List-Unsubscribe header setup and testing
Add List-Unsubscribe and List-Unsubscribe-Post headers, build the RFC 8058 POST endpoint, avoid common Gmail/Yahoo mistakes, and test compliance.
Since February 2024, Gmail and Yahoo require bulk senders to honor one-click unsubscribe under RFC 8058. The header is two lines, the endpoint is one POST, and yet a remarkable number of senders still get it wrong — usually by treating it like a mailto link with extra steps. If you are fixing a campaign now, run a deliverability test and compare the result with the Gmail and Yahoo sender requirements checklist.
The two headers
```
List-Unsubscribe: <mailto:[email protected]>, <https://example.com/u/abc123xyz>
List-Unsubscribe-Post: List-Unsubscribe=One-Click
```
- First header lists two methods: a mailto fallback and an HTTPS endpoint.
- Second header signals RFC 8058 compliance — receivers will POST to the HTTPS URL automatically.
- The mailto address is a fallback for clients that don't support one-click.
The POST endpoint contract
When a Gmail or Yahoo user clicks the native 'Unsubscribe' link, the receiver's server (not the user's browser) sends a POST request to your URL. There is no human in the loop and no chance to show a confirmation page. If you need to inspect a live header block first, use the free header analyzer.
```
POST /u/abc123xyz HTTP/1.1
Host: example.com
Content-Type: application/x-www-form-urlencoded
Content-Length: 26

List-Unsubscribe=One-Click
```
Implementation checklist
| Mistake | Why it fails | Correct behavior |
|---|---|---|
| Only mailto unsubscribe | Mailbox clients cannot perform RFC 8058 one-click POST | Include HTTPS URL plus mailto fallback |
| Confirmation required after POST | The POST is the unsubscribe action | Suppress immediately and return 2xx |
| Shared or guessable token | Creates privacy and abuse risk | Use per-recipient opaque tokens |
| Suppression delayed past 2 days | Provider sees repeated unwanted mail | Apply suppression quickly across active sends |
- Generate a per-recipient HMAC token at send time. Never reuse tokens.
- Store the token mapped to the recipient address in your database.
- POST handler validates the token, suppresses the address, and returns 200 OK.
- Suppression must be effective within 2 days; a send from the same campaign that is already in flight should be aborted for that address.
- GET on the same URL should show a friendly confirmation page for users who paste the URL.
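The checklist above as a framework-independent handler. This is an added example, not code from the original page: the in-memory `Map` and `Set`, the names `issueToken`, `handleUnsub` and `isSuppressed`, and the GET form markup are assumptions standing in for your database and HTTP layer.

```typescript
import { createHmac } from "node:crypto";

// Hypothetical in-memory stand-ins for the token table and the suppression list.
const tokenToRecipient = new Map<string, string>();
const suppressed = new Set<string>();

// Same HMAC derivation as the page's token snippet; also stores token -> recipient.
function issueToken(recipient: string, secret: string): string {
  const token = createHmac("sha256", secret)
    .update(`unsub:${recipient}`)
    .digest("base64url")
    .slice(0, 32);
  tokenToRecipient.set(token, recipient);
  return token;
}

interface Reply { status: number; body: string }

// Replies never echo the address, so a leaked URL does not disclose who it belongs to.
function handleUnsub(method: string, path: string, body: string): Reply {
  // Accept only the exact token shape, so arbitrary paths never reach the lookup.
  const token = /^\/u\/([A-Za-z0-9_-]{32})$/.exec(path)?.[1] ?? "";
  const recipient = tokenToRecipient.get(token);
  if (recipient === undefined) return { status: 404, body: "Unknown unsubscribe link" };

  if (method === "GET") {
    // GET changes no state: link scanners and prefetchers fetch URLs found in mail.
    return { status: 200, body: '<form method="post"><button name="List-Unsubscribe" value="One-Click">Unsubscribe</button></form>' };
  }
  if (method !== "POST") return { status: 405, body: "Method not allowed" };

  // Parses only the urlencoded body shown in the page's sample request.
  if (new URLSearchParams(body).get("List-Unsubscribe") !== "One-Click") {
    return { status: 400, body: "Missing List-Unsubscribe=One-Click" };
  }
  suppressed.add(recipient.toLowerCase()); // idempotent: a repeated POST is still 200
  return { status: 200, body: "Unsubscribed" };
}

// Call before every send, including batches of a campaign already in flight.
function isSuppressed(address: string): boolean {
  return suppressed.has(address.toLowerCase());
}
```
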
```typescript
import { createHmac } from "node:crypto";

// HMAC-SHA256 over the recipient address, truncated to 32 base64url characters.
function unsubToken(recipient: string, secret: string): string {
  return createHmac("sha256", secret)
    .update(`unsub:${recipient}`)
    .digest("base64url")
    .slice(0, 32);
}

// Placeholder: the recipient address of the message being sent.
const to = "recipient@example.com";
const url = `https://example.com/u/${unsubToken(to, process.env.UNSUB_SECRET!)}`;
// Add to headers:
// List-Unsubscribe: <mailbox fallback>, <${url}>
// List-Unsubscribe-Post: List-Unsubscribe=One-Click
```
Frequently asked questions
Last updated May 24, 2026.
Sources reviewed
- RFC 8058: One-click unsubscribe (standard)
- Email sender guidelines (official)
- Sender requirements and recommendations (official)
Factual review: June 13, 2026 by WillItInbox Editorial.