Skip to main content

Signalling one-click functionality for list email headers
draft-levine-herkula-oneclick-05

The information below is for an old version of the document.
Document Type
This is an older version of an Internet-Draft that was ultimately published as RFC 8058.
Authors John R. Levine , Tobias Herkula
Last updated 2016-09-15
RFC stream Internet Engineering Task Force (IETF)
Formats
Reviews
Stream WG state (None)
Document shepherd Paul Kincaid-Smith
Shepherd write-up Show Last changed 2016-09-12
IESG IESG state Became RFC 8058 (Proposed Standard)
Consensus boilerplate Yes
Telechat date (None)
Responsible AD Alexey Melnikov
Send notices to "Paul Kincaid-Smith" <paulkincaidsmith@gmail.com>
IANA IANA review state IANA - Review Needed
draft-levine-herkula-oneclick-05
Network Working Group                                          J. Levine
Internet-Draft                                      Taughannock Networks
Intended status: Standards Track                              T. Herkula
Expires: March 19, 2017                                      optivo GmbH
                                                      September 15, 2016

       Signalling one-click functionality for list email headers
                    draft-levine-herkula-oneclick-05

Abstract

   This document describes a method for signaling a one-click function
   for the list-unsubscribe email header.  The need for this arises out
   of the actuality that mail software sometimes fetches URLs in mail
   headers, and thereby accidentally triggers unsubscriptions in the
   case of the list-unsubscribe header.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at http://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on March 19, 2017.

Copyright Notice

   Copyright (c) 2016 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of

Levine & Herkula         Expires March 19, 2017                 [Page 1]
Internet-Draft            One click unsubscribe           September 2016

   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Table of Contents

   1.  Introduction and Motivation . . . . . . . . . . . . . . . . .   2
   2.  Definitions . . . . . . . . . . . . . . . . . . . . . . . . .   4
   3.  Implementation  . . . . . . . . . . . . . . . . . . . . . . .   4
     3.1.  Mail senders  . . . . . . . . . . . . . . . . . . . . . .   4
     3.2.  Mail receivers  . . . . . . . . . . . . . . . . . . . . .   5
   4.  Additional Requirements . . . . . . . . . . . . . . . . . . .   5
   5.  Header Syntax . . . . . . . . . . . . . . . . . . . . . . . .   5
   6.  IANA Considerations . . . . . . . . . . . . . . . . . . . . .   6
   7.  Examples  . . . . . . . . . . . . . . . . . . . . . . . . . .   6
     7.1.  Simple  . . . . . . . . . . . . . . . . . . . . . . . . .   6
     7.2.  Complex . . . . . . . . . . . . . . . . . . . . . . . . .   7
   8.  Security Considerations . . . . . . . . . . . . . . . . . . .   7
   9.  Normative References  . . . . . . . . . . . . . . . . . . . .   7
   Appendix A.  Change Log . . . . . . . . . . . . . . . . . . . . .   8
     A.1.  Changes from -04 to -05 . . . . . . . . . . . . . . . . .   8
     A.2.  Changes from -03 to -04 . . . . . . . . . . . . . . . . .   8
     A.3.  Changes from -02 to -03 . . . . . . . . . . . . . . . . .   8
   Authors' Addresses  . . . . . . . . . . . . . . . . . . . . . . .   9

1.  Introduction and Motivation

   An [RFC2369] email header can contain HTTPS [RFC7230] URIs.  In a
   List-Unsubscribe Header the HTTPS URI is intended to unsubscribe the
   recipient of the email from the list.  But anti-spam software often
   fetches all resources in mail headers automatically, without any
   action by the user.  To prevent accidental unsubscriptions, senders
   return landing pages with a confirmation step to finish the
   unsubscribe request.  This has undesirable consequences for mailers
   who wish for the unsubscription process to be as simple as possible.

