One-Click Unsubscribe Guide (RFC 8058)
Implement one-click unsubscribe to comply with Gmail and Yahoo requirements and improve user experience while maintaining deliverability.
What is One-Click Unsubscribe?
One-Click Unsubscribe is a technical implementation defined in RFC 8058 that allows email recipients to unsubscribe from mailing lists with a single click, without requiring additional steps like visiting a website, logging in, or confirming the action.
It works through special email headers (List-Unsubscribe and List-Unsubscribe-Post) that email clients can use to provide an easy unsubscribe button directly in their interface, making it simple for users to opt out without marking your messages as spam.
Benefits
- Reduces spam complaints by providing easy opt-out
- Improves sender reputation and deliverability
- Enhances user experience with frictionless unsubscribe
- Meets mandatory requirements from Gmail and Yahoo
- Builds trust with recipients
Gmail and Yahoo Requirements (Mandatory Since Feb 2024)
Starting February 2024, Gmail and Yahoo require all bulk senders (those sending more than 5,000 messages per day to Gmail addresses) to implement one-click unsubscribe for marketing emails.
Requirement 1: List-Unsubscribe Headers
All marketing emails must include both List-Unsubscribe and List-Unsubscribe-Post headers
Requirement 2: Immediate Processing
Unsubscribe requests must be processed within 2 days (48 hours maximum)
Requirement 3: Visible Link
Email body must still contain a visible unsubscribe link (one-click headers are supplementary)
Important: Non-compliance can result in emails being blocked, significant deliverability issues, and potential sender reputation damage. This is not optional for bulk senders.
List-Unsubscribe Header Format
The List-Unsubscribe header specifies the URL or email address that recipients can use to unsubscribe. You can provide an HTTPS URL, a mailto address, or both.
HTTPS URL Method (Recommended)
Provide a unique HTTPS URL that immediately unsubscribes the user when accessed:
Mailto Method (Alternative)
Provide an email address that processes unsubscribe requests automatically:
Combined Method (Best Practice)
Provide both methods for maximum compatibility:
    List-Unsubscribe: <https://example.com/unsubscribe?id=UNIQUE_TOKEN>,
      <mailto:unsubscribe@example.com?subject=unsubscribe>
List-Unsubscribe-Post Header (One-Click Method)
The List-Unsubscribe-Post header is required for true one-click unsubscribe functionality. It tells email clients that the unsubscribe URL supports a POST request with a specific parameter.
Header Format
The header value is always the same:
How It Works
When a user clicks the unsubscribe button in their email client:
- The email client sends a POST request to your List-Unsubscribe URL
- The POST body contains: List-Unsubscribe=One-Click
- Your server must immediately process the unsubscribe
- Return HTTP 200 or 201 status code to confirm
- No redirect or HTML page should be shown to the user
Key Point: Your unsubscribe endpoint must accept both GET requests (for mailto fallback and users clicking links) and POST requests (for one-click functionality). The List-Unsubscribe-Post header only applies to POST requests.
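The request handling described above, written as a framework-independent function (an added example, not code from the original page). The token table, `handle_unsubscribe` and its parameters are names assumed for illustration, and only form-encoded POST bodies are handled.

```python
import logging
from datetime import datetime, timezone
from urllib.parse import parse_qs

log = logging.getLogger("unsubscribe")

# Constructed sample data: token -> recipient, plus an in-memory suppression list.
SAMPLE_TOKEN = "k3Jx0Vq9mT2sYp7LwZ8aRb4NcD6eFh1G"
TOKENS = {SAMPLE_TOKEN: "alice@example.com"}
SUPPRESSED = set()

def handle_unsubscribe(method, query_string, body=b"", remote_ip="-"):
    """Return (status, response_body) for a request to /unsubscribe?id=<token>."""
    if method not in ("GET", "POST"):
        return 405, ""
    token = parse_qs(query_string).get("id", [""])[0]
    email = TOKENS.get(token)
    if email is None:
        log.warning("unsubscribe rejected: unknown token ip=%s", remote_ip)
        return 404, ""
    if method == "POST":
        # One-click POST: the form body must carry List-Unsubscribe=One-Click.
        form = parse_qs(body.decode("ascii", "replace"))
        if form.get("List-Unsubscribe") != ["One-Click"]:
            return 400, ""
    SUPPRESSED.add(email)  # idempotent: a repeated request still succeeds
    log.info("unsubscribed %s method=%s ip=%s at=%s", email, method, remote_ip,
             datetime.now(timezone.utc).isoformat())
    if method == "POST":
        return 200, ""  # empty body, no redirect
    return 200, "You have been unsubscribed."
```

Rejecting a POST whose body lacks the one-click parameter keeps unrelated form posts from triggering an unsubscribe, and the log line records the method, IP address and timestamp for later audits.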
Traditional Unsubscribe Links
While implementing one-click unsubscribe headers, you must still include a visible unsubscribe link in your email body. This serves as a backup and is required by CAN-SPAM and other regulations.
Footer Placement
Include a clear, visible unsubscribe link in your email footer:
    <a href="https://example.com/unsubscribe?id=UNIQUE_TOKEN">
      Unsubscribe from this list
    </a>
One-Click vs Traditional
The footer link can be the same URL as your List-Unsubscribe header. Users clicking this link should be immediately unsubscribed with a simple confirmation message - no login, no survey, no additional steps required.
URL Security
Always use unique, tokenized URLs for each recipient to prevent abuse and ensure you can identify who is unsubscribing. Never use a generic unsubscribe page requiring email address entry.
Implementation Examples
Here are complete examples of implementing one-click unsubscribe in your email headers:
Complete Header Example
Add both headers to your email messages:
    List-Unsubscribe: <https://example.com/unsubscribe?id=UNIQUE_TOKEN>
    List-Unsubscribe-Post: List-Unsubscribe=One-Click
Node.js / Nodemailer Example
Configure headers in Nodemailer:
    const mailOptions = {
      from: 'newsletter@example.com',
      to: recipient.email,
      subject: 'Monthly Newsletter',
      html: emailContent,
      headers: {
        // Per-recipient tokenized URL plus the one-click marker header
        'List-Unsubscribe':
          `<https://example.com/unsubscribe?id=${recipient.token}>`,
        'List-Unsubscribe-Post': 'List-Unsubscribe=One-Click'
      }
    };
Python / Flask Example
Handle POST requests for one-click unsubscribe:
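    from flask import Flask, request, render_template

    app = Flask(__name__)

    @app.route('/unsubscribe', methods=['GET', 'POST'])
    def unsubscribe():
        token = request.args.get('id')
        # Verify token and unsubscribe user
        # (verify_and_unsubscribe is your application's own helper)
        user = verify_and_unsubscribe(token)
        if request.method == 'POST':
            # One-click unsubscribe (no page shown)
            return '', 200
        else:
            # GET request (show confirmation)
            return render_template('unsubscribed.html')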
PHP Example
Add headers using mail() or PHPMailer:
    $headers = [
        'From: newsletter@example.com',
        'List-Unsubscribe: <https://example.com/unsubscribe?id=' . $token . '>',
        'List-Unsubscribe-Post: List-Unsubscribe=One-Click'
    ];
    // Header lines are joined with CRLF, as mail() expects
    mail($to, $subject, $message, implode("\r\n", $headers));
Best Practices
1. Immediate Processing
Process unsubscribe requests immediately - within seconds, not hours or days. Gmail and Yahoo require processing within 2 days, but instant processing is best practice. Update your suppression list in real-time to prevent sending additional emails.
2. Simple Confirmation Pages
For GET requests (traditional link clicks), show a simple confirmation message. Don't ask why they're leaving, don't offer alternatives, don't make them confirm again. Just acknowledge the unsubscribe and thank them.
3. Use Secure, Unique Tokens
Generate unique, cryptographically secure tokens for each recipient. Include the token in your unsubscribe URL to identify the user without requiring login. Tokens should be long enough to prevent guessing (at least 32 characters).
4. Support Both GET and POST
Your unsubscribe endpoint must handle both GET requests (from users clicking links) and POST requests (from one-click unsubscribe). Return HTTP 200/201 for POST requests without any redirect or HTML response.
5. Use HTTPS Only
Always use HTTPS for your List-Unsubscribe URLs to ensure security and meet modern email client requirements. HTTP-only URLs may not work with one-click unsubscribe in Gmail and other providers.
6. Keep URLs Active
Ensure unsubscribe URLs remain functional for at least 30 days after sending (CAN-SPAM requirement). Consider keeping them active indefinitely to handle delayed unsubscribes gracefully.
7. Don't Resubscribe
Once someone unsubscribes, never add them back to your list without explicit re-subscription. Maintain a permanent suppression list and check it before adding any email address to your active lists.
8. Log All Unsubscribes
Keep detailed logs of all unsubscribe requests including timestamp, method (GET/POST), IP address, and processing status. These logs are valuable for compliance audits and troubleshooting.
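For the "URL Security" advice and best practice 3, the following added example (not code from the original page) contrasts a token derived from the address with a random per-recipient token, then builds both headers from it. `TokenStore`, `weak_token`, `unsubscribe_headers` and `BASE_URL` are names assumed for illustration, and the in-memory dictionaries stand in for a database table.

```python
import hashlib
import secrets

BASE_URL = "https://example.com/unsubscribe"  # assumed endpoint, same host as the page's examples

def weak_token(email):
    # Anti-pattern: 64 characters long, but derived only from the address,
    # so anyone who knows the address can compute the unsubscribe link.
    return hashlib.sha256(email.lower().encode()).hexdigest()

class TokenStore:
    """In-memory stand-in for a table mapping token <-> recipient."""

    def __init__(self):
        self._by_token = {}
        self._by_email = {}

    def issue(self, email):
        # One stable token per recipient, so links in older mail keep working.
        if email not in self._by_email:
            token = secrets.token_urlsafe(32)  # 32 random bytes, 43 URL-safe characters
            self._by_email[email] = token
            self._by_token[token] = email
        return self._by_email[email]

    def resolve(self, token):
        # Returns the recipient, or None for an unknown or guessed token.
        return self._by_token.get(token)

def unsubscribe_headers(token):
    url = f"{BASE_URL}?id={token}"
    return {
        "List-Unsubscribe": f"<{url}>, <mailto:unsubscribe@example.com?subject=unsubscribe>",
        "List-Unsubscribe-Post": "List-Unsubscribe=One-Click",
    }
```

Length alone does not make a token safe: the hash-based value exceeds 32 characters yet is fully predictable, while the random token cannot be derived from anything an outsider knows.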
Common Issues and Solutions
Missing List-Unsubscribe-Post Header
Problem: Including List-Unsubscribe header but forgetting List-Unsubscribe-Post
Solution: Both headers are required for one-click functionality. Always include List-Unsubscribe-Post: List-Unsubscribe=One-Click when using HTTPS URLs.
Broken or Expired Links
Problem: Unsubscribe links returning 404 errors or expiring too quickly
Solution: Test your unsubscribe URLs before sending. Keep tokens valid for at least 30 days. Implement proper error handling and logging to catch broken links.
Slow Processing Times
Problem: Taking hours or days to process unsubscribe requests
Solution: Implement real-time unsubscribe processing. Update your suppression list immediately and ensure all sending systems check it before every send.
POST Request Not Supported
Problem: Unsubscribe endpoint only handles GET requests
Solution: Configure your endpoint to accept both GET and POST methods. For POST, return empty body with 200 status. For GET, show confirmation page.
Redirects or Login Required
Problem: Redirecting users to login page or requiring authentication
Solution: Use tokenized URLs that don't require login. For POST requests, don't redirect - just process and return 200. No authentication should be needed.
Using HTTP Instead of HTTPS
Problem: List-Unsubscribe URLs using http:// instead of https://
Solution: Always use HTTPS for unsubscribe URLs. Many email clients require HTTPS for one-click unsubscribe to work. HTTP URLs may be ignored or blocked.
Testing Your Implementation
Before sending emails to your subscribers, thoroughly test your one-click unsubscribe implementation:
1. Verify Headers
Send a test email to yourself and check the raw email headers. Verify that both List-Unsubscribe and List-Unsubscribe-Post headers are present and correctly formatted.
2. Test GET Requests
Click the unsubscribe link in your test email. Verify that it unsubscribes you immediately and shows a simple confirmation page. The process should require no login and no additional clicks.
3. Test POST Requests
Manually test POST requests using curl or a similar tool:
    curl -i -X POST "https://example.com/unsubscribe?id=UNIQUE_TOKEN" \
      -d "List-Unsubscribe=One-Click" \
      -H "Content-Type: application/x-www-form-urlencoded"
Verify you receive HTTP 200 or 201 status with empty body.
4. Test in Gmail
Send a test email to a Gmail address. Check if the "Unsubscribe" link appears next to your sender name in the Gmail interface. Click it to test the one-click functionality from Gmail's perspective.
5. Verify Processing Time
After unsubscribing, verify that the email address is immediately added to your suppression list and that no additional emails are sent to it. Test that your system prevents re-sending within seconds, not minutes.
6. Monitor Logs
Check your server logs to ensure unsubscribe requests are being received and processed correctly. Look for any errors, failed requests, or unusual patterns that might indicate problems.
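For step 1 (Verify Headers), a check that can be run over the raw source of a test message, given here as an added example that is not part of the original page. The function name and the sample messages are constructed for illustration.

```python
import re
from email import message_from_string

def check_unsubscribe_headers(raw_message):
    """Return a list of problems; an empty list means both headers look correct."""
    msg = message_from_string(raw_message)
    problems = []
    list_unsub = msg.get("List-Unsubscribe")
    post = msg.get("List-Unsubscribe-Post")
    if list_unsub is None:
        problems.append("List-Unsubscribe header is missing")
    else:
        # Each URI sits in angle brackets; several are comma-separated and may be folded.
        uris = [u.strip().lower() for u in re.findall(r"<([^<>]*)>", list_unsub)]
        if not uris:
            problems.append("List-Unsubscribe has no <...> URI")
        if any(u.startswith("http://") for u in uris):
            problems.append("List-Unsubscribe uses http:// instead of https://")
        if not any(u.startswith("https://") for u in uris):
            problems.append("no HTTPS URI for one-click POST")
    if post is None:
        problems.append("List-Unsubscribe-Post header is missing")
    elif post.strip() != "List-Unsubscribe=One-Click":
        problems.append("List-Unsubscribe-Post must be List-Unsubscribe=One-Click")
    return problems

# Constructed sample messages (not taken from real mail).
GOOD = (
    "From: newsletter@example.com\n"
    "Subject: Monthly Newsletter\n"
    "List-Unsubscribe: <https://example.com/unsubscribe?id=SAMPLETOKEN>,\n"
    " <mailto:unsubscribe@example.com?subject=unsubscribe>\n"
    "List-Unsubscribe-Post: List-Unsubscribe=One-Click\n"
    "\n"
    "Hello\n"
)
MISSING_POST = GOOD.replace("List-Unsubscribe-Post: List-Unsubscribe=One-Click\n", "")
PLAIN_HTTP = GOOD.replace("https://", "http://")
```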