1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
|
<pre>Internet Engineering Task Force (IETF) J. Levine
Request for Comments: 8058 Taughannock Networks
Category: Standards Track T. Herkula
ISSN: 2070-1721 optivo GmbH
January 2017
<span class="h1">Signaling One-Click Functionality for List Email Headers</span>
Abstract
This document describes a method for signaling a one-click function
for the List-Unsubscribe email header field. The need for this
arises out of the actuality that mail software sometimes fetches URLs
in mail header fields, and thereby accidentally triggers
unsubscriptions in the case of the List-Unsubscribe header field.
Status of This Memo
This is an Internet Standards Track document.
This document is a product of the Internet Engineering Task Force
(IETF). It represents the consensus of the IETF community. It has
received public review and has been approved for publication by the
Internet Engineering Steering Group (IESG). Further information on
Internet Standards is available in <a href="./rfc7841#section-2">Section 2 of RFC 7841</a>.
Information about the current status of this document, any errata,
and how to provide feedback on it may be obtained at
<a href="http://www.rfc-editor.org/info/rfc8058">http://www.rfc-editor.org/info/rfc8058</a>.
Copyright Notice
Copyright (c) 2017 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to <a href="https://www.rfc-editor.org/bcp/bcp78">BCP 78</a> and the IETF Trust's Legal
Provisions Relating to IETF Documents
(<a href="http://trustee.ietf.org/license-info">http://trustee.ietf.org/license-info</a>) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License.
<span class="grey">Levine & Herkula Standards Track [Page 1]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-2" ></span>
<span class="grey"><a href="./rfc8058">RFC 8058</a> One-Click Unsubscribe January 2017</span>
Table of Contents
<a href="#section-1">1</a>. Introduction and Motivation . . . . . . . . . . . . . . . . . <a href="#page-2">2</a>
<a href="#section-2">2</a>. Definitions . . . . . . . . . . . . . . . . . . . . . . . . . <a href="#page-3">3</a>
<a href="#section-3">3</a>. Implementation . . . . . . . . . . . . . . . . . . . . . . . <a href="#page-4">4</a>
<a href="#section-3.1">3.1</a>. Mail Senders . . . . . . . . . . . . . . . . . . . . . . <a href="#page-4">4</a>
<a href="#section-3.2">3.2</a>. Mail Receivers . . . . . . . . . . . . . . . . . . . . . <a href="#page-5">5</a>
<a href="#section-4">4</a>. Additional Requirements . . . . . . . . . . . . . . . . . . . <a href="#page-5">5</a>
<a href="#section-5">5</a>. Header Syntax . . . . . . . . . . . . . . . . . . . . . . . . <a href="#page-5">5</a>
<a href="#section-6">6</a>. Security Considerations . . . . . . . . . . . . . . . . . . . <a href="#page-5">5</a>
<a href="#section-7">7</a>. IANA Considerations . . . . . . . . . . . . . . . . . . . . . <a href="#page-6">6</a>
<a href="#section-8">8</a>. Examples . . . . . . . . . . . . . . . . . . . . . . . . . . <a href="#page-7">7</a>
<a href="#section-8.1">8.1</a>. Simple . . . . . . . . . . . . . . . . . . . . . . . . . <a href="#page-7">7</a>
<a href="#section-8.2">8.2</a>. Complex . . . . . . . . . . . . . . . . . . . . . . . . . <a href="#page-7">7</a>
<a href="#section-8.3">8.3</a>. Complex with 'multipart/form-data' . . . . . . . . . . . <a href="#page-7">7</a>
<a href="#section-9">9</a>. Normative References . . . . . . . . . . . . . . . . . . . . <a href="#page-8">8</a>
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . <a href="#page-8">8</a>
<span class="h2"><a class="selflink" id="section-1" href="#section-1">1</a>. Introduction and Motivation</span>
A List-Unsubscribe email header field [<a href="./rfc2369" title=""The Use of URLs as Meta-Syntax for Core Mail List Commands and their Transport through Message Header Fields"">RFC2369</a>] can contain HTTPS
[<a href="./rfc7230" title=""Hypertext Transfer Protocol (HTTP/1.1): Message Syntax and Routing"">RFC7230</a>] URIs. In that header field, the HTTPS URI is intended to
unsubscribe the recipient of the message from the list. But anti-
spam software often fetches all resources in mail header fields
automatically, without any action by the user, and there is no
mechanical way for a sender to tell whether a request was made
automatically by anti-spam software or manually requested by a user.
