Skip to main content

Signalling one-click functionality for list email headers
draft-levine-herkula-oneclick-06

The information below is for an old version of the document.
Document Type
This is an older version of an Internet-Draft that was ultimately published as RFC 8058.
Authors John R. Levine , Tobias Herkula
Last updated 2016-09-20
RFC stream Internet Engineering Task Force (IETF)
Formats
Reviews
Additional resources
Stream WG state (None)
Document shepherd Paul Kincaid-Smith
Shepherd write-up Show Last changed 2016-09-12
IESG IESG state Became RFC 8058 (Proposed Standard)
Consensus boilerplate Yes
Telechat date (None)
Responsible AD Alexey Melnikov
Send notices to "Paul Kincaid-Smith" <paulkincaidsmith@gmail.com>
IANA IANA review state IANA - Review Needed
draft-levine-herkula-oneclick-06
Network Working Group                                          J. Levine
Internet-Draft                                      Taughannock Networks
Intended status: Standards Track                              T. Herkula
Expires: March 24, 2017                                      optivo GmbH
                                                      September 20, 2016

       Signalling one-click functionality for list email headers
                    draft-levine-herkula-oneclick-06

Abstract

   This document describes a method for signaling a one-click function
   for the list-unsubscribe email header field.  The need for this
   arises out of the actuality that mail software sometimes fetches URLs
   in mail header fields, and thereby accidentally triggers
   unsubscriptions in the case of the list-unsubscribe header field.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at http://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on March 24, 2017.

Copyright Notice

   Copyright (c) 2016 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of

Levine & Herkula         Expires March 24, 2017                 [Page 1]
Internet-Draft            One click unsubscribe           September 2016

   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Table of Contents

   1.  Introduction and Motivation . . . . . . . . . . . . . . . . .   2
   2.  Definitions . . . . . . . . . . . . . . . . . . . . . . . . .   4
   3.  Implementation  . . . . . . . . . . . . . . . . . . . . . . .   4
     3.1.  Mail senders  . . . . . . . . . . . . . . . . . . . . . .   4
     3.2.  Mail receivers  . . . . . . . . . . . . . . . . . . . . .   5
   4.  Additional Requirements . . . . . . . . . . . . . . . . . . .   5
   5.  Header Syntax . . . . . . . . . . . . . . . . . . . . . . . .   5
   6.  IANA Considerations . . . . . . . . . . . . . . . . . . . . .   6
   7.  Examples  . . . . . . . . . . . . . . . . . . . . . . . . . .   6
     7.1.  Simple  . . . . . . . . . . . . . . . . . . . . . . . . .   6
     7.2.  Complex . . . . . . . . . . . . . . . . . . . . . . . . .   6
   8.  Security Considerations . . . . . . . . . . . . . . . . . . .   7
   9.  Normative References  . . . . . . . . . . . . . . . . . . . .   7
   Appendix A.  Change Log . . . . . . . . . . . . . . . . . . . . .   8
     A.1.  Changes from -05 to -06 . . . . . . . . . . . . . . . . .   8
     A.2.  Changes from -04 to -05 . . . . . . . . . . . . . . . . .   8
     A.3.  Changes from -03 to -04 . . . . . . . . . . . . . . . . .   8
     A.4.  Changes from -02 to -03 . . . . . . . . . . . . . . . . .   8
   Authors' Addresses  . . . . . . . . . . . . . . . . . . . . . . .   9

1.  Introduction and Motivation

   An [RFC2369] email header field can contain HTTPS [RFC7230] URIs.  In
   a List-Unsubscribe header field the HTTPS URI is intended to
   unsubscribe the recipient of the email from the list.  But anti-spam
   software often fetches all resources in mail header fields
   automatically, without any action by the user, and there is no
   mechanical way for a sender to tell a request made automatically by
   anti-spam software from one manually requested by a user.  To prevent
   accidental unsubscriptions, senders return landing pages with a
   confirmation step to finish the unsubscribe request that a live user
   would recognize and act on, but an automated system would not.  This
   makes the unsubscription process more complex than a single click.

