One-Click Unsubscribe

Definition

One-click unsubscribe is the standard, defined in RFC 8058, that lets a recipient opt out of a mailing list with a single click, with no landing page, login, or confirmation form. The mail client sends one HTTPS POST to your server, which suppresses the address. Gmail and Yahoo have required it from bulk senders since 2024, and it is built on the List-Unsubscribe header.

  • A single click removes the recipient, with no landing page or login
  • The client sends one HTTPS POST request, defined by RFC 8058
  • Needs both the List-Unsubscribe and List-Unsubscribe-Post headers, DKIM-signed
  • Required by Gmail and Yahoo for bulk senders, fully enforced from June 2024
At a glance
Defined in RFC 8058 (2017)
Built on List-Unsubscribe (RFC 2369)
Method HTTPS POST, never a GET
Signal header List-Unsubscribe-Post: List-Unsubscribe=One-Click
Requires A valid DKIM signature
Required by Gmail & Yahoo bulk senders (2024)

How one-click unsubscribe works

RFC 8058 solves a real problem. The original List-Unsubscribe header carried a URL, but security software and mail clients sometimes fetch URLs in headers automatically, which could trigger accidental unsubscribes. One-click fixes this by requiring a deliberate, unambiguous action: the client sends an HTTPS POST request (not a GET that a scanner might trip) only when the user actually clicks unsubscribe.

To advertise that the link is safe for one-click, the sender adds a second header, List-Unsubscribe-Post, containing exactly List-Unsubscribe=One-Click. When the client sees both headers, it shows the native unsubscribe control; on a click, it POSTs to the HTTPS URL with that same key-value pair in the body, and your server suppresses the address. No second click, no form, no landing page is shown to the recipient.

The two headers it needs

One-click is not a single header; it is the pairing of List-Unsubscribe (which carries the HTTPS URL) with List-Unsubscribe-Post (which marks that URL as one-click capable). The URL must be HTTPS, and the message must carry a valid DKIM signature that covers both headers.

The two headers that enable RFC 8058 one-click unsubscribe
List-Unsubscribe: <https://example.com/unsub?id=8a3f&t=9c1e>
List-Unsubscribe-Post: List-Unsubscribe=One-Click

The rules that trip senders up

RFC 8058 is strict about a few details, and getting any of them wrong means the click does nothing:

  • POST, not GET. The client sends an HTTP POST so passive URL-fetching never fires the unsubscribe by accident.
  • No redirects. The endpoint must not return an HTTPS redirect, because many browsers turn a redirected POST into a GET and lose the body.
  • Must be DKIM-signed. The message needs a valid DKIM signature covering the List-Unsubscribe headers, or receivers will not trust the one-click action.
  • HTTPS only. The one-click URL has to be HTTPS; a plain HTTP URL does not qualify.

And the obligation does not end at the POST: Gmail and Yahoo expect the request to be honored within two days. Wiring up the headers but failing to actually suppress the address defeats the entire mechanism and invites spam complaints.

What happens on a one-click unsubscribe

A DKIM-signed message includes both List-Unsubscribe headers
The mail client shows a native Unsubscribe link by the sender
The recipient clicks it once
The client sends a single HTTPS POST to your URL
No redirect allowed POST body: List-Unsubscribe=One-Click
Your server suppresses the address within two days

One-click vs traditional unsubscribe

One-click (RFC 8058) Traditional link
Steps for the user One click Click, then a landing page
Where it appears Native client link, top of message Inside the email body
Method HTTPS POST Opens a web page (GET)
Needs DKIM? Yes No
Required by Gmail/Yahoo? Yes, for bulk senders Not sufficient alone

By the numbers

1 POST
The single HTTPS POST request the client sends to opt the recipient out, with no GET and no redirect.
2017
The year RFC 8058 standardised one-click functionality for List email headers.
2 days
The window Gmail and Yahoo give bulk senders to honor a one-click unsubscribe.

Common mistakes

Returning a redirect from the endpoint
RFC 8058 forbids the one-click URL from returning an HTTPS redirect, because browsers can turn a redirected POST into a GET and drop the body. Handle the POST directly at the URL.
Treating it as a GET link
One-click is a POST, not a page load. Building the endpoint to act on a GET reintroduces the accidental-unsubscribe problem the standard was created to solve and can fail validation.
Skipping the DKIM signature
Without a valid DKIM signature covering the List-Unsubscribe headers, receivers will not honor the one-click action. The headers must be signed so they cannot be forged or stripped.
Logging the opt-out but still mailing
Recording a one-click request but not actually suppressing the address misses the point and breaches the two-day expectation. Stop sending, fast.

Frequently asked questions

What is one-click unsubscribe?
It is a standard, defined in RFC 8058, that lets a recipient leave a mailing list with a single click on a link the mail client shows next to the sender name. The client sends one HTTPS POST request to the sender’s server, which removes the address. There is no landing page, login, or confirmation step for the recipient.
Is one-click unsubscribe required?
For bulk senders, yes. Since 2024 Gmail and Yahoo require any domain sending 5,000 or more messages a day to their users to support one-click unsubscribe in commercial and promotional mail, with full enforcement from June 1, 2024. It needs both the List-Unsubscribe and List-Unsubscribe-Post headers, a DKIM signature, and the request honored within two days.
How is one-click unsubscribe different from a normal unsubscribe link?
A normal unsubscribe link sits in the email body and opens a web page, often asking the recipient to confirm or manage preferences. One-click removes those steps: the mail client shows a native link, and a single click POSTs straight to your server to suppress the address, with nothing else for the user to do. The two can coexist, but bulk senders must support one-click.
Why does one-click use a POST instead of a GET?
Because security scanners and mail clients sometimes fetch URLs in headers automatically with a GET, which could trigger an unsubscribe by accident. Requiring an HTTPS POST means the opt-out only fires on a deliberate click. RFC 8058 also forbids redirects, since a redirected POST can be downgraded to a GET and lose its body.
Reviewed by Jennifer Jackson, Email Deliverability Analyst · June 2026 ← Back to glossary