One-Click Unsubscribe
One-click unsubscribe is the standard, defined in RFC 8058, that lets a recipient opt out of a mailing list with a single click, with no landing page, login, or confirmation form. The mail client sends one HTTPS POST to your server, which suppresses the address. Gmail and Yahoo have required it from bulk senders since 2024, and it is built on the List-Unsubscribe header.
- A single click removes the recipient, with no landing page or login
- The client sends one HTTPS POST request, defined by RFC 8058
-
Needs both the List-Unsubscribe and
List-Unsubscribe-Postheaders, DKIM-signed - Required by Gmail and Yahoo for bulk senders, fully enforced from June 2024
POST, never a GET
List-Unsubscribe-Post: List-Unsubscribe=One-Click
How one-click unsubscribe works
RFC 8058 solves a real problem. The original List-Unsubscribe header carried a URL, but security software and mail clients sometimes fetch URLs in headers automatically, which could trigger accidental unsubscribes. One-click fixes this by requiring a deliberate, unambiguous action: the client sends an HTTPS POST request (not a GET that a scanner might trip) only when the user actually clicks unsubscribe.
To advertise that the link is safe for one-click, the sender adds a second header, List-Unsubscribe-Post, containing exactly List-Unsubscribe=One-Click. When the client sees both headers, it shows the native unsubscribe control; on a click, it POSTs to the HTTPS URL with that same key-value pair in the body, and your server suppresses the address. No second click, no form, no landing page is shown to the recipient.
The two headers it needs
One-click is not a single header; it is the pairing of List-Unsubscribe (which carries the HTTPS URL) with List-Unsubscribe-Post (which marks that URL as one-click capable). The URL must be HTTPS, and the message must carry a valid DKIM signature that covers both headers.
List-Unsubscribe: <https://example.com/unsub?id=8a3f&t=9c1e>
List-Unsubscribe-Post: List-Unsubscribe=One-Click
The rules that trip senders up
RFC 8058 is strict about a few details, and getting any of them wrong means the click does nothing:
- POST, not GET. The client sends an HTTP POST so passive URL-fetching never fires the unsubscribe by accident.
- No redirects. The endpoint must not return an HTTPS redirect, because many browsers turn a redirected POST into a GET and lose the body.
- Must be DKIM-signed. The message needs a valid DKIM signature covering the List-Unsubscribe headers, or receivers will not trust the one-click action.
- HTTPS only. The one-click URL has to be HTTPS; a plain HTTP URL does not qualify.
And the obligation does not end at the POST: Gmail and Yahoo expect the request to be honored within two days. Wiring up the headers but failing to actually suppress the address defeats the entire mechanism and invites spam complaints.
What happens on a one-click unsubscribe
One-click vs traditional unsubscribe
| One-click (RFC 8058) | Traditional link | |
|---|---|---|
| Steps for the user | One click | Click, then a landing page |
| Where it appears | Native client link, top of message | Inside the email body |
| Method | HTTPS POST | Opens a web page (GET) |
| Needs DKIM? | Yes | No |
| Required by Gmail/Yahoo? | Yes, for bulk senders | Not sufficient alone |