   Operators of broadcast marketing lists tend to be primarily concerned
   about deliverability of their mail: whether the mail is delivered to
   the recipients and how the messages are presented, e.g., whether in
   the primary inbox or in a junk folder.  Many mail systems allow
   recipients to report mail as spam or junk, and mail from senders with
   a lot of junk reports often has poor deliverability.  Hence the
   mailers want to make it as easy as possible for recipients to
   unsubscribe, since the recipient's alternative to a difficult

Levine & Herkula         Expires March 24, 2017                 [Page 2]
Internet-Draft            One click unsubscribe           September 2016

   unsubscription process is to report mail from the sender as junk
   until it goes away.

   Operators of recipient mail systems are aware that their users do not
   make a clear distinction between unsubscription and junk.  In some
   cases they allow trustworthy mailers to request notification when
   their mail is reported as junk, so they can unsubscribe the
   recipient, but the process of identifying trustworthy mailers and
   notifying them does not scale well to large numbers of small mailers.
   This specification provides a way for recipient systems to notify the
   mailer automatically, using only information within the mail message,
   and without prearrangement.  Some recipient systems might wish to
   send an unsubscription notice to mailers whenever a user reports a
   message as junk, or they might give the user the option to report and
   unsubscribe.

   If a mail recipient is unsubscribing manually and the unsubscription
   process requires confirmation, the resulting web page is presented to
   the recipient who can then click the appropriate button.  But when
   the unusubscribe action is combined with a MUA junk report, there is
   no direct user interaction with the mailer's web site.  Similarly, if
   a mail system automatically unsubscribes recipient mailboxes that
   have been closed or abandoned, there can be no interaction with a
   user who is not present.  In those cases, the unsubscription process
   has to work without manual intervention, and in particular without
   requiring that software attempt to interpret the contents of a
   confirmation page.

   This document addresses this part of the problem, with an HTTPS POST
   action for mail receivers.  Mail senders can distinguish this action
   from other unsubscribe requests and handle it as a one-click
   unsubscription without manual intervention by the mail recipient.

   This document has several goals.

   o  Allow email senders to signal that a [RFC2369] List-Unsubscribe
      header field has One-Click functionality.

   o  Allow MUA users to unsubscribe from mailing lists in a familiar
      environment and without leaving the MUA context.  A receiving
      system can process an unsubscription request in the background
      without further interaction, and know that it can be fully
      processed by the mail sender's system.

Levine & Herkula         Expires March 24, 2017                 [Page 3]
Internet-Draft            One click unsubscribe           September 2016

2.  Definitions

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in [RFC2119] when written
   in all capital letters.

3.  Implementation

3.1.  Mail senders

   An mail sender that wishes to enable one-click unsubscribes places
   one List-Unsubscribe header field and one List-Unsubscribe-Post
   header field in the message.  The List-Unsubscribe header field MUST
   contain one HTTPS URI.  It MAY contain other non-HTTP/S URIs such as
   MAILTO:.  The List-Unsubscribe-Post header contains key/value pairs
   needed by the mail sender, separated by ampersands.  The list of key/
   value pairs MUST contain the pair "List-Unsubscribe=One-Click".
   There is no provision for continuing a List-Unsubscribe-Post header
   field, so the size of the of key/value pairs is limited by the
   maximum length of a line.

   The combination of the URI in the List-Unsubscribe header and the
   POST arguments in the List-Unsubscribe-Post header MUST contain
   enough information to identify the mail recipient and the list from
   which the recipient is to be removed, so that the unsubscription
   process can complete automatically.  In particular, One-click has no
   way to ask the user what address or from what list the user wishes to
   unsubscribe.

   The URI and POST arguments SHOULD include an opaque identifier or
   other hard to forge component in addition to or instead of the plain-
   text names of the list and the subscriber.  The server handling the
   unsubscription SHOULD verify that the hard to forge component is
   valid.  This will deter attacks in which a malicious party sends spam
   with List-Unsubscribe links for a victim list, with the intention of
   causing list unsubscriptions from a victim list as a side effect of
   users reporting the spam.

