What is one-click unsubscribe and is it required?

One-click unsubscribe is a standard, defined in RFC 8058, that lets a recipient opt out of a mailing list with a single click directly from their inbox — no landing page, no login, no preference centre. The mailbox provider reads two headers in your message and shows an "Unsubscribe" link next to the sender name; clicking it sends the opt-out straight to your server. For bulk senders to Gmail and Yahoo, it is not optional: since 2024 both providers require it for anyone sending more than 5,000 messages a day to their users.
Quick Takeaways
- One-click unsubscribe removes a subscriber in a single action from the inbox, using the
List-UnsubscribeandList-Unsubscribe-Postheaders defined in RFC 8058. - Gmail and Yahoo require it for bulk senders — those sending more than 5,000 messages per day to their users.
- The mailbox provider sends an HTTP POST to your unsubscribe URL; the process must not require a login or any extra step.
- Requests must be honored within two days, per Google's sender guidelines.
- It is separate from, but complements, the visible "unsubscribe" link inside your email body — you still need both.
- Missing or broken one-click unsubscribe can hurt deliverability and trigger spam-folder placement or outright rejection.
What is one-click unsubscribe?
One-click unsubscribe lets a recipient leave a mailing list without opening the email or visiting a website. The mailbox provider — Gmail, Yahoo, and others — surfaces an "Unsubscribe" control near the sender's name at the top of the message. When the recipient clicks it, the provider quietly tells your server to remove that address. The subscriber never sees a "are you sure?" page or a preference centre asking them to log in.
This is defined by RFC 8058, an internet standard published to make list removal genuinely one-step. Before it, the older List-Unsubscribe header often pointed to a web page that still asked the user to click through several screens — friction that pushed frustrated recipients to hit "report spam" instead, which is far more damaging to a sender's reputation.
How does one-click unsubscribe work?
The mechanism relies on two email headers working together:
List-Unsubscribecarries the unsubscribe target. For one-click it must include an HTTPS URL (amailto:address may be listed too, but the URL is what enables the one-click flow):
List-Unsubscribe:
List-Unsubscribe-Postsignals that the URL supports the automated one-click POST. Its value is fixed:
List-Unsubscribe-Post: List-Unsubscribe=One-Click
When the recipient clicks the provider's unsubscribe link, the mailbox provider sends an HTTP POST request to your List-Unsubscribe URL with the body List-Unsubscribe=One-Click. Your server reads that request and removes the address — no human visits the link, so it must work without any interactive confirmation, cookie, or sign-in. Both headers must be present and the message should be authenticated with a domain that aligns to your DMARC policy for providers to trust the request.
Is one-click unsubscribe required?
For bulk senders, yes. As part of the sender requirements Google and Yahoo rolled out through 2024, anyone sending more than 5,000 messages per day to their users must support one-click unsubscribe for marketing and subscribed messages. Per Google's sender guidelines, those senders must include the List-Unsubscribe and List-Unsubscribe-Post headers and honor opt-out requests within two days. Yahoo publishes matching requirements.
Two things are worth being precise about:
- It applies to bulk senders, not every sender. If you send low volumes, one-click unsubscribe is strongly recommended but not mandated by these rules. Because thresholds and enforcement tighten over time, though, building it in now is the safe choice — the same direction of travel behind stricter sender requirements generally.
- It does not replace the in-body link. You still need a visible "unsubscribe" link inside the email itself. One-click unsubscribe is the header-driven mechanism the mailbox provider uses; the in-body link is what a reader clicks manually.
How do you set up one-click unsubscribe?
Most reputable email service providers add the headers automatically once you enable list-unsubscribe, but the moving parts are worth understanding:
- Add both headers to every bulk message. Include a valid HTTPS
List-UnsubscribeURL and the fixedList-Unsubscribe-Post: List-Unsubscribe=One-Clickvalue. - Build an endpoint that accepts a POST. The URL must process an HTTP POST containing
List-Unsubscribe=One-Clickand unsubscribe the recipient without any login or extra confirmation. - Remove the address within two days — faster is better. The address should stop receiving marketing mail promptly.
- Authenticate the message. Make sure the mail passes SPF, DKIM, and aligns with your DMARC record, since providers weigh authentication when deciding whether to trust the unsubscribe request.
- Keep the in-body link too. Belt and braces: the header mechanism plus a visible link in the footer.
Common issues with one-click unsubscribe
Gmail isn't showing the unsubscribe link
The link only appears when both headers are present and the message is authenticated. Confirm you're sending List-Unsubscribe-Post: List-Unsubscribe=One-Click alongside a valid HTTPS List-Unsubscribe URL, and that the message passes SPF, DKIM, and DMARC alignment. Gmail also tends to hide the control on low-volume or transactional mail, so test with the kind of bulk campaign the requirement targets.
My unsubscribe URL requires a login or a confirmation page
That breaks the standard. The POST from the mailbox provider is automated — there is no human to click a "confirm" button or sign in. Strip every secondary step so the single POST completes the removal. A preference centre can exist, but it cannot be a required step in the one-click path.
The header points to a mailto: address only
A mailto: entry supports the older email-based opt-out, but it does not enable HTTPS one-click. To satisfy Gmail and Yahoo you need an HTTPS URL in List-Unsubscribe paired with the List-Unsubscribe-Post header. You can list both a URL and a mailto:, but the URL must be there.
Recipients still report spam despite the link
If opt-outs aren't processed quickly, people give up and report spam instead. Make sure removals happen within the two-day window and that unsubscribed addresses actually stop receiving mail across every list and sending platform you use.
Frequently asked questions
Is one-click unsubscribe the same as the List-Unsubscribe header?
Not quite. The older List-Unsubscribe header has existed for years and could point to a web page or a mailto: address. One-click unsubscribe is the RFC 8058 upgrade that adds List-Unsubscribe-Post and requires the URL to complete removal in a single automated POST.
Do I need it if I send fewer than 5,000 emails a day? The Gmail and Yahoo bulk-sender rules target senders above that threshold, so it isn't mandated for small senders. It is still good practice — it reduces spam complaints and improves the subscriber experience — and thresholds have only tightened over time.
Does one-click unsubscribe affect deliverability? Yes, indirectly and strongly. Making it easy to leave a list cuts spam complaints, and low complaint rates are one of the signals mailbox providers use to decide inbox placement. Missing or broken unsubscribe handling pushes users to the "report spam" button, which hurts deliverability.
Do transactional emails need it? The requirement centres on marketing and subscribed (bulk) messages, not one-to-one transactional mail like receipts or password resets. When in doubt, apply it to anything promotional.
Palisade won't manage your unsubscribe lists, but it does own the authentication half of these bulk-sender requirements: it monitors your SPF, DKIM, and DMARC records and walks you to enforcement, so the mail carrying your unsubscribe headers is trusted in the first place. Check where your domain stands with a free scan from the Email Security Score tool.
Related reading

Written by
Samuel ChenardCEO & Co-Founder, Palisade
Samuel Chenard is the CEO and co-founder of Palisade, the DMARC automation platform for MSPs. He writes Palisade's guides on DMARC, SPF, DKIM and email deliverability.
More from Samuel →


