If I don't provide a list-unsubscribe header: do these emails then get blocked and no one can log in?
If I provide a list-unsubscribe header, what is the expected behaviour if they do click the Unsubscribe button?
- tell them they can't unsubscribe to this email because it's needed to accomplish what they want to do in the future?
- delete their account? what if it's a bank account or something like that?
Would appreciate some clarity from Google at least...
I'm asking how does Google differentiate between a transactional and a non-transactional email?
They also say in their guidelines
> *Marketing messages and subscribed messages* must support one-click unsubscribe, and include a clearly visible unsubscribe link in the message body.
So how is Google determining what is a Marketing/Subscribed message? If they're not, then am I required to tack on this header to ALL emails regardless of type or risk getting binned?
In my experience, Google is pretty accurate in figuring out transactional versus marketing. They don't tell their heuristics, but you don't think engineers who build web crawlers cannot build email classifiers? They have reliably been sorting my promotional emails from transaction emails for almost a decade now.
But off the top of my head when working on an email marketing platform: sender address, message subject and content, single message or bulk inbound at a given time, open rates, click rates, unsub rates, bounce rates. Part of sender reputation is ESPs building a profile of what kind of email you send from an address.
Search isn't doing that well either.
They're not requiring just unsubscribe links. They're specifically requiring "one-click" unsubscribe links that can accept a POST request for unsubscribing. This allows their software to have an unsubscribe button that doesn't require the user to leave their software.
This is the RFC that has to be complied with:
https://datatracker.ietf.org/doc/html/rfc8058
Note, that this is not easy for many people using legacy software. It's a major change. I wouldn't be surprised if this requirement gets delayed multiple times.
In my last big job we had big discussions about what is marketing. What can marketing pack into a transactional without it becoming a marketing email? Banner? A tagline in the signature? Testimonials? Also - b/c Germany - big discussions with legal on that topic.
We're talking about Google here. It doesn't matter that they have lots of clever people working there; they still occasionally get/guess things wrong, and if you're the unlucky too-small-to-even-notice outfit that happens to get squished by Google today, there's seldom much you can do about it.
Don’t put Google on a pedestal. I’ve seen Google Workspace classify an individual email sent from one colleague to another as spam. Both perfectly legitimate users in the same account / domain. No weird trigger words like Viagra. Just a run-of-the-mill email about work, between two colleagues who had been emailing each other for months. If emails like that aren’t safe from Google’s spam filter, then no emails are safe from Google’s spam filter.
Yes, I definitely think that. The engineers can build anything, but where the company focuses matters.
I've seen transactional E-mails get sorted into people's spam/junk/newsletter folders too many times.
Nope, I don't. So many things get constantly marked as spam in my inbox, even server notifications, from the same domain, same daily emails, marked repeatedly as "not spam", and added to address book.
Then there's the second problem of google support... your 2fa passwords, email-authentications, password reset links, etc. will be sent out, gmail will send them to spam, your users won't see/find the email, and there's nothing you can do... no one to call at google that would actually listen and try to do anything, no penalties if they don't do anything, only hope that your service is large enough that it gets some traction on twitter or here and some random googler sees it.
G is like any other Fortune 500 company now. The amount of products in their graveyard grows every year. Maintenance of “legacy” apps is handed off to offshore teams who have objectives to just keep it running until it’s 86’d.
Google has also made plenty of mistakes with web: look at PWAs, AMP, and Chrome just to start.
I’ve seen Gmail put legit update emails coming from Google itself in spam.
A lot of places don't accept outgoing SMTP traffic at all, some allow it for personal usage and finding someone who accepts you sending lots of outgoing SMTP traffic is gonna be really hard, except if that host already hosts lots of already spam-marked IPs.
`List-Unsubscribe-Post: List-Unsubscribe=One-Click`
That shouldn't be hard for any mailing list manager software to handle. The new requirement specifically sidesteps this, by making it possible for the email client to send a POST request directly. No need to visit the website at all; just click a button in the email client. In Gmail, senders that have this implemented now have a big blue UNSUBSCRIBE button next to their email address at the top of the message.
- Docker Newsletter: `List-Unsubscribe: <mailto:redacted@unsub-sj.mktomail.com>` - but missing http post/one-click header
- Java Weekly: link in body but no header
- Expensify: compliant
- Gradle: compliant
- Confluence Digest: No unsubscribe header
- Apache Mailing Lists: mailto header, but missing required http post / one-click
I think the confusion is that it's not just having a link, it's a specific set of headers, dkim signed fields, and form response that allows a mail client to unsubscribe with no user interaction.
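The header combination described in the posts above, as an added example (not code from any poster): a small checker that classifies message headers into the same buckets the list uses (no header, mailto only, HTTPS URI without `List-Unsubscribe-Post`, fully one-click). The sample headers are constructed; the example.test sender names are placeholders.

```python
"""Classify a message's List-Unsubscribe headers against RFC 8058 (one-click)."""
import re
from email import message_from_string
from urllib.parse import urlparse

ONE_CLICK_VALUE = "List-Unsubscribe=One-Click"  # exact value required by RFC 8058

# Constructed sample header blocks modelled on the cases listed in the thread
# (not real mail from the senders named there).
SAMPLES = {
    "compliant": (
        "From: Weekly <news@example.test>\n"
        "List-Unsubscribe: <https://example.test/unsub/abc123>, <mailto:unsub@example.test>\n"
        "List-Unsubscribe-Post: List-Unsubscribe=One-Click\n"
        "Subject: Weekly digest\n\nbody\n"
    ),
    "mailto_only": (
        "From: Digest <digest@example.test>\n"
        "List-Unsubscribe: <mailto:unsub@example.test>\n"
        "Subject: Digest\n\nbody\n"
    ),
    "https_without_post": (
        "From: Promo <promo@example.test>\n"
        "List-Unsubscribe: <https://example.test/unsub/xyz>\n"
        "Subject: Sale\n\nbody\n"
    ),
    "no_header": "From: Notify <noreply@example.test>\nSubject: Receipt\n\nbody\n",
}


def one_click_status(raw: str) -> str:
    """Return a short verdict on the message's one-click unsubscribe support."""
    msg = message_from_string(raw)
    lu = msg.get("List-Unsubscribe")
    if lu is None:
        return "no List-Unsubscribe header"
    uris = re.findall(r"<([^>]+)>", lu)
    https = [u for u in uris if urlparse(u).scheme.lower() == "https"]
    if not https:
        return "mailto only; no HTTPS URI for a one-click POST"
    post = msg.get("List-Unsubscribe-Post")
    if post is None:
        return "HTTPS URI present but List-Unsubscribe-Post header missing"
    if post.strip() != ONE_CLICK_VALUE:
        return "List-Unsubscribe-Post present but value is not One-Click"
    # RFC 8058 also requires both headers to be covered by a valid DKIM
    # signature; that needs the signed message and DNS, so it is not checked here.
    return "one-click compliant (DKIM coverage not checked)"


def audit(samples: dict) -> dict:
    """Run the check over every sample and return name -> verdict."""
    return {name: one_click_status(raw) for name, raw in samples.items()}


if __name__ == "__main__":
    for name, verdict in audit(SAMPLES).items():
        print(f"{name:20} {verdict}")
```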
It’s only the worst spam stuff that doesn’t. The obvious scam stuff sent to any email address they can find, containing every language I don’t speak, with lots of bad obfuscation to stop keyword scanners from 2002.
Hey, if this reduces the number of people who successfully unsubscribe, don't blame me, I'm just over here trying to make sure things are secure!
Surely that is a bug in the email client that forwarded the email. It should have replaced the headers, including List-Unsubscribe, with its own.
That looks to be what's happened in the emails I receive. The one exception would be if someone forwarded an email as an attachment, but in practice almost no one does that.
How can one click unsubscribe work here? Mail scanners, virus scanners and even Microsoft's own spam filters would probably click these links!
The article gets it wrong. They imply that emails have to have one-click unsubscribe links, which isn't true. Emails need to include headers (described in your link,) which the mail client can use.
This is not a requirement for a personal self-hosted email.
Google et al have successfully turned email into the domain of a few SaaS, and at half of them blatant spammers can message millions with no record of consent with the most obvious scams and have it delivered into the inbox. Hell, most spam these days I get from hacked Gmail accounts. The game is rigged, as they say.
I wish they took a closer look at themselves and also applied these kinds of rules to themselves.
If you mean coming to Gmail, three-dots > report spam.
If you mean coming from Gmail, https://support.google.com/mail/contact/abuse?hl=en.
spf/dkim/dmarc helps with phishing/forgery, it does little to nothing for spam, even though this policy change makes it look like it's connected.
If I send spam through gmail, the spam is "authenticated".
Spammers were among the first to implement these in an attempt to get a higher score in spam filters. For quite a while dkim was positively correlated with spamminess for me.
Meanwhile... does Google even respond to postmaster@ or abuse@ requests?
Posthaven has very helpful (free) tools for setting up this stuff. Also GPT has a good understanding of the dns records needed.
IMHO, they’ve taken something that should be simple and turned it into a complex system that needs a ton of infrastructure because they all want a SaaS business. Everyone pays for the cost of scaling when simple sharding would do for most users.
I’d love to have a simple, self hosted DMARC analyzer running on something like PocketBase.
If there's demand, I could start a SaaS business for it :-)
For configuring:
https://www.cyber.gc.ca/en/guidance/implementation-guidance-...
I recently added DMARC monitoring to some of my domains through CloudFlare.
Otherwise anyone who receives a forwarded email can unsubscribe you! Right?
At least we can email the person to say they’ve been unsubscribed, as a transactional email? And give them a chance to resubscribe and prevent such unsubscriptions — or what?
Enable easy unsubscription: Senders will need to implement a single-click unsubscribe link within emails if they haven’t already, to allow recipients to easily opt out.
If you really care about people being maliciously unsubscribed from marketing materials they forwarded around, then you can be one of the sites that sends a final "you have been unsubscribed" confirmation email.
According to the "single click" requirement, merely visiting the page by clicking the link in your email should be enough to unsubscribe you. Meaning, the GET request, which normally shouldn't change server state, should change server state.
The major issue with that is, if you forward the email, you are giving the capability to anyone else to act as you. It's a horribly insecure model, it also breaks HTTP semantics, but at least you can limit it to the "unsubscribe" action, I guess. Could be worse. Google could require other "single click" actions that may modify your profile or withdraw money from your bank account.
The only mitigation I can see is that the "you've been unsubscribed" email is a transactional email, and can inform the user that "if it wasn't you, then click here to restore your subscription to this newsletter, and don't forward your emails anymore, because Google says someone can unsubscribe you anytime and we can't do anything about it."
PS: Ironically, Apple's newest ITP scrubs information from tracking links in emails, so in theory it would make it impossible to even track whose account to unsubscribe from. "It will do this by automatically detecting user-identifiable tracking parameters in URLs and removing them." Apple ITP anti-tracking requires you to explicitly log in before doing stuff as you. Google now requires the opposite. It's impossible to satisfy both. https://www.peelinsights.com/post/ios-17-disrupts-link-track...
Yes, I have nightmares where I dream that someone else unsubscribes me from all those informative mailing lists that I NEVER OPTED IN TO.
I subscribe to receive emails or newsletters. I forward them to someone. They unsubscribe me. I stop getting them. I wonder what happens and blame the site. They couldn't even inform me what happened.
Developers are supposed to make the correct security architecture for things. Letting anyone who gets your forwarded email take actions as you on the site without any further authentication, is not the right security model.
Does this mean that my emails will no longer be sent?
https://helpcentre.borrowell.com/hc/en-us/articles/100145089...
The market (Google and others) was forced to act because of how laughably easy it is to stay compliant with the CAN-SPAM Act while legally mass spamming.
Does anyone know what this sentence means? Is this “the user said this is spam”, or “the gmail spam filter false positives 10% of the time; don’t be part of the 10%, or it’ll permaban you”?
The threshold for the number defined above is 0.3%; that's the point where Gmail starts penalizing the sender by putting their emails in spam folders.
That explains why I had to immediately disable gmail's spam filter.
It seems that every time I buy something or someone gets ahold of my email address, I get added to a SPAM list.
I can't wait for all of these to be blocked.
For example: I recently elected a benefit, and the company added me to a SPAM list for weekly deals 100% unrelated to the benefit. They even ignored the fact that I unsubscribed.
1. Report each and every offending email to the FTC: https://reportfraud.ftc.gov/#/
2. Forward the "report received" email that the FTC sends you to support@spamming_domain.com and explain how and why you're reporting them
3. That's it. I've had a 100% success rate with this approach
I don’t want to log into your service or explain why I want to unsubscribe or chose which mailing lists I want to unsubscribe from (read: All of them) nor do I want to deal with your dark patterns such as colouring the ‘cancel my request to unsubscribe’ button green and ‘yes really unsubscribe me’ red.
https://support.google.com/mail/answer/81126#requirements-5k...
Senders will need to implement a single-click unsubscribe link within emails if they haven’t already, to allow recipients to easily opt out.
It does in the article. The industry has clear definitions for things like one click unsubscribe versus two click confirmation. It's hard to confirm externally that things worked.
I've spent two weeks on a domain with limited registrar options because their dns manager lied about supporting larger public keys in txt records.
Also I think there was one question that was a mistake, it had a policy along the lines of:
v=DMARC1; p=reject; <stuff...>; pct=0; <stuff...>
I answered that a failing message would have an effect of p=none, but the right answer was apparently p=quarantine. Is that right, considering pct=0? (Unless I was blind and the pct wasn't set to 0 in the question...)
"If email is subject to the DMARC policy of "reject", the Mail Receiver SHOULD reject the message (see Section 10.3). If the email is not subject to the "reject" policy (due to the "pct" tag), the Mail Receiver SHOULD treat the email as though the "quarantine" policy applies. This behavior allows Domain Owners to experiment with progressively stronger policies without relaxing existing policy."
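Added example (not from any poster) applying the rule quoted above to a record like the one in the quiz question: parse the tags, then work out the disposition a receiver applies to a failing message depending on whether the `pct` sampling selects it. The records are constructed.

```python
"""Effective DMARC disposition for a failing message, honouring the pct tag."""

# RFC 7489 section 6.6.4: messages not selected by pct are treated as if the
# next-weaker policy applied (reject -> quarantine, quarantine -> none).
STEP_DOWN = {"reject": "quarantine", "quarantine": "none", "none": "none"}


def parse_dmarc(record: str) -> dict:
    """Split 'tag=value; tag=value' into a dict with lower-cased tag names."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        key, _, value = part.partition("=")
        tags[key.strip().lower()] = value.strip()
    return tags


def disposition(record: str, draw: int) -> str:
    """Policy a receiver applies to one message that fails DMARC alignment.

    draw is the receiver's random number in 0..99 for this message; the
    message is selected for the full policy when draw < pct.
    """
    tags = parse_dmarc(record)
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC1 record")
    policy = tags.get("p", "none").lower()
    if policy not in STEP_DOWN:
        raise ValueError(f"unknown policy {policy!r}")
    pct = int(tags.get("pct", "100"))
    return policy if draw < pct else STEP_DOWN[policy]


def disposition_counts(record: str) -> dict:
    """How 100 failing messages are handled under the record (draws 0..99)."""
    counts = {"reject": 0, "quarantine": 0, "none": 0}
    for draw in range(100):
        counts[disposition(record, draw)] += 1
    return counts


if __name__ == "__main__":
    # Constructed records; the pct=0 one matches the quiz question in the thread.
    for rec in ("v=DMARC1; p=reject; pct=0",
                "v=DMARC1; p=reject; pct=30",
                "v=DMARC1; p=quarantine; pct=0"):
        print(rec, "->", disposition_counts(rec))
```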
Thank you thank you.
You can't. That's the point. Stop.
I mark all commercial email as spam. I never asked for it, I don't want it. I don't really care if you carefully constructed a form in such a way to be compliant with the laws in my country. I don't care how your BDR found me. I don't ever want to hear from you. If I didn't ask for it, it's spam, I'm marking it spam, and I hope people who use Gmail and Yahoo do the same.
Maybe their mindset should really be, "Hey, we're annoying 99.95% of our users who did not consent to these emails, and > 50% will be turned off to our product and will associate our brand to that of a needy, attention-grabbing parasite".
If I wanted these emails, I would have opted in.
Instead, not only do they automatically opt you in, but they'll re-opt you in after you've unsubscribed. I've had it happen a year or two later; suddenly, I'm back on their spam list.
It's become so bad now that I can't even let a shopping cart sit anymore without getting a nagmail saying "HEY YOU NEED TO FINISH CHECKING OUT NOW1!!!".
That email is the reminder to empty my cart and never do business with them again.
Seriously, STFU and leave me alone. If your sales and marketing team insist on these tactics, you need to fire them and hire people who get it.
So, full disclosure, in addition to being kind of an anti-spam zealot, my day job is running marketing operations at a big-ish software company. So I get the fun job of telling everyone from the junior intern to the senior VP that no, my team is not going to send that email for you. That no, in fact, I don't care what the old person in my job let you do, or what you did at your old company, or how many levels above me you are in the org chart. We're only going to email people what they asked for, at the frequency they asked for it, on the topics they asked to hear about. These new Gmail/Yahoo rules have helped immensely in making the case to our CMO to have my back.
I have them blocked at the server level because of how much spam they were sending me. They clearly do zero enforcement of opt-in.
But any bulk mailer that doesn't solve that problem is by definition a spam engine, and should probably be blocked at the ISP level.
That said, with no-DNS email addresses, SPF comes for free (alice@[x.x.x.x] bob@[ipv6:...]).
Namely, if SPF does pass, cryptographic DNS based signature mechanisms are excessive and must not be used to score.
And to round it out, DMARC tells the receiver what to do when the SPF or DKIM tests fail, namely "report", "quarantine", or "reject". Not sure why they're requiring it when it doesn't affect a spam verdict. Maybe it's so those who run a misconfigured server can't complain if their mail is being dropped silently, google and yahoo can just tell them to switch the policy to "report".
DKIM would be used only if SPF does not "pass", if there. DNS SPF is inappropriate for those email providers implementing DNS trickery which cannot work with DNS SPF. For DNS SPF to "pass", not only must the SMTP prolog and transactions be evaluated, but also some header fields (from:, reply-to:).
For instance, if you are self-hosted and your SPF DNS entry does match the domain in the SMTP prolog/transactions and the header fields, your spam score will be significantly lower.
With no-DNS email servers, you don't have the SPF DNS indirection and can directly check the IPs (bob@[x.x.x.x] alice@[ipv6:...]) for spam scoring.
That said, the real worst are those sys admins blocking instead of enabling grey listing.
Aside from SPF being around first, DKIM makes far more sense.
I wish. If you are using spf-only, you are consenting to being spoofed.