we seeing abnormally high opt-out rates in email campaigns?

Key findings

• Technical Anomaly: Sudden spikes in opt-out rates (e.g., 27-28%) are typically not due to subscriber behavior, but rather automated processes.
• Link Scanners: Email security scanners and other bots (like Google Read Aloud) are known to crawl and click all links within emails, including unsubscribe links.
• HTTP GET vs. POST: The primary culprit is often an unsubscribe mechanism that processes an opt-out with a simple HTTP GET request, which bots perform automatically.
• Multi-ISP Impact: This issue is not confined to a single Internet Service Provider (ISP), as observed with opt-out requests originating from both Microsoft and Google IPs.

Key considerations

• Robust Unsubscribe Mechanism: Ensure your unsubscribe process requires an explicit user action, such as a confirmation click on a landing page or using an HTTP POST request, instead of a simple GET. Learn more about why opt-in email marketing is essential.
• Monitor Bot Activity: Implement logging to differentiate between human and bot-initiated clicks on your unsubscribe links, including the user agent and IP address.
• Review Deliverability Settings: A sudden drop in open rates or a surge in unsubscribes may point to wider deliverability issues that need investigation.
• ISP-Specific Behavior: Be aware of how different ISPs (like Microsoft or Google) handle email scanning and link pre-fetching, as this can impact reported metrics.
• Compliance with Opt-Out Requests: Ensure your processes comply with regulations regarding unsubscribe preferences, preventing accidental or bot-driven opt-outs while respecting user choices.

Key opinions

• Observing High Rates: Many marketers report seeing unusually high opt-out rates, sometimes as high as 27-28%, shortly after delivery.
• Suspecting Scanners: A common initial thought is that link scanners are aggressively clicking unsubscribe links, potentially due to a lack of a confirmation step.
• Link Click Volume: Marketers frequently note that many links within the email body are being clicked, indicating automated interaction.
• ISP Source: Unsubscribe requests originating from diverse IPs, including those associated with Microsoft and Google, indicate a widespread issue rather than isolated incidents.
• Identified Cause: Google Read Aloud has been identified as a specific crawler that aggressively follows links, contributing to these false opt-outs.

Key considerations

• Distinguish Bot Activity: It's crucial to differentiate between genuine subscriber opt-outs and those triggered by automated systems. This can impact your reported email open rates.
• Review Unsubscribe Flow: If a simple click triggers an unsubscribe, consider adding a confirmation step to prevent unintended opt-outs from bots.
• Segment Unsubscribe Data: Analyze unsubscribe data by ISP or email client to identify patterns that might indicate bot activity rather than user dissatisfaction, especially for Hotmail and Outlook users.
• Technical vs. Content: Distinguish between high opt-out rates caused by technical issues (like bot clicks) and those signaling content or frequency problems.
• Stay Updated: Keep abreast of new email client features or security measures, such as Google Read Aloud's behavior, that could impact your metrics. Understand factors affecting unsubscribe rates.

Key opinions

• Link Processing: It is common for email providers' spam filtering bots to click on all links within an email body for security analysis.
• Single-Click Action: If an unsubscribe link leads to a single-click action without requiring further user interaction, it is vulnerable to bot-triggered opt-outs.
• HTTP GET Vulnerability: The core problem lies in treating an HTTP GET request to an unsubscribe URL as a confirmed opt-out, as bots commonly perform GET requests.
• Microsoft/MSN Issue: Microsoft (and its associated brands like MSN) has a known history of aggressive link crawling that can lead to such issues.
• RFC 8058 Differentiator: Experts often inquire whether opt-outs are via body links or RFC8058 (List-Unsubscribe) headers, as their handling differs for bots.

Key considerations

• Implement POST Method: Always ensure that critical actions like unsubscribing require an HTTP POST request, which bots are less likely to perform automatically on links.
• Confirmation Steps: Require a confirmation on a landing page for unsubscribe requests, providing a safeguard against bot activity.
• Analyze Bot Signatures: Use web server logs to identify common user agents and IP ranges associated with automated link crawling to filter out false positives.
• Understand ISP Differences: Be aware of the specific bot behaviors of major ISPs, as these can vary and impact your metrics.
• General Deliverability: While resolving bot-induced unsubscribes is key, continuously improve overall deliverability to ensure legitimate emails reach the inbox effectively.

Key findings

• RFC 8058: The RFC 8058 standard provides a clear mechanism for one-click unsubscribe via the List-Unsubscribe-Post header, explicitly designed for a POST request.
• Secure Action Requirement: Sensitive actions like unsubscribing should ideally not be executed by a simple HTTP GET, which can be inadvertently triggered by pre-fetching agents.
• User Intent: Documentation emphasizes the importance of ensuring that unsubscribe actions reflect genuine user intent, not automated clicks.
• Bot Behavior: While not always specified by name, general documentation on email security often implies that automated bots will follow links for security scanning.

Key considerations

• Adhere to RFC 8058: For one-click unsubscribes, implement the List-Unsubscribe-Post header in conjunction with an HTTP POST method to prevent bot-triggered unsubscribes. Understand the list of DMARC tags to further secure your email.
• Require Confirmation: If using a standard unsubscribe link in the body, ensure it leads to a landing page where a user must explicitly confirm their unsubscribe action.
• Monitor Deliverability: Regularly review deliverability reports to identify any abnormal trends in unsubscribe rates, distinguishing between technical errors and content issues.
• Security Best Practices: Apply web security best practices to all links within emails, especially those leading to sensitive actions, to protect against unintended automated triggers.