   Different types of mailing lists are managed in different ways.  Non-
   commercial discussion lists that exchange messages among the list's
   subscribers typically try to ensure that requests to subscribe and
   unsubscribe are valid, but don't worry too much about message
   delivery, since all the messages are typically delivered to the
   recipients.  Commercial broadcast lists are much more concerned about
   deliverability, whether the mail is delivered to the recipients and
   how the messages are presented, e.g., whether in the primary inbox or
   in a junk folder.  Many mail systems allow recipients to report mail
   as spam or junk, and mail from senders with a lot of junk reports
   tends to have poor deliverability.  Hence the mailers want to make it
   as easy as possible for recipients to unsubscribe, since the

Levine & Herkula         Expires March 19, 2017                 [Page 2]
Internet-Draft            One click unsubscribe           September 2016

   recipient's alternative to a difficult unsubscription process is to
   report mail from the sender as junk until it goes away.

   The recipient mail systems are aware that their users do not make a
   clear distinction between unsubscription and junk, so in many cases
   they allow trustworthy mailers to request notification when their
   mail is reported as junk, so they can unsubscribe the recipient.
   Since the process of identifying trustworthy mailers and notifying
   them does not scale well to large numbers of small mailers, this
   specification provides a way for recipient systems to notify the
   mailer automatically, using only information within the mail message.
   Some recipient systems might wish to send an unsubscription notice to
   mailers whenever a user reports a message as junk, or they might give
   the user the option to report and unsubscribe.

   If a mail recipient is unsubscribing manually and the unsubscription
   process requires confirmation, the resulting web page is presented to
   the recipient who can then click the appropriate button.  But when
   the unusubscribe action is combined with a MUA junk report, there is
   no direct user interaction with the mailer's web site.  Similarly,
   there can be no interaction when the action is performed
   automatically on mail sent to an abandoned or closed mailbox.  In
   those cases, the unsubscription process has to work without manual
   intervention, and in particular without requiring that software
   attempt to interpret the contents of a confirmation page.

   This document addresses this part of the problem, with a POST action
   for receivers that senders can distinguish from other requests and
   handle as a one-click unsubscription without manual intervention by
   the mail recipient.

   A List-Unsubscribe header can also contain a mailto: URI with an
   address to which an unsubscription request is sent.  While these URIs
   can be for a one-click unsubscribe, experience has shown that they do
   not work well in high volume environments, because the recipient mail
   systems (typically e-mail service providers that are optimized to
   send large volumes of mail) cannot keep up with the required number
   of mailed removal requests.  Hence this document considers only HTTPS
   URIs.

   This document has several goals.

   o  Allow email senders to signal that a [RFC2369] List-Unsubscribe
      header has One-Click functionality.

   o  Allow MUA designers to implement independent user interface
      features for a better user experience.

Levine & Herkula         Expires March 19, 2017                 [Page 3]
Internet-Draft            One click unsubscribe           September 2016

   o  Allow MUA users to trigger intended actions in a familiar
      environment and without leaving the MUA context.

2.  Definitions

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in [RFC2119] when written
   in all capital letters.

   "One-click" describes an action that directly triggers a change in a
   system's state, intended to be applied only with a user's intent.

3.  Implementation

3.1.  Mail senders

   An entity which is responsible for sending an email that wishes to
   add an HTTPS URI for one-click unsubscriptions places both a List-
   Unsubscribe and a List-Unsubscribe-Post header in the message.  The
   List-Unsubscribe-Post header may contain multiple key value pairs
   needed by the sending entity.  It also MUST contain the key value
   pair "List-Unsubscribe=One-Click".

   The combination of the URI in the List-Unsubscribe header and the
   POST arguments in the List-Unsubscribe-Post header MUST contain
   enough information to identify the mail recipient and the list from
   which the recipient is to be removed, so that the unsubscription
   process can complete automatically.  In particular, One-click has no
   way to ask the user what address he or she wishes to unsubscribe.

   The URI and POST arguments SHOULD include a hard to forge component
   such as a hash in addition to or instead of the plain-text names of
   the list and the subscriber.  This will deter attacks in which a
   malicious party sends fraudulent mail purporting to be from the list,
   with the intention of getting the user to unsubscribe from the actual
   list.

