Signalling one-click functionality for list email headers
draft-levine-herkula-oneclick-08
The information below is for an old version of the document.
| Document | Type |
This is an older version of an Internet-Draft that was ultimately published as RFC 8058.
|
|
|---|---|---|---|
| Authors | John R. Levine , Tobias Herkula | ||
| Last updated | 2016-10-30 | ||
| RFC stream | Internet Engineering Task Force (IETF) | ||
| Formats | |||
| Reviews | |||
| Stream | WG state | (None) | |
| Document shepherd | Paul Kincaid-Smith | ||
| Shepherd write-up | Show Last changed 2016-09-12 | ||
| IESG | IESG state | Became RFC 8058 (Proposed Standard) | |
| Consensus boilerplate | Yes | ||
| Telechat date |
(None)
Needs a YES. Needs 10 more YES or NO OBJECTION positions to pass. |
||
| Responsible AD | Alexey Melnikov | ||
| Send notices to | "Paul Kincaid-Smith" <paulkincaidsmith@gmail.com> | ||
| IANA | IANA review state | Version Changed - Review Needed |
draft-levine-herkula-oneclick-08
Network Working Group J. Levine
Internet-Draft Taughannock Networks
Intended status: Standards Track T. Herkula
Expires: May 3, 2017 optivo GmbH
October 30, 2016
Signalling one-click functionality for list email headers
draft-levine-herkula-oneclick-08
Abstract
This document describes a method for signaling a one-click function
for the list-unsubscribe email header field. The need for this
arises out of the actuality that mail software sometimes fetches URLs
in mail header fields, and thereby accidentally triggers
unsubscriptions in the case of the list-unsubscribe header field.
Status of This Memo
This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
This Internet-Draft will expire on May 3, 2017.
Copyright Notice
Copyright (c) 2016 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of
Levine & Herkula Expires May 3, 2017 [Page 1]
Internet-Draft One click unsubscribe October 2016
the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License.
Table of Contents
1. Introduction and Motivation . . . . . . . . . . . . . . . . . 2
2. Definitions . . . . . . . . . . . . . . . . . . . . . . . . . 4
3. Implementation . . . . . . . . . . . . . . . . . . . . . . . 4
3.1. Mail senders . . . . . . . . . . . . . . . . . . . . . . 4
3.2. Mail receivers . . . . . . . . . . . . . . . . . . . . . 5
4. Additional Requirements . . . . . . . . . . . . . . . . . . . 5
5. Header Syntax . . . . . . . . . . . . . . . . . . . . . . . . 5
6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 6
7. Examples . . . . . . . . . . . . . . . . . . . . . . . . . . 6
7.1. Simple . . . . . . . . . . . . . . . . . . . . . . . . . 6
7.2. Complex . . . . . . . . . . . . . . . . . . . . . . . . . 6
7.3. Complex with multipart/form-data . . . . . . . . . . . . 7
8. Security Considerations . . . . . . . . . . . . . . . . . . . 7
9. Normative References . . . . . . . . . . . . . . . . . . . . 8
Appendix A. Change Log . . . . . . . . . . . . . . . . . . . . . 9
A.1. Changes from -07 to -08 . . . . . . . . . . . . . . . . . 9
A.2. Changes from -06 to -07 . . . . . . . . . . . . . . . . . 9
A.3. Changes from -05 to -06 . . . . . . . . . . . . . . . . . 9
A.4. Changes from -04 to -05 . . . . . . . . . . . . . . . . . 9
A.5. Changes from -03 to -04 . . . . . . . . . . . . . . . . . 9
A.6. Changes from -02 to -03 . . . . . . . . . . . . . . . . . 9
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 9
1. Introduction and Motivation
An [RFC2369] email header field can contain HTTPS [RFC7230] URIs. In
a List-Unsubscribe header field the HTTPS URI is intended to
unsubscribe the recipient of the message from the list. But anti-
spam software often fetches all resources in mail header fields
automatically, without any action by the user, and there is no
mechanical way for a sender to tell a request made automatically by
anti-spam software from one manually requested by a user. To prevent
accidental unsubscriptions, senders return landing pages with a
confirmation step to finish the unsubscribe request that a live user
would recognize and act on, but an automated system would not. This
makes the unsubscription process more complex than a single click.
