1
2
3
4
5
6
7Internet Engineering Task Force (IETF) J. Levine
8Request for Comments: 8058 Taughannock Networks
9Category: Standards Track T. Herkula
10ISSN: 2070-1721 optivo GmbH
11 January 2017
12
13
14 Signaling One-Click Functionality for List Email Headers
15
16Abstract
17
18 This document describes a method for signaling a one-click function
19 for the List-Unsubscribe email header field. The need for this
20 arises out of the actuality that mail software sometimes fetches URLs
21 in mail header fields, and thereby accidentally triggers
22 unsubscriptions in the case of the List-Unsubscribe header field.
23
24Status of This Memo
25
26 This is an Internet Standards Track document.
27
28 This document is a product of the Internet Engineering Task Force
29 (IETF). It represents the consensus of the IETF community. It has
30 received public review and has been approved for publication by the
31 Internet Engineering Steering Group (IESG). Further information on
32 Internet Standards is available in Section 2 of RFC 7841.
33
34 Information about the current status of this document, any errata,
35 and how to provide feedback on it may be obtained at
36 http://www.rfc-editor.org/info/rfc8058.
37
38Copyright Notice
39
40 Copyright (c) 2017 IETF Trust and the persons identified as the
41 document authors. All rights reserved.
42
43 This document is subject to BCP 78 and the IETF Trust's Legal
44 Provisions Relating to IETF Documents
45 (http://trustee.ietf.org/license-info) in effect on the date of
46 publication of this document. Please review these documents
47 carefully, as they describe your rights and restrictions with respect
48 to this document. Code Components extracted from this document must
49 include Simplified BSD License text as described in Section 4.e of
50 the Trust Legal Provisions and are provided without warranty as
51 described in the Simplified BSD License.
52
53
54
55
56
57
58Levine & Herkula Standards Track [Page 1]
59
60RFC 8058 One-Click Unsubscribe January 2017
61
62
63Table of Contents
64
65 1. Introduction and Motivation . . . . . . . . . . . . . . . . . 2
66 2. Definitions . . . . . . . . . . . . . . . . . . . . . . . . . 3
67 3. Implementation . . . . . . . . . . . . . . . . . . . . . . . 4
68 3.1. Mail Senders . . . . . . . . . . . . . . . . . . . . . . 4
69 3.2. Mail Receivers . . . . . . . . . . . . . . . . . . . . . 5
70 4. Additional Requirements . . . . . . . . . . . . . . . . . . . 5
71 5. Header Syntax . . . . . . . . . . . . . . . . . . . . . . . . 5
72 6. Security Considerations . . . . . . . . . . . . . . . . . . . 5
73 7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 6
74 8. Examples . . . . . . . . . . . . . . . . . . . . . . . . . . 7
75 8.1. Simple . . . . . . . . . . . . . . . . . . . . . . . . . 7
76 8.2. Complex . . . . . . . . . . . . . . . . . . . . . . . . . 7
77 8.3. Complex with 'multipart/form-data' . . . . . . . . . . . 7
78 9. Normative References . . . . . . . . . . . . . . . . . . . . 8
79 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 8
80
811. Introduction and Motivation
82
83 A List-Unsubscribe email header field [RFC2369] can contain HTTPS
84 [RFC7230] URIs. In that header field, the HTTPS URI is intended to
85 unsubscribe the recipient of the message from the list. But anti-
86 spam software often fetches all resources in mail header fields
87 automatically, without any action by the user, and there is no
88 mechanical way for a sender to tell whether a request was made
89 automatically by anti-spam software or manually requested by a user.
90 To prevent accidental unsubscriptions, senders return landing pages
91 with a confirmation step to finish the unsubscribe request. A live
92 user would recognize and act on this confirmation step, but an
93 automated system would not. That makes the unsubscription process
94 more complex than a single click.
95
96 Operators of broadcast marketing lists tend to be primarily concerned
97 about deliverability of their mail: whether the mail is delivered to
98 the recipients and how the messages are presented, e.g., whether in
99 the primary inbox or in a junk folder. Many mail systems allow
100 recipients to report mail as spam or junk, and mail streams from
101 senders whose mail is often reported as junk tend to have poor
102 deliverability. Hence, the mailers want to make it as easy as
103 possible for recipients to unsubscribe; if an unsubscription process
104 is too difficult, the recipient's alternative is to report mail from
105 the sender as junk until the mail no longer appears in the
106 recipient's inbox.
