Your inbox is full of deals you didn’t ask for. Your finger hovers over the gray unsubscribe link at the bottom of one of them. For most legitimate emails, clicking is fine. For some, it’s the worst thing you can do.
The short answer
If the email is from a real company you recognize and remember interacting with, clicking unsubscribe is almost always safe. Legitimate senders must honor the request. In the U.S., the CAN-SPAM Act gives them 10 business days.
If the sender is a stranger, asks for a password, looks suspicious, or comes from an obvious spam dump, don’t click. Mark it as spam.
What happens when you click
Most people picture a clean handshake: you click, a server somewhere flips a flag, the emails stop. That’s the simplified view. In reality, a click takes one of three paths:
The legitimate web-form path: The “..click here to unsubscribe..” leads to a confirmation page on the sender’s website. Many marketing emails work this way. The risk is small but non-zero:
- the page can drop tracking cookies;
- log your IP;
- and tie your IP to whatever profile the sender keeps on you.
The native one-click protocol path: Most modern and legit senders support silent unsubscribing (the built-in ‘unsubscribe’ button that your email app shows at the top of the message). Clicking it never opens a website. It’s the safest path.
Nerdy details: what are 'List-Unsubscribe' headers?
RFC 2369 + RFC 8058: Some emails carry an invisible header (List-Unsubscribe, defined in RFC 2369) which is the sender’s official unsubscribe endpoint. When the header pairs with List-Unsubscribe-Post: List-Unsubscribe=One-Click (added by RFC 8058 in 2018), email client apps can surface their own “Unsubscribe” button at the top of the message. Clicking it doesn’t open the sender’s website. Instead your mail client sends a quiet, structured request straight to the sender, signaling that you no longer want their emails. Gmail and Yahoo began mandating one-click List-Unsubscribe headers for bulk senders (more than 5,000 messages a day to their domains) in February 2024. As a result the button shows up on more and more marketing emails since then. It’s also the safest path.
- The scam path: The sender isn’t who it claims to be. The “unsubscribe” link leads to a trap page set by an imposter designed to fool you. This is where the danger lives.
How a fake unsubscribe link can hurt you
Spam accounted for 46% of global email traffic in 2024 (Statista, citing Kaspersky), so there’s a high chance you’re also exposed to such dangerous links. There are three main scenarios that could unfold if you open a URL from a bad-intended email.
1. Confirming you’re a real person (the most likely outcome)
- The boring, high-volume scam. Clicking unsubscribe on a spam message can increase your spam volume, because it confirms a live address. Spammers promote your address to a higher-quality list and resell it.
2. Phishing
- This usually aims at identity or credentials theft. DNSFilter CTO Tim Keanini summed it for The Wall Street Journal: “Trust is relative. I trust my email client, but I don’t trust what’s inside the email.” The moment you leave your inbox for a browser, your email provider’s protections stop applying.
Learn: what's phishing?
The link leads to a page specifically designed to mimic a real brand (your bank, your email provider, a popular retailer) and asks you to “confirm” your identity to complete the unsubscribe. It harvests your username and password.
3. Malware
- The rarest, but the most serious. A click can land you on a malicious page that either exploits a browser vulnerability or shows a fake “update” or “verify” prompt that talks you into running malware yourself.
Nerdy details: malwares risk
Modern attackers prefer the fake-prompt route. The exploit-only path is rare: your browser has to be out of date and the attacker needs a working exploit kit. The fake-prompt path needs none of that. A convincing UI is enough.
When clicking is usually safe
Read through these. If all is true, you’re fine:
- You recognize the sender.
- The “From” address is a real domain you’ve seen before (
newsletter@nytimes.com, notnoreply@nytimes-secure-mailer.xyz). - You can reconstruct how you ended up on the list (you bought something, read an article, used the WiFi).
- The unsubscribe action doesn’t ask for your password, your card, or anything beyond confirming you want out.
U.S. law backs that last point. Under CAN-SPAM, legitimate senders cannot charge a fee, require any personally identifying information beyond an email address, or force you through more than a single web page. If a page wants more, it’s either non-compliant or fake.