   The sending entity needs to provide the infrastructure to handle POST
   requests to the specified URI in the List-Unsubscribe header, and to
   handle the reasonably foreseeable volume of unsubscribe requests that
   its mail will provoke.

   The One-Click action triggered by this URI SHOULD complete promptly
   and not burden the requester in an inappropriate way.  The sending
   entity cannot expect that HTTPS redirects are followed by the
   requester, since redirected POST actions have historically not worked
   reliably.

Levine & Herkula         Expires March 19, 2017                 [Page 4]
Internet-Draft            One click unsubscribe           September 2016

3.2.  Mail receivers

   A receiving entity which wants to use a List-Unsubscribe HTTPS URI
   from an email that also contains a List-Unsubscribe-Post header
   performs an HTTPS POST to the first HTTPS URI in the List-Unsubscribe
   header and sends the content of the List-Unsubscribe-Post header as
   the request body.

   The POST content SHOULD be sent as "multipart/form-data" [RFC7578]
   and MAY be sent as "application/x-www-form-urlencoded".  These
   encodings are the ones used by web browsers when sending forms.  The
   target of the POST action will typically be the same as or similar to
   the one in the manual confirmation page when doing a two-click
   unsubscribe, so this is intended to allow the same server code to
   handle both.

   The receiving entity MUST NOT perform a POST on the the HTTPS URI
   without user consent.  When and how the user consent is obtained is
   not part of this specification.

   The Request uses the HTTPS verb POST.  The HEAD and GET requests are
   not intended to be used to trigger a state change.  PUT and DELETE
   would offer similar functionality but are often unavailable.

4.  Additional Requirements

   The email needs at least one valid authentication identifier.  In
   this version of the specification the only supported identifier type
   is DKIM [RFC6376], that provides a domain-level identifier in the
   content of the "d=" tag of a validated DKIM-Signature header field.

   The List-Unsubscribe and List-Unsubscribe-Post headers need to be
   covered by the signature, and hence must be included in the "h=" tag
   of a valid DKIM-Signature header field.

5.  Header Syntax

   The following ABNF imports fields, WSP, and CRLF from [RFC5322].  It
   imports ALPHA and DIGIT from [RFC5234].

Levine & Herkula         Expires March 19, 2017                 [Page 5]
Internet-Draft            One click unsubscribe           September 2016

 fields /= l-u-post

 ldh = ALPHA 0*(ALPHA | DIGIT | "-")

 l-u-post = "List-Unsubscribe-Post:" 0*1WSP postarg 0*("&" postarg) CRLF

 postarg = ALPHA 0*ldh "=" freetext

 freetext = 1*(%x20-%xfe)
    ; ampersand, percent, and equal sign must be percent encoded

6.  IANA Considerations

   IANA is requested to add a new entry to the Permanent Message Header
   Field Names registry.

   Header field name: List-Unsubscribe-Post

   Applicable protocol: mail

   Status: standard

   Author/Change controller: IETF

   Specification document: this document

7.  Examples

7.1.  Simple

   Header in Email

List-Unsubscribe: <https://example.com/unsubscribe.html>
List-Unsubscribe-Post: List-Unsubscribe=One-Click&recip=user@example.com

   Resulting POST request

   POST /unsubscribe.html HTTP/1.1
   Host: example.com
   Content-Type: application/x-www-form-urlencoded
   Content-Length: 49

   List-Unsubscribe=One-Click&recip=user@example.com

Levine & Herkula         Expires March 19, 2017                 [Page 6]
Internet-Draft            One click unsubscribe           September 2016

7.2.  Complex

   Header in Email

List-Unsubscribe: <mailto:listrequest@example.com?subject=unsubscribe>,
    <https://example.com/unsubscribe.html?campaign=123456789>
List-Unsubscribe-Post: List-Unsubscribe=One-Click&recip=user@example.com

   Resulting POST request

   POST /unsubscribe.html?campaign=123456789 HTTP/1.1
   Host: example.com
   Content-Type: application/x-www-form-urlencoded
   Content-Length: 49

   List-Unsubscribe=One-Click&recip=user@example.com

8.  Security Considerations

   The List-Unsubscribe-Post header will typically contain the recipient
   address, but that address is usually also in the To: header.  This
   specification allows anyone with access to a message to unsubscribe
   the recipient of the message, but that's typically the case with
   existing List-Unsubscribe, just with more steps.