107
108 Operators of recipient mail systems are aware that their users do not
109 make a clear distinction between unsubscription and junk. In some
110 cases, they allow trustworthy mailers to request notification when
111
112
113
114Levine & Herkula Standards Track [Page 2]
115
116RFC 8058 One-Click Unsubscribe January 2017
117
118
119 their mail is reported as junk so they can unsubscribe the recipient,
120 but the process of identifying trustworthy mailers and notifying them
121 does not scale well to large numbers of small mailers. This
122 specification provides a way for recipient systems to notify the
123 mailer automatically, using only information within the mail message,
124 and without prearrangement. Some recipient systems might wish to
125 send an unsubscription notice to mailers whenever a user reports a
126 message as junk, or they might offer the user the option of reporting
127 and unsubscribing.
128
129 If a mail recipient is unsubscribing manually and the unsubscription
130 process requires confirmation, the resulting web page is presented to
131 the recipient who can then click the appropriate button. But when
132 the unsubscribe action is combined with a user junk report, there is
133 no direct user interaction with the mailer's website. Similarly, if
134 a mail system automatically unsubscribes recipient mailboxes that
135 have been closed or abandoned, there can be no interaction with a
136 user who is not present. In those cases, the unsubscription process
137 has to work without manual intervention, and in particular without
138 requiring that software attempt to interpret the contents of a
139 confirmation page.
140
141 This document addresses this part of the problem, with an HTTPS POST
142 action for mail receivers. Mail senders can distinguish this action
143 from other unsubscribe requests and handle it as a one-click
144 unsubscription without manual intervention by the mail recipient.
145
146 This document has two goals:
147
148 o Allow email senders to signal that a List-Unsubscribe header field
149 [RFC2369] has one-click functionality.
150
151 o Allow MUA (Mail User Agent) users to unsubscribe from mailing
152 lists in a familiar environment and without leaving the MUA
153 context. A receiving system can process an unsubscription request
154 in the background without further interaction and know that it can
155 be fully processed by the mail sender's system.
156
1572. Definitions
158
159 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
160 "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
161 document are to be interpreted as described in [RFC2119] when written
162 in all capital letters.
163
164
165
166
167
168
169
170Levine & Herkula Standards Track [Page 3]
171
172RFC 8058 One-Click Unsubscribe January 2017
173
174
1753. Implementation
176
1773.1. Mail Senders
178
179 A mail sender that wishes to enable one-click unsubscriptions places
180 one List-Unsubscribe header field and one List-Unsubscribe-Post
181 header field in the message. The List-Unsubscribe header field MUST
182 contain one HTTPS URI. It MAY contain other non-HTTP/S URIs such as
183 MAILTO:. The List-Unsubscribe-Post header MUST contain the single
184 key/value pair "List-Unsubscribe=One-Click". As described below, the
185 message MUST have a valid DomainKeys Identified Mail (DKIM) signature
186 that covers at least the List-Unsubscribe and List-Unsubscribe-Post
187 headers.
188
189 The URI in the List-Unsubscribe header MUST contain enough
190 information to identify the mail recipient and the list from which
191 the recipient is to be removed, so that the unsubscription process
192 can complete automatically. Since there is no provision for extra
193 POST arguments, any information about the message or recipient is
194 encoded in the URI. In particular, one-click has no way to ask the
195 user what address or from what list the user wishes to unsubscribe.
196
197 The POST request MUST NOT include cookies, HTTP authorization, or any
198 other context information. The unsubscribe operation is logically
199 unrelated to any previous web activity, and context information could
200 inappropriately link the unsubscribe to previous activity.
201
202 The URI SHOULD include an opaque identifier or another hard-to-forge
203 component in addition to, or instead of, the plaintext names of the
204 list and the subscriber. The server handling the unsubscription
205 SHOULD verify that the opaque or hard-to-forge component is valid.
206 This will deter attacks in which a malicious party sends spam with
207 List-Unsubscribe links for a victim list, with the intention of
208 causing list unsubscriptions from the victim list as a side effect of
209 users reporting the spam, or where the attacker does POSTs directly
210 to the mail sender's unsubscription server.
211
212 The mail sender needs to provide the infrastructure to handle POST
213 requests to the specified URI in the List-Unsubscribe header, and to
214 handle the unsubscribe requests that its mail will provoke.
