Skip to content
Privacy

One-click unsubscribe, explained: what RFC 8058 does for your inbox

One-click unsubscribe is the RFC 8058 standard behind the Unsubscribe button at the top of some emails. Here's what it does and why it's safer.

Email Unsubscriber Team 7 min read
Flat vector illustration of a finger tapping an unsubscribe button on a cream email card, an arrow flying past a crossed-out browser window to a mailbox, with a small shield nearby.

Open a promotional email in Gmail and look at the very top, right next to the sender’s name. Some emails show a small Unsubscribe link there. Others bury a gray, six-point link in the footer and dare you to find it. The one at the top is one-click unsubscribe, and it works differently under the hood.

One-click unsubscribe is an email standard (RFC 8058, January 2017) that lets your email app remove you from a mailing list with a single tap. Your client sends a quiet POST request straight to the sender, and no website opens. Gmail and Yahoo have required it from bulk senders since February 2024.

What is one-click unsubscribe?

One-click unsubscribe is a published internet standard, RFC 8058, that lets you leave a mailing list with one tap and no detour through a web page. Your email app talks to the sender’s server on your behalf and confirms you want out.

The standard was written by the Internet Engineering Task Force and published in January 2017. Gmail, Yahoo, Apple Mail, and Outlook all read it. When they see the right signals in an email, they draw their own Unsubscribe button at the top of the message, above whatever the sender put in the footer.

The button you tap belongs to your email provider, not the marketer. You never leave the safety of your inbox, and a legitimate sender has to honor the request.

How does one-click unsubscribe actually work?

Two hidden headers make the button appear. You never see them, but your email app does.

The first is List-Unsubscribe, defined back in RFC 2369 in July 1998. It carries the sender’s unsubscribe endpoint, either a web address or a mailto: address. On its own it is old and passive: it just tells a client where the opt-out lives.

The second header is what RFC 8058 added. It looks like this:

List-Unsubscribe: <https://sender.example/opt-out/abc123>
List-Unsubscribe-Post: List-Unsubscribe=One-Click

That List-Unsubscribe-Post line is the switch. It tells your email app one thing: you may fire a POST request to the endpoint above without asking the sender’s website for permission first. When you tap the button, your client sends an HTTPS POST to that URL with the body List-Unsubscribe=One-Click. The sender’s server reads it, finds your address, and removes you. No tab opens. No form loads.

Why does one-click unsubscribe use a POST request instead of a link?

Because plain links get clicked by machines, not just people. This is the core problem RFC 8058 was written to solve.

Email passes through security software before it reaches you. That software often opens the links inside a message to check whether they lead somewhere dangerous. The RFC names the issue directly: “anti-spam software often fetches all resources in mail header fields automatically, without any action by the user.” A scanner that follows an old-style unsubscribe URL can opt you out of a list you wanted, or flood a sender with fake opt-outs from addresses that never asked to leave.

A POST request fixes both. Scanners and link-preview bots fetch URLs with GET, the read-only method. They do not send POST requests carrying an action body. So the unsubscribe fires only when a human deliberately taps the button, and the sender can trust that every opt-out is real.

Why did Gmail and Yahoo make one-click unsubscribe mandatory?

They tied it to volume. In February 2024, Google and Yahoo rolled out shared rules for bulk senders, defined as anyone sending more than 5,000 messages a day to their domains.

According to Google’s sender guidelines, bulk senders of marketing mail must include a one-click unsubscribe in every promotional message and process the request within two days (how that 48-hour clock compares to the law’s own deadline is covered in how long a company can email you after you unsubscribe). Google paired that with authentication: senders have to sign their mail with SPF, DKIM, and DMARC, and keep spam complaints low. Yahoo published matching rules. The two providers handle most consumer inboxes between them, so the standard spread across the industry inside a year.

The result shows up in your inbox as a button. Every time you see Gmail’s own Unsubscribe next to a big brand’s name, you are looking at a sender who had to comply.

Yes. The footer link takes you to the sender’s website; the one-click button never leaves your email app. That single difference removes most of the risk.

Footer unsubscribe linkOne-click unsubscribe button
Where you end upThe sender’s web page, in your browserNowhere, the request goes app-to-server
Can it drop a tracking cookie?Yes, the landing page canNo page loads, so no
Can it log your IP on a page?YesNo
Phishing surfaceA fake page can imitate a loginNone, there is no page to fake
Sender identity checkNone guaranteedDKIM signature required by RFC 8058

RFC 8058 requires the message to carry a valid DKIM signature that covers the unsubscribe headers. DKIM is a cryptographic signature that proves the email really came from the domain it claims. A scammer cannot forge it, which is why genuine one-click buttons rarely show up on spam. For a fuller walk through the risks of clicking, see is it safe to click unsubscribe?.

