List-unsub-post in your DKIM configuration

I grant you that this is a niche one. Will this tip be helpful to millions? No... but hey, it's my blog. Anyway: Do you manage your own email sending platform?

Is it a homegrown thing? Maybe you’re using Postfix? Or maybe you’re using the fancy commercial MTA Momentum? Either way, you’re using OpenDKIM to authenticate mail by adding a DKIM signature to every outbound message, yes?

So, did you go into the opendkim.conf file and add “list-unsubscribe-post” to the “SignHeaders” parameter? Because it probably wasn’t there already, unless you already went in and added it previously. It certainly wasn’t in MY default OpenDKIM configuration.

Point being, if your DKIM signature doesn’t cover the list-unsubscribe header AND the list-unsubscribe-post header, you’re not in compliance with RFC 8058, and I wouldn’t expect good things to happen at Yahoo and Google, because you’re not in compliance with the latest version of their “one click unsubscribe” requirements.

As I write this today I can see emails delivered today to my inbox from well-known messaging platforms that don’t have this configured properly. Check for yourself. View that message source, and look for the DKIM header. Find the h= field in the DKIM header. Does it include list-unsubscribe AND list-unsubscribe-post? It should, if it’s a bulk marketing message sent by a legitimate email service provider platform. If not…oof.
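The manual check above can be scripted. This is an added example, not code from the original post: it parses every DKIM-Signature header in a raw message and reports which of the two unsubscribe headers are missing from the h= tag. The sample message, domains and selectors are constructed for illustration.

```python
from email import message_from_string

# Headers the post says the DKIM signature must cover (RFC 8058 one-click unsubscribe).
REQUIRED = ("list-unsubscribe", "list-unsubscribe-post")

def parse_tags(sig_value):
    """Split one DKIM-Signature value into its tag=value pairs."""
    tags = {}
    for part in sig_value.split(";"):
        name, sep, value = part.partition("=")  # first "=" only; b=/bh= may contain more
        if sep:
            tags[name.strip().lower()] = "".join(value.split())  # drop folding whitespace
    return tags

def unsub_coverage(raw_message):
    """Return (d=, s=, missing headers) for every DKIM-Signature in the message."""
    msg = message_from_string(raw_message)
    report = []
    for sig in msg.get_all("DKIM-Signature", []):
        tags = parse_tags(sig)
        # h= is a colon-separated, case-insensitive list of signed header names.
        signed = {h.lower() for h in tags.get("h", "").split(":") if h}
        missing = [h for h in REQUIRED if h not in signed]
        report.append((tags.get("d", "?"), tags.get("s", "?"), missing))
    return report

# Constructed sample: two signatures, only the first covers both headers.
SAMPLE = """\
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=brand.example; s=s1;
\th=From:To:Subject:Date:List-Unsubscribe:
\t List-Unsubscribe-Post; bh=Zm9v; b=YmFy
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=esp.example; s=k2;
\th=from:to:subject:date:list-unsubscribe; bh=Zm9v; b=YmFy
From: news@brand.example
To: reader@example.net
Subject: Weekly update
List-Unsubscribe: <https://brand.example/u/constructed-token>
List-Unsubscribe-Post: List-Unsubscribe=One-Click

Hello.
"""

if __name__ == "__main__":
    for domain, selector, missing in unsub_coverage(SAMPLE):
        print(domain, selector, "OK" if not missing else "missing: " + ", ".join(missing))
```

Save a message source to a file and pass its contents to `unsub_coverage` to run the same check on real mail; an empty list means the message carries no DKIM-Signature header at all.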

KumoMTA users: For those folks using the new open source KumoMTA, I do believe you would look here or here as far as configuring what headers are included in your DKIM signature.

Thanks to MV Braverman (website, Linkedin) for the idea for this post.


  1. Hello Al!
    Does the RFC8058 check done by include the DKIM on the list unsub or you don't know yet? :)

  2. Yes, the Aboutmy.Email tester does check for this!