Operators of broadcast marketing lists tend to be primarily concerned
about deliverability of their mail: whether the mail is delivered to
the recipients and how the messages are presented, e.g., whether in
the primary inbox or in a junk folder. Many mail systems allow
recipients to report mail as spam or junk, and mail streams from
senders whose mail is often reported as junk tend to have poor
Levine & Herkula Expires May 3, 2017 [Page 2]
Internet-Draft One click unsubscribe October 2016
deliverability. Hence the mailers want to make it as easy as
possible for recipients to unsubscribe, since the recipient's
alternative to a difficult unsubscription process is to report mail
from the sender as junk until the mail no longer appears in the
recipient's inbox.
Operators of recipient mail systems are aware that their users do not
make a clear distinction between unsubscription and junk. In some
cases they allow trustworthy mailers to request notification when
their mail is reported as junk, so they can unsubscribe the
recipient, but the process of identifying trustworthy mailers and
notifying them does not scale well to large numbers of small mailers.
This specification provides a way for recipient systems to notify the
mailer automatically, using only information within the mail message,
and without prearrangement. Some recipient systems might wish to
send an unsubscription notice to mailers whenever a user reports a
message as junk, or they might give the user the option to report and
unsubscribe.
If a mail recipient is unsubscribing manually and the unsubscription
process requires confirmation, the resulting web page is presented to
the recipient who can then click the appropriate button. But when
the unusubscribe action is combined with a MUA junk report, there is
no direct user interaction with the mailer's web site. Similarly, if
a mail system automatically unsubscribes recipient mailboxes that
have been closed or abandoned, there can be no interaction with a
user who is not present. In those cases, the unsubscription process
has to work without manual intervention, and in particular without
requiring that software attempt to interpret the contents of a
confirmation page.
This document addresses this part of the problem, with an HTTPS POST
action for mail receivers. Mail senders can distinguish this action
from other unsubscribe requests and handle it as a one-click
unsubscription without manual intervention by the mail recipient.
This document has several goals.
o Allow email senders to signal that a [RFC2369] List-Unsubscribe
header field has One-Click functionality.
o Allow MUA users to unsubscribe from mailing lists in a familiar
environment and without leaving the MUA context. A receiving
system can process an unsubscription request in the background
without further interaction, and know that it can be fully
processed by the mail sender's system.
Levine & Herkula Expires May 3, 2017 [Page 3]
Internet-Draft One click unsubscribe October 2016
2. Definitions
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in [RFC2119] when written
in all capital letters.
3. Implementation
3.1. Mail senders
A mail sender that wishes to enable one-click unsubscribes places one
List-Unsubscribe header field and one List-Unsubscribe-Post header
field in the message. The List-Unsubscribe header field MUST contain
one HTTPS URI. It MAY contain other non-HTTP/S URIs such as MAILTO:.
The List-Unsubscribe-Post header MUST contain the single key/value
pair "List-Unsubscribe=One-Click". As described below, the message
MUST have a valid DKIM signature that covers at least the List-
Unsubscribe and List-Unsubscribe-Post headers.
The URI in the List-Unsubscribe header and the POST argument in the
List-Unsubscribe-Post header MUST contain enough information to
identify the mail recipient and the list from which the recipient is
to be removed, so that the unsubscription process can complete
automatically. Since there is no provision for extra POST arguments,
any information about the message or recipient is encoded in the URI.
In particular, One-click has no way to ask the user what address or
from what list the user wishes to unsubscribe.
The POST request SHOULD NOT include cookies, http authorization, or
any other context information. The unsubscribe operation is
logically unrelated to any previous Web activity and context
information could inappropriately link the unsubscribe to previous
activity.
The URI and POST arguments SHOULD include an opaque identifier or
other hard to forge component in addition to or instead of the plain-
text names of the list and the subscriber. The server handling the
unsubscription SHOULD verify that the opaque or hard to forge
component is valid. This will deter attacks in which a malicious
party sends spam with List-Unsubscribe links for a victim list, with
the intention of causing list unsubscriptions from the victim list as
a side effect of users reporting the spam.
The mail sender needs to provide the infrastructure to handle POST
requests to the specified URI in the List-Unsubscribe header, and to
handle the unsubscribe requests that its mail will provoke.
