I don’t want to log into your service or explain why I want to unsubscribe or choose which mailing lists I want to unsubscribe from (read: All of them), nor do I want to deal with your dark patterns such as colouring the ‘cancel my request to unsubscribe’ button green and ‘yes really unsubscribe me’ red.
https://support.google.com/mail/answer/81126#requirements-5k...
Senders will need to implement a single-click unsubscribe link within emails if they haven’t already, to allow recipients to easily opt out.
It does in the article. The industry has clear definitions for things like one-click unsubscribe versus two-click confirmation. It's hard to confirm externally that things worked.
I've spent two weeks on a domain with limited registrar options because their dns manager lied about supporting larger public keys in txt records.
Also I think there was one question that was a mistake, it had a policy along the lines of:
v=DMARC1; p=reject; <stuff...>; pct=0; <stuff...>
I answered that a failing message would have an effect of p=none, but the right answer was apparently p=quarantine. Is that right, considering pct=0? (Unless I was blind and the pct wasn't set to 0 in the question...)
"If email is subject to the DMARC policy of "reject", the Mail Receiver SHOULD reject the message (see Section 10.3). If the email is not subject to the "reject" policy (due to the "pct" tag), the Mail Receiver SHOULD treat the email as though the "quarantine" policy applies. This behavior allows Domain Owners to experiment with progressively stronger policies without relaxing existing policy."
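Worked example for the pct= question above (added here; it is not code from the thread or from any of the projects mentioned). It parses a DMARC TXT record and applies the RFC 7489 section 6.6.4 rule the quote describes: a failing message that falls outside the pct sample gets the next weaker policy, so p=reject with pct=0 is treated as quarantine, and p=quarantine with pct=0 falls through to none. The record strings and the `sample_draw` knob (so a run is deterministic) are constructed for the example.

```python
"""Added example, not from the original thread: parse a DMARC record and
compute what a receiver applies to a message that FAILS DMARC when pct=
is set (RFC 7489 section 6.6.4)."""
import random

POLICIES = ("none", "quarantine", "reject")
# A message excluded from the stated policy by pct= gets the next weaker one.
STEP_DOWN = {"reject": "quarantine", "quarantine": "none", "none": "none"}


def parse_dmarc(record: str) -> dict:
    """Split 'tag=value; tag=value' into a dict and validate the tags used here."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed tag {part!r}")
        key, value = (s.strip() for s in part.split("=", 1))
        tags[key.lower()] = value
    if tags.get("v") != "DMARC1":
        raise ValueError("record must start with v=DMARC1")
    if "p" not in tags:
        raise ValueError("p= is required")
    for key in ("p", "sp"):
        if key in tags and tags[key].lower() not in POLICIES:
            raise ValueError(f"{key}={tags[key]!r} is not none/quarantine/reject")
    pct = int(tags.get("pct", "100"))          # default is 100 when absent
    if not 0 <= pct <= 100:
        raise ValueError("pct must be 0..100")
    tags["pct"] = str(pct)
    return tags


def effective_policy(tags: dict, *, is_subdomain=False, sample_draw=None) -> str:
    """Policy applied to a message that failed DMARC alignment.

    sample_draw is an integer 1..100; None draws it at random, as a real
    receiver would. The message is 'in the sample' when draw <= pct, so
    pct=0 never selects a message and pct=100 always does."""
    policy = tags["p"].lower()
    if is_subdomain and "sp" in tags:          # sp= overrides p= for subdomains
        policy = tags["sp"].lower()
    pct = int(tags["pct"])
    if sample_draw is None:
        sample_draw = random.randint(1, 100)
    if not 1 <= sample_draw <= 100:
        raise ValueError("sample_draw must be 1..100")
    return policy if sample_draw <= pct else STEP_DOWN[policy]


def disposition(tags: dict, *, dmarc_pass: bool, is_subdomain=False, sample_draw=None) -> str:
    """Full receiver decision: p= and pct= only ever apply to failing mail."""
    if dmarc_pass:
        return "none"
    return effective_policy(tags, is_subdomain=is_subdomain, sample_draw=sample_draw)


if __name__ == "__main__":
    # Constructed record with the shape discussed above: p=reject but pct=0.
    rec = parse_dmarc("v=DMARC1; p=reject; rua=mailto:dmarc@example.com; pct=0; adkim=s")
    print("failing message, p=reject pct=0 ->", effective_policy(rec))
```

The practical takeaway: pct= is a ramp for the failing case only, it never loosens anything for mail that passes, and the ramp stops one notch below the stated policy rather than at "do nothing".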
Thank you thank you.
You can't. That's the point. Stop.
I mark all commercial email as spam. I never asked for it, I don't want it. I don't really care if you carefully constructed a form in such a way to be compliant with the laws in my country. I don't care how your BDR found me. I don't ever want to hear from you. If I didn't ask for it, it's spam, I'm marking it spam, and I hope people who use Gmail and Yahoo do the same.
Maybe their mindset should really be, "Hey, we're annoying 99.95% of our users who did not consent to these emails, and > 50% will be turned off to our product and will associate our brand to that of a needy, attention-grabbing parasite".
If I wanted these emails, I would have opted in.
Instead, not only do they automatically opt you in, but they'll re-opt you in after you've unsubscribed. I've had it happen a year or two later; suddenly, I'm back on their spam list.
It's become so bad now that I can't even let a shopping cart sit anymore without getting a nagmail saying "HEY YOU NEED TO FINISH CHECKING OUT NOW1!!!".
That email is the reminder to empty my cart and never do business with them again.
Seriously, STFU and leave me alone. If your sales and marketing team insist on these tactics, you need to fire them and hire people who get it.
So, full disclosure, in addition to being kind of an anti-spam zealot, my day job is running marketing operations at a big-ish software company. So I get the fun job of telling everyone from the junior intern to the senior VP that no, my team is not going to send that email for you. That no, in fact, I don't care what the old person in my job let you do, or what you did at your old company, or how many levels above me you are in the org chart. We're only going to email people what they asked for, at the frequency they asked for it, on the topics they asked to hear about. These new Gmail/Yahoo rules have helped immensely in making the case to our CMO to have my back.
I have them blocked at the server level because of how much spam they were sending me. They clearly do zero enforcement of opt-in.
But any bulk mailer that doesn't solve that problem is by definition a spam engine, and should probably be blocked at the ISP level.
That said, with no-DNS email addresses, SPF comes for free (alice@[x.x.x.x] bob@[ipv6:...]).
Namely, if SPF does pass, cryptographic DNS-based signature mechanisms are excessive and must not be used to score.
And to round it out, DMARC tells the receiver what to do when the SPF or DKIM tests fail, namely "report", "quarantine", or "reject". Not sure why they're requiring it when it doesn't affect a spam verdict. Maybe it's so those who run a misconfigured server can't complain if their mail is being dropped silently, google and yahoo can just tell them to switch the policy to "report".
DKIM would be used only if SPF does not "pass", if present. DNS SPF is inappropriate for those email providers implementing DNS trickery which cannot work with DNS SPF. For DNS SPF to "pass", not only the SMTP prolog and transactions must be evaluated, but also some header fields (from:, reply-to:).
For instance, if you are self-hosted and your SPF DNS entry does match the domain in the SMTP prolog/transactions and the header fields, your spam score will be significantly lower.
With no-DNS email servers, you don't have the SPF DNS indirection and can directly check the IPs (bob@[x.x.x.x], alice@[ipv6:...]) for spam scoring.
That said, the real worst are those sys admins blocking instead of enabling grey listing.
Aside from SPF being around first, DKIM makes far more sense.
I wish. If you are using SPF only, you are consenting to being spoofed.
And there's no incentive to stop this. When email inboxes turn into marketing dumpsters, it just drives users to WhatsApp/Discord/FB Messenger/Slack/etc. for communication, which is good for those affiliated companies, but is bad for open platforms.
It's nudging me towards switching banks.
If I don't provide a List-Unsubscribe header: do these emails then get blocked and no one can log in?
If I provide a list-unsubscribe header, what is the expected behaviour if they do click the Unsubscribe button?
- tell them they can't unsubscribe to this email because it's needed to accomplish what they want to do in the future?
- delete their account? what if it's a bank account or something like that?
Would appreciate some clarity from Google at least...
I'm asking how does Google differentiate between a transactional and a non transactional email?
They also say in their guidelines
> *Marketing messages and subscribed messages* must support one-click unsubscribe, and include a clearly visible unsubscribe link in the message body.
So how is Google determining what is a Marketing/Subscribed message? If they're not, then am I required to tack on this header to ALL emails regardless of type or risk getting binned?
In my experience, Google is pretty accurate in figuring out transactional versus marketing. They don't tell their heuristics, but you don't think engineers who build web crawlers cannot build email classifiers? They have reliably been sorting my promotional emails from transaction emails for almost a decade now.
But off the top of my head when working on an email marketing platform: sender address, message subject and content, single message or bulk inbound at a given time, open rates, click rates, unsub rates, bounce rates. Part of sender reputation is ESPs building a profile of what kind of email you send from an address.
Search isn't doing that well either.
They're not requiring just unsubscribe links. They're specifically requiring "one-click" unsubscribe links that can accept a POST request for unsubscribing. This allows their software to have an unsubscribe button that doesn't require the user to leave their software.
This is the RFC that has to be complied with:
https://datatracker.ietf.org/doc/html/rfc8058
Note, that this is not easy for many people using legacy software. It's a major change. I wouldn't be surprised if this requirement gets delayed multiple times.
In my last big job we had big discussions about what is marketing. What can marketing pack into a transactional without it becoming a marketing email? Banner? A tagline in the signature? Testimonials? Also - b/c Germany - big discussions with legal on that topic.
We're talking about Google here. It doesn't matter that they have lots of clever people working there; they still occasionally get/guess things wrong, and if you're the unlucky too-small-to-even-notice outfit that happens to get squished by Google today, there's seldom much you can do about it.
Don’t put Google on a pedestal. I’ve seen Google Workspace classify an individual email sent from one colleague to another as spam. Both perfectly legitimate users in the same account / domain. No weird trigger words like Viagra. Just a run-of-the-mill email about work, between two colleagues who had been emailing each other for months. If emails like that aren’t safe from Google’s spam filter, then no emails are safe from Google’s spam filter.
Yes, I definitely think that. The engineers can build anything, but where the company focuses matters.
I've seen transactional E-mails get sorted into people's spam/junk/newsletter folders too many times.
Nope, I don't. So many things get constantly marked as spam in my inbox, even server notifications, from the same domain, same daily emails, marked repeatedly as "not spam", and added to address book.
Then there's the second problem of Google support... your 2FA passwords, email authentications, password reset links, etc. will be sent out, Gmail will send them to spam, your users won't see/find the email, and there's nothing you can do... no one to call at Google that would actually listen and try to do anything, no penalties if they don't do anything, only hope that your service is large enough that it gets some traction on Twitter or here and some random Googler sees it.
G is like any other Fortune 500 company now. The amount of products in their graveyard grows every year. Maintenance of “legacy” apps is handed off to offshore teams who have objectives to just keep it running until it’s 86’d.
Google has also made plenty of mistakes with web: look at PWAs, AMP, and Chrome just to start.
I’ve seen Gmail put legit update emails coming from Google itself in spam.
A lot of places don't accept outgoing SMTP traffic at all, some allow it for personal usage and finding someone who accepts you sending lots of outgoing SMTP traffic is gonna be really hard, except if that host already hosts lots of already spam-marked IPs.
List-Unsubscribe-Post: List-Unsubscribe=One-Click
That shouldn't be hard for any mailing list manager software to handle. This is not a requirement for a personal self-hosted email.
Google et al have successfully turned email into the domain of a few SaaS, and at half of them blatant spammers can message millions with no record of consent with the most obvious scams and have it delivered into the inbox. Hell, most spam these days I get from hacked Gmail accounts. The game is rigged, as they say.
I wish they took a closer look at themselves and also applied these kinds of rules to themselves.
If you mean coming to Gmail, three-dots > report spam.
If you mean coming from Gmail, https://support.google.com/mail/contact/abuse?hl=en.
SPF/DKIM/DMARC help with phishing/forgery; they do little to nothing for spam, even though this policy change makes it look like it's connected.
If I send spam through gmail, the spam is "authenticated".
Spammers were among the first to implement these in an attempt to get a higher score in spam filters. For quite a while DKIM was positively correlated with spamminess for me.
Meanwhile.. does google even respond postmaster@ or abuse@ requests?
Posthaven has very helpful (free) tools for setting up this stuff. Also GPT has a good understanding of the dns records needed.
IMHO, they’ve taken something that should be simple and turned it into a complex system that needs a ton of infrastructure because they all want a SaaS business. Everyone pays for the cost of scaling when simple sharding would do for most users.
I’d love to have a simple, self hosted DMARC analyzer running on something like PocketBase.
If there's demand, I could start a SaaS business for it :-)
For configuring:
https://www.cyber.gc.ca/en/guidance/implementation-guidance-...
I recently added DMARC monitoring to some of my domains through CloudFlare.
Otherwise anyone who receives a forwarded email can unsubscribe you! Right?
At least we can email the person to say they’ve been unsubscribed, as a transactional email? And give them a chance to resubscribe and prevent such unsubscriptions — or what?
Enable easy unsubscription: Senders will need to implement a single-click unsubscribe link within emails if they haven’t already, to allow recipients to easily opt out.
Does this mean that my emails will no longer be sent?
https://helpcentre.borrowell.com/hc/en-us/articles/100145089...
The market (Google and others) was forced to act because of how laughably easy it is to stay compliant with the CAN-SPAM Act while legally mass spamming.
Does anyone know what this sentence means? Is this “the user said this is spam”, or “the gmail spam filter false positives 10% of the time; don’t be part of the 10%, or it’ll permaban you”?
The threshold for the number defined above is 0.3%; that's the point where Gmail starts penalizing the sender by putting their emails in spam folders.
That explains why I had to immediately disable gmail's spam filter.
It seems that every time I buy something or someone gets ahold of my email address, I get added to a SPAM list.
I can't wait for all of these to be blocked.
For example: I recently elected a benefit, and the company added me to a SPAM list for weekly deals 100% unrelated to the benefit. They even ignored the fact that I unsubscribed.
1. Report each and every offending email to the FTC: https://reportfraud.ftc.gov/#/
2. Forward the "report received" email that the FTC sends you to support@spamming_domain.com and explain how and why you're reporting them
3. That's it. I've had a 100% success rate with this approach
The new requirement specifically sidesteps this, by making it possible for the email client to send a POST request directly. No need to visit the website at all; just click a button in the email client. In Gmail, senders that have this implemented now have a big blue UNSUBSCRIBE button next to their email address at the top of the message.
- Docker Newsletter: `List-Unsubscribe: <mailto:redacted@unsub-sj.mktomail.com>` - but missing http post/one-click header
- Java Weekly: link in body but no header
- Expensify: compliant
- Gradle: compliant
- Confluence Digest: No unsubscribe header
- Apache Mailing Lists: mailto header, but missing required http post / one-click
I think the confusion is that it's not just having a link, it's a specific set of headers, dkim signed fields, and form response that allows a mail client to unsubscribe with no user interaction.
It’s only the worst spam stuff that doesn’t. The obvious scam stuff sent to any email address they can find, containing every language I don’t speak, with lots of bad obfuscation to stop keyword scanners from 2002.
Hey, if this reduces the number of people who successfully unsubscribe, don't blame me, I'm just over here trying to make sure things are secure!
Surely that is a bug in the email client that forwarded the email. It should have replaced the headers, including List-Unsubscribe, with its own.
That looks to be what's happened in the emails I receive. The one exception would be if someone forwarded an email as an attachment, but in practice almost no one does that.
How can one click unsubscribe work here? Mail scanners, virus scanners and even Microsoft's own spam filters would probably click these links!
The article gets it wrong. They imply that emails have to have one-click unsubscribe links, which isn't true. Emails need to include headers (described in your link,) which the mail client can use.
If you really care about people being maliciously unsubscribed from marketing materials they forwarded around, then you can be one of the sites that sends a final "you have been unsubscribed" confirmation email.
According to the "single click" requirement, merely visiting the page by clicking the link in your email should be enough to unsubscribe you. Meaning, the GET request, which normally shouldn't change server state, should change server state.
The major issue with that is, if you forward the email, you are giving the capability to anyone else to act as you. It's a horribly insecure model, it also breaks HTTP semantics, but at least you can limit it to the "unsubscribe" action, I guess. Could be worse. Google could require other "single click" actions that may modify your profile or withdraw money from your bank account.
The only mitigation I can see is that the "you've been unsubscribed" email is a transactional email, and can inform the user that "if it wasn't you, then click here to restore your subscription to this newsletter, and don't forward your emails anymore, because Google says someone can unsubscribe you anytime and we can't do anything about it."
PS: Ironically, Apple's newest ITP scrubs information from tracking links in emails, so in theory it would make it impossible to even track whose account to unsubscribe from. "It will do this by automatically detecting user-identifiable tracking parameters in URLs and removing them." Apple ITP anti-tracking requires you to explicitly log in before doing stuff as you. Google now requires the opposite. It's impossible to satisfy both. https://www.peelinsights.com/post/ios-17-disrupts-link-track...
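Added example for the RFC 8058 mechanics discussed in this sub-thread (the RFC link, the informal header survey, and the forwarding concern just above). This is not code from the thread or from any of the senders named in it; the `mail.example.com/unsubscribe/<token>` path, the per-sender secret and the sample headers are assumptions constructed for the example. It shows three things: minting a `List-Unsubscribe` / `List-Unsubscribe-Post` header pair with an opaque, recipient-bound HMAC token (so no login is needed, but the token cannot be guessed or tampered with); an audit function that flags the failure modes seen in the survey (mailto-only, missing `List-Unsubscribe-Post`, DKIM signature not covering both headers, which RFC 8058 requires); and the endpoint logic that only changes state on a POST whose body is exactly `List-Unsubscribe=One-Click`, while a plain GET (text-only client, link scanner, virus scanner) gets a confirmation page. The token does not solve the forwarded-email problem: whoever holds the message holds the capability, which is why the code's success path is where a "you were unsubscribed, restore here" transactional notice belongs.

```python
"""Added example, not from the original thread: mint, audit and honour
RFC 8058 one-click unsubscribe headers. Hostnames, paths and the secret
are assumptions."""
import base64
import hashlib
import hmac
import re

SECRET = b"rotate-me-this-is-a-demo-key"   # assumption: per-sender signing key
MAC_LEN = 16                                 # truncated HMAC-SHA256 tag


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(secret: bytes, list_id: str, recipient: str) -> str:
    """Opaque token = payload || HMAC-SHA256(payload)[:16].
    Redeemable without a login (what one-click requires), so it is a bearer
    capability: anyone holding the message can use it."""
    payload = f"{list_id}|{recipient}".encode()
    mac = hmac.new(secret, payload, hashlib.sha256).digest()[:MAC_LEN]
    return _b64(payload + mac)


def verify_token(secret: bytes, token: str):
    """Return (list_id, recipient) or None for a forged/corrupted token."""
    try:
        raw = _unb64(token)
    except ValueError:                       # binascii.Error is a ValueError
        return None
    if len(raw) <= MAC_LEN:
        return None
    payload, mac = raw[:-MAC_LEN], raw[-MAC_LEN:]
    expected = hmac.new(secret, payload, hashlib.sha256).digest()[:MAC_LEN]
    if not hmac.compare_digest(mac, expected):
        return None
    list_id, _, recipient = payload.decode(errors="replace").partition("|")
    return list_id, recipient


def unsubscribe_headers(secret: bytes, list_id: str, recipient: str,
                        base_url: str = "https://mail.example.com") -> dict:
    """Header pair a sender adds; both must also be listed in DKIM h=."""
    token = mint_token(secret, list_id, recipient)
    return {
        "List-Unsubscribe": f"<{base_url}/unsubscribe/{token}>, "
                            f"<mailto:unsubscribe@example.com?subject={token}>",
        "List-Unsubscribe-Post": "List-Unsubscribe=One-Click",
    }


def check_one_click(headers: dict) -> list:
    """Audit a message's headers; an empty list means compliant on its face."""
    h = {k.lower(): v for k, v in headers.items()}
    problems = []
    lu = h.get("list-unsubscribe")
    if lu is None:
        problems.append("no List-Unsubscribe header")
    elif not re.search(r"<https://[^>]+>", lu):
        problems.append("List-Unsubscribe has no https URI (mailto-only)")
    if h.get("list-unsubscribe-post", "").strip() != "List-Unsubscribe=One-Click":
        problems.append("missing or malformed List-Unsubscribe-Post")
    m = re.search(r"(?:^|;)\s*h=([^;]+)", h.get("dkim-signature", ""))
    signed = {f.strip().lower() for f in m.group(1).split(":")} if m else set()
    if not {"list-unsubscribe", "list-unsubscribe-post"} <= signed:
        problems.append("DKIM signature does not cover both List-Unsubscribe headers")
    return problems


def handle_unsubscribe(secret: bytes, method: str, token: str, body: str,
                       content_type: str = "application/x-www-form-urlencoded"):
    """Endpoint behaviour. Only a POST carrying the RFC 8058 body acts without
    further interaction; a GET from a scanner or text client gets a page."""
    if method == "GET":
        return 200, "confirm-page"               # state unchanged, ask the human
    if method != "POST":
        return 405, "method not allowed"
    if (content_type.split(";")[0].strip().lower() != "application/x-www-form-urlencoded"
            or body.strip() != "List-Unsubscribe=One-Click"):
        return 400, "not a one-click request"
    parsed = verify_token(secret, token)
    if parsed is None:
        return 403, "bad token"
    list_id, recipient = parsed
    # Real code records the opt-out here and queues a transactional
    # "you were unsubscribed; restore here" notice to `recipient`.
    return 200, f"unsubscribed {recipient} from {list_id}"


if __name__ == "__main__":
    hdrs = unsubscribe_headers(SECRET, "newsletter", "alice@example.org")
    print(hdrs)
    print(check_one_click({"List-Unsubscribe": "<mailto:unsub@example.com>"}))
```

Two design points worth calling out: the audit function only proves the headers are well-formed, not that the endpoint honours them (that is the "hard to confirm externally" problem raised earlier in the thread); and returning a confirmation page on GET is what turns the "one click" into two for text-only clients, which is the trade-off discussed further down.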
Yes, I have nightmares where I dream that someone else unsubscribes me from all those informative mailing lists that I NEVER OPTED IN TO.
I subscribe to receive emails or newsletters. I forward them to someone. They unsubscribe me. I stop getting them. I wonder what happens and blame the site. They couldn't even inform me what happened.
Developers are supposed to make the correct security architecture for things. Letting anyone who gets your forwarded email take actions as you on the site without any further authentication, is not the right security model.
Unfortunately you are no longer allowed to take them to court over this, as their terms of service simply say you are no longer allowed to sue them :) just like all tech companies that know they're committing lawsuit-worthy offenses.
There's the fly in the ointment. "Legitimate" shades off very slowly into bottom feeding Sanford Wallace-ass spamming. The temptation to become worse and worse is real, economics favor spamming, as it externalizes advertising costs. Until the torches and pitchforks come out.
That’s fine, I never wanted to receive messages from those people in the first place.
Marketing messages and subscribed messages must support one-click unsubscribe, and include a clearly visible unsubscribe link in the message body. Email deliverability has always meant staying on top of changing requirements.
From the RFC:
> This document addresses this part of the problem, with an HTTPS POST action
Look at the examples in the RFC for a clear description.
A 2 page overview is here: https://certified-senders.org/wp-content/uploads/2017/07/CSA...
Luckily for me, it's mostly just for my own usage and I'm not using Google to send anything; it's for things like email alerts to my Google Workspace account...
In GMail I believe senders that have this implemented now have a big blue UNSUBSCRIBE button next to their email address at the top of the message.
Neither appear if the headers aren't there.
Google marked several Samsung mobile phone order confirmation emails as phishing messages a week or two ago. Nobody sells more Android phones than Samsung, so they should be one of Google's top partners to accommodate correctly 100% of the time.
Google Workspace can even be configured to use an external smtp service behind the scenes. Can also be configured to proxy emails through 3rd parties (in which case the email might be leaving the Google ecosystem and then reentering it from a non-Google IP). There’s a lot of silly (seemingly unnecessary) features on the admin side that could trip up a spam filter.
But even for other types of transactional emails, like shipment confirmations, I would expect the open rate to be much higher and/or the complaint rate to be much lower than for marketing email.
So I can disable a competitor’s email functionality by triggering a whole bunch of password reset requests for all discoverable usernames?
Gmail's algorithms analyze, and have been doing so over the last ~20 years, a combination of factors to classify emails as promotional or transactional!
Nothing in the code itself of your email will indicate that, other than the presence of an unsub link + the rest of the footer (which is the obvious sign that's a marketing email)
I paid some company to do my email.
I email 3 times per year and get 'spam' warnings from AWS every time despite everyone subscribing through a: "SUBSCRIBE TO OUR NEWSLETTER"
No bait, just an email field and submit.
I wonder if its your type that makes it so I have to be Amazon for forgiveness. Or at least that is how it used to be, now I sell addicting clicking casino games. No emails needed. I make way more money than back when I was giving away free content via email.
Of course, I got a new message from them yesterday because they've added a dozen different lists since then and automatically opted everyone into them.
- adding a new member to the list requires a vote of approval of the existing members. bob apparently unsubscribed last week and now he wants to resubscribe. can we take a vote on whether to let him back in or not?
- when someone who isn't a member of the list attempts to post to it, we add their domain to the spam blacklist and report them to vipul's razor. hmm, weird that bob.example.com is on our spam blacklist, how could that happen?
- bob, i'm afraid i have to write you up for having violated the new company policy i posted to the policy-announce-important list last week. well, if you didn't read it, that's your problem
As for the Apple ITP thing, they implemented a thing that looks for known trackers and strips them from emails. You're saying that this thing is incorrectly breaking the URL parameter for the opt out links? Is there an example of them actually doing that? It sounds like it would be a bug if it is happening.
I've also noticed that many places interpret "one click opt out link" to mean you have to click once on the resulting page, technically making it two clicks, but also preserving HTTP get vs post semantics.
I suppose they could also make it two clicks for people that are using text-only mail clients and will therefore send a get, but to use HTML to arrange for it to be a post for everyone else.
Today it strips ?utm=928931823 from abc.com/foo?utm=928931823 but tomorrow it can strip the 928931823 from abc.com/foo/928931823 leaving abc.com/foo ... after all it can just look at all the links arriving in mail, and use an algorithm to deduce the pattern abc.com/foo/:trackingId and simply mangle the URLs.
Think they'll never do it? They already deleted FIRST-PARTY cookies and much more!
(non-us based not us citizen)
I think that email address gets more email for other people than email for me at this point.
It really drives me crazy that none of them have any type of email confirmation before accepting an email address as valid.
If you have a common word or common name email address at a big email provider then you almost certainly are getting: password reset emails, billing invoices/order confirmations, tax info, childcare/education notices, medical appointment confirmations, local government notices, business conversations, wedding invitations, etc.
All legitimate and not spam but intended for a different recipient.
One person, one time, understood the situation, thanked her, and updated things. And a year later, we got email for them. There's lots of mischief we could get up to, if so inclined, but we're not like that.
Someone last year accused her of 'hacking' in to their computer and stealing emails, so she's basically given up. But these people are missing their dr appointments, delivery change notifications, etc. And by 'these people', I'm meaning - it's perhaps 4 other people with slight variations of the same spelling.
> What is a bulk sender?
> A bulk sender is any email sender that sends close to 5,000 or more messages to personal Gmail accounts within a 24-hour period. Messages sent from the same primary domain count toward the 5,000 limit.
> Sending domains: When we calculate the 5,000-message limit, we count all messages sent from the same primary domain. For example, every day you send 2,500 messages from solarmora.com and 2,500 messages from promotions.solarmora.com to personal Gmail accounts. You’re considered a bulk sender because all 5,000 messages were sent from the same primary domain: solarmora.com. Learn about domain name basics.
> Senders who meet the above criteria at least once are permanently considered bulk senders.
IMO this is better since they have to handle all of the personal domains and small communities that send from a SMTP service like Sendgrid or Amazon SES. Relying on IPv4s to not be shared wouldn't work universally.
How hard is it to classify a message that literally contains the string "this is an advertisement"?
You'll find out what the quality of the job they are doing is.
In any case the false positive rate on that would likely be incredibly low, so it's a good heuristic considering how bad the false negative rate is right now.
Together with cookies, you can show the captcha only to visitors that are not already recognized in some way, giving them a limited number of actions before showing the captcha. And regardless of whether you want one on your password reset page, you almost certainly want one on your login page anyway.
Don't want these marketing emails? Unsubscribe here.
Oh, you need to log in in order to do that.
No, that's the wrong password for your account. Forgot password?
Hm, we don't see your account existing. Probably a different email address?
... sigh... sent a couple of emails to the data protection contact listed, but after 5 years, I still get the emails and I occasionally try to login again.
So I just automatically mark it as spam every time.
But probably because they're a small provider and don't have the resources; this is the largest telecommunications provider in Germany.
"You can’t [...] make the recipient take any step other than sending a reply email or visiting a single page on an Internet website as a condition for honoring an opt-out request."
Also, according to that page, the CAN-SPAM Act only applies to 'any electronic mail message the primary purpose of which is the commercial advertisement or promotion of a commercial product or service', not to mailing lists.
I have not seen such an unsubscribe flow in more than a decade, at this point. I assume you're thinking of mailman or some other similar solution that was already dated two decades ago, let alone now.
It is understandable that people who are not familiar with a cultural practice might seek to marginalize it, but that does not make it right.
I don't really care about making life easier for people who send email advertisements (a cultural practice I am sadly all too familiar with), but I think discussion email lists are important and valuable, even if you personally don't participate in them.
This is an advertisement that appeared on your site yesterday that is a phishing scam pretending to be a bank.
<Screenshot>
Please prevent ads like this showing up on your site.
Regards,
Client XYZ
---
Maybe it's just the positions I've been in, but I've often seen variations of the above email, and I've never seen advertisement emails that flat out say "this is an advertisement"
In fact, what I have seen are advertisement emails of the form
"This is not an advertisement, we'd like to arrange a call to discuss ways to grow your business. Signed, Bob the XYZ product sales manager"
> This is an advertisement and outbound email only. Please do not respond to it. This email has been sent on behalf of Kia Motors America, Inc. (KMA). To opt-out of receiving marketing/promotion emails from or on behalf of KMA, please click here.
Or this one I got last week from J Crew:
> We want you to hear about what's just right for you. Update your email preferences here. This email may be considered an advertising or promotional message.
For a while I just ignored it, and this kind of thing never went to spam. Now I always mark it as spam, and it's starting to, but their default spam heuristics are apparently awful, and it seems like marking as spam just affects that one sender, so you have to do it all the time for new spammers. I still just got linkedin spam yesterday after I have marked thousands of their messages. It can't be that hard to come up with heuristics for this. The biggest signal is probably that it contains an unsubscribe link since it has to be there by law.
Your example is also a single message. I imagine they look at patterns, and a single sender sending thousands of emails which are 99% similar is probably also a strong signal that it is spam (yes there are transactional emails that are templated; that's why it's a signal). That combined with the "this is an advertisement" heuristic is probably pretty accurate.
The reality is--obviously--that they are not trying to stop corporate spam. They're an advertising company; they don't want to normalize the idea that advertisements are supposed to be filtered.
In my experience, Gmail is a lot stricter on IPv6. They have been requiring SPF and rDNS on IPv6 since before this announcement.
Then senders' incentive will become to make the subject line into clickbait for the content, so that you'll open the message. So instead of subjects like "Order placed", "Order paid", "Order shipped", "Order out for delivery" you'll get uniform subjects along the lines of "IMPORTANT UPDATE TO YOUR ORDER". You will lose efficiency getting through your emails, and over time the metric will lose its indicativeness. Everybody loses.
My gmail address received 35 emails yesterday (which didn't get spam filtered). All but 3 of those got auto-archived by the filters I have in gmail. I would love google to just do this automatically.
Practically I might need another message or two a week that didn't hit my inbox.... but that's fine as long as it is still searchable.