The Ultimate Guide to Unsubscribe and List-Unsubscribe Best Practices.
Email deliverability is built on trust. One of the clearest ways to show respect for your subscribers is to give them a clear, simple, and standards-compliant unsubscribe option.
This isn’t just about compliance with laws like CAN-SPAM, GDPR, or CASL. A frictionless unsubscribe flow lowers spam complaints, improves sender reputation, and aligns you with strict requirements from mailbox providers like Gmail, Yahoo, Microsoft, and Apple.
In this guide, we’ll take a deep dive into:
– The RFC standards that define unsubscribe
– Provider and client support (mailto vs HTTP)
– Why RFC 8058 solved the infamous ‘bot problem’
– GET vs POST unsubscribe methods
– ESP and custom infrastructure requirements
– What the future looks like for unsubscribe management
1. What Is a List-Unsubscribe Header?
A List-Unsubscribe header is an email header that tells inbox providers how a recipient can unsubscribe. Instead of hunting for a link buried at the bottom of an email, subscribers see a native ‘Unsubscribe’ button or banner inside their client.
Example: Gmail shows ‘Unsubscribe’ next to the sender’s name at the top of the message.
A simple header might look like:
List-Unsubscribe: <mailto:[email protected]>,
<https://example.com/unsub?id=12345>
Modern one-click headers use RFC 8058:
List-Unsubscribe: <https://example.com/unsub?id=12345>
List-Unsubscribe-Post: List-Unsubscribe=One-Click
2. What Do the RFCs Say?
RFC | Focus | Relevance |
RFC 2369 (1998) | List-* headers | Introduced List-Unsubscribe, List-Help, List-Subscribe |
RFC 2919 (2001) | List-Id header | Standardized identifiers for mailing lists |
RFC 8058 (2017) | One-Click Unsubscribe | Defined List-Unsubscribe-Post for safe POST-based unsubscribes |
The big leap came with RFC 8058, which fixed the ‘bot problem.’
3. RFC 8058: Solving the Bot Problem
Before RFC 8058, unsubscribe URLs often used GET. Security scanners, spam filters, and anti-virus bots routinely pre-clicked every link in incoming mail. This meant users could be unsubscribed without ever choosing to opt out.
RFC 8058 defined One-Click Unsubscribe via POST:
1. Sender includes two headers:
List-Unsubscribe: <https://example.com/unsub/opaque-id>
List-Unsubscribe-Post: List-Unsubscribe=One-Click
2. The recipient’s mail client performs an HTTPS POST to the unsubscribe endpoint with a body of:
List-Unsubscribe=One-Click
3. The sender’s server unsubscribes only on valid POST requests.
Why it works:
– GET requests from bots are ignored.
– Only POST requests with the specific body trigger unsubscribes.
– No cookies, redirects, or extra parameters are allowed.
– DKIM signatures must cover the unsubscribe headers for authenticity.
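A pre-send check for the header and DKIM requirements above, as an added example that is not code from this guide or from any ESP. It inspects only the `h=` tag of each DKIM-Signature and does not verify the signature cryptographically; the sample messages, addresses and selector are constructed.

```python
import re
from email import message_from_string

REQUIRED = ("list-unsubscribe", "list-unsubscribe-post")

def dkim_header_sets(msg):
    """One set of signed header names (from the h= tag) per DKIM-Signature."""
    sets = []
    for sig in msg.get_all("DKIM-Signature", []):
        tags = dict(t.partition("=")[::2] for t in re.sub(r"\s+", "", sig).split(";") if t)
        sets.append({h.lower() for h in tags.get("h", "").split(":")})
    return sets

def check_one_click(raw):
    """Return a list of problems; an empty list means the message passes."""
    msg = message_from_string(raw)
    problems = []
    uris = re.findall(r"<([^>]+)>", re.sub(r"\s+", "", msg.get("List-Unsubscribe", "")))
    # RFC 8058 wants one HTTPS URI; other schemes such as mailto may sit beside it.
    if sum(u.lower().startswith("https://") for u in uris) != 1:
        problems.append("List-Unsubscribe must contain one HTTPS URI")
    if msg.get("List-Unsubscribe-Post", "").strip() != "List-Unsubscribe=One-Click":
        problems.append("List-Unsubscribe-Post must be List-Unsubscribe=One-Click")
    # A single signature has to cover both headers; a union across signatures is not enough.
    if not any(all(h in s for h in REQUIRED) for s in dkim_header_sets(msg)):
        problems.append("no DKIM signature covers both unsubscribe headers")
    return problems

# Constructed sample messages (addresses, selector and signature values are made up).
HEAD = (
    "From: News <news@example.com>\n"
    "To: reader@example.net\n"
    "Subject: Weekly update\n"
    "List-Unsubscribe: <mailto:unsub@example.com>,\n"
    " <https://example.com/unsub/opaque-id>\n"
    "List-Unsubscribe-Post: List-Unsubscribe=One-Click\n"
    "DKIM-Signature: v=1; a=rsa-sha256; d=example.com; s=sel1;\n"
)
GOOD = HEAD + " h=from:to:subject:list-unsubscribe:list-unsubscribe-post;\n bh=x; b=x\n\nbody\n"
BAD = HEAD + " h=from:to:subject:list-unsubscribe;\n bh=x; b=x\n\nbody\n"

if __name__ == "__main__":
    print(check_one_click(GOOD))
    print(check_one_click(BAD))
```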
4. Who Supports List-Unsubscribe?
Provider / Client | Mailto | HTTP/HTTPS | One-Click POST (RFC 8058) |
Gmail | Yes | Yes | Yes (mandatory since June 2024) |
Yahoo / AOL | Yes | Yes | Yes (mandatory since June 2024) |
Outlook.com / Office 365 | Yes | Yes | Partial |
Apple Mail (macOS, iOS) | Yes | Yes | No |
Thunderbird | Yes | No | No |
ProtonMail | No | No | No |
Zoho Mail | Yes | Yes | No |
GMX / Web.de | Yes | Yes | No (GET-based) |
Mail.ru | Yes | Yes | No |
Fastmail | Yes | Yes | No |
Hey.com | No | No | No |
5. Mailto vs HTTP Unsubscribe
Method | How It Works | Strengths | Weaknesses |
Mailto | Generates an email to [email protected] | Simple, universal, legacy-friendly | Requires inbound parsing, slower, harder to automate |
HTTP/HTTPS | Uses a web endpoint | Fast, supports APIs, enables POST | Dangerous if GET-only (bot triggers) |
6. GET vs POST Unsubscribe
GET: Quick but unsafe. Bots trigger unsubscribes accidentally.
POST: Requires explicit user action. Safer and compliant with RFC 8058.
Example GET:
GET /unsub?id=12345
Example POST:
POST /unsub/opaque-id
Body: List-Unsubscribe=One-Click
Gmail and Yahoo now enforce POST only.
7. ESP and Custom Infrastructure Requirements
Major ESPs like Mailchimp, SendGrid, HubSpot, and Amazon SES automatically insert unsubscribe headers, manage suppression lists, process feedback loop complaints, and offer preference centers.
If you self-host using Postfix, PowerMTA, or KumoMTA, you must:
– Generate List-Unsubscribe and List-Unsubscribe-Post headers
– Maintain a suppression database
– Expose unsubscribe endpoints that act only on POST requests
– Reject or safely handle GET requests
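The self-hosted requirements above as framework-free request logic, in an added example that is not code from this guide or from any MTA. Assumptions: the in-memory dicts stand in for a token store and a suppression database, the `one-click` reason code and function names are hypothetical, and only `application/x-www-form-urlencoded` bodies are parsed.

```python
import secrets
from urllib.parse import parse_qs

BASE = "https://example.com/unsub/"   # endpoint prefix taken from the guide's examples
TOKENS = {}       # opaque token -> (address, list_id); stand-in for a token store
SUPPRESSED = {}   # (address, list_id) -> reason code; stand-in for a suppression DB

def unsubscribe_headers(address, list_id):
    """Build the two headers for one recipient, using an unguessable token."""
    token = secrets.token_urlsafe(32)   # reveals nothing about the recipient
    TOKENS[token] = (address, list_id)
    return {
        "List-Unsubscribe": f"<{BASE}{token}>",
        "List-Unsubscribe-Post": "List-Unsubscribe=One-Click",
    }

def handle(method, path, body=""):
    """Return (status, action) for a request to the unsubscribe endpoint."""
    record = TOKENS.get(path.rsplit("/", 1)[-1])
    if record is None:
        return 404, "unknown token"
    if method != "POST":
        # Link scanners pre-fetch URLs with GET: answer, but change no state.
        return 200, "show confirmation page"
    if parse_qs(body).get("List-Unsubscribe") != ["One-Click"]:
        return 400, "bad body"
    SUPPRESSED[record] = "one-click"    # reason code kept with the suppression
    return 200, "unsubscribed"

if __name__ == "__main__":
    headers = unsubscribe_headers("reader@example.net", "newsletter")  # constructed
    path = headers["List-Unsubscribe"][1:-1].replace("https://example.com", "")
    print(handle("GET", path), SUPPRESSED)
    print(handle("POST", path, "List-Unsubscribe=One-Click"), SUPPRESSED)
```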
8. The Future of Unsubscribe
Gmail – Moving toward a centralized ‘Manage Subscriptions’ dashboard.
Yahoo – Testing an ‘Unsubscribe Folder’ for bulk opt-outs.
Microsoft – Uses unsubscribe signals to sort Focused vs Other vs Junk.
Apple – Prominent unsubscribe banners in Mail, privacy-first focus.
ESPs – Blocking campaigns without headers, expanding preference centers.
9. Best Practices Checklist
– Include both mailto and HTTP unsubscribe
– Implement RFC 8058 one-click POST
– Sign headers with DKIM
– Ignore GET requests for unsubscribes
– Maintain a suppression list with reason codes
– Offer preference centers when possible
– Monitor Gmail Postmaster and Yahoo rules closely
Final Word
Unsubscribe is not the end of a relationship. It is part of a healthy one. By making it easy to leave, you strengthen engagement with those who stay. RFC 8058 gave the industry the tools to separate real human intent from bot noise. Gmail and Yahoo made it a requirement, and the rest of the ecosystem is following.
For any sender serious about inbox placement in 2025 and beyond, unsubscribe is no longer optional. It is mission-critical.