RFC 8058 · Gmail & Yahoo enforcement · PowerMTA implementation

List-Unsubscribe header is vital for email deliverability

When subscribers cannot find the unsubscribe link, they hit the spam button instead. Spam complaints destroy sender reputation faster than almost any other signal. The List-Unsubscribe header was the polite solution in 2010. In February 2024 it became a hard requirement.

The unsubscribe button is a deliverability mechanism

When a recipient wants out of a mailing list and the unsubscribe process is too complex — buried in the footer, requires login, asks for a password reset, takes them to a 404 — subscribers reach for the spam button instead. From the recipient's perspective, "Report spam" achieves the same result as "Unsubscribe" with a single tap. From the sender's perspective, the difference is catastrophic.

A spam complaint is recorded as a strong negative reputation signal. Gmail, Yahoo, and Microsoft all track complaint rates as a primary input to inbox placement decisions. Cross 0.3% complaint rate at Gmail and your inbox placement drops within hours. Cross it sustained and you spend weeks rebuilding what took months to earn. An unsubscribe is recorded as nothing — the recipient is just removed from the list.

The List-Unsubscribe header is the technical mechanism that lets mailbox providers offer the recipient a one-click way out, removing the friction that pushes them to the spam button. It is, by a wide margin, the single technical change with the largest effect on complaint rates — and the change you can ship without touching email content, audience, or frequency.

February 2024 enforcement

Gmail and Yahoo announced new bulk sender requirements in October 2023 that took effect February 1, 2024. Senders of more than 5,000 emails per day to either provider must implement RFC 8058 one-click unsubscribe via the List-Unsubscribe-Post header, plus DMARC at minimum p=none, plus authenticated message origin (SPF or DKIM aligned). Non-compliant mail from large senders is increasingly rejected outright, not just spam-foldered.

How the header works at the protocol level

List-Unsubscribe is an SMTP header defined in RFC 2369 (published 1998). It carries one or more URIs that the receiving mail user agent can call to unsubscribe the recipient. The header supports two URI schemes:

  • mailto: — an email address that, when sent any message, processes the unsubscribe. The mail client sends an empty message to the address; the sender's MTA delivers it to a script that updates the suppression list.
  • https:// — an HTTPS URL that, when called, processes the unsubscribe. With RFC 8058 (added in 2017), the call is a POST with body List-Unsubscribe=One-Click — no further interaction required.

The format expects URIs wrapped in angle brackets, comma-separated when both are present:

# Correct format with both mailto and HTTPS, plus RFC 8058 one-click
List-Unsubscribe: <mailto:unsub-7f2a91@list.example.com>, <https://example.com/u/7f2a91>
List-Unsubscribe-Post: List-Unsubscribe=One-Click

# Mailto only (older format, still valid for some receivers)
List-Unsubscribe: <mailto:unsub-7f2a91@list.example.com>

# HTTPS only (acceptable but mailto provides better cross-provider coverage)
List-Unsubscribe: <https://example.com/u/7f2a91>
List-Unsubscribe-Post: List-Unsubscribe=One-Click

What each major mailbox provider does with it

Provider Behavior Required from sender
Gmail Renders an "Unsubscribe" link next to the sender name in the inbox preview. Calls the HTTPS endpoint via POST when clicked (RFC 8058). When user reports as spam, also fires an empty mail to the mailto: address as soft unsubscribe signal. Both mailto: and https:// + List-Unsubscribe-Post for senders > 5,000/day.
Yahoo Surfaces unsubscribe link prominently. Same RFC 8058 enforcement as Gmail since February 2024. Both mailto: and https:// + List-Unsubscribe-Post for senders > 5,000/day.
Outlook / Hotmail Reads the mailto: variant primarily. If absent when a user clicks Outlook's "Unsubscribe", new mail from the sender often gets pre-routed to Junk without an explicit JMRP complaint being surfaced. Microsoft has been tightening throughout 2025. mailto: required. https:// + List-Unsubscribe-Post strongly recommended.
Apple Mail / iCloud Renders unsubscribe option inside the message header in iOS Mail and macOS Mail. Uses HTTPS endpoint when present. Both mailto: and https://. List-Unsubscribe-Post recommended.
European ISPs (GMX, web.de, T-Online, Libero, Orange, BTInternet) Read the mailto: variant. Less consistent UI surfacing, but the header is consumed. mailto: required.
Russian ISPs (mail.ru, Yandex) Read the mailto: variant. Yandex also surfaces the unsubscribe option in their UI. mailto: required.
Chinese / Korean (qq.com, naver.com) Read the mailto: variant. Behavior varies more than Western providers. mailto: required.

The takeaway: always include both a mailto: and an https:// URL. The mailto: covers the long tail of providers that haven't implemented RFC 8058. The https:// + List-Unsubscribe-Post covers the Gmail and Yahoo enforcement requirement. The combination is what production senders ship.