215
216 The mail sender MUST NOT return an HTTPS redirect, since redirected
217 POST actions have historically not worked reliably, and many browsers
218 have turned redirected HTTP POSTs into GETs.
219
220 This document does not update [RFC2369], so the usage of List-
221 Unsubscribe URIs other than for one-click remains unchanged.
222
223
224
225
226Levine & Herkula Standards Track [Page 4]
227
228RFC 8058 One-Click Unsubscribe January 2017
229
230
2313.2. Mail Receivers
232
233 A mail receiver can do a one-click unsubscription by performing an
234 HTTPS POST to the HTTPS URI in the List-Unsubscribe header. It sends
235 the key/value pair in the List-Unsubscribe-Post header as the request
236 body.
237
238 The POST content SHOULD be sent as 'multipart/form-data' [RFC7578] or
239 MAY be sent as 'application/x-www-form-urlencoded'. These encodings
240 are the ones used by web browsers when sending forms. The target of
241 the POST action is the same as the one in the GET action for a manual
242 unsubscription, so this is intended to allow the same server code to
243 handle both.
244
245 The mail receiver MUST NOT perform a POST on the HTTPS URI without
246 user consent. When and how the user consent is obtained is not part
247 of this specification.
248
2494. Additional Requirements
250
251 The message needs at least one valid authentication identifier. In
252 this version of the specification, the only supported identifier type
253 is DKIM [RFC6376]. Hence, senders MUST apply at least one valid DKIM
254 signature to the message.
255
256 The List-Unsubscribe and List-Unsubscribe-Post headers MUST be
257 covered by the signature and included in the "h=" tag of a valid
258 DKIM-Signature header field.
259
260 If the message does not have the required DKIM signature, the mail
261 receiver SHOULD NOT offer a one-click unsubscribe for that message.
262
2635. Header Syntax
264
265 The following ABNF imports fields, WSP, and CRLF from [RFC5322].
266
267 fields =/ list-unsubscribe-post
268
269 list-unsubscribe-post = "List-Unsubscribe-Post:" 0*1WSP postarg CRLF
270
271 postarg = "List-Unsubscribe=One-Click"
272
2736. Security Considerations
274
275 The List-Unsubscribe header can contain a plaintext or encoded
276 version of the recipient address, but that address is usually also in
277 the To: header. This specification allows anyone with access to a
278
279
280
281
282Levine & Herkula Standards Track [Page 5]
283
284RFC 8058 One-Click Unsubscribe January 2017
285
286
287 message to unsubscribe the recipient of the message, but that's
288 typically the case with existing List-Unsubscribe, just with more
289 steps.
290
291 A malicious mailer could send spam with content intended to provoke
292 large numbers of unsubscriptions and with suitably crafted headers to
293 send POST requests to servers that perhaps don't want them. But it's
294 been possible to provoke GET requests in a similar way for a long
295 time (and much easier, due to spam filter auto-fetches), so the
296 chances of significantly increased annoyance seem low. The content
297 of the List-Unsubscribe-Post header is limited to a single known key/
298 value pair to prevent an attacker from creating malicious messages
299 where the POST operation could simulate a user filling in an
300 arbitrary form on a victim website.
301
302 The unsubscribe operation provides a strong hint to the mailer that
303 the address to which the message was sent was valid, and could in
304 principle be used as a way to test whether an email address is valid.
305 In practice, though, there are simpler ways such as embedding image
306 links into the HTML of a message and seeing whether the recipient
307 fetches the images.
308
309 Since the mailer's server that receives the POST request cannot in
310 general tell where the request is coming from, the URI SHOULD contain
311 an opaque identifier or another hard-to-forge component to identify
312 the list and recipient address. That can ensure that the request
313 originated from the List-Unsubscribe and List-Unsubscribe-Post
314 headers in a message the mailer sent. Also, the request MUST NOT
315 include cookies or other context information to prevent the server
316 from associating the request with previous web requests.
