
Gmail and Yahoo’s 2024 inbox protections and what they mean for email programs

darylteo
81 replies
1d13h

How does this interact with transactional emails / 2FA / password resets? If 5000 people request a 2FA code in a month, do I have to give them an unsubscribe header as well? Or magic login links?

If I don't provide a list-unsubscribe header: do these emails then get blocked and no one can log in?

If I provide a list-unsubscribe header, what is the expected behaviour if they do click the Unsubscribe button?

- tell them they can't unsubscribe to this email because it's needed to accomplish what they want to do in the future?

- delete their account? what if it's a bank account or something like that?

Would appreciate some clarity from Google at least...

dexwiz
42 replies
1d11h

It's 5000/day for marketing, and if you are sending 5000 emails a day, you probably should have unsubscribe links. https://support.google.com/mail/answer/81126#requirements-5k You also need a link, not just list-unsubscribe, and it is specifically for marketing emails.

In my experience, Google is pretty accurate in figuring out transactional versus marketing. They don't tell their heuristics, but you don't think engineers who build web crawlers cannot build email classifiers? They have reliably been sorting my promotional emails from transaction emails for almost a decade now.

But off the top of my head when working on an email marketing platform: sender address, message subject and content, single message or bulk inbound at a given time, open rates, click rates, unsub rates, bounce rates. Part of sender reputation is ESPs building a profile of what kind of email you send from an address.

frereubu
7 replies
1d8h

Google routinely flags my genuine AWS invoices as possibly dangerous, despite me routinely clicking the "this isn't dangerous, I know what it is" button. So yes, I think it's totally possible that engineers who build web crawlers can't build reliable email classifiers.

cik
2 replies
1d8h

Or potentially a low-key sales tactic to push google cloud...?

spacecadet
0 replies
1d8h

yeah lol, google is the king of "it's not a bug, it's a feature".

bombcar
0 replies
1d4h

To be fair to Google, they also flag and filter emails from themselves with some regularity.

cmg
1 replies
1d3h

And somehow I still get regular “H0ME_DEPOT Order CONFRIMATION” junk landing at the top of my Gmail inbox.

hedora
0 replies
1d1h

That reminds me: totallylegit2022@hotmail.com is holding my USPS package at the warehouse.

winddude
0 replies
1d1h

I dunno, runaway costs on AWS are very dangerous.

croutonwagon
0 replies
1d1h

Google seems to do this with ANY mail coming from some of the major VPS providers. They do the same with my Linodes as well, despite me having SPF, DKIM, DMARC and even reverse DNS properly configured...

Luckily for me, it's mostly just for my own usage and I'm not using Google to send anything; it's for things like email alerts to my Google Workspace account...

jwr
6 replies
1d9h

Google is pretty accurate in figuring out transactional versus marketing. They don't tell their heuristics, but you don't think engineers who build web crawlers cannot build email classifiers?

Yes, I definitely think that. The engineers can build anything, but where the company focuses matters.

I've seen transactional E-mails get sorted into people's spam/junk/newsletter folders too many times.

ndriscoll
5 replies
1d2h

I also get tons of spam to my inbox despite regularly marking it as such, so if they are classifying marketing emails, they're not doing anything with that information.

How hard is it to classify a message that literally contains the string "this is an advertisement"?

jodrellblank
3 replies
1d2h

Your comment literally contains the string "this is an advertisement" but I can't tell what you are advertising?

ndriscoll
2 replies
1d1h

It's also not an email. I've never seen a legitimate email with that string, and all of the illegitimate ones should be triggering other heuristics, such as the existence of an unsubscribe link, or things like "$x off".

In any case the false positive rate on that would likely be incredibly low, so it's a good heuristic considering how bad the false negative rate is right now.

Macha
1 replies
1d1h

Dear site admin,

This is an advertisement that appeared on your site yesterday that is a phishing scam pretending to be a bank.

<Screenshot>

Please prevent ads like this showing up on your site.

Regards,

Client XYZ

---

Maybe it's just the positions I've been in, but I've often seen variations of the above email, and I've never seen advertisement emails that flat out say "this is an advertisement"

In fact, what I have seen are advertisement emails of the form

"This is not an advertisement, we'd like to arrange a call to discuss ways to grow your business. Signed, Bob the XYZ product sales manager"

ndriscoll
0 replies
1d

Like others, I get people handing my email out all the time by mistake because I grabbed first-initial-last-name 20 years ago, so I get lots of corporate spam that others have signed me up for. If you look at corporate spam, it frequently contains a passage like this:

This is an advertisement and outbound email only. Please do not respond to it. This email has been sent on behalf of Kia Motors America, Inc. (KMA). To opt-out of receiving marketing/promotion emails from or on behalf of KMA, please click here.

Or this one I got last week from J Crew:

We want you to hear about what's just right for you. Update your email preferences here. This email may be considered an advertising or promotional message.

For a while I just ignored it, and this kind of thing never went to spam. Now I always mark it as spam, and it's starting to, but their default spam heuristics are apparently awful, and it seems like marking as spam just affects that one sender, so you have to do it all the time for new spammers. I still just got linkedin spam yesterday after I have marked thousands of their messages. It can't be that hard to come up with heuristics for this. The biggest signal is probably that it contains an unsubscribe link since it has to be there by law.

Your example is also a single message. I imagine they look at patterns, and a single sender sending thousands of emails which are 99% similar is probably also a strong signal that it is spam (yes there are transactional emails that are templated; that's why it's a signal). That combined with the "this is an advertisement" heuristic is probably pretty accurate.

The reality is--obviously--that they are not trying to stop corporate spam. They're an advertising company; they don't want to normalize the idea that advertisements are supposed to be filtered.

ehutch79
0 replies
1d

Turn off your spam filtering for a week.

You'll find out what the quality of the job they are doing is.

boplicity
5 replies
1d3h

you probably should have unsubscribe links

They're not requiring just unsubscribe links. They're specifically requiring "one-click" unsubscribe links that can accept a POST request for unsubscribing. This allows their software to have an unsubscribe button that doesn't require the user to leave their software.

This is the RFC that has to be complied with:

https://datatracker.ietf.org/doc/html/rfc8058

Note, that this is not easy for many people using legacy software. It's a major change. I wouldn't be surprised if this requirement gets delayed multiple times.

eli
2 replies
1d3h

Yes, that's the List-Unsubscribe header and it doesn't require a POST request.

Email deliverability has always meant staying on top of changing requirements.

boplicity
1 replies
1d2h

No -- this actually expands on the List-Unsubscribe header, and adds a POST request header for one-click unsubscribe.

From the RFC:

This document addresses this part of the problem, with an HTTPS POST action

Look at the examples in the RFC for a clear description.

eli
0 replies
1d2h

Ah, my mistake. The MAILTO: style unsubscribes were a bit of a pain to deal with anyway.

dexwiz
0 replies
23h54m

No, that is for generating the Unsubscribe buttons in the email client itself. They also require a link in the body itself. From the google doc:

  Marketing messages and subscribed messages must support one-click unsubscribe, and include a clearly visible unsubscribe link in the message body.

callalex
0 replies
1d

this is not easy for many people using legacy software. It's a major change.

That’s fine, I never wanted to receive messages from those people in the first place.

JimDabell
5 replies
1d7h

you don't think engineers who build web crawlers cannot build email classifiers?

Don’t put Google on a pedestal. I’ve seen Google Workspace classify an individual email sent from one colleague to another as spam. Both perfectly legitimate users in the same account / domain. No weird trigger words like Viagra. Just a run-of-the-mill email about work, between two colleagues who had been emailing each other for months. If emails like that aren’t safe from Google’s spam filter, then no emails are safe from Google’s spam filter.

cj
1 replies
1d7h

I don’t disagree with you, but before assuming it’s the fault of gmail classifier I would look at Google Workspace admin configuration. There are a lot of settings that admins can tweak and toggle that can mess with email deliverability. You can even create specific rules that only apply when users within the same workspace are emailing each other.

Google Workspace can even be configured to use an external smtp service behind the scenes. Can also be configured to proxy emails through 3rd parties (in which case the email might be leaving the Google ecosystem and then reentering it from a non-Google IP). There’s a lot of silly (seemingly unnecessary) features on the admin side that could trip up a spam filter.

JimDabell
0 replies
13h9m

In this case it was a super-basic setup. Nothing weird going on, just an internal email within the same Google account, sent from the Gmail web interface and going straight to the spam folder for the recipient, no filtering rules or anything like that.

PennRobotics
1 replies
1d7h

Yeah, something wrong with the filter.

Google marked several Samsung mobile phone order confirmation emails as phishing messages a week or two ago. Nobody sells more Android phones than Samsung, so they should be one of Google's top partners to accommodate correctly 100% of the time.

Manouchehri
0 replies
1d1h

Without knowing anything about the details, is it possible Samsung leaked their SMTP credentials, and Google was seeing phishing to a few of their users?

CPLX
0 replies
1d7h

Yeah that happens all the time, to the point where I had to add specific rules in Google Workspace to never send those to spam. Same with other transactional emails like receipts from some places that I had marked as "not spam" 4 times and Google still couldn't figure out the next one.

jeffparsons
4 replies
1d11h

you don't think engineers who build web crawlers cannot build email classifiers?

We're talking about Google here. It doesn't matter that they have lots of clever people working there; they still occasionally get/guess things wrong, and if you're the unlucky too-small-to-even-notice outfit that happens to get squished by Google today, there's seldom much you can do about it.

darylteo
3 replies
1d9h

Exactly... Outlook by Microsoft is notorious for being very heavy handed with emails, requiring sites to put warnings to users to whitelist their domains so that they receive invoices or notifications.

explaininjs
2 replies
1d1h

At this point with outlook it’s pretty much guaranteed that any important “you just paid a ton of money here is the asset you bought” email (show/bus/etc tickets) will go straight to spam. I check spam before I look in the non-“Focused” inbox.

latchkey
0 replies
1d

I'd just rename the spam folder to "Inbox-2" or something. ;-)

amluto
0 replies
1d

If I send an email to some business, from the Outlook UI, and they reply, Outlook usually classifies the reply as spam. It’s hard to imagine less spammy email than that.

KingOfCoders
3 replies
1d8h

"transactional versus marketing"

In my last big job we had big discussions about what is marketing. What can marketing pack into a transactional without it becoming a marketing email? Banner? A tagline in the signature? Testimonials? Also - b/c Germany - big discussions with legal on that topic.

hiatus
0 replies
1d1h

For US companies, the FTC has some guidance on transactional vs marketing, including commingling of the two. https://www.ftc.gov/business-guidance/resources/can-spam-act...

dboreham
0 replies
1d1h

Uh. The answer to this is easy and obvious, unless you are trying to force marketing content into a transaction email.

callalex
0 replies
1d

This is like making technical arguments to someone else that actually, legally, you are not sexually harassing them. If there’s even an inkling of a question, your behavior sucks.

gsharma
1 replies
1d

but you don't think engineers who build web crawlers cannot build email classifiers?

I’ve seen Gmail put legit update emails coming from Google itself in spam.

djbusby
0 replies
23h9m

And yet obviously fake Drive shares from "Wells Fargo" or "Chase" get delivered to Inbox

xyst
0 replies
1d4h

You could have put Google in early ‘00s on this pedestal. But the Google today is not worthy of this.

G is like any other Fortune 500 company now. The amount of products in their graveyard grows every year. Maintenance of “legacy” apps is handed off to offshore teams who have objectives to just keep it running until it’s 86’d.

Google has also made plenty of mistakes with web: look at PWAs, AMP, and Chrome just to start.

palmfacehn
0 replies
1d9h

Invoices are in my spam folder regularly. You'd think emails I open consistently month after month, which are followed by receipts would make it through.

Search isn't doing that well either.

joelcollinsdc
0 replies
1d1h

“You need a link not list-unsubscribe” is not fully accurate according to my reading. They are asking senders to support the one click unsubscribe rfc, which uses list-unsubscribe.

ajsnigrutin
0 replies
1d6h

you don't think engineers who build web crawlers cannot build email classifiers?

Nope, I don't. So many things get constantly marked as spam in my inbox, even server notifications, from the same domain, same daily emails, marked repeatedly as "not spam", and added to address book.

Then there's the second problem of google support... your 2fa passwords, email-authentications, password reset links, etc. will be sent out, gmail will send them to spam, your users won't see/find the email, and there's nothing you can do... no one to call at google that would actually listen and try to do anything, no penalties if they don't do anything, only hope that your service is large enough that it gets some traction on twitter or here and some random googler sees it.

orliesaurus
33 replies
1d13h

You're talking about Transactional emails? You cant unsubscribe from TRANSACTIONAL emails. That's why they're transactional...not marketing. It's really important to differentiate that.

darylteo
17 replies
1d13h

I "know" that.

I'm asking how Google differentiates between a transactional and a non-transactional email.

They also say in their guidelines

*Marketing messages and subscribed messages* must support one-click unsubscribe, and include a clearly visible unsubscribe link in the message body.

So how is Google determining what is a Marketing/Subscribed message? If they're not, then am I required to tack on this header to ALL emails regardless of type or risk getting binned?

jcrites
15 replies
1d12h

If you’re sending transactional emails like password resets or MFA, then the emails will have close to a 100% open rate. This is (likely) an important factor that Google uses to judge whether email is transactional, or more generally whether it is desired by recipients, alongside other factors like having a very low complaint rate.

MaxGabriel
8 replies
1d12h

100% open rate on transactional emails feels too high to me. Something like an e-commerce purchase might kick off multiple emails (purchase made, shipped, arrived), none of which the user opens

stubish
5 replies
1d12h

Kicking off a chain of emails a user cannot easily opt out of could well be the sort of emails users want to lose. There probably should be a one-click 'stop emailing me' button, for this and future purchases. Which would be a support burden, yes.

plg94
1 replies
1d3h

Some of these emails are legally required for online shops. Doesn't matter if the user wants to receive them or not, they _have to_ be sent and actually delivered to the user's inbox.

persolb
0 replies
17h30m

I'm not sure how the 'actually delivered' would be enforced. Does Google have an affirmative requirement to deliver a 3rd parties message? I hope not.

My gmail address received 35 emails yesterday (which didn't get spam filtered). All but 3 of those got auto-archived by the filters I have in gmail. I would love google to just do this automatically.

Practically I might need another message or two a week that didn't hit my inbox.... but that's fine as long as it's as it is still searchable.

behringer
1 replies
1d11h

I watch for the subject line. I don't actually care what the content says...

Wicher
0 replies
1d7h

So... let's assume many users do this, and let's assume Google factors in the opening rate into the transactional-email-likeness score, and that transactional-email-senders become widely aware of this...

Then senders' incentive will become to make the subject line into clickbait for the content, so that you'll open the message. So instead of subjects like "Order placed", "Order paid", "Order shipped", "Order out for delivery" you'll get uniform subjects along the lines of "IMPORTANT UPDATE TO YOUR ORDER". You will lose efficiency getting through your emails, and over time the metric will lose its indicativeness. Everybody loses.

blowski
0 replies
1d1h

We’ve received your order … we’ve taken payment for your order … your order has left our warehouse … your order has arrived in another warehouse … your order is with a delivery driver … all for a $5 cable.

jcrites
1 replies
1d9h

Sorry, to clarify, I only mean this particular type of transactional email: password reset, MFA.

But even for other types of transactional emails, like shipment confirmations, I would expect the open rate to be much higher and/or the complaint rate to be much lower than for marketing email.

josephg
0 replies
1d7h

It’s also not a bad idea to provide an unsubscribe option for shipment updates.

JimDabell
3 replies
1d10h

If you’re sending transactional emails like password resets or MFA, then the emails will have close to a 100% open rate.

So I can disable a competitor’s email functionality by triggering a whole bunch of password reset requests for all discoverable usernames?

jcrites
1 replies
1d9h

That could potentially cause them problems, yeah, if you were able to do that endlessly. In practice most companies will have some kind of rate limiting in place around features like that (by IP, cookie, captcha, etc.)

JimDabell
0 replies
1d9h

IP and cookie-based rate-limiting are trivially bypassed. In fact, any kind of rate-limiting is ineffective here, especially for smaller organisations, because you only need to generate a small fraction of the traffic they normally send out. If they separate transactional mail from other types of mail (something that is frequently recommended), then how many illegitimate password reset emails do you think an attacker needs to trigger to get to, say, a 5% failure rate? Smaller organisations don’t send out an awful lot of transactional email.
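
An added example (not code from the thread, and not from any provider) of limiting password-reset mail on the axis JimDabell's point implies: the thing the attacker is burning is your outbound transactional stream and its reputation, so the caps go on the target address and on the stream as a whole, not on the requester's IP or cookie. The numbers, the hypothetical `ResetMailLimiter` class and the injectable clock are assumptions for illustration.

```python
import time
from collections import defaultdict, deque


class ResetMailLimiter:
    """Sliding-window caps on password-reset mail.

    per_address: sends allowed to one recipient per address_window seconds,
    so a flood aimed at every discoverable username yields at most
    per_address unopened mails per account.
    global_budget: sends allowed on the whole reset stream per global_window,
    a circuit breaker so an attacker cannot turn thousands of accounts into
    thousands of unread messages in one go.
    Assumed defaults; tune to your own normal reset volume.
    """

    def __init__(self, per_address=3, address_window=3600,
                 global_budget=200, global_window=3600, clock=time.monotonic):
        self.per_address = per_address
        self.address_window = address_window
        self.global_budget = global_budget
        self.global_window = global_window
        self.clock = clock
        self._by_address = defaultdict(deque)   # address -> send timestamps
        self._global = deque()                  # all send timestamps

    @staticmethod
    def _prune(q, cutoff):
        # Drop timestamps that have aged out of the window.
        while q and q[0] <= cutoff:
            q.popleft()

    def allow(self, address):
        """Return True (and record a send) or False (drop the send).

        The HTTP response to the requester must be identical in both cases
        ("if that address exists, we sent a mail"), so the limiter does not
        become an account-enumeration oracle.
        """
        now = self.clock()
        # Normalise so Alice@ and alice@ share one bucket.
        address = address.strip().lower()
        q = self._by_address[address]
        self._prune(q, now - self.address_window)
        self._prune(self._global, now - self.global_window)
        if not q:
            # Keep the map from growing without bound under an attack.
            del self._by_address[address]
            q = self._by_address[address]
        if len(q) >= self.per_address or len(self._global) >= self.global_budget:
            return False
        q.append(now)
        self._global.append(now)
        return True


if __name__ == "__main__":
    limiter = ResetMailLimiter(per_address=2, global_budget=3)
    for addr in ["bob@example.net", "Bob@example.net", "bob@example.net",
                 "carol@example.net", "dave@example.net"]:
        print(addr, "send" if limiter.allow(addr) else "drop")
```

The trade-off is explicit in the global budget: an attacker can still deny legitimate resets to the addresses they target inside a window, but they can no longer spend your sender reputation doing it, and the budget is the signal to page someone rather than to keep sending.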

renewiltord
0 replies
1d2h

If they support SMS 2FA they need to be prepared for this too because it costs a lot. Yeah, so people need to ensure that reset is at least a little hard to abuse. After all, it's a bad experience for their users if they receive a shit ton of reset emails anyway.

quickthrower2
0 replies
1d12h

I open way less than 100% of password resets - because some are malicious.

mitthrowaway2
0 replies
1d10h

I rarely open 2FA emails, because usually the displayed preview is all I need.

orliesaurus
0 replies
1d13h

Ahhh I see what you mean now, but it wasn't clear in your initial question.

Gmail's algorithms analyze, and have been doing so over the last ~20 years, a combination of factors to classify emails as promotional or transactional!

Nothing in the code itself of your email will indicate that, other than the presence of an unsub link + the rest of the footer (which is the obvious sign that it's a marketing email).

wl
11 replies
1d9h

Maybe transactional emails don't need an unsubscribe link like marketing emails, but they do need a "not my account; please stop" link to avoid the spam button.

andersa
7 replies
1d9h

Why would you be receiving transactional emails for an account that isn't yours?

josephg
1 replies
1d7h

Hah. I have josephg@gmail. I sometimes wake up to threads of 6+ password reset attempts over an hour from someone who doesn’t know their own email address. For a couple years I got pay stubs. And monthly cell phone invoices from India.

I think that email address gets more email for other people than email for me at this point.

guiambros
0 replies
15h28m

Same. Flight trips -- including PNR. Invoices. School reports. Tons of telephone bills. Frequent Uber trips (somewhere in Africa, for some reason). The list goes on and on. And my email address is short but not that common, but I still get hit a few times per week.

It really drives me crazy that none of them have any type of email confirmation before accepting an email address as valid.

mgkimsal
0 replies
1d1h

my wife gets these regularly. there are a few people in the UK (we're in the US) that have similar gmail addresses to hers, and use her email address often. she'll get restaurant reservation notices, dr appt confirmations, tv repair schedule confirmations, delivery notices, etc. She's called the vendors a couple of times, and also called the people directly a couple of times. "You've entered your email wrong, please stop using my email".

One person, one time, understood the situation, thanked her, and updated things. And a year later, we got email for them. There's lots of mischief we could get up to, if so inclined, but we're not like that.

Someone last year accused her of 'hacking' in to their computer and stealing emails, so she's basically given up. But these people are missing their dr appointments, delivery change notifications, etc. And by 'these people', I'm meaning - it's perhaps 4 other people with slight variations of the same spelling.

jacobr1
0 replies
1d3h

Another common source is emails entered on physical point-of-sale devices.

dharmab
0 replies
1d

This is a frequent occurrence for anyone with a common name.

https://xkcd.com/1279

JelteF
0 replies
1d8h

Someone signing up with a wrong email

Brybry
0 replies
1d8h

Because many people are not great at entering their email addresses correctly and many sites don't require any sort of address verification/confirmation.

If you have a common word or common name email address at a big email provider then you almost certainly are getting: password reset emails, billing invoices/order confirmations, tax info, childcare/education notices, medical appointment confirmations, local government notices, business conversations, wedding invitations, etc.

All legitimate and not spam but intended for a different recipient.

Semaphor
2 replies
1d9h

Lack of opt-in into those will have me keep marking those as spam. Just like those US political newsletters that also don’t feel like they need to verify mails.

josephg
1 replies
1d7h

US political emails are even more annoying when you aren’t American. I flag all that stuff as spam without hesitation. If you do that, I hope your entire domain ends up flagged as spam.

tomjen3
0 replies
1d

I had the idea to do a 1 dollar donation and then see the campaign getting flagged for illegal campaign contributions, but that is probably illegal for me as well.

(non-us based not us citizen)

LoganDark
2 replies
1d11h

Well, I wish my ISP would stop marking ads and promotions as "transactional". Just because they have a system that prohibits unsubscribing, doesn't mean they should be allowed to abuse that system.

93po
1 replies
1d1h

I've had a website that sent me no fewer than 6 emails over the course of 10 days for a single transaction, 5 of which were full of ads and links to their website and products. I emailed them and asked them to stop and their response was there was no way to opt out, they were transactional for new accounts.

LoganDark
0 replies
19h18m

My ISP constantly sends me emails about "staying safe online" and "the holiday season". At the bottom of the email, it says "THIS IS A SERVICE-RELATED EMAIL", supposedly to excuse the lack of any unsubscribe link.

Unfortunately you are no longer allowed to take them to court over this, as their terms of service simply say you are no longer allowed to sue them :) just like all tech companies that know they're committing lawsuit-worthy offenses.

tsycho
0 replies
1d12h

Their algorithms very likely look at (I hope so, at least) spam marking rates. I would bet that users mark promotional emails at an order of magnitude higher rate than transactional emails.

mrtesthah
0 replies
1d1h

Well the answer of course is for google to clone the unique features of your service and classify your site and its outgoing emails as spam.

jerrygoyal
0 replies
1d12h

use different subdomains for transactional and marketing emails.

ahoka
0 replies
1d3h

Also forcing people to click on opaque links in random emails cannot end well.

TheCycoONE
67 replies
1d14h

DKIM, SPF, and DMARC are old hat and implemented by anyone serious for years. What's buried in this article is the required https://datatracker.ietf.org/doc/html/rfc8058 support for one-click unsubscribe posts. I don't see many messages in my inbox yet with that.

kragen
31 replies
1d12h

also it violates longstanding security measures against malicious prank unsubscribes; it means that if you forward an email list message to someone else, they can unsubscribe you without your consent as a prank
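
An added example, not code from the thread and not Google's or Yahoo's, of what the boplicity/eli/dexwiz exchange above and TheCycoONE's comment are describing (the `List-Unsubscribe` plus `List-Unsubscribe-Post` pair from RFC 8058 and the POST a mailbox provider sends), built so that the token in the URL is per-recipient, signed and expiring, which is the part of RFC 8058 that bounds the prank kragen describes. The sender domain example.com, the endpoint path, the HMAC key and the 30-day lifetime are assumptions.

```python
import base64
import binascii
import hashlib
import hmac
import json
import time
from urllib.parse import parse_qs, urlencode, urlparse

# Assumptions for the example: a hypothetical sender at example.com, a
# per-sender HMAC key that lives in a secret store, a 30-day token lifetime.
SECRET = b"rotate-me-and-keep-me-out-of-the-repo"
BASE_URL = "https://example.com/unsubscribe"
TOKEN_TTL = 30 * 24 * 3600


def _b64(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_token(recipient, list_id, now=None):
    """Opaque per-recipient identifier. RFC 8058 s.3.1 wants the URL to be
    unique per recipient and hard to guess, so a POST can only ever act on
    the one address the token was minted for, and only until it expires."""
    exp = int((now if now is not None else time.time()) + TOKEN_TTL)
    payload = json.dumps({"r": recipient, "l": list_id, "exp": exp},
                         separators=(",", ":")).encode()
    mac = hmac.new(SECRET, payload, hashlib.sha256).digest()
    return _b64(payload) + "." + _b64(mac)


def parse_token(token, now=None):
    """Verify the MAC before trusting a byte of the payload; None on failure."""
    try:
        enc_payload, enc_mac = token.split(".", 1)
        payload, mac = _unb64(enc_payload), _unb64(enc_mac)
    except (ValueError, binascii.Error):
        return None
    expected = hmac.new(SECRET, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(mac, expected):
        return None
    data = json.loads(payload)
    if data["exp"] < (now if now is not None else time.time()):
        return None
    return data


def unsubscribe_headers(recipient, list_id, now=None):
    """The two headers a marketing message carries for one-click unsubscribe.
    List-Unsubscribe holds the per-recipient HTTPS URL; List-Unsubscribe-Post
    tells the mailbox provider it may POST to that URL with no user interaction."""
    url = BASE_URL + "?" + urlencode({"t": make_token(recipient, list_id, now)})
    return {
        "List-Unsubscribe": "<" + url + ">",
        "List-Unsubscribe-Post": "List-Unsubscribe=One-Click",
    }


def handle_one_click(method, path_with_query, body, now=None):
    """Server side. Returns (recipient, list_id) to unsubscribe, or None.
    RFC 8058 s.3.2: the provider POSTs a form body that is exactly
    List-Unsubscribe=One-Click. A GET (link scanners, prefetchers, a curious
    human) must never unsubscribe anyone. Only the form-urlencoded body is
    handled here; the multipart form the RFC also allows is left out."""
    if method != "POST":
        return None
    if parse_qs(body.strip()).get("List-Unsubscribe") != ["One-Click"]:
        return None
    token = parse_qs(urlparse(path_with_query).query).get("t", [None])[0]
    if token is None:
        return None
    data = parse_token(token, now)
    if data is None:
        return None
    return data["r"], data["l"]


if __name__ == "__main__":
    headers = unsubscribe_headers("alice@example.net", "newsletter")
    for name, value in headers.items():
        print(name + ": " + value)
    # Simulate the provider's POST against the URL taken from the header.
    path = headers["List-Unsubscribe"][1:-1][len("https://example.com"):]
    print("one-click POST ->", handle_one_click("POST", path, "List-Unsubscribe=One-Click"))
    print("plain GET      ->", handle_one_click("GET", path, ""))
```

Two things the snippet cannot do for you: RFC 8058 requires the message to carry a valid DKIM signature covering both List-Unsubscribe headers, and the endpoint must act on the POST directly (no redirect, no login, no cookie) and honor it promptly; Google additionally wants the visible link in the body that dexwiz quotes. On the forwarding prank: the token limits a forwardee to unsubscribing the one address the message was sent to, for as long as the token lives, and nobody else; stopping even that is the forwarding client's job, as stubish and rstuart4133 say further down.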

cameldrv
11 replies
1d12h

Requiring the user to login to unsubscribe also has the nice effect of requiring them to know the password, otherwise they have to go through the reset procedure. Of course you need to be really secure and do 2FA as well.

Hey, if this reduces the number of people who successfully unsubscribe, don't blame me, I'm just over here trying to make sure things are secure!

kragen
6 replies
1d11h

the standard approach is that unsubscribing sends an unsubscribe confirmation mail to the subscribed email address, replying to which confirms the unsubscription. nothing about logins or passwords or the web. this has been standard practice for 25–30 years

murderfs
1 replies
1d9h

I have never seen anyone do that and I believe it has been literally illegal in the U.S. for the last 20 years. From https://www.ftc.gov/business-guidance/resources/can-spam-act...:

"You can’t [...] make the recipient take any step other than sending a reply email or visiting a single page on an Internet website as a condition for honoring an opt-out request."

kragen
0 replies
1d9h

this is not 'taking any step other than sending a reply email' and it's the standard way mailing lists managed with mailman or majordomo or ezmlm have worked for quite a bit longer than 20 years

also, according to that page, the can-spam act only applies to 'any electronic mail message the primary purpose of which is the commercial advertisement or promotion of a commercial product or service', not to mailing lists

ghusbands
1 replies
1d8h

You keep talking about a particular style as though it is standard practice that's essential for security, even though it is both unusual and now illegal in many parts of the world.

I have not seen such an unsubscribe flow in more than a decade, at this point. I assume you're thinking of mailman or some other similar solution that was already dated two decades ago, let alone now.

kragen
0 replies
1d8h

something can simultaneously be standard practice in one community, essential for security, unusual in another community, and illegal in many parts of the world, though nobody seems to have found any laws against the standard mailman unsubscription mechanism in this thread

it is understandable that people who are not familiar with a cultural practice might seek to marginalize it, but that does not make it right

i don't really care about making life easier for people who send email advertisements (a cultural practice i am sadly all too familiar with) but i think discussion email lists are important and valuable, even if you personally don't participate in them

QuadmasterXLII
1 replies
1d6h

That’s gonna catch a report spam from me dawg

kragen
0 replies
19h10m

hopefully people like you won't be able to figure out how to subscribe to the mailing list in the first place

LinAGKar
1 replies
1d10h

Not only that, it also requires them to accept your EULA/Privacy Policy before you let them unsubscribe.

kragen
0 replies
9h57m

requiring web access to subscribe or unsubscribe is unacceptable

kugelblitz
0 replies
1d11h

Yep.

Don't want these marketing emails? Unsubscribe here.

Oh, you need to login in order to do that.

No, that's the wrong password for your account. Forgot password?

Hm, we don't see your account existing. Probably a different email address?

... sigh... sent a couple of emails to the data protection contact listed, but after 5 years, I still get the emails and I occasionally try to login again.

So I just automatically mark it as spam every time.

But probably because they're a small provider and don't have the resources; this is the largest telecommunications provider in Germany.

bulbosaur123
0 replies
1d8h

There is a special place in hell for people who require login to unsubscribe

SpaghettiCthulu
7 replies
1d12h

What real harm could come from such a prank? I hardly see the need for such "security" measures.

kragen
5 replies
1d11h

- we're just about to discuss a contentious topic and vote on it. i bet bob and lauren will be opposed to our suggested solution. wouldn't it be nice if they accidentally happened to get unsubscribed for a few days without notice, so they can't rebut our arguments?

- adding a new member to the list requires a vote of approval of the existing members. bob apparently unsubscribed last week and now he wants to resubscribe. can we take a vote on whether to let him back in or not?

- when someone who isn't a member of the list attempts to post to it, we add their domain to the spam blacklist and report them to vipul's razor. hmm, weird that bob.example.com is on our spam blacklist, how could that happen?

- bob, i'm afraid i have to write you up for having violated the new company policy i posted to the policy-announce-important list last week. well, if you didn't read it, that's your problem

Thiez
4 replies
1d9h

So in other words, there is no plausible scenario.

kragen
3 replies
1d8h

if you think these are unrealistic, i've got news for you; the world is a lot bigger than you think it is

gbalduzzi
2 replies
1d2h

What kind of newsletters are you subscribed to

kragen
0 replies
19h8m

newsletters are irrelevant to this thread

aendruk
0 replies
1d

Mailing lists

falserum
0 replies
1d11h

Malicious compliance, to make unsubscription more annoying, so spam can continue to flow.

stubish
3 replies
1d11h

Forwarding an email should strip this header, probably along with most of the other irrelevant ones potentially containing sensitive information the user isn't aware of. Forwarding an email with GMail only keeps the From, To, Date and Subject headers.

kragen
2 replies
1d8h

i feel like if we're talking about a header the user isn't aware of, most users probably won't be able to use it to unsubscribe either

stubish
0 replies
19h22m

End users won't use the header. Email clients will use the header when you hit the report spam or unsubscribe buttons they will display.

calfuris
0 replies
1d

Users don't need to be aware of the header, they just need to use a client that knows what to do with it.

rstuart4133
1 replies
18h0m

it means that if you forward an email list message to someone else, they can unsubscribe you without your consent as a prank

Surely that is a bug in the email client that forwarded the email. It should have replaced the headers, including List-Unsubscribe, with its own.

That looks to be what's happened in the emails I receive. The one exception would be if someone forwarded an email as an attachment, but in practice almost no one does that.

kragen
0 replies
9h56m

what does your user interface for interacting with the list-unsubscribe header look like?

riffraff
1 replies
1d11h

I think unsubscription without requiring login should be already mandated by some regulations (CAN-SPAM law and maybe GDPR).

kragen
0 replies
1d9h

according to https://www.ftc.gov/business-guidance/resources/can-spam-act... the can-spam act only applies to 'any electronic mail message the primary purpose of which is the commercial advertisement or promotion of a commercial product or service' so it's irrelevant to mailing list discussions

callalex
0 replies
23h45m

Is this a real problem in your life?

RockRobotRock
0 replies
1d11h

It would be nice to have something you can put in the footer which email clients recognize and strip when you are forwarding an email

AlexandrB
0 replies
1d1h

As far as pranks go, this is one where I'll probably thank the prankster instead of being annoyed. Even stuff I'm subscribed to intentionally, I can live without if it went away.

pests
13 replies
1d11h

I've seen a perverse dark pattern on one click unsubscribe. The page you land at has a button that lets you resubscribe! It looks non-obvious you've already unsubscribed and it looks like the regular two-click flow needing to enter your email address to confirm. Very sneaky.

mullingitover
8 replies
1d10h

If unsubscribing requires even two clicks I always flag it as spam. The rule is one-click to unsubscribe and I ruthlessly enforce it. Make it their problem.

pests
6 replies
1d10h

I tried that once with Nextdoor. They will group their mailings into different lists. The unsubscribe button only removes you from that list. To disable them all is 30+ clicks on the site once logged in. It's horrible.

alright2565
2 replies
1d5h

I just went through this with Nextdoor in October. Well, I personally didn't do all 50 clicks, but I asked their customer service to do it and they confirmed I was unsubscribed.

Of course, I got a new message from them yesterday because they've added a dozen different lists since then and automatically opted everyone into them.

xur17
1 replies
1d2h

Is this technically permitted behavior under CANSPAM? Seems like a company could just create a new "newsletter / list" for every new marketing email they send.

chuckadams
0 replies
1d

It'd be up to a judge and/or jury to decide. If one can establish that the intent was to ignore one's attempts to unsubscribe, it'd be a pretty clear-cut violation. Most reputable senders have an "opt out of all further communications" checkbox (with some fine print about legally required and transactional emails). Pretty much the only way to bring a private action under CAN-SPAM though is to be an ISP and show "actual damages".

malka
0 replies
1d9h

For this kind, my 'unsubscribe' button is labelled 'report spam'

jeromegv
0 replies
1d1h

Facebook too, unsubscribe is just for a single one of their hundred marketing emails.

croutonwagon
0 replies
1d1h

My rule is I unsubscribe once. Then I block the sender or in the case of places like nextdoor, the entire domain.

hospitalJail
0 replies
1d

Huh, I am an individual who is a scientist, not a web dev.

I paid some company to do my email.

I email 3 times per year and get 'spam' warnings from AWS every time despite everyone subscribing through a: "SUBSCRIBE TO OUR NEWSLETTER"

No bait, just an email field and submit.

I wonder if it's your type that makes it so I have to be Amazon for forgiveness. Or at least that is how it used to be, now I sell addicting clicking casino games. No emails needed. I make way more money than back when I was giving away free content via email.

classified
1 replies
1d11h

It could have been that you clicked that tiny, greyed-out, hidden unsubscribe link by accident.

dotancohen
0 replies
1d9h

Or forwarded the mail to 256 of your closest friends and one of them clicked the unsubscribe link.

buttocks
0 replies
1d5h

Worse, the unsubscribe link is behind a tracker url so pi-hole blocks it. Drives me nuts.

boplicity
0 replies
1d

I've seen a perverse dark pattern on one click unsubscribe.

The new requirement specifically sidesteps this, by making it possible for the email client to send a POST request directly. No need to visit the website at all; just click a button in the email client. In Gmail, senders that have this implemented now have a big blue UNSUBSCRIBE button next to their email address at the top of the message.

Analemma_
10 replies
1d14h

That's very odd to me. Where are you located? I'm in the United States and virtually all my newsletter/marketing emails have one-click unsubscribe these days. The only ones which don't are from foreign companies, e.g. I bought a day planner from Hobonichi and found they put their unsubscribe behind a login, to my irritation.

OkGoDoIt
4 replies
1d13h

I’d say somewhere around half of the marketing emails I receive in the USA have one-click unsubscribe. It’s still very common to have unsubscribe links that require you to enter your email address and then select that you actually want to unsubscribe from everything, etc. And some of them still require logins, although those are getting rarer. Not sure if it’s actually a loophole, but one of the dark patterns I’m seeing often is one-click unsubscribe generally only unsubscribes you from a very specific type of notification or topic of the mailing list, and you’ll still get other types of emails unless you fully log into your account and go in your email settings and unsubscribe from everything. Not sure exactly how Google and Yahoo treat those, but it feels kind of like marketers found a loophole that seems to work for them.

petre
2 replies
1d13h

Github unsubscribe is behind a login. Very annoying. We have an account with a company e-mail that is an alias to admins and it was subscribed to a few issues. One morning I got so annoyed with Thunderbird's not working message filters that I took the time to look up the password, login, unsubscribe and disable all nuisance e-mail communication.

dtech
1 replies
1d11h

That is not marketing email though

petre
0 replies
1d7h

Of course. But if I do my own service that notifies clients over e-mail, then it is "marketing e-mail".

thayne
0 replies
1d11h

I also get a fair number where there is an unsubscribe link, but it doesn't work. Or I unsubscribe and then a few months later am somehow resubscribed. It might be malicious. But I think in many cases the cause is just that the company doesn't really care that much, and don't prioritize fixing the unsubscribe flow if it breaks.

pixelesque
1 replies
1d12h

A lot of the spam from the US I get (I'm in NZ), for things like US Political fundraisers for politicians, to car dealerships in the US in various states have links to click, but you often then seem to have to enter your email address when I do click them before submitting the form.

swiftcoder
0 replies
1d10h

My favourite thing is when the unsubscribe page itself blocks my country due to GDPR...

MBCook
1 replies
1d13h

Same. Basically everything that comes from a legitimate mailing list/subscription has it. Even stuff I would personally consider spam like political mailing lists have it.

It’s only the worst spam stuff that doesn’t. The obvious scam stuff sent to any email address they can find, containing every language I don’t speak, with lots of bad obfuscation to stop keyword scanners from 2002.

bediger4000
0 replies
1d13h

Basically everything that comes from a legitimate mailing

There's the fly in the ointment. "Legitimate" shades off very slowly into bottom feeding Sanford Wallace-ass spamming. The temptation to become worse and worse is real, economics favor spamming, as it externalizes advertising costs. Until the torches and pitchforks come out.

TheCycoONE
0 replies
1d13h

I'm in Canada, but I don't think that's it.

- Docker Newsletter: `List-Unsubscribe: <mailto:redacted@unsub-sj.mktomail.com>` - but missing http post/one-click header

- Java Weekly: link in body but no header

- Expensify: compliant

- Gradle: compliant

- Confluence Digest: No unsubscribe header

- Apache Mailing Lists: mailto header, but missing required http post / one-click

I think the confusion is that it's not just having a link, it's a specific set of headers, dkim signed fields, and form response that allows a mail client to unsubscribe with no user interaction.

atesti
3 replies
1d7h

I have seen Outlook and other systems click on every link in our mailings. Using a sandboxed browser.

How can one click unsubscribe work here? Mail scanners, virus scanners and even Microsoft's own spam filters would probably click these links!

zie
2 replies
1d2h

The unsubscribe links are POSTs, not GETs. That's basically the entire safety net.

atesti
1 replies
22h41m

Really? I have not seen a <form> html element in an email in decades! Do you mean a list-unsubscribe header? I mean the hyperlink at the end of an email with "unsubscribe". I think it would be good if that unsubscribe link opens a page where one would need to press one more button to prove that it is not automatically invoked by url scanners. But this would not be "one click" unsubscribe anymore. So how can this be solved? Why is not everybody constantly auto-unsubscribed who uses office 365 or hotmail?

zie
0 replies
22h38m

I was talking about https://datatracker.ietf.org/doc/html/rfc8058. Where the URL is in the headers as List-Unsubscribe: <URL>

A 2 page overview is here: https://certified-senders.org/wp-content/uploads/2017/07/CSA...
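To make the RFC 8058 mechanics concrete, here is an added example (not code from any commenter, RFC or provider) covering both the header checklist a few comments above and the POST-not-GET point: it flags the "mailto header only" shape on a constructed message and sketches a receiving endpoint that only changes state on the One-Click POST. The domains, selector, token, secret and DKIM bh=/b= values are placeholders, and the DKIM signature is not cryptographically verified, only its h= list is inspected.

```python
"""RFC 8058 one-click unsubscribe: a sender-side header check and a minimal
receiving endpoint. Added example; not code from any commenter or provider."""
import email
import hashlib
import hmac
import re
from urllib.parse import parse_qs

# Constructed sample messages. example.com / example.org, the selector, the
# token and the DKIM bh=/b= values are placeholders, not real signatures.
SAMPLE_COMPLIANT = """\
From: News <news@example.com>
To: alice@gmail.example
Subject: Weekly digest
DKIM-Signature: v=1; a=rsa-sha256; d=example.com; s=sel; h=From:To:Subject:List-Unsubscribe:List-Unsubscribe-Post; bh=PLACEHOLDER; b=PLACEHOLDER
List-Unsubscribe: <mailto:unsub@example.com?subject=unsubscribe>, <https://example.com/unsub/TOKEN>
List-Unsubscribe-Post: List-Unsubscribe=One-Click

Digest body.
"""

# The "mailto header only" shape several commenters observed: no https URL
# and no List-Unsubscribe-Post, so no client can unsubscribe without a human.
SAMPLE_MAILTO_ONLY = """\
From: Dev List <list@example.org>
To: alice@gmail.example
Subject: [list] thread
DKIM-Signature: v=1; a=rsa-sha256; d=example.org; s=sel; h=From:To:Subject:List-Unsubscribe; bh=PLACEHOLDER; b=PLACEHOLDER
List-Unsubscribe: <mailto:list-unsubscribe@example.org>

List body.
"""


def one_click_problems(raw: str) -> list:
    """Return the RFC 8058 requirements this message fails (empty = compliant).
    The DKIM signature itself is not verified here (that needs DNS); only the
    h= list is checked, since both headers must be covered by the signature."""
    msg = email.message_from_string(raw)
    problems = []
    lu = msg.get("List-Unsubscribe")
    if lu is None:
        return ["no List-Unsubscribe header"]
    urls = re.findall(r"<([^>]+)>", lu)
    if not any(u.lower().startswith("https://") for u in urls):
        problems.append("no https URL in List-Unsubscribe (mailto alone is not one-click)")
    post = msg.get("List-Unsubscribe-Post")
    if post is None:
        problems.append("missing List-Unsubscribe-Post header")
    elif post.strip() != "List-Unsubscribe=One-Click":
        problems.append("List-Unsubscribe-Post must be exactly List-Unsubscribe=One-Click")
    dkim = msg.get("DKIM-Signature")
    if dkim is None:
        problems.append("no DKIM-Signature")
    else:
        m = re.search(r"(?:^|;)\s*h=([^;]+)", dkim)
        signed = {f.strip().lower() for f in m.group(1).split(":")} if m else set()
        for hdr in ("list-unsubscribe", "list-unsubscribe-post"):
            if hdr not in signed:
                problems.append(f"{hdr} is not in the DKIM h= signed header list")
    return problems


# Receiving side. The URL token identifies the recipient; a keyed MAC makes it
# unguessable, so only a holder of the message can act on that address.
SECRET = b"constructed-demo-secret"  # placeholder; load from a secret store in practice


def make_token(list_id: str, address: str) -> str:
    return hmac.new(SECRET, f"{list_id}\0{address}".encode(), hashlib.sha256).hexdigest()


def handle_unsubscribe(method, list_id, address, token, content_type, body, store):
    """Return (http_status, reason). Only a POST carrying the RFC 8058 form body
    changes state; a GET from a link scanner, crawler or preview fetch gets 405,
    which is the safety net the thread describes. Only the urlencoded form is
    accepted here; the RFC also allows multipart/form-data."""
    if method != "POST":
        return 405, "one-click unsubscribe requires POST"
    if not hmac.compare_digest(token, make_token(list_id, address)):
        return 404, "unknown or tampered token"
    if not content_type.startswith("application/x-www-form-urlencoded"):
        return 415, "unsupported content type"
    if parse_qs(body).get("List-Unsubscribe") != ["One-Click"]:
        return 400, "body must be List-Unsubscribe=One-Click"
    store.setdefault(list_id, set()).add(address)
    return 200, "unsubscribed"  # 2xx with nothing to render; the client shows the result


if __name__ == "__main__":
    print(one_click_problems(SAMPLE_COMPLIANT))
    print(one_click_problems(SAMPLE_MAILTO_ONLY))
```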

jasonjayr
2 replies
1d14h

I understand that the request happens in the background by the MUA at the user's express consent, and the unsubscribe is not allowed to send back any ui/html/whatever to present to the user, but the RFC is missing any information about how a response ought to be handled, HTTP Status code wise? Retry if 400/500? Give user any affirmative or negative response that it succeeded or failed?

zie
0 replies
1d2h

You can't send back anything? oops. I better re-read the RFC's, that's not how I implemented it...

chuckadams
0 replies
1d

That's up to the MUA, but I imagine that they would at least show an error dialog. If the backend of that POST is broken, then the spam complaints are going to rack up, which will get the list blocked, List-Unsubscribe header or no (some of the most notorious spammers around were actually quite scrupulous about having said header, which they would actually obey ... temporarily)

pbronez
0 replies
1d4h

Unsubscribe links make me nervous. Such an obvious attack vector.

illiac786
0 replies
10h25m

How does that interact with crawlers, like what Microsoft does? (They visit every link in every email it seems) does it automatically unsubscribe you by error then?

gwbas1c
0 replies
1d6h

required support for one-click unsubscribe posts

The article gets it wrong. They imply that emails have to have one-click unsubscribe links, which isn't true. Emails need to include headers (described in your link,) which the mail client can use.

cassianoleal
14 replies
1d15h

These mandates will only affect bulk senders, defined by Google as senders with volumes of 5000 or more messages to Gmail addresses in one day.

This is not a requirement for a personal self-hosted email.

StayTrue
6 replies
1d14h

If your personal self-hosted email routes outbound messages through a smarthost, it could affect you.

judge2020
5 replies
1d14h

Wouldn't it be based on send volume from your domain, and not send volume via your sending IP / smarthost?

zinekeller
4 replies
1d14h

Usually when talking about spam filtering it's based on sending IP and not domain names (domains are still important, but IP addresses are usually the first thing that is being evaluated), although admittedly Google is vague on what constitutes "5,000 mails per day".

judge2020
3 replies
1d14h

The linked article points to blog.google which points to this support article https://support.google.com/mail/answer/81126 which then finally points to this article: https://support.google.com/a/answer/14229414

What is a bulk sender?

A bulk sender is any email sender that sends close to 5,000 or more messages to personal Gmail accounts within a 24-hour period. Messages sent from the same primary domain count toward the 5,000 limit.

Sending domains: When we calculate the 5,000-message limit, we count all messages sent from the same primary domain. For example, every day you send 2,500 messages from solarmora.com and 2,500 messages from promotions.solarmora.com to personal Gmail accounts. You’re considered a bulk sender because all 5,000 messages were sent from the same primary domain: solarmora.com. Learn about domain name basics.

Senders who meet the above criteria at least once are permanently considered bulk senders.

IMO this is better since they have to handle all of the personal domains and small communities that send from an SMTP service like Sendgrid or Amazon SES. Relying on IPv4s to not be shared wouldn't work universally.

xyzzy123
2 replies
1d13h

It would also allow a pretty trivial bypass using ipv6. A sizeable % of ip-based rate limits are breakable if you can use v6; iirc for a long time google web properties had bypassable rate limits if you knew about this.

j16sdiz
1 replies
1d13h

Have you tried it?

In my experience, gmail is a lot stricter on ipv6. They have been requiring SPF and rDNS on IPv6 before this announcement.

xyzzy123
0 replies
1d12h

Yep I am talking about maybe a decade ago; google have fixed the issues I knew about but lots of systems still only limit v4 effectively.

stefan_
5 replies
1d14h

Indeed, self-hosted email is commonly rejected despite doing all these things.

Google et al have successfully turned email into the domain of a few SaaS, and at half of them blatant spammers can message millions with no record of consent with the most obvious scams and have it delivered into the inbox. Hell, most spam these days I get from hacked Gmail accounts. The game is rigged, as they say.

1over137
1 replies
1d14h

I often see this repeated, but in my experience self-hosted email works just fine as long as your IP has a good reputation, and isn't on some crappy bulk VPS.

sbuk
0 replies
1d10h

I have a mail server on Hetzner and one on Vultr, neither have problems delivering to any service. That said, both domains are fully and correctly configured. Banners match rDNS, DMARC aligns, I’ve even configured MTA-STS. The IPs aren’t particularly warm either.

lrem
0 replies
1d11h

I don’t have the patience for any of this. But a friend has and I sometimes use the email service of their small company. Hosted out of a cellar, their own IP block, servers maintained as a side responsibility of an employee. Can’t remember Gmail ever rejecting email from there.

dexwiz
0 replies
1d12h

I dunno who has your email but I’ve had a gmail account for 15+ years and never had a serious spam issue. The promotions and social folder system also seems to be highly accurate when filtering social media updates and clear ads out of my main inbox.

bawolff
0 replies
1d14h

At the same time, i've used sendmail on my laptop to send an email to myself as a test and it somehow ended up in my inbox on gmail.

sebazzz
0 replies
1d12h

No, but many of us are using Twilio Sendgrid and there it will apply to, especially if you don't have a dedicated IP.

kaetemi
9 replies
1d13h

Is there any service that can process DMARC report e-mails? Those mails with zips with indecipherable XMLs inside them are a bit useless. Something that takes the junk, gives a nice human readable dashboard, and informs me if something is wrong, would be nice.

rbut
1 replies
1d13h

Postmark have a free DMARC service [1] that emails you a report once a week. I use it for all my domains. Note that they also have a paid offering, but this one is free.

[1] https://dmarc.postmarkapp.com

kaetemi
0 replies
1d13h

This looks very easy to set up, thanks. I'll try it tomorrow.

wetoastfood
0 replies
1d13h

I’ve been using DMARC Digests for a year and haven’t had any issues. Was quick to set up.

snowwrestler
0 replies
1d13h

Dmarcian, I think.

reddalo
0 replies
1d9h

I tried EasyDMARC in the past [1], it's easy to use but the free plan is very limited and the cheapest plan is a bit too pricey for me.

[1] https://easydmarc.com/

linuxalien
0 replies
1d13h

Mailhardener and dmarcdigests are 2 that I've used. Dmarcdigests also has a free version through postmark that sends you a summary email weekly instead of a dashboard. I personally like mailhardener, I felt the dashboard was better and easier to understand.

hannob
0 replies
1d10h

Not a service, but I can offer an opensource script to give a basic summary: https://github.com/hannob/rpter

If there's demand, I could start a SaaS business for it :-)

freddieleeman
0 replies
1d9h

https://URIports.com/dmarc offers services starting at just $1 monthly for up to 3 domains. It's GDPR compliant and includes features like notifications, hosted MTA-STS for protection against Man-in-the-Middle (MiTM) downgrade attacks, and much more.

donmcronald
0 replies
1d12h

The DMARC industry is nuts. Most services charge a lot for what amounts to retrieving emails and doing a little XML parsing. It’s mostly transient data too, so it’s not like paying for a ton of redundancy is worth it.

IMHO, they’ve taken something that should be simple and turned it into a complex system that needs a ton of infrastructure because they all want a SaaS business. Everyone pays for the cost of scaling when simple sharding would do for most users.

I’d love to have a simple, self hosted DMARC analyzer running on something like PocketBase.

hsbauauvhabzb
8 replies
1d12h

Please describe ‘easily unsubscribe’ - subjective terms like this don’t work when you’re dealing with the profit focused marketing department of scumcorp.

I don’t want to log into your service or explain why I want to unsubscribe or choose which mailing lists I want to unsubscribe from (read: All of them) nor do I want to deal with your dark patterns such as colouring the ‘cancel my request to unsubscribe’ button green and ‘yes really unsubscribe me’ red.

dexwiz
6 replies
1d12h

  Senders will need to implement a single-click unsubscribe link within emails if they haven’t already, to allow recipients to easily opt out.
It does in the article. The industry has clear definitions for things like one click unsubscribe versus two click confirmation.

mook
3 replies
1d10h

My bank sends (non-transactional) email to me with an unsubscribe link, then magically I get sent more even after going through the whole thing (to the screen where they confirm everything has been unsubscribed).

It's hard to confirm externally that things worked.

actualwitch
2 replies
1d8h

Google probably tracks all clicks on links in mail. It is easy to see that unsubscribe was clicked, and then more mail that you mark as spam came.

mook
1 replies
10h33m

That's the thing — it's my bank and it does have transactional mail too. I don't expect Google to be able to tell between those.

It's nudging me towards switching banks.

actualwitch
0 replies
6h12m

I don't use google mail much, but fastmail seems to be capable of making fine-grained judgements on transactional/promotional mail coming from the same address. I reckon google will be able to do it too, certainly easier than changing banks.

hsbauauvhabzb
1 replies
1d11h

I know it’s not possible to implement a literal double click in web but hear me out - if someone told you they interpreted that as ‘a link which you only have to click once to open the unsubscribe website which may have additional clicking’ - would you think they’re malicious or incompetent?

dexwiz
0 replies
1d11h

Incompetent. But I think those decisions are often made by neither the people who send nor receive the emails.

darylteo
0 replies
1d9h

It is documented here as adding 2 email headers. 1 is a url that, when navigated to, implies that the recipient of the email wishes to unsubscribe from that mailing list.

https://support.google.com/mail/answer/81126#requirements-5k...

sylware
6 replies
1d16h

Abusive, SPF is plenty enough unless you cannot map the domain with the right IPs due to DNS trickery (rotation, etc), then you would need an IP agnostic way to do some checks, hence the cryptographic DNS based signature.

That said, with no-DNS email addresses, SPF comes for free (alice@[x.x.x.x] bob@[ipv6:...]).

Namely, if SPF does pass, cryptographic DNS based signature mechanisms are excessive and must not be used to score.

chuckadams
3 replies
1d14h

SPF only authenticates the envelope-from, whereas it's DKIM that takes care of the From: header. Without DKIM, one can easily do "EHLO randomspamdomainboughtyesterday.com" and "From: accounts@citibank.com". SPF is about the transport, DKIM is about the content.

And to round it out, DMARC tells the receiver what to do when the SPF or DKIM tests fail, namely "report", "quarantine", or "reject". Not sure why they're requiring it when it doesn't affect a spam verdict. Maybe it's so those who run a misconfigured server can't complain if their mail is being dropped silently, google and yahoo can just tell them to switch the policy to "report".

sylware
2 replies
1d1h

This is wrong:

DKIM would be used only if SPF does not "pass", if there. DNS SPF is inappropriate for those email providers implementing DNS trickery which cannot work with DNS SPF. For DNS SPF to "pass", not only the SMTP prolog and transactions must be evaluated, but also some header fields (from:,reply-to:).

For instance, if you are self-hosted and your SPF DNS entry does match the domain in the SMTP prolog/transactions and the header fields, your spam score will be significantly lower.

With no-DNS email servers, you don't have the SPF DNS indirection and can directly check the IPs (bob@[x.x.x.x] alice@[ipv6:...]) for spam scoring.

That said, the real worst are those sys admins blocking instead of enabling grey listing.

chuckadams
1 replies
23h46m

I'd ask you to show me the relevant section in RFC4408 that backs up your claims about header fields, but honestly I don't care to read any more incoherent rambling screeds on the topic. Cheers.

sylware
0 replies
23h39m

chatgpt?

jabroni_salad
0 replies
1d2h

https://github.com/CanIPhish/spf-bypass

i wish. If you are using spf-only, you are consenting to being spoofed.

ericpauley
0 replies
1d14h

IP addresses get reused, private keys don’t.

Aside from SPF being around first DKIM makes far more sense.

ryandrake
6 replies
1d14h

As a self-hoster for over a decade, setting up SPF, DKIM, and DMARC are pretty much once-and-done and free, so there's pretty much no downside. I'd be shocked if most self-hosters haven't set these up long ago.

boplicity
1 replies
1d3h

For those sending in bulk, the more challenging part will be complying with rfc8058

https://datatracker.ietf.org/doc/html/rfc8058

diggan
0 replies
1d2h

For sending outgoing emails in a self-hosted environment, the toughest step will absolutely be to find a host willing to accept you as a customer.

A lot of places don't accept outgoing SMTP traffic at all, some allow it for personal usage and finding someone who accepts you sending lots of outgoing SMTP traffic is gonna be really hard, except if that host already hosts lots of already spam-marked IPs.

vmfunction
0 replies
1d9h

Word, the truly hard part of self-hosting is IP warming, and filling out those damn forms to FAANG to get whitelisted, it is a rabbit hole that takes forever with no end.

illiac786
0 replies
12h22m

I don't know if self hosted but I regularly get emails from companies where this has not been set up. And not "Joe's Car Detailing" but rather "medium size gas provider" ...

RandomWorker
0 replies
1d11h

Agreed, self hosting for the last year now. It’s to do took me about a week to get it all working.

1over137
0 replies
1d14h

Yes, they are quite easy to set up. Yet I know several small ISPs that haven't done it yet. :(

freddieleeman
6 replies
1d10h

For those interested in testing their email for SPF, DKIM, and DMARC compliance or eager to learn about these mechanisms that enhance email security and prevent spoofing, check out https://learnDMARC.com. This is a site I developed to promote adoption and share knowledge. It includes a challenging quiz, tough even for professionals. I'd be keen to know your scores on the first attempt – honesty counts!

w3ll_w3ll_w3ll
0 replies
1d5h

Amazing site!

superhumanuser
0 replies
1d1h

This is beautiful and fun to use!

Thank you thank you.

ksjskskskkk
0 replies
1d10h

harder part is knowing the hacks from your dns provider that prevents things from working right.

I've spent two weeks on a domain with limited registrar options because their dns manager lied about supporting larger public keys in txt records.

flumpcakes
0 replies
1d2h

This is great! I scored 60% because I didn't realise 5321 HELO was also checked. That's news to me, I've never seen that before. I got 90% on my 2nd attempt :)

Also I think there was one question that was a mistake, it had a policy along the lines of:

v=DMARC1; p=reject; <stuff...>; pct=0; <stuff...>

I answered that a failing message would have an effect of p=none, but the right answer was apparently p=quarantine. Is that right, considering pct=0? (Unless I was blind and the pct wasn't set to 0 in the question...)
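As an added example (not code from learnDMARC.com or from any commenter), the following evaluator works through the SPF/DKIM/DMARC division of labour described earlier in the thread and the pct question just above: SPF and DKIM results are only useful to DMARC when their domain aligns with the From: header domain, and a message that pct= does not select is handled with the next less strict policy per RFC 7489 section 6.6.4, so p=reject with pct=0 behaves as quarantine. Domains are constructed placeholders, and the organizational-domain logic is simplified to the last two labels.

```python
"""DMARC disposition from SPF and DKIM results: identifier alignment and the
pct sampling rule of RFC 7489. Added example; not code from learnDMARC.com
or from any commenter. Domains below are constructed placeholders."""
import random


def org_domain(domain: str) -> str:
    """Organizational domain, simplified to the last two labels. Real
    implementations consult the Public Suffix List (co.uk and friends)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """Relaxed ('r') alignment matches organizational domains; strict ('s')
    requires the authenticated domain to equal the From: domain exactly."""
    a, f = auth_domain.lower(), from_domain.lower()
    return a == f if mode == "s" else org_domain(a) == org_domain(f)


def parse_record(txt: str) -> dict:
    """Split a DMARC TXT record such as 'v=DMARC1; p=reject; pct=0' into tags."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip()] = v.strip()
    return tags


def dmarc_disposition(record, from_domain, spf_result, envelope_from,
                      dkim_results, selected=None):
    """Return (dmarc_result, policy_to_apply).

    spf_result is the SPF verdict for envelope_from (the MAIL FROM domain);
    dkim_results is a list of (d= domain, verdict) pairs. SPF passing for some
    unrelated domain is not enough: that domain must align with From:, which
    is why SPF alone does not protect the From: header.
    selected forces the pct sampling decision for deterministic tests."""
    tags = parse_record(record)
    aspf, adkim = tags.get("aspf", "r"), tags.get("adkim", "r")
    spf_ok = spf_result == "pass" and aligned(envelope_from, from_domain, aspf)
    dkim_ok = any(v == "pass" and aligned(d, from_domain, adkim)
                  for d, v in dkim_results)
    if spf_ok or dkim_ok:
        return "pass", "none"
    policy = tags.get("p", "none")
    # sp= overrides p= when From: is a subdomain of the organizational domain
    if "sp" in tags and from_domain.lower() != org_domain(from_domain):
        policy = tags["sp"]
    pct = int(tags.get("pct", "100"))
    if selected is None:
        selected = random.randrange(100) < pct
    if not selected:
        # RFC 7489 section 6.6.4: a message not selected by pct is handled with
        # the next less strict policy (reject -> quarantine, quarantine -> none)
        policy = {"reject": "quarantine", "quarantine": "none"}.get(policy, "none")
    return "fail", policy


if __name__ == "__main__":
    # Envelope domain passes SPF but does not align with the From: domain.
    print(dmarc_disposition("v=DMARC1; p=reject", "bank.example",
                            "pass", "example.net", [], selected=True))
    # pct=0: the reject policy is never applied as reject.
    print(dmarc_disposition("v=DMARC1; p=reject; pct=0", "bank.example",
                            "fail", "example.net", []))
```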

binkHN
0 replies
1d1h

Super slick site!

Kirce
0 replies
1d4h

If I scroll the DMARC Results on mobile Firefox, the right column doesn't scroll, while the rest of the table does. The results were all green, as expected :)

EGreg
6 replies
1d1h

Unsubscribe HAS to require an authenticated session. What do they mean by “single click”?

Otherwise anyone who receives a forwarded email can unsubscribe you! Right?

At least we can email the person to say they’ve been unsubscribed, as a transactional email? And give them a chance to resubscribe and prevent such unsubscriptions — or what?

Enable easy unsubscription: Senders will need to implement a single-click unsubscribe link within emails if they haven’t already, to allow recipients to easily opt out.

hedora
3 replies
1d

It certainly does not require authentication. Have you used unsubscribe flows? Normally, you click once, it goes to a web page that displays your email address, and has an "I'm sure" button, and maybe some checkboxes to only partially unsubscribe.

If you really care about people being maliciously unsubscribed from marketing materials they forwarded around, then you can be one of the sites that sends a final "you have been unsubscribed" confirmation email.

EGreg
2 replies
23h19m

The "I'm sure" button is sensible since the session cookie confirms it's you. But that button requires a second click. That would violate the "single-click".

According to the "single click" requirement, merely visiting the page by clicking the link in your email should be enough to unsubscribe you. Meaning, the GET request, which normally shouldn't change server state, should change server state.

The major issue with that is, if you forward the email, you are giving the capability to anyone else to act as you. It's a horribly insecure model, it also breaks HTTP semantics, but at least you can limit it to the "unsubscribe" action, I guess. Could be worse. Google could require other "single click" actions that may modify your profile or withdraw money from your bank account.

The only mitigation I can see is that the "you've been unsubscribed" email is a transactional email, and can inform the user that "if it wasn't you, then click here to restore your subscription to this newsletter, and don't forward your emails anymore, because Google says someone can unsubscribe you anytime and we can't do anything about it."

PS: Ironically, Apple's newest ITP scrubs information from tracking links in emails, so in theory it would make it impossible to even track whose account to unsubscribe from. "It will do this by automatically detecting user-identifiable tracking parameters in URLs and removing them." Apple ITP anti-tracking requires you to explicitly log in before doing stuff as you. Google now requires the opposite. It's impossible to satisfy both. https://www.peelinsights.com/post/ios-17-disrupts-link-track...

hedora
1 replies
20h5m

They could also add an "oops! I didn't mean to unsubscribe; please resubscribe me" button to the landing page after you click. I've seen that before.

As for the Apple ITP thing, they implemented a thing that looks for known trackers and strips them from emails. You're saying that this thing is incorrectly breaking the URL parameter for the opt out links? Is there an example of them actually doing that? It sounds like it would be a bug if it is happening.

I've also noticed that many places interpret "one click opt out link" to mean you have to click once on the resulting page, technically making it two clicks, but also preserving HTTP get vs post semantics.

I suppose they could also make it two clicks for people that are using text-only mail clients and will therefore send a get, but to use HTML to arrange for it to be a post for everyone else.

EGreg
0 replies
18h5m

Apple has a history of gradually strengthening ITP until it breaks all the tabbos you'd never expect.

Today it strips ?utm=928931823 from abc.com/foo?utm=928931823 but tomorrow it can strip the 928931823 from abc.com/foo/928931823 leaving abc.com/foo ... after all it can just look at all the links arriving in mail, and use an algorithm to deduce the pattern abc.com/foo/:trackingId and simply mangle the URLs.

Think they'll never do it? They already deleted FIRST-PARTY cookies and much more!

nottorp
1 replies
23h47m

Otherwise anyone who receives a forwarded email can unsubscribe you! Right?

Yes, I have nightmares where I dream that someone else unsubscribes me from all those informative mailing lists that I NEVER OPTED IN TO.

EGreg
0 replies
23h22m

Straw man much?

I subscribe to receive emails or newsletters. I forward them to someone. They unsubscribe me. I stop getting them. I wonder what happens and blame the site. They couldn't even inform me what happened.

Developers are supposed to make the correct security architecture for things. Letting anyone who gets your forwarded email take actions as you on the site without any further authentication, is not the right security model.

jwr
4 replies
1d9h

I get plenty of spam through Gmail, and there is no easy way to report it, it also doesn't seem like they are the least bit interested in tackling the problem.

I wish they took a closer look at themselves and also applied these kinds of rules to themselves.

forgotpwd16
2 replies
1d9h

there is no easy way to report it

If you mean coming to Gmail, three-dots > report spam.

If you mean coming from Gmail, https://support.google.com/mail/contact/abuse?hl=en.

unsupp0rted
0 replies
1d9h

I thought this button isn’t hooked up to anything

HelenePhisher
0 replies
1d8h

A contact form is too complicated for this. I think an abuse header with an address to forward the entire mail with headers should be standard.

wakeupcall
0 replies
1d2h

I get >50% of my spam from legitimate hosts such as gmail and yahoo, which tick all the spf/dkim/dmarc boxes.

spf/dkim/dmarc helps with phishing/forgery; it does little to nothing for spam, even though this policy change makes it look like it's connected.

If I send spam through gmail, the spam is "authenticated".

Spammers were among the first to implement these in an attempt to get a higher score in spam filters. For quite a while dkim was positively correlated with spamminess for me.

Meanwhile... does google even respond to postmaster@ or abuse@ requests?

anticorporate
4 replies
1d

I find much of the discourse on these changes to be pretty amusing. It's a lot of sales and marketing teams asking how they can tweak things at a technical level so that they can keep doing the same things they've always been doing.

You can't. That's the point. Stop.

I mark all commercial email as spam. I never asked for it, I don't want it. I don't really care if you carefully constructed a form in such a way to be compliant with the laws in my country. I don't care how your BDR found me. I don't ever want to hear from you. If I didn't ask for it, it's spam, I'm marking it spam, and I hope people who use Gmail and Yahoo do the same.

codalan
2 replies
19h58m

Sometimes I wonder if their mindset is, "Hey, even if only .05% engage w/ the marketing email, that's still > 0%!".

Maybe their mindset should really be, "Hey, we're annoying 99.95% of our users who did not consent to these emails, and > 50% will be turned off to our product and will associate our brand to that of a needy, attention-grabbing parasite".

If I wanted these emails, I would have opted in.

Instead, not only do they automatically opt you in, but they'll re-opt you in after you've unsubscribed. I've had it happen a year or two later; suddenly, I'm back on their spam list.

It's become so bad now that I can't even let a shopping cart sit anymore without getting a nagmail saying "HEY YOU NEED TO FINISH CHECKING OUT NOW1!!!".

That email is the reminder to empty my cart and never do business with them again.

Seriously, STFU and leave me alone. If your sales and marketing team insist on these tactics, you need to fire them and hire people who get it.

anticorporate
1 replies
16h57m

If your sales and marketing team insist on these tactics, you need to fire them and hire people who get it.

So, full disclosure, in addition to being kind of an anti-spam zealot, my day job is running marketing operations at a big-ish software company. So I get the fun job of telling everyone from the junior intern to the senior VP that no, my team is not going to send that email for you. That no, in fact, I don't care what the old person in my job let you do, or what you did at your old company, or how many levels above me you are in the org chart. We're only going to email people what they asked for, at the frequency they asked for it, on the topics they asked to hear about. These new Gmail/Yahoo rules have helped immensely in making the case to our CMO to have my back.

codalan
0 replies
10h11m

Sounds like you get it. It's unfortunate more people don't follow this mentality.

And there's no incentive to stop this. When email inboxes turn into marketing dumpsters, it just drives users to WhatsApp/Discord/FB Messenger/Slack/etc. for communication, which is good for those affiliated companies, but is bad for open platforms.

izzydata
0 replies
1d

Indeed I do. Any email I didn't explicitly ask for that isn't a unique personal email I mark as spam. Although I also stopped using Gmail in favor of Proton.

max_
3 replies
1d11h

I use cloudflare's email remailer, i.e. emails are mailed from & to my Gmail via cloudflare, using a custom email domain.

Does this mean that my emails will no longer be sent?

darylteo
1 replies
1d11h

I think you can set an ARC header for forwarders.

modernerd
0 replies
1d10h

I think they set it automatically, at least based on https://blog.cloudflare.com/email-routing-subdomains

corney91
0 replies
23h52m

DMARC only requires SPF or DKIM to pass, so the mail will pass if it's DKIM signed.

hedora
3 replies
1d1h

Gmail and Yahoo are getting serious about spam monitoring and senders will need to ensure they’re keeping below a set spam rate threshold.

Does anyone know what this sentence means? Is this “the user said this is spam”, or “the gmail spam filter false positives 10% of the time; don’t be part of the 10%, or it’ll permaban you”?

cnees
1 replies
1d

Gmail postmaster tools says, "This dashboard shows the percentage of user-reported spam vs emails that were sent to the inbox for active users. Emails delivered directly to the spam folder are not included in the spam rate calculation. Only emails authenticated by DKIM are eligible for spam-rate calculation."

The threshold for the number defined above is 0.3%; that's the point where Gmail starts penalizing the sender by putting their emails in spam folders.
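
The definition quoted above has two exclusions that change what the percentage actually measures, so here is an added worked example (not code from the thread or from Google) that applies it to constructed delivery records: only DKIM-authenticated messages that reached the inbox are counted, user reports are divided by that count per day, and days at or above the 0.3% figure are flagged. The record layout and the traffic numbers are made up for the example.

```python
"""Daily user-reported spam rate, computed the way the quoted dashboard text describes."""
from collections import defaultdict
from dataclasses import dataclass

SPAM_RATE_THRESHOLD = 0.003   # 0.3 %, the figure quoted in the thread


@dataclass(frozen=True)
class Delivery:
    day: str
    dkim_pass: bool
    folder: str          # "inbox" or "spam"
    user_reported: bool  # recipient pressed "report spam"


def counts_toward_rate(d: Delivery) -> bool:
    """Only DKIM-authenticated mail that was delivered to the inbox is in the denominator."""
    return d.dkim_pass and d.folder == "inbox"


def daily_spam_rates(deliveries) -> dict:
    """Map each day to reported / counted for that day."""
    counted = defaultdict(int)
    reported = defaultdict(int)
    for d in deliveries:
        if not counts_toward_rate(d):
            continue
        counted[d.day] += 1
        if d.user_reported:
            reported[d.day] += 1
    return {day: reported[day] / counted[day] for day in counted}


def days_over_threshold(rates: dict, threshold: float = SPAM_RATE_THRESHOLD) -> list:
    """Days whose rate reached the threshold, sorted."""
    return sorted(day for day, rate in rates.items() if rate >= threshold)


def constructed_sample() -> list:
    """Two days of made-up traffic (constructed for this example)."""
    sample = []
    # day 1: 1000 authenticated inbox deliveries, 2 reports -> 0.2 %
    sample += [Delivery("2024-02-01", True, "inbox", False)] * 998
    sample += [Delivery("2024-02-01", True, "inbox", True)] * 2
    # day 2: 1000 authenticated inbox deliveries, 4 reports -> 0.4 %
    sample += [Delivery("2024-02-02", True, "inbox", False)] * 996
    sample += [Delivery("2024-02-02", True, "inbox", True)] * 4
    # excluded from both numerator and denominator:
    sample += [Delivery("2024-02-02", True, "spam", False)] * 300   # went straight to spam folder
    sample += [Delivery("2024-02-02", False, "inbox", True)] * 50   # inboxed but not DKIM-authenticated
    return sample


if __name__ == "__main__":
    rates = daily_spam_rates(constructed_sample())
    for day in sorted(rates):
        print(day, f"{rates[day]:.2%}")
    print("over threshold:", days_over_threshold(rates))
```

Note what the exclusions imply for a sender: mail that already lands in the spam folder cannot raise the rate further, and because unauthenticated mail is not counted, a sender without DKIM has no measured rate at all, so the number only becomes meaningful once DKIM is in place.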

hedora
0 replies
1d

Oh, so if 0.3% of people subscribe to a mailing list, then mark it as spam (instead of unsubscribing), then it goes to my spam folder?

That explains why I had to immediately disable gmail's spam filter.

nulbyte
0 replies
1d

In my experience, it means nothing. Most of the spam I get to my Gmail account comes from other Gmail users using Gmail, and I don't believe Google will do anything to hold themselves accountable.

bagels
3 replies
1d15h

What're the best resources for testing and configuring this stuff?

YPPH
0 replies
1d15h

For testing, I find https://www.mail-tester.com/ helpful.

XCSme
0 replies
1h0m

I wrote this blog post for myself for whenever I have to configure email again: https://www.uxwizz.com/blog/stop-others-use-your-domain-emai...

1over137
0 replies
1d14h

ubermonkey
2 replies
1d3h

Mailgun is a spammer, so, like, cry me a river?

I have them blocked at the server level because of how much spam they were sending me. They clearly do zero enforcement of opt-in.

jdhawk
1 replies
22h27m

how are they supposed to enforce it?

ubermonkey
0 replies
3h27m

Not really my problem.

But any bulk mailer that doesn't solve that problem is by definition a spam engine, and should probably be blocked at the ISP level.

simscitizen
2 replies
1d

Mandatory DMARC basically breaks all e-mail forwarding services (SPF doesn't survive forwarding due to modification of Return-Path). I think ARC/RFC8617 is supposed to be the fix for that, but it's not even standardized yet. This seems like a rather big issue?

mjw1007
0 replies
1d

Have Google actually documented what they mean when they say DMARC is mandatory?

Does a DMARC record with p=none count?

Does DMARC with an SPF record that places no restrictions count?
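
Whatever a receiver chooses to count, the three questions above describe configurations that are weak in the same way: a record exists, but it does not actually constrain who may send as the domain. The Python below is an added example, not code from the thread or from any provider, that parses constructed DMARC and SPF TXT records and reports those weaknesses: `p=none` (monitor only), `pct` below 100, and an SPF record ending in `+all` or `?all`, which makes SPF pass for any host and so also yields a DMARC pass whenever the envelope domain is aligned with the From domain.

```python
"""Static checks on DMARC and SPF TXT records (added example; records are constructed)."""


def parse_dmarc(txt: str) -> dict:
    """Parse 'tag=value;' pairs of a DMARC record into a dict with lower-cased tags."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def parse_spf(txt: str) -> list:
    """Split an SPF record into (qualifier, mechanism) pairs; the default qualifier is '+'."""
    terms = []
    for term in txt.split()[1:]:          # skip the leading 'v=spf1'
        if "=" in term:                   # modifiers such as redirect= or exp= are not mechanisms
            continue
        qualifier = term[0] if term[0] in "+-~?" else "+"
        terms.append((qualifier, term.lstrip("+-~?")))
    return terms


def assess_records(dmarc_txt: str, spf_txt: str) -> list:
    """Return human-readable findings; an empty list means no weakness was spotted."""
    findings = []
    dmarc = parse_dmarc(dmarc_txt)
    if dmarc.get("v") != "DMARC1":
        findings.append("dmarc: not a DMARC1 record")
    policy = dmarc.get("p")
    if policy == "none":
        findings.append("dmarc: p=none only reports; unauthenticated mail is still delivered")
    elif policy not in ("quarantine", "reject"):
        findings.append("dmarc: missing or unknown p= tag")
    try:
        pct = int(dmarc.get("pct", "100"))
    except ValueError:
        pct = 100
        findings.append("dmarc: unparseable pct= value")
    if pct < 100:
        findings.append(f"dmarc: pct={pct} applies the policy to only {pct}% of mail")
    if "rua" not in dmarc:
        findings.append("dmarc: no rua= address, so nobody receives aggregate reports")

    if not spf_txt.lower().startswith("v=spf1"):
        findings.append("spf: not an spf1 record")
    all_qualifiers = [q for q, mech in parse_spf(spf_txt) if mech.lower() == "all"]
    if all_qualifiers and all_qualifiers[-1] in "+?":
        # Any host passes SPF; with an aligned envelope domain that is also a DMARC pass.
        findings.append("spf: permissive 'all' lets any host pass SPF (and aligned DMARC)")
    elif not all_qualifiers:
        findings.append("spf: no 'all' mechanism; unlisted hosts get a neutral result")
    return findings


if __name__ == "__main__":
    # constructed records for a domain that "has DMARC" without it restricting anything
    for f in assess_records("v=DMARC1; p=none", "v=spf1 +all"):
        print(f)
```

Running the stand-alone block prints the findings for the weak pair; a record set such as `v=DMARC1; p=reject; rua=mailto:dmarc@example.com` with `v=spf1 include:_spf.example.net -all` produces none.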

illiac786
0 replies
10h31m

That is a massive problem for me indeed, if true.

gwbas1c
2 replies
1d6h

I can't wait for this to take effect.

It seems that every time I buy something or someone gets ahold of my email address, I get added to a SPAM list.

I can't wait for all of these to be blocked.

For example: I recently elected a benefit, and the company added me to a SPAM list for weekly deals 100% unrelated to the benefit. They even ignored the fact that I unsubscribed.

zie
0 replies
1d2h

I promise, these changes won't fix that.

mrWiz
0 replies
1d1h

I've started using this approach to combat spam that ignores unsubscribe attempts:

1. Report each and every offending email to the FTC: https://reportfraud.ftc.gov/#/

2. Forward the "report received" email that the FTC sends you to support@spamming_domain.com and explain how and why you're reporting them

3. That's it. I've had a 100% success rate with this approach

flemhans
1 replies
1d14h

How are they counting the 5,000/day? Per sender email? IP?

snowwrestler
0 replies
1d4h

Per sending domain name, it appears.

d3w4s9
1 replies
1d5h

Slightly off-topic: it seems that Outlook has given up fighting spam and isn't even in such conversations. I have a decades-old hotmail.com email address that is getting spam daily in the inbox, while a similarly old gmail.com almost always filters them out. Well, Gmail occasionally flags false positives but never false negatives. This is getting so bad that I have completely moved off that hotmail.com address.

rebelde
0 replies
23h56m

Microsoft, like the old Microsoft, seems to completely reject all these modern methods and use their own instead. So, you get a lot of spam and my legitimate emails are rejected.

tikkun
0 replies
1d14h

My addition to title: “If you send >5000 emails a day.”

Posthaven has very helpful (free) tools for setting up this stuff. Also GPT has a good understanding of the dns records needed.

tgsovlerkhgsel
0 replies
20h21m

I hope the <0.3% spam limit is low enough to force companies to stop with the usual "congratulations, you unsubscribed from newsletter 13 (but will continue to get newsletters 1-12 and 14-39)" bullshit.

tempestn
0 replies
1d8h

I wonder if this will force Borrowell to finally allow unsubscription from their regular emails without deleting your account.

https://helpcentre.borrowell.com/hc/en-us/articles/100145089...

technion
0 replies
1d14h

A fairly big deal is being made of this, but dmarc has been a signal for a long time and there's a good chance half your mail has been randomly landing in junk folders if you don't have it setup right. This may actually help people by making them realise that.

repeek
0 replies
23h46m

How does the one-click unsubscribe not get triggered by enterprise SPAM tools like Mimecast or Barracuda?

red_admiral
0 replies
1d9h

I hope this also applies to T&C spam - the thing where a company reminds you that they exist once a month by e-mailing you about a minor change to the wording of their terms and conditions, and because it's "important legal information" it overrides your opt-out preferences. If I think someone is taking the piss, I flag these as spam, and if more than 0.3% of the population did this then companies would think twice about this tactic.

pqvst
0 replies
1d16h

From Q1 2024, Gmail and Yahoo will require senders to have SPF, DKIM, and DMARC. Also, spam complaints must be kept below 0.3%.

I recently added DMARC monitoring to some of my domains through CloudFlare.

navigate8310
0 replies
1d11h

Having DMARC to allow all emails is still stupid. They should have added a mandatory reject policy.

XCSme
0 replies
1h2m

If anyone is interested, I wrote some sort of tldr blog post for quickly setting up your DMARC/SPF/DKIM: https://www.uxwizz.com/blog/stop-others-use-your-domain-emai...

TheCaptain4815
0 replies
1d11h

I’d say the only real worry for “black hat emailers” is the spam rate monitoring. Everything else is fairly trivial to comply with, but lowering the spam complaint threshold could really put a wrench in a lot of sales outreach campaigns.

The market (Google and others) was forced to act because of how laughably easy it is to stay compliant with the CAN-SPAM Act while legally mass spamming.

StayTrue
0 replies
1d14h

In practice I think people who care about deliverability have already instituted these measures ... because spam blocking measures at Big Email are so opaque you’ve tried everything/anything. And it’s not that difficult.

LanzVonL
0 replies
1d14h

That's so weird considering those two domains are the source of ALMOST all the spam I've seen over the last couple decades.