Healthy email list: double opt-in + 1-click unsubscribe (RFC 8058)
A "clean" email list isn't measured by your number of subscribers, but by what happens when you hit Send. If 2% of your sends bounce and Gmail drops you into spam after three campaigns, the problem is almost never your content: it's your collection and your unsubscribe handling. Here are the two building blocks that change everything, and how to put them in place concretely.
Double opt-in: confirm before adding
Single opt-in adds the address as soon as the form is submitted. The problem: you inherit typos (`gmial.com`), disposable addresses, bots filling out your forms, and malicious sign-ups (someone subscribing a third party's address). All of these addresses rot your reputation: bounces, spam traps, complaints. Double opt-in adds a step: you send a confirmation email with a unique link, and you subscribe the person only if they click.
- Form submission → you create a record with status `pending` (not `confirmed`).
- You generate a short-lived signed token (24-48 h) and send it in the confirmation link.
- On click, you verify the token, switch the status to `confirmed`, and timestamp the consent (date, IP, user-agent).
- No click within the window → the `pending` record is purged. It never received a single newsletter.
Measurable benefit: a confirmation email sent to `gmial.com` bounces before it ever enters your list. A fake address never clicks. You turn your sign-up gateway into a free quality filter. The cost: you "lose" 10 to 30% of sign-ups who don't confirm — but those are precisely the ones who would have tanked your open rate and your complaints.
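The four steps above, as an added example that is not the article's code: an HMAC-signed, short-lived confirmation token, a `pending` record that becomes `confirmed` only on a valid click (with consent timestamp, IP and user-agent), and a purge of unconfirmed records. It assumes an in-memory dict in place of the database, a placeholder `SECRET`, and `example.test` as the confirmation domain.

```python
import base64, binascii, hashlib, hmac, json

SECRET = b"placeholder-server-secret"   # assumption: loaded from a secret store in production
TOKEN_TTL = 24 * 3600                     # 24 h confirmation window (the article allows 24-48 h)
subscribers = {}                          # (email, list_id) -> record; stands in for a DB table

def _b64(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def make_token(email, list_id, now):
    """Sign {email, list, expiry}; only this token goes into the confirmation link."""
    payload = json.dumps({"e": email, "l": list_id, "x": int(now) + TOKEN_TTL}).encode()
    sig = hmac.new(SECRET, payload, hashlib.sha256).digest()
    return _b64(payload) + "." + _b64(sig)

def parse_token(token, now):
    """Return the signed payload if signature and expiry check out, else None."""
    try:
        part, sig_part = token.split(".", 1)
        payload, sig = _unb64(part), _unb64(sig_part)
        data = json.loads(payload)
    except (ValueError, binascii.Error):
        return None
    expected = hmac.new(SECRET, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig) or data["x"] <= now:
        return None
    return data

def subscribe(email, list_id, now):
    """Form submission: create a pending record and return the link to email out."""
    subscribers[(email, list_id)] = {"status": "pending", "created": now}
    return "https://example.test/confirm?t=" + make_token(email, list_id, now)  # assumed domain

def confirm(token, ip, user_agent, now):
    """Click on the link: a valid, unexpired token flips pending -> confirmed and records consent."""
    data = parse_token(token, now)
    rec = subscribers.get((data["e"], data["l"])) if data else None
    if rec is None:
        return False                      # bad/expired token, or pending record already purged
    if rec["status"] == "pending":
        rec.update(status="confirmed", consent={"at": now, "ip": ip, "ua": user_agent})
    return True                           # repeated clicks are harmless

def purge_pending(now):
    """Drop pending records past the window; they never received a newsletter."""
    stale = [k for k, r in subscribers.items() if r["status"] == "pending" and now - r["created"] > TOKEN_TTL]
    for key in stale:
        del subscribers[key]
    return len(stale)
```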
1-click unsubscribe: List-Unsubscribe + RFC 8058
Since February 2024, Gmail and Yahoo require it for any bulk sender (~5,000 messages/day): a single-click unsubscribe mechanism, with no intermediate page, no login. It's no longer a courtesy, it's a deliverability requirement. `List-Unsubscribe` (RFC 2369) lists the methods; `List-Unsubscribe-Post` (RFC 8058) declares that the client can send an automatic POST — that's the real "1-click": Gmail's/Apple Mail's native button triggers a POST without opening your site.
List-Unsubscribe: <https://zylior.com/u/unsub?t=SIGNED_TOKEN>, <mailto:unsub@zylior.com?subject=unsub-SIGNED_TOKEN>
List-Unsubscribe-Post: List-Unsubscribe=One-Click
- Put the HTTPS URL first, the `mailto:` second (fallback). Both target the subscriber via a signed token — never the plaintext email in the URL.
- Your endpoint must accept a POST with the body `List-Unsubscribe=One-Click` and unsubscribe without confirmation or login. A GET can show a "done" page, but the POST acts immediately.
- Respond `200` quickly and handle the unsubscribe idempotently: the client may resend the POST.
- Also keep an unsubscribe link visible in the body of the email — the RFC doesn't replace the legal obligation to provide a clickable link.
Postal address and scoped removal
First, the physical postal address: CAN-SPAM requires it for commercial sends, and its absence is a negative signal for spam filters. Put it in the footer, next to the unsubscribe link — a P.O. box or the company's address is enough. Then, scoped removal: in a multi-tenant system, a subscriber can exist in several contexts (newsletter, product notifications, a tenant's onboarding). An unsubscribe must remove the subscriber from the right scope, not delete them globally or leave them on the other lists by mistake.
- Model consent by the pair `(subscriber, list_id)` or `(subscriber, tenant_id, purpose)`, not by a simple boolean on the subscriber.
- The unsubscribe token must encode which list it targets. A click from the newsletter must not cut off transactional emails (invoices, password resets).
- Distinguish marketing unsubscribe from account deletion: the one-click `mailto:` must never delete the account.
- Keep the unsubscribe history (who, when, which list) so you never re-subscribe someone through a sloppy import.
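The one-click endpoint from the previous section and the scoped removal rules above, combined in one added example that is not the article's code: the two headers are built from a token that names both the subscriber and the list, the POST with the RFC 8058 body removes exactly that `(subscriber, list_id)` pair and nothing else, repeated POSTs are no-ops, and every removal is appended to a history. It assumes in-memory dicts in place of the consent and history tables, a placeholder `SECRET`, and that a GET on the same URL only renders a page without changing state.

```python
import base64, binascii, hashlib, hmac
from urllib.parse import parse_qs, urlparse

SECRET = b"placeholder-server-secret"   # assumption: loaded from a secret store in production
consents = {}   # (subscriber_id, list_id) -> "subscribed" | "unsubscribed"; stands in for a DB table
history = []    # (subscriber_id, list_id, when) rows, append-only, so an import can't re-subscribe them

def unsub_token(subscriber_id, list_id):
    """The token names the subscriber AND the list it targets; no email address in the URL."""
    payload = f"{subscriber_id}:{list_id}".encode()
    sig = hmac.new(SECRET, payload, hashlib.sha256).hexdigest()
    return base64.urlsafe_b64encode(payload).decode().rstrip("=") + "." + sig

def verify_token(token):
    """Return (subscriber_id, list_id) for a genuine token, else None."""
    try:
        part, sig = token.split(".", 1)
        payload = base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))
    except (ValueError, binascii.Error):
        return None
    if not hmac.compare_digest(hmac.new(SECRET, payload, hashlib.sha256).hexdigest(), sig):
        return None
    sub, _, lst = payload.decode().partition(":")
    return (sub, lst) if lst else None

def unsubscribe_headers(subscriber_id, list_id):
    """Headers to add to every marketing message for this subscriber/list pair."""
    t = unsub_token(subscriber_id, list_id)
    return {
        "List-Unsubscribe": f"<https://zylior.com/u/unsub?t={t}>, <mailto:unsub@zylior.com?subject=unsub-{t}>",
        "List-Unsubscribe-Post": "List-Unsubscribe=One-Click",
    }

def handle_unsub(method, url, body, now):
    """The /u/unsub endpoint: a POST with the RFC 8058 body removes exactly one scope, immediately.
    A GET only renders a page (for a human clicking the body link) and changes nothing. Returns (status, text)."""
    qs = parse_qs(urlparse(url).query)
    parsed = verify_token(qs.get("t", [""])[0])
    if parsed is None:
        return 400, "invalid token"
    if method == "GET":
        return 200, "page"                       # no side effects on GET: link scanners follow links
    if method != "POST" or body != "List-Unsubscribe=One-Click":
        return 400, "expected one-click POST"
    if consents.get(parsed) != "unsubscribed":  # idempotent: a resent POST is a no-op
        consents[parsed] = "unsubscribed"        # other lists for this subscriber are untouched
        history.append((parsed[0], parsed[1], now))
    return 200, "ok"
```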
Why this protects your deliverability
Providers (Gmail, Microsoft, Yahoo) rate senders on concrete signals: complaint rate (aim for < 0.1%, red alert above 0.3%), bounce rate, presence of spam traps, and ease of unsubscribing. Double opt-in crushes bounces and traps at the source; the 1-click turns "mark as spam" actions (which cost you dearly) into clean unsubscribes (which cost you nothing). You protect your sending domain's reputation, and therefore the inbox placement of all your future emails — including transactional ones.
In practice: put double opt-in in place today on your form (`pending` status + token + purge), add the two `List-Unsubscribe` headers with a one-click POST endpoint tested with curl, paste your postal address in the footer, and model consent per list rather than per subscriber. These four changes don't require a rebuild — a few hours of dev — and they're what decide whether you end up in the inbox or the Promotions tab. Start with the one you're missing the most.