I love RFC 8058 and you should, too

Last week I talked about one-click unsubscribe and why I don't think it's a great process. Basically, my concern is bot clicks. I've seen it happen too many times -- email security software will scan an email message body and follow all the links in the message. This triggers a one-click unsub and can result in people falling off of an email list. Does it happen in the millions? Possibly not, but when it happens to the client when trying to send to themselves, and suddenly their CEO or CMO is mad that messages are no longer being received, it results in a client angry at the CRM or ESP platform. It's pain, and it's self-inflicted pain, and a smart sending platform should try to prevent this pain.

TL;DR? One click should really be two click. Go read my prior "hot take" for more details.

Anyway, a couple of ISP/MBP (mailbox provider) folks expressed concern about my post. Specifically, they were worried that I was telling people that "list unsubscribe post" functionality was bad and should be avoided. That's specifically defined in RFC 8058, which provides details of how to utilize the list-unsubscribe header with an additional header and "POST" functionality to allow for a mailbox provider to offer up a special "one click unsubscribe" method. This "Signaling One-Click Functionality for List Email Headers" method, as described in RFC 8058, is safe (or safe enough) from bot clicks and -- let me be very clear -- I do strongly encourage CRMs, ESPs, ISPs and MBPs to support RFC 8058.

The net here is that if you run an email sending platform, you SHOULD add list-unsub and list-unsub POST functionality as described in RFC 8058. And, reading through what's allowed in RFC 8058 + adding a heaping spoonful of my own opinion, I think it should work like this:

  • IF a user clicks the list-unsubscribe URL (meaning it's a GET, not a POST), the sending platform should display a landing page and confirm the unsub by asking the user to click.
  • IF a user clicks the "one click" unsub button in the mailbox provider UI, and the mailbox provider UI does a "POST" call to the list-unsub URL, then the send platform should immediately unsubscribe the requested user. (What status information is displayed then is probably a moot point as I doubt the mailbox provider is going to show that result.)

Meaning, let Gmail perform a one-click unsub (properly, using POST), but don't let Joe User (or a bot) perform a one-click unsub (by just visiting the link, i.e. performing a GET).
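Here is what that split looks like in code. This is an added example written for this post, not code from any ESP or from RFC 8058 itself: the hostname, the token format and the in-memory subscriber store are constructed placeholders. It emits the two headers RFC 8058 requires (the unsubscribe URL must be HTTPS and both headers must be covered by the DKIM signature), treats a GET as "show a confirmation page", treats a POST whose form body is exactly `List-Unsubscribe=One-Click` (the body the RFC tells mailbox providers to send) as an immediate unsubscribe, and treats a POST of the landing page's own confirm button as a human-confirmed unsubscribe. Anything else is rejected without touching the subscription.

```python
"""RFC 8058-style unsubscribe handling: GET confirms, compliant POST acts.

Example code for this post; endpoint names, tokens and the store are constructed.
"""
from urllib.parse import parse_qs

# Hypothetical endpoint. RFC 8058 requires the List-Unsubscribe URL to be HTTPS.
UNSUB_BASE = "https://mail.example.com/unsub"

# Constructed in-memory store keyed by an opaque per-recipient token. The token is
# the only thing the mailbox provider will send back, so it must identify the
# recipient and list on its own (no cookies or login may be required).
SUBSCRIBERS = {
    "tok-abc123": {"email": "user@example.com", "list": "newsletter", "subscribed": True},
}


def outbound_headers(token):
    """Headers the sending platform adds to every list message.

    Both headers must be included in the DKIM signature; a mailbox provider is
    expected to ignore the one-click option if they are not signed.
    """
    return {
        "List-Unsubscribe": (
            f"<{UNSUB_BASE}/{token}>, <mailto:unsub@mail.example.com?subject={token}>"
        ),
        "List-Unsubscribe-Post": "List-Unsubscribe=One-Click",
    }


def classify_request(method, content_type, body):
    """Decide what an incoming hit on the unsubscribe URL is.

    'landing'         - a plain GET (human in a browser, or a link-scanning bot)
    'one-click'       - the RFC 8058 POST from a mailbox provider
    'human-confirmed' - a POST from the confirm button on our own landing page
    'reject'          - anything else
    """
    if method == "GET":
        return "landing"
    if method != "POST":
        return "reject"
    media_type = content_type.split(";", 1)[0].strip().lower()
    if media_type != "application/x-www-form-urlencoded":
        return "reject"
    fields = parse_qs(body, keep_blank_values=True)
    if fields.get("List-Unsubscribe") == ["One-Click"]:
        return "one-click"
    if fields.get("confirm") == ["yes"]:
        return "human-confirmed"
    return "reject"


def handle_unsubscribe(method, token, content_type="", body="", store=SUBSCRIBERS):
    """Return (http_status, outcome). Only a compliant one-click POST or an
    explicit human confirmation changes the subscription; a bare GET never does,
    which is what keeps link-following security scanners from unsubscribing people.
    """
    sub = store.get(token)
    if sub is None:
        return 404, "unknown-token"
    kind = classify_request(method, content_type, body)
    if kind == "landing":
        # Render the "click here to confirm" page; no state change yet.
        return 200, "show-confirm-page"
    if kind in ("one-click", "human-confirmed"):
        sub["subscribed"] = False
        return 200, "unsubscribed"
    return 400, "rejected"


if __name__ == "__main__":
    tok = "tok-abc123"
    print(outbound_headers(tok))
    print("GET  ->", handle_unsubscribe("GET", tok), SUBSCRIBERS[tok]["subscribed"])
    print("POST ->", handle_unsubscribe(
        "POST", tok, "application/x-www-form-urlencoded", "List-Unsubscribe=One-Click"),
        SUBSCRIBERS[tok]["subscribed"])
```

The landing page's confirm form posts `confirm=yes` to the same URL, so a scanner that merely fetches the link sees the page and moves on, while a real person who clicks the button (or a mailbox provider sending the RFC body) is unsubscribed on the spot.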

I see some smart email sending platforms handling things this way today, and I think that's the safest, best way to get to the spirit of RFC 8058, and as close to one-click unsub as you can safely do.

I hope that helps to clear things up a bit. Let me know in the comments (or on Twitter or LinkedIn) if you think I got any part of this wrong. And thanks for reading.