To prevent accidental unsubscriptions, senders return landing pages
with a confirmation step to finish the unsubscribe request. A live
user would recognize and act on this confirmation step, but an
automated system would not. That makes the unsubscription process
more complex than a single click.
Operators of broadcast marketing lists tend to be primarily concerned
about deliverability of their mail: whether the mail is delivered to
the recipients and how the messages are presented, e.g., whether in
the primary inbox or in a junk folder. Many mail systems allow
recipients to report mail as spam or junk, and mail streams from
senders whose mail is often reported as junk tend to have poor
deliverability. Hence, the mailers want to make it as easy as
possible for recipients to unsubscribe; if an unsubscription process
is too difficult, the recipient's alternative is to report mail from
the sender as junk until the mail no longer appears in the
recipient's inbox.
Operators of recipient mail systems are aware that their users do not
make a clear distinction between unsubscription and junk. In some
cases, they allow trustworthy mailers to request notification when
<span class="grey">Levine & Herkula Standards Track [Page 2]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-3" ></span>
<span class="grey"><a href="./rfc8058">RFC 8058</a> One-Click Unsubscribe January 2017</span>
their mail is reported as junk so they can unsubscribe the recipient,
but the process of identifying trustworthy mailers and notifying them
does not scale well to large numbers of small mailers. This
specification provides a way for recipient systems to notify the
mailer automatically, using only information within the mail message,
and without prearrangement. Some recipient systems might wish to
send an unsubscription notice to mailers whenever a user reports a
message as junk, or they might offer the user the option of reporting
and unsubscribing.
If a mail recipient is unsubscribing manually and the unsubscription
process requires confirmation, the resulting web page is presented to
the recipient who can then click the appropriate button. But when
the unsubscribe action is combined with a user junk report, there is
no direct user interaction with the mailer's website. Similarly, if
a mail system automatically unsubscribes recipient mailboxes that
have been closed or abandoned, there can be no interaction with a
user who is not present. In those cases, the unsubscription process
has to work without manual intervention, and in particular without
requiring that software attempt to interpret the contents of a
confirmation page.
This document addresses this part of the problem, with an HTTPS POST
action for mail receivers. Mail senders can distinguish this action
from other unsubscribe requests and handle it as a one-click
unsubscription without manual intervention by the mail recipient.
This document has two goals:
o Allow email senders to signal that a List-Unsubscribe header field
[<a href="./rfc2369" title=""The Use of URLs as Meta-Syntax for Core Mail List Commands and their Transport through Message Header Fields"">RFC2369</a>] has one-click functionality.
o Allow MUA (Mail User Agent) users to unsubscribe from mailing
lists in a familiar environment and without leaving the MUA
context. A receiving system can process an unsubscription request
in the background without further interaction and know that it can
be fully processed by the mail sender's system.
<span class="h2"><a class="selflink" id="section-2" href="#section-2">2</a>. Definitions</span>
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in [<a href="./rfc2119" title=""Key words for use in RFCs to Indicate Requirement Levels"">RFC2119</a>] when written
in all capital letters.
<span class="grey">Levine & Herkula Standards Track [Page 3]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-4" ></span>
<span class="grey"><a href="./rfc8058">RFC 8058</a> One-Click Unsubscribe January 2017</span>
<span class="h2"><a class="selflink" id="section-3" href="#section-3">3</a>. Implementation</span>
<span class="h3"><a class="selflink" id="section-3.1" href="#section-3.1">3.1</a>. Mail Senders</span>
A mail sender that wishes to enable one-click unsubscriptions places
one List-Unsubscribe header field and one List-Unsubscribe-Post
header field in the message. The List-Unsubscribe header field MUST
contain one HTTPS URI. It MAY contain other non-HTTP/S URIs such as
MAILTO:. The List-Unsubscribe-Post header MUST contain the single
key/value pair "List-Unsubscribe=One-Click". As described below, the
message MUST have a valid DomainKeys Identified Mail (DKIM) signature
that covers at least the List-Unsubscribe and List-Unsubscribe-Post
headers.