   The mail sender needs to provide the infrastructure to handle POST
   requests to the specified URI in the List-Unsubscribe header, and to
   handle the unsubscribe requests that its mail will provoke.

   The One-Click action triggered by this URI SHOULD complete promptly
   and not burden the requester in an inappropriate way.  The mail
   sender MUST NOT return an HTTPS redirect, since redirected POST
   actions have historically not worked reliably.

Levine & Herkula         Expires March 24, 2017                 [Page 4]
Internet-Draft            One click unsubscribe           September 2016

3.2.  Mail receivers

   A mail receiver that wants do a one-click unsubscription performs an
   HTTPS POST to the HTTPS URI in the List-Unsubscribe header and sends
   the content of the List-Unsubscribe-Post header as the request body.

   The POST content SHOULD be sent as "multipart/form-data" [RFC7578]
   and MAY be sent as "application/x-www-form-urlencoded".  These
   encodings are the ones used by web browsers when sending forms.  The
   target of the POST action is the same as or similar to the one in the
   GET action for a manual unsubscription, so this is intended to allow
   the same server code to handle both.

   The mail receiver MUST NOT perform a POST on the the HTTPS URI
   without user consent.  When and how the user consent is obtained is
   not part of this specification.

4.  Additional Requirements

   The email needs at least one valid authentication identifier.  In
   this version of the specification the only supported identifier type
   is DKIM [RFC6376].  Hence senders MUST apply at least one valid DKIM
   signature to the message.

   The List-Unsubscribe and List-Unsubscribe-Post headers MUST be
   covered by the signature and included in the "h=" tag of a valid
   DKIM-Signature header field.

5.  Header Syntax

   The following ABNF imports fields, WSP, and CRLF from [RFC5322].  It
   imports ALPHA and DIGIT from [RFC5234].

   fields /= list-unsubscribe-post

   ldh = ALPHA 0*(ALPHA | DIGIT | "-")

   list-unsubscribe-post = "List-Unsubscribe-Post:" 0*1WSP postarg
       0*( "&" postarg) CRLF

   postarg = ALPHA 0*ldh "=" freetext

   freetext = 1*(%x20-%xfe)
      ; space, ampersand, percent, equal sign, and non-ASCII characters
      ; are percent encoded

   The percent encoding for freetext is as described in section 2 of
   [RFC7578].

Levine & Herkula         Expires March 24, 2017                 [Page 5]
Internet-Draft            One click unsubscribe           September 2016

6.  IANA Considerations

   IANA is requested to add a new entry to the Permanent Message Header
   Field Names registry.

   Header field name: List-Unsubscribe-Post

   Applicable protocol: mail

   Status: standard

   Author/Change controller: IETF

   Specification document: this document

7.  Examples

7.1.  Simple

   Header in Email

List-Unsubscribe: <https://example.com/unsubscribe/opaquepart>
List-Unsubscribe-Post: List-Unsubscribe=One-Click&recip=user@example.com

   Resulting POST request

   POST /unsubscribe/opaquepart HTTP/1.1
   Host: example.com
   Content-Type: application/x-www-form-urlencoded
   Content-Length: 49

   List-Unsubscribe=One-Click&recip=user@example.com

7.2.  Complex

   Header in Email

List-Unsubscribe: <mailto:listrequest@example.com?subject=unsubscribe>,
    <https://example.com/unsubscribe.html?opaque=123456789>
List-Unsubscribe-Post: List-Unsubscribe=One-Click&recip=user@example.com

Levine & Herkula         Expires March 24, 2017                 [Page 6]
Internet-Draft            One click unsubscribe           September 2016

   Resulting POST request

   POST /unsubscribe.html?opaque=123456789 HTTP/1.1
   Host: example.com
   Content-Type: application/x-www-form-urlencoded
   Content-Length: 49

   List-Unsubscribe=One-Click&recip=user@example.com

8.  Security Considerations

   The List-Unsubscribe-Post and/or List-Unsubscribe header can contain
   a plaintext or encoded version of the recipient address, but that
   address is usually also in the To: header.  This specification allows
   anyone with access to a message to unsubscribe the recipient of the
   message, but that's typically the case with existing List-
   Unsubscribe, just with more steps.

