One-click unsubscribe (RFC 8058), explained
Since February 2024, Google and Yahoo require bulk senders to support one-click unsubscribe, and Microsoft's 2025 rules require a functional unsubscribe. The catch: this requirement is invisible in DNS. Your SPF, DKIM, and DMARC can all be perfect while every newsletter you send violates it, because one-click unsubscribe lives in the message itself, in two headers most people have never looked at.
It is not the link in your footer
Every newsletter has an unsubscribe link at the bottom. That link is not what the mandate means. One-click unsubscribe (RFC 8058) is a machine-readable pair of message headers that lets the mailbox provider itself offer an unsubscribe button next to the message, and honor it with a single POST request, no page visit, no confirmation step, no login:
List-Unsubscribe- an https URL (and optionally a mailto address) the receiver can call. Required since RFC 2369 days for list mail; the mandate requires the https form.List-Unsubscribe-Post: List-Unsubscribe=One-Click- the RFC 8058 marker that tells the receiver