The URI in the List-Unsubscribe header MUST contain enough
information to identify the mail recipient and the list from which
the recipient is to be removed, so that the unsubscription process
can complete automatically. Since there is no provision for extra
POST arguments, any information about the message or recipient is
encoded in the URI. In particular, one-click has no way to ask the
user what address or from what list the user wishes to unsubscribe.
The POST request MUST NOT include cookies, HTTP authorization, or any
other context information. The unsubscribe operation is logically
unrelated to any previous web activity, and context information could
inappropriately link the unsubscribe to previous activity.
The URI SHOULD include an opaque identifier or another hard-to-forge
component in addition to, or instead of, the plaintext names of the
list and the subscriber. The server handling the unsubscription
SHOULD verify that the opaque or hard-to-forge component is valid.
This will deter attacks in which a malicious party sends spam with
List-Unsubscribe links for a victim list, with the intention of
causing list unsubscriptions from the victim list as a side effect of
users reporting the spam, or where the attacker does POSTs directly
to the mail sender's unsubscription server.
The mail sender needs to provide the infrastructure to handle POST
requests to the specified URI in the List-Unsubscribe header, and to
handle the unsubscribe requests that its mail will provoke.
The mail sender MUST NOT return an HTTPS redirect, since redirected
POST actions have historically not worked reliably, and many browsers
have turned redirected HTTP POSTs into GETs.
This document does not update [<a href="./rfc2369" title=""The Use of URLs as Meta-Syntax for Core Mail List Commands and their Transport through Message Header Fields"">RFC2369</a>], so the usage of List-
Unsubscribe URIs other than for one-click remains unchanged.
<span class="grey">Levine & Herkula Standards Track [Page 4]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-5" ></span>
<span class="grey"><a href="./rfc8058">RFC 8058</a> One-Click Unsubscribe January 2017</span>
<span class="h3"><a class="selflink" id="section-3.2" href="#section-3.2">3.2</a>. Mail Receivers</span>
A mail receiver can do a one-click unsubscription by performing an
HTTPS POST to the HTTPS URI in the List-Unsubscribe header. It sends
the key/value pair in the List-Unsubscribe-Post header as the request
body.
The POST content SHOULD be sent as 'multipart/form-data' [<a href="./rfc7578" title=""Returning Values from Forms: multipart/ form-data"">RFC7578</a>] or
MAY be sent as 'application/x-www-form-urlencoded'. These encodings
are the ones used by web browsers when sending forms. The target of
the POST action is the same as the one in the GET action for a manual
unsubscription, so this is intended to allow the same server code to
handle both.
The mail receiver MUST NOT perform a POST on the HTTPS URI without
user consent. When and how the user consent is obtained is not part
of this specification.
<span class="h2"><a class="selflink" id="section-4" href="#section-4">4</a>. Additional Requirements</span>
The message needs at least one valid authentication identifier. In
this version of the specification, the only supported identifier type
is DKIM [<a href="./rfc6376" title=""DomainKeys Identified Mail (DKIM) Signatures"">RFC6376</a>]. Hence, senders MUST apply at least one valid DKIM
signature to the message.
The List-Unsubscribe and List-Unsubscribe-Post headers MUST be
covered by the signature and included in the "h=" tag of a valid
DKIM-Signature header field.
If the message does not have the required DKIM signature, the mail
receiver SHOULD NOT offer a one-click unsubscribe for that message.