What are the limits of one-click unsubscribe?

It covers less than you might hope. Three gaps are worth knowing.

It only reaches high-volume commercial senders. The standard exists for marketing mail from bulk senders. A small newsletter run by one person, or a local shop mailing a few hundred people, has no obligation to add the headers, and many don’t. Those messages show a footer link or nothing.

Transactional email is excluded. Receipts, shipping notices, password resets, and security alerts are not marketing, so the rules don’t apply. You will not find a one-click button on your bank’s fraud alert, and you would not want to unsubscribe from it anyway.

It depends on the sender playing fair. One-click unsubscribe tells a compliant sender to stop. It cannot force a sender who ignores the request. If mail keeps arriving well past the two-day window, the sender is breaking the mailbox providers’ rules, and possibly the law. Your rights when unsubscribe doesn’t stop the emails covers what to do next.

How do you use one-click unsubscribe across a whole inbox?

Tap the button when you see it. In Gmail, Yahoo, Apple Mail, and Outlook, it sits at the top of the message near the sender’s name, and it appears only when the email carries valid one-click headers. Prefer it over the footer link every time it shows.

Doing that one message at a time is slow when years of subscriptions have piled up (for the Gmail-specific routes, see how to mass unsubscribe in Gmail). A tool can read the headers for you and fire the same RFC 8058 POST request for every sender that supports it, all in one pass. Our Email Unsubscriber app does exactly this from inside your browser, dispatching genuine one-click unsubscribes where senders support them and flagging the ones that only offer an old-style link. The scanning happens on your device, so your email content never reaches our servers.

The takeaway

One-click unsubscribe is the quiet plumbing behind the safest button in your inbox. It is a real standard, RFC 8058, backed by a hidden pair of headers, a POST request instead of a link, and a DKIM signature that proves the sender is real. Gmail and Yahoo made it mandatory for bulk senders in 2024, which is why it now sits at the top of most marketing mail.

When the button is there, use it. When it isn’t, the sender either hasn’t earned the safer path or doesn’t send enough to qualify, and you fall back to marking as spam or opting out by hand.

Frequently asked questions

What is one-click unsubscribe?

One-click unsubscribe is an email standard called RFC 8058, published by the IETF in January 2017. It lets your email app remove you from a mailing list with a single tap. Your client sends a quiet POST request straight to the sender's server, and no website opens in your browser. Gmail and Yahoo have required it from bulk senders since February 2024.

Is one-click unsubscribe safe?

Yes, it is the safest way to opt out. Tapping the button sends a structured request straight from your email app to the sender, so no web page loads. Nothing can drop a cookie, log your IP on a landing page, or show you a fake login form. RFC 8058 also requires the message to carry a valid DKIM signature, which proves the sender is who they claim to be.

Why do some emails have an unsubscribe button at the top and others don't?

The top-bar button appears only when the email carries the List-Unsubscribe and List-Unsubscribe-Post headers and passes authentication checks. Bulk senders who mail more than 5,000 messages a day to Gmail or Yahoo must include them. Smaller senders and transactional emails often don't, so their messages show only a footer link, if anything at all.

What is the difference between List-Unsubscribe and List-Unsubscribe-Post?

List-Unsubscribe (RFC 2369, from 1998) carries the sender's unsubscribe endpoint, either a URL or a mailto address. List-Unsubscribe-Post (RFC 8058, from 2017) adds one line, List-Unsubscribe=One-Click, that tells your email app it may fire a POST request to that endpoint without opening a page. The second header is what turns a plain link into a true one-click button.

Do all emails support one-click unsubscribe?

No. One-click unsubscribe covers marketing and promotional mail from high-volume senders. Transactional messages like receipts and password resets are excluded, and small senders often skip the headers entirely. When the button is missing, the sender either doesn't send enough volume to qualify or hasn't adopted the modern bulk-sender standard.

Does one-click unsubscribe work for spam and scam emails?

You should not rely on it for spam. RFC 8058 requires a valid DKIM signature, which real bulk senders have and most spammers avoid, so genuine scam mail rarely shows a legitimate button. For anything you don't recognize, mark it as spam instead of unsubscribing. That trains your provider's filter and sends no signal back to the sender.

How long does a sender have to honor a one-click unsubscribe?

Under Gmail and Yahoo's bulk-sender guidelines, senders must process a one-click unsubscribe within two days. That is stricter than the law: the U.S. CAN-SPAM Act gives senders up to 10 business days. If a bulk sender keeps emailing you well past the two-day window, they are breaking the mailbox providers' rules and possibly the law.