Implementation checklist

  • Generate a unique token per recipient. Don't use the recipient's email address as the token directly — that exposes addresses in headers and creates a privacy issue. Use a hash or a database-backed identifier.
  • Inject both URIs into the header at message build time. Format: List-Unsubscribe: <mailto:...>, <https://...>
  • Add the List-Unsubscribe-Post header. Exactly: List-Unsubscribe-Post: List-Unsubscribe=One-Click
  • HTTPS endpoint accepts POST. Returns 200 OK after processing. No redirect, no login, no confirmation page. Body contains List-Unsubscribe=One-Click.
  • mailto: address routed to a processor. Inbound MTA receives mail at the unsubscribe address, parses the local part to extract the token, looks up the recipient, marks them as unsubscribed, suppresses future sends.
  • Suppression takes effect within minutes. If your suppression batch job runs nightly, you will continue sending to people who already unsubscribed for up to 24 hours, and complaint rate will spike. Real-time or near-real-time suppression is the standard.
  • Local part of mailto: ≤ 64 octets. RFC 5321 constraint. Long tokens may be rejected by strict MTAs.
  • HTTPS URL ideally < 1,024 characters. No formal limit but some intermediate MTAs may truncate.
  • Visible unsubscribe link still required in the body. The header serves the providers; the body link serves the recipients who use webmail clients without surface integration. CAN-SPAM and GDPR enforcement both expect a clear unsubscribe mechanism in-content.

PowerMTA-specific implementation

PowerMTA itself does not generate List-Unsubscribe headers. The header has to be present in the message at the moment of SMTP submission. That means the email application (MailWizz, Acelle, custom code, marketing automation platform) must inject it.

For inbound processing of mailto: unsubscribe requests, PowerMTA's pipe queue is the right hook. Configure a domain transport that pipes mail destined to the unsubscribe address to a script:

# /etc/pmta/config snippet for unsubscribe pipe queue
<domain unsub.example.com>
  smtp-source-ip 0.0.0.0
  queue-to /usr/local/bin/unsubmail-handler.sh
</domain>

CSE built and operates a webhook program called unsubmail that handles this end-to-end. It receives messages from the PowerMTA pipe queue, parses the local part of the mailto: address to extract the recipient token, calls the customer's webhook with a clean unsubscribe payload, and acknowledges the message back to PowerMTA. For our managed PMTA customers, this is part of the standard configuration. Self-managed customers can implement equivalent logic in any scripting language; the protocol surface is small.

For HTTPS endpoint implementation, the pattern is even simpler: a public POST endpoint at your application that accepts the body, validates the token, and writes the unsubscribe to your data store. The endpoint should return 200 within a couple of seconds; mailbox providers will retry on timeout but log it as a degraded experience.

What "before and after" actually looks like

Senders who add a properly-formed List-Unsubscribe header to a previously non-compliant program typically see complaint rates drop by 40–70% within two weeks. The exact number depends on list quality and content; the directional improvement is consistent because you are removing friction from people who were going to leave the list anyway.

A specific pattern from one of our customers: a B2C marketing list at around 4 million addresses had a Gmail complaint rate of 0.42% (above the 0.3% threshold, with corresponding inbox placement degradation). They added RFC 8058 one-click in late 2024. Within three weeks the complaint rate was 0.14%. Inbox placement at Gmail recovered to baseline within five weeks. No change to content, frequency, or audience — only the header.

The opposite case is more dramatic. A sender who had List-Unsubscribe but with a broken HTTPS endpoint (returning 500 errors) was effectively penalized harder than if the header had been absent: Gmail and Yahoo retry, and repeated failures accumulate as a quality signal against the sender. The header has to actually work.

Common implementation mistakes

  • HTTPS endpoint returns 302 redirect to a confirmation page. Breaks one-click. RFC 8058 expects the POST to complete the unsubscribe in a single round-trip.
  • Endpoint requires authentication. The provider POSTing the request is not authenticated as the recipient. The token in the URL is the authentication.
  • Asking for confirmation. "Are you sure you want to unsubscribe?" pages are explicitly forbidden by RFC 8058. The action must be processed without further user input.
  • Different tokens for mailto: and https://. The same recipient should be addressable through both. Pick one canonical token per recipient.
  • List-Unsubscribe-Post header missing. Without this header, Gmail will not treat your https:// URL as an RFC 8058 endpoint. The header must be exactly List-Unsubscribe-Post: List-Unsubscribe=One-Click — case-sensitive on the value.
  • Suppression list updated daily, not real-time. User unsubscribes Monday morning, gets another campaign Tuesday, hits spam. Process unsubscribes within minutes.
  • HTTPS endpoint blocked by WAF. Some web application firewalls block requests without standard browser headers. The unsubscribe POST will not look like a browser request. Whitelist the endpoint.

Beyond the header: complaint rate hygiene

List-Unsubscribe reduces friction for the user who is actively looking for a way out. It does not address the upstream causes that made them want to leave in the first place. If complaint rates remain elevated after implementing the header correctly, the issue is in the program, not the protocol:

  • Sending to addresses that didn't explicitly opt in.
  • Frequency that exceeds what the recipient agreed to.
  • Subject lines that misrepresent content.
  • Long-inactive subscribers (no opens for 12+ months) re-engaged at full volume.
  • Content that doesn't match the brand the recipient signed up to receive.

For a complete view of how the unsubscribe mechanism connects to broader sender reputation work, see our glossary entries on sender reputation and DMARC, plus the operational notes on bounce and complaint handling.

Need List-Unsubscribe properly implemented?

Our managed PowerMTA plans include unsubmail, real-time suppression, and RFC 8058 endpoint configuration. If you're hitting complaint rate thresholds, we can audit your current setup.