<span class="h2"><a class="selflink" id="section-5" href="#section-5">5</a>. Header Syntax</span>
The following ABNF imports fields, WSP, and CRLF from [<a href="./rfc5322" title=""Internet Message Format"">RFC5322</a>].
fields =/ list-unsubscribe-post
list-unsubscribe-post = "List-Unsubscribe-Post:" 0*1WSP postarg CRLF
postarg = "List-Unsubscribe=One-Click"
<span class="h2"><a class="selflink" id="section-6" href="#section-6">6</a>. Security Considerations</span>
The List-Unsubscribe header can contain a plaintext or encoded
version of the recipient address, but that address is usually also in
the To: header. This specification allows anyone with access to a
<span class="grey">Levine & Herkula Standards Track [Page 5]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-6" ></span>
<span class="grey"><a href="./rfc8058">RFC 8058</a> One-Click Unsubscribe January 2017</span>
message to unsubscribe the recipient of the message, but that's
typically the case with existing List-Unsubscribe, just with more
steps.
A malicious mailer could send spam with content intended to provoke
large numbers of unsubscriptions and with suitably crafted headers to
send POST requests to servers that perhaps don't want them. But it's
been possible to provoke GET requests in a similar way for a long
time (and much easier, due to spam filter auto-fetches), so the
chances of significantly increased annoyance seem low. The content
of the List-Unsubscribe-Post header is limited to a single known key/
value pair to prevent an attacker from creating malicious messages
where the POST operation could simulate a user filling in an
arbitrary form on a victim website.
The unsubscribe operation provides a strong hint to the mailer that
the address to which the message was sent was valid, and could in
principle be used as a way to test whether an email address is valid.
In practice, though, there are simpler ways such as embedding image
links into the HTML of a message and seeing whether the recipient
fetches the images.
Since the mailer's server that receives the POST request cannot in
general tell where the request is coming from, the URI SHOULD contain
an opaque identifier or another hard-to-forge component to identify
the list and recipient address. That can ensure that the request
originated from the List-Unsubscribe and List-Unsubscribe-Post
headers in a message the mailer sent. Also, the request MUST NOT
include cookies or other context information to prevent the server
from associating the request with previous web requests.
<span class="h2"><a class="selflink" id="section-7" href="#section-7">7</a>. IANA Considerations</span>
IANA has added a new entry to the "Permanent Message Header Field
Names" registry.
Header field name: List-Unsubscribe-Post
Applicable protocol: mail
Status: standard
Author/Change controller: IETF
Specification document: <a href="./rfc8058">RFC 8058</a>
<span class="grey">Levine & Herkula Standards Track [Page 6]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-7" ></span>
<span class="grey"><a href="./rfc8058">RFC 8058</a> One-Click Unsubscribe January 2017</span>
<span class="h2"><a class="selflink" id="section-8" href="#section-8">8</a>. Examples</span>
<span class="h3"><a class="selflink" id="section-8.1" href="#section-8.1">8.1</a>. Simple</span>
Header in Email
List-Unsubscribe: <https://example.com/unsubscribe/opaquepart>
List-Unsubscribe-Post: List-Unsubscribe=One-Click
Resulting POST request
POST /unsubscribe/opaquepart HTTP/1.1
Host: example.com
Content-Type: application/x-www-form-urlencoded
Content-Length: 26
List-Unsubscribe=One-Click
<span class="h3"><a class="selflink" id="section-8.2" href="#section-8.2">8.2</a>. Complex</span>
Header in Email
List-Unsubscribe:
<mailto:listrequest@example.com?subject=unsubscribe>,
<https://example.com/unsubscribe.html?opaque=123456789>
List-Unsubscribe-Post: List-Unsubscribe=One-Click
Resulting POST request
POST /unsubscribe.html?opaque=123456789 HTTP/1.1
Host: example.com
Content-Type: application/x-www-form-urlencoded
Content-Length: 26
List-Unsubscribe=One-Click
<span class="h3"><a class="selflink" id="section-8.3" href="#section-8.3">8.3</a>. Complex with 'multipart/form-data'</span>
Header in Email
List-Unsubscribe:
<mailto:listrequest@example.com?subject=unsubscribe>,
<https://example.com/unsubscribe.html/opaque123456789>
List-Unsubscribe-Post: List-Unsubscribe=One-Click
<span class="grey">Levine & Herkula Standards Track [Page 7]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-8" ></span>
<span class="grey"><a href="./rfc8058">RFC 8058</a> One-Click Unsubscribe January 2017</span>
Resulting POST request
POST /unsubscribe.html/opaque=123456789 HTTP/1.1
Host: example.com
Content-Type: multipart/form-data; boundary=---FormBoundaryjWmhtjORrn
Content-Length: 124
---FormBoundaryjWmhtjORrn
Content-Disposition: form-data; name="List-Unsubscribe"
One-Click
---FormBoundaryjWmhtjORrn--
<span class="h2"><a class="selflink" id="section-9" href="#section-9">9</a>. Normative References</span>
[<a id="ref-RFC2119">RFC2119</a>] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", <a href="https://www.rfc-editor.org/bcp/bcp14">BCP 14</a>, <a href="./rfc2119">RFC 2119</a>,
DOI 10.17487/RFC2119, March 1997,
<<a href="http://www.rfc-editor.org/info/rfc2119">http://www.rfc-editor.org/info/rfc2119</a>>.