Levine & Herkula Expires May 3, 2017 [Page 4]
Internet-Draft One click unsubscribe October 2016
The One-Click action triggered by this URI SHOULD complete promptly
and not burden the requester in an inappropriate way. The mail
sender MUST NOT return an HTTPS redirect, since redirected POST
actions have historically not worked reliably.
This document does not update [RFC2369] so the usage of List-
Unsubscribe URIs other than for one-click remains unchanged.
3.2. Mail receivers
A mail receiver can do a one-click unsubscription by performing an
HTTPS POST to the HTTPS URI in the List-Unsubscribe header and sends
the content of the List-Unsubscribe-Post header as the request body.
The POST content SHOULD be sent as "multipart/form-data" [RFC7578]
and MAY be sent as "application/x-www-form-urlencoded". These
encodings are the ones used by web browsers when sending forms. The
target of the POST action is the same as or similar to the one in the
GET action for a manual unsubscription, so this is intended to allow
the same server code to handle both.
The mail receiver MUST NOT perform a POST on the the HTTPS URI
without user consent. When and how the user consent is obtained is
not part of this specification.
4. Additional Requirements
The message needs at least one valid authentication identifier. In
this version of the specification the only supported identifier type
is DKIM [RFC6376]. Hence senders MUST apply at least one valid DKIM
signature to the message.
The List-Unsubscribe and List-Unsubscribe-Post headers MUST be
covered by the signature and included in the "h=" tag of a valid
DKIM-Signature header field.
If the message does not have the required DKIM signature, the mail
receiver SHOULD NOT offer a one-click unsubscribe for that message.
5. Header Syntax
The following ABNF imports fields, WSP, and CRLF from [RFC5322]. It
imports ALPHA and DIGIT from [RFC5234].
Levine & Herkula Expires May 3, 2017 [Page 5]
Internet-Draft One click unsubscribe October 2016
fields /= list-unsubscribe-post
ldh = ALPHA 0*(ALPHA | DIGIT | "-")
list-unsubscribe-post = "List-Unsubscribe-Post:" 0*1WSP postarg CRLF
postarg = "List-Unsubscribe=One-Click"
6. IANA Considerations
IANA is requested to add a new entry to the Permanent Message Header
Field Names registry.
Header field name: List-Unsubscribe-Post
Applicable protocol: mail
Status: standard
Author/Change controller: IETF
Specification document: this document
7. Examples
7.1. Simple
Header in Email
List-Unsubscribe: <https://example.com/unsubscribe/opaquepart>
List-Unsubscribe-Post: List-Unsubscribe=One-Click
Resulting POST request
POST /unsubscribe/opaquepart HTTP/1.1
Host: example.com
Content-Type: application/x-www-form-urlencoded
Content-Length: 26
List-Unsubscribe=One-Click
7.2. Complex
Header in Email
List-Unsubscribe: <mailto:listrequest@example.com?subject=unsubscribe>,
<https://example.com/unsubscribe.html?opaque=123456789>
List-Unsubscribe-Post: List-Unsubscribe=One-Click
Levine & Herkula Expires May 3, 2017 [Page 6]
Internet-Draft One click unsubscribe October 2016
Resulting POST request
POST /unsubscribe.html?opaque=123456789 HTTP/1.1
Host: example.com
Content-Type: application/x-www-form-urlencoded
Content-Length: 26
List-Unsubscribe=One-Click
7.3. Complex with multipart/form-data
Header in Email
List-Unsubscribe: <mailto:listrequest@example.com?subject=unsubscribe>,
<https://example.com/unsubscribe.html/opaque123456789>
List-Unsubscribe-Post: List-Unsubscribe=One-Click
Resulting POST request
POST /unsubscribe.html/opaque123456789 HTTP/1.1
Host: example.com
Content-Type: multipart/form-data; boundary=------FormBoundaryjWmhtjORrn
Content-Length: 218
------FormBoundaryjWmhtjORrn
Content-Disposition: form-data; name="List-Unsubscribe"
One-Click
------FormBoundaryjWmhtjORrn--
8. Security Considerations
The List-Unsubscribe-Post and/or List-Unsubscribe header can contain
a plaintext or encoded version of the recipient address, but that
address is usually also in the To: header. This specification allows
anyone with access to a message to unsubscribe the recipient of the
message, but that's typically the case with existing List-
Unsubscribe, just with more steps.