   A creative mailer could send spam with content intended to provoke
   large numbers of unsubscriptions, with suitably crafted headers to
   send POST requests with arbitrary contents to servers that perhaps
   don't want them.  But it's been possible to provoke GET requests in a
   similar way for a long time (and much easier, due to spam filter
   auto-fetches) so the chances of significantly increased annoyance
   seem low.

   Since the mailer's server that receives the POST request cannot in
   general tell where it is coming from, the URI or POST arguments
   SHOULD contain a hash or other hard to forge component to verify the
   list and recipient address to ensure that the request originated from
   List-Unsubscribe and List-Unsubscribe-Post headers in a message the
   mailer sent.

9.  Normative References

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119,
              DOI 10.17487/RFC2119, March 1997,
              <http://www.rfc-editor.org/info/rfc2119>.

Levine & Herkula         Expires March 19, 2017                 [Page 7]
Internet-Draft            One click unsubscribe           September 2016

   [RFC2369]  Neufeld, G. and J. Baer, "The Use of URLs as Meta-Syntax
              for Core Mail List Commands and their Transport through
              Message Header Fields", RFC 2369, DOI 10.17487/RFC2369,
              July 1998, <http://www.rfc-editor.org/info/rfc2369>.

   [RFC5234]  Crocker, D., Ed. and P. Overell, "Augmented BNF for Syntax
              Specifications: ABNF", STD 68, RFC 5234,
              DOI 10.17487/RFC5234, January 2008,
              <http://www.rfc-editor.org/info/rfc5234>.

   [RFC5322]  Resnick, P., Ed., "Internet Message Format", RFC 5322,
              DOI 10.17487/RFC5322, October 2008,
              <http://www.rfc-editor.org/info/rfc5322>.

   [RFC6376]  Crocker, D., Ed., Hansen, T., Ed., and M. Kucherawy, Ed.,
              "DomainKeys Identified Mail (DKIM) Signatures", STD 76,
              RFC 6376, DOI 10.17487/RFC6376, September 2011,
              <http://www.rfc-editor.org/info/rfc6376>.

   [RFC7230]  Fielding, R., Ed. and J. Reschke, Ed., "Hypertext Transfer
              Protocol (HTTP/1.1): Message Syntax and Routing",
              RFC 7230, DOI 10.17487/RFC7230, June 2014,
              <http://www.rfc-editor.org/info/rfc7230>.

   [RFC7578]  Masinter, L., "Returning Values from Forms: multipart/
              form-data", RFC 7578, DOI 10.17487/RFC7578, July 2015,
              <http://www.rfc-editor.org/info/rfc7578>.

Appendix A.  Change Log

   Remove this section before publication, please.

A.1.  Changes from -04 to -05

   Reorganize first sections and add more background.  Add ABNF.  Add
   more security advice.

A.2.  Changes from -03 to -04

   Require HTTPS.  More motivation.

A.3.  Changes from -02 to -03

   Describe motivation in intro.  Clarify required DKIM.  More paranoid
   scenarios.

Levine & Herkula         Expires March 19, 2017                 [Page 8]
Internet-Draft            One click unsubscribe           September 2016

Authors' Addresses

   John Levine
   Taughannock Networks
   PO Box 727
   Trumansburg, NY  14886

   Phone: +1 831 480 2300
   Email: standards@taugh.com
   URI:   http://jl.ly

   Tobias Herkula
   optivo GmbH
   Wallstrasse 16
   Berlin  10179
   DE

   Phone: +49 30 768078 129
   Email: t.herkula@optivo.com
   URI:   https://www.optivo.com

Levine & Herkula         Expires March 19, 2017                 [Page 9]