317
3187. IANA Considerations
319
320 IANA has added a new entry to the "Permanent Message Header Field
321 Names" registry.
322
323 Header field name: List-Unsubscribe-Post
324
325 Applicable protocol: mail
326
327 Status: standard
328
329 Author/Change controller: IETF
330
331 Specification document: RFC 8058
332
333
334
335
336
337
338Levine & Herkula Standards Track [Page 6]
339
340RFC 8058 One-Click Unsubscribe January 2017
341
342
3438. Examples
344
3458.1. Simple
346
347 Header in Email
348
349 List-Unsubscribe: <https://example.com/unsubscribe/opaquepart>
350 List-Unsubscribe-Post: List-Unsubscribe=One-Click
351
352 Resulting POST request
353
354 POST /unsubscribe/opaquepart HTTP/1.1
355 Host: example.com
356 Content-Type: application/x-www-form-urlencoded
357 Content-Length: 26
358
359 List-Unsubscribe=One-Click
360
3618.2. Complex
362
363 Header in Email
364
365 List-Unsubscribe:
366 <mailto:listrequest@example.com?subject=unsubscribe>,
367 <https://example.com/unsubscribe.html?opaque=123456789>
368 List-Unsubscribe-Post: List-Unsubscribe=One-Click
369
370 Resulting POST request
371
372 POST /unsubscribe.html?opaque=123456789 HTTP/1.1
373 Host: example.com
374 Content-Type: application/x-www-form-urlencoded
375 Content-Length: 26
376
377 List-Unsubscribe=One-Click
378
3798.3. Complex with 'multipart/form-data'
380
381 Header in Email
382
383 List-Unsubscribe:
384 <mailto:listrequest@example.com?subject=unsubscribe>,
385 <https://example.com/unsubscribe.html/opaque123456789>
386 List-Unsubscribe-Post: List-Unsubscribe=One-Click
387
388
389
390
391
392
393
394Levine & Herkula Standards Track [Page 7]
395
396RFC 8058 One-Click Unsubscribe January 2017
397
398
399 Resulting POST request
400
401 POST /unsubscribe.html/opaque=123456789 HTTP/1.1
402 Host: example.com
403 Content-Type: multipart/form-data; boundary=---FormBoundaryjWmhtjORrn
404 Content-Length: 124
405
406 ---FormBoundaryjWmhtjORrn
407 Content-Disposition: form-data; name="List-Unsubscribe"
408
409 One-Click
410 ---FormBoundaryjWmhtjORrn--
411
4129. Normative References
413
414 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
415 Requirement Levels", BCP 14, RFC 2119,
416 DOI 10.17487/RFC2119, March 1997,
417 <http://www.rfc-editor.org/info/rfc2119>.
418
419 [RFC2369] Neufeld, G. and J. Baer, "The Use of URLs as Meta-Syntax
420 for Core Mail List Commands and their Transport through
421 Message Header Fields", RFC 2369, DOI 10.17487/RFC2369,
422 July 1998, <http://www.rfc-editor.org/info/rfc2369>.
423
424 [RFC5322] Resnick, P., Ed., "Internet Message Format", RFC 5322,
425 DOI 10.17487/RFC5322, October 2008,
426 <http://www.rfc-editor.org/info/rfc5322>.
427
428 [RFC6376] Crocker, D., Ed., Hansen, T., Ed., and M. Kucherawy, Ed.,
429 "DomainKeys Identified Mail (DKIM) Signatures", STD 76,
430 RFC 6376, DOI 10.17487/RFC6376, September 2011,
431 <http://www.rfc-editor.org/info/rfc6376>.
432
433 [RFC7230] Fielding, R., Ed. and J. Reschke, Ed., "Hypertext Transfer
434 Protocol (HTTP/1.1): Message Syntax and Routing",
435 RFC 7230, DOI 10.17487/RFC7230, June 2014,
436 <http://www.rfc-editor.org/info/rfc7230>.
437
438 [RFC7578] Masinter, L., "Returning Values from Forms: multipart/
439 form-data", RFC 7578, DOI 10.17487/RFC7578, July 2015,
440 <http://www.rfc-editor.org/info/rfc7578>.
441
442
443
444
445
446
447
448
449
450Levine & Herkula Standards Track [Page 8]
451
452RFC 8058 One-Click Unsubscribe January 2017
453
454
455Authors' Addresses
456
457 John Levine
458 Taughannock Networks
459 PO Box 727
460 Trumansburg, NY 14886
461 United States of America
462
463 Phone: +1 831 480 2300
464 Email: standards@taugh.com
465 URI: http://jl.ly
466
467
468 Tobias Herkula
469 optivo GmbH
470 Wallstrasse 16
471 Berlin 10179
472 Germany
473
474 Phone: +49 30 768078 129
475 Email: t.herkula@optivo.com
476 URI: https://www.optivo.com
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506Levine & Herkula Standards Track [Page 9]
507
508