A creative mailer could send spam with content intended to provoke
large numbers of unsubscriptions, with suitably crafted headers to
send POST requests with arbitrary contents to servers that perhaps
don't want them. But it's been possible to provoke GET requests in a
similar way for a long time (and much easier, due to spam filter
auto-fetches) so the chances of significantly increased annoyance
seem low.
Levine & Herkula Expires May 3, 2017 [Page 7]
Internet-Draft One click unsubscribe October 2016
The unsubscribe operation provides a strong hint to the mailer that
the address to which the message was sent was valid, and could in
principle be used as a way to test whether an email address is valid.
In practice, though, there are simpler ways since as embedding image
links into the HTML of a message and see whether the recipient
fetches the images.
Since the mailer's server that receives the POST request cannot in
general tell where the request coming from, the URI or POST arguments
SHOULD contain an opaque identifier or other hard to forge component
to identify the list and recipient address. That can ensure that the
request originated from List-Unsubscribe and List-Unsubscribe-Post
headers in a message the mailer sent. Also, the request SHOULD NOT
include cookies or other context information to prevent the server
from associating the request with previous web requests.
9. Normative References
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119,
DOI 10.17487/RFC2119, March 1997,
<http://www.rfc-editor.org/info/rfc2119>.
[RFC2369] Neufeld, G. and J. Baer, "The Use of URLs as Meta-Syntax
for Core Mail List Commands and their Transport through
Message Header Fields", RFC 2369, DOI 10.17487/RFC2369,
July 1998, <http://www.rfc-editor.org/info/rfc2369>.
[RFC5234] Crocker, D., Ed. and P. Overell, "Augmented BNF for Syntax
Specifications: ABNF", STD 68, RFC 5234,
DOI 10.17487/RFC5234, January 2008,
<http://www.rfc-editor.org/info/rfc5234>.
[RFC5322] Resnick, P., Ed., "Internet Message Format", RFC 5322,
DOI 10.17487/RFC5322, October 2008,
<http://www.rfc-editor.org/info/rfc5322>.
[RFC6376] Crocker, D., Ed., Hansen, T., Ed., and M. Kucherawy, Ed.,
"DomainKeys Identified Mail (DKIM) Signatures", STD 76,
RFC 6376, DOI 10.17487/RFC6376, September 2011,
<http://www.rfc-editor.org/info/rfc6376>.
[RFC7230] Fielding, R., Ed. and J. Reschke, Ed., "Hypertext Transfer
Protocol (HTTP/1.1): Message Syntax and Routing",
RFC 7230, DOI 10.17487/RFC7230, June 2014,
<http://www.rfc-editor.org/info/rfc7230>.
Levine & Herkula Expires May 3, 2017 [Page 8]
Internet-Draft One click unsubscribe October 2016
[RFC7578] Masinter, L., "Returning Values from Forms: multipart/
form-data", RFC 7578, DOI 10.17487/RFC7578, July 2015,
<http://www.rfc-editor.org/info/rfc7578>.
Appendix A. Change Log
Remove this section before publication, please.
A.1. Changes from -07 to -08
Editorial changes per Ops directorate and security review.
Simplify POST argument to one field.
Send no context info.
A.2. Changes from -06 to -07
Added example with multipart/form-data encoding
A.3. Changes from -05 to -06
Add opaque parts to the security discussion. Editing changes,
entities are now senders and receivers, MUSTage clarified.
A.4. Changes from -04 to -05
Reorganize first sections and add more background. Add ABNF. Add
more security advice.
A.5. Changes from -03 to -04
Require HTTPS. More motivation.
A.6. Changes from -02 to -03
Describe motivation in intro. Clarify required DKIM. More paranoid
scenarios.
Authors' Addresses
Levine & Herkula Expires May 3, 2017 [Page 9]
Internet-Draft One click unsubscribe October 2016
John Levine
Taughannock Networks
PO Box 727
Trumansburg, NY 14886
Phone: +1 831 480 2300
Email: standards@taugh.com
URI: http://jl.ly
Tobias Herkula
optivo GmbH
Wallstrasse 16
Berlin 10179
DE
Phone: +49 30 768078 129
Email: t.herkula@optivo.com
URI: https://www.optivo.com
Levine & Herkula Expires May 3, 2017 [Page 10]