   A creative mailer could send spam with content intended to provoke
   large numbers of unsubscriptions, with suitably crafted headers to
   send POST requests with arbitrary contents to servers that perhaps
   don't want them.  But it's been possible to provoke GET requests in a
   similar way for a long time (and much easier, due to spam filter
   auto-fetches) so the chances of significantly increased annoyance
   seem low.

   Since the mailer's server that receives the POST request cannot in
   general tell where the request coming from, the URI or POST arguments
   SHOULD contain an opaque identifier or other hard to forge component
   to identify the list and recipient address.  That can ensure that the
   request originated from List-Unsubscribe and List-Unsubscribe-Post
   headers in a message the mailer sent.

9.  Normative References

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119,
              DOI 10.17487/RFC2119, March 1997,
              <http://www.rfc-editor.org/info/rfc2119>.

   [RFC2369]  Neufeld, G. and J. Baer, "The Use of URLs as Meta-Syntax
              for Core Mail List Commands and their Transport through
              Message Header Fields", RFC 2369, DOI 10.17487/RFC2369,
              July 1998, <http://www.rfc-editor.org/info/rfc2369>.

Levine & Herkula         Expires March 24, 2017                 [Page 7]
Internet-Draft            One click unsubscribe           September 2016

   [RFC5234]  Crocker, D., Ed. and P. Overell, "Augmented BNF for Syntax
              Specifications: ABNF", STD 68, RFC 5234,
              DOI 10.17487/RFC5234, January 2008,
              <http://www.rfc-editor.org/info/rfc5234>.

   [RFC5322]  Resnick, P., Ed., "Internet Message Format", RFC 5322,
              DOI 10.17487/RFC5322, October 2008,
              <http://www.rfc-editor.org/info/rfc5322>.

   [RFC6376]  Crocker, D., Ed., Hansen, T., Ed., and M. Kucherawy, Ed.,
              "DomainKeys Identified Mail (DKIM) Signatures", STD 76,
              RFC 6376, DOI 10.17487/RFC6376, September 2011,
              <http://www.rfc-editor.org/info/rfc6376>.

   [RFC7230]  Fielding, R., Ed. and J. Reschke, Ed., "Hypertext Transfer
              Protocol (HTTP/1.1): Message Syntax and Routing",
              RFC 7230, DOI 10.17487/RFC7230, June 2014,
              <http://www.rfc-editor.org/info/rfc7230>.

   [RFC7578]  Masinter, L., "Returning Values from Forms: multipart/
              form-data", RFC 7578, DOI 10.17487/RFC7578, July 2015,
              <http://www.rfc-editor.org/info/rfc7578>.

Appendix A.  Change Log

   Remove this section before publication, please.

A.1.  Changes from -05 to -06

   Add opaque parts to the security discussion.  Editing changes,
   entities are now senders and receivers, MUSTage clarified.

A.2.  Changes from -04 to -05

   Reorganize first sections and add more background.  Add ABNF.  Add
   more security advice.

A.3.  Changes from -03 to -04

   Require HTTPS.  More motivation.

A.4.  Changes from -02 to -03

   Describe motivation in intro.  Clarify required DKIM.  More paranoid
   scenarios.

Levine & Herkula         Expires March 24, 2017                 [Page 8]
Internet-Draft            One click unsubscribe           September 2016

Authors' Addresses

   John Levine
   Taughannock Networks
   PO Box 727
   Trumansburg, NY  14886

   Phone: +1 831 480 2300
   Email: standards@taugh.com
   URI:   http://jl.ly

   Tobias Herkula
   optivo GmbH
   Wallstrasse 16
   Berlin  10179
   DE

   Phone: +49 30 768078 129
   Email: t.herkula@optivo.com
   URI:   https://www.optivo.com

Levine & Herkula         Expires March 24, 2017                 [Page 9]