When to never click
Look for these red flags:
- The sender is a stranger, and the email is a generic or unrealistic pitch (“I make $9,000/week from home”).
- The “From” domain doesn’t relate to the sender and the topic.
- The email impersonates a brand you do business with, but the tone, formatting, or links don’t match what they normally send.
- The email is threatening or urgent (“YOUR ACCOUNT WILL BE TERMINATED”).
- The email arrived in your spam folder and your provider already flagged it.
In all of these, mark as spam and move on. Marking as spam does two things at once. It trains your provider’s filter to catch similar messages, and sends no outgoing signal to the sender that you exist. If you click on ‘unsubscribe’ or any other URL from such a suspicious email, make sure to never input ANY sensitive information on the page that opens.
The 30-second pre-click checklist
Before clicking any unsubscribe link, run this:
- Hover, don’t click. On desktop, mousing over the link shows the real destination URL. On mobile, long-press to preview without opening. Does the domain match the sender? If the email claims to be from your bank but the link points to an address that’s not your bank’s website, walk away.
- Prefer your client’s top-bar Unsubscribe button. Gmail, Apple Mail, and Outlook surface their own “Unsubscribe” button near the sender’s name when the email supports it. Pick it over the link in the email body.
- Watch for credential prompts. A real unsubscribe doesn’t need your password. If the page wants you to “log in to confirm,” close the tab.
- If anything feels off, mark as spam. “Mark as spam” is safer than “unsubscribe” when you’re unsure. You can’t get phished by a spam-marking action.
The safer alternatives, ranked
In order of how strongly we’d recommend each.
Use your email provider’s native unsubscribe button:
- The one at the top of the email next to the sender, not the one buried in the footer. When the button is backed by the one-click protocol (Gmail and most modern clients only show it when it is), it’s the safe path. If the button isn’t there, the sender either doesn’t send enough volume to qualify or hasn’t bothered with modern bulk-sender standards. Either way, the sender hasn’t earned the safer path.
Mark suspicious emails as spam:
- The right move for anything you don’t recognize. It costs you a click, protects you from any link the message contains, and improves your future filtering.
Block the sender:
- Useful for legitimate companies that ignore or stall on unsubscribe requests. Every major email provider supports per-sender or per-domain blocking. It bypasses the sender’s compliance. You don’t have to wait the 10 business days the law gives them. (If they keep ignoring you past that window, you have legal options.)
Use email aliases for new signups going forward:
- This won’t fix today’s inbox, but it changes the math for tomorrow. Apple’s Hide My Email, Firefox Relay, DuckDuckGo Email Protection, and similar services let you give every site a unique forwarding address. When one starts getting spam, you delete the alias and the problem disappears at the source.
Use a tool that prioritizes the email protocol for unsubscribing:
- Best-in-class tools like our Email Unsubscriber App utilise the industry-standard
one-click unsubscribeprotocl for emails which conform to it and send unsubscribe requests directly from your browser to the sender without any detouring or tracking pages in between. We flag the rest of the senders with a small caution note in your dashboard so you know that they haven’t kept up with modern bulk-sender standards. You can then open the ‘Unsubscribe’ URL in a new tab to unsubscribe the old-fashioned way.
If you’re evaluating any tool in this category, three questions are worth asking:
- What access permissions does it request and what does it do with them?
- Where does the processing of your private emails happen, and is there a risk of leaking?
- Does it unsubscribe your address for real, or masks the unsubscribing behind inbox filters that need ongoing access to keep working?
The takeaway
Unsubscribe is, on balance, a useful feature. The internet would be worse without it. The trouble is that scammers know how strong the urge to click is when your inbox is overflowing, and they design fake unsubscribe links to exploit that urge.
Two habits cover almost every case. Use your email provider’s native unsubscribe button when it’s there. Use “Mark as spam” when it isn’t and you don’t recognize the sender. Save the link in the email body for senders you know.
If you’ve unsubscribed and the emails won’t stop, that’s a different problem with different tools. Your rights when ‘unsubscribe’ doesn’t stop the emails covers what to do next.
And if you’re tired of opting out one email at a time, but you don’t want to give away custody of your inbox, tap the button below to learn how we could help you.