[<a id="ref-RFC2369">RFC2369</a>] Neufeld, G. and J. Baer, "The Use of URLs as Meta-Syntax
for Core Mail List Commands and their Transport through
Message Header Fields", <a href="./rfc2369">RFC 2369</a>, DOI 10.17487/RFC2369,
July 1998, <<a href="http://www.rfc-editor.org/info/rfc2369">http://www.rfc-editor.org/info/rfc2369</a>>.
[<a id="ref-RFC5322">RFC5322</a>] Resnick, P., Ed., "Internet Message Format", <a href="./rfc5322">RFC 5322</a>,
DOI 10.17487/RFC5322, October 2008,
<<a href="http://www.rfc-editor.org/info/rfc5322">http://www.rfc-editor.org/info/rfc5322</a>>.
[<a id="ref-RFC6376">RFC6376</a>] Crocker, D., Ed., Hansen, T., Ed., and M. Kucherawy, Ed.,
"DomainKeys Identified Mail (DKIM) Signatures", STD 76,
<a href="./rfc6376">RFC 6376</a>, DOI 10.17487/RFC6376, September 2011,
<<a href="http://www.rfc-editor.org/info/rfc6376">http://www.rfc-editor.org/info/rfc6376</a>>.
[<a id="ref-RFC7230">RFC7230</a>] Fielding, R., Ed. and J. Reschke, Ed., "Hypertext Transfer
Protocol (HTTP/1.1): Message Syntax and Routing",
<a href="./rfc7230">RFC 7230</a>, DOI 10.17487/RFC7230, June 2014,
<<a href="http://www.rfc-editor.org/info/rfc7230">http://www.rfc-editor.org/info/rfc7230</a>>.
[<a id="ref-RFC7578">RFC7578</a>] Masinter, L., "Returning Values from Forms: multipart/
form-data", <a href="./rfc7578">RFC 7578</a>, DOI 10.17487/RFC7578, July 2015,
<<a href="http://www.rfc-editor.org/info/rfc7578">http://www.rfc-editor.org/info/rfc7578</a>>.
<span class="grey">Levine & Herkula Standards Track [Page 8]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-9" ></span>
<span class="grey"><a href="./rfc8058">RFC 8058</a> One-Click Unsubscribe January 2017</span>
Authors' Addresses
John Levine
Taughannock Networks
PO Box 727
Trumansburg, NY 14886
United States of America
Phone: +1 831 480 2300
Email: standards@taugh.com
URI: <a href="http://jl.ly">http://jl.ly</a>
Tobias Herkula
optivo GmbH
Wallstrasse 16
Berlin 10179
Germany
Phone: +49 30 768078 129
Email: t.herkula@optivo.com
URI: <a href="https://www.optivo.com">https://www.optivo.com</a>
Levine & Herkula Standards Track [Page 9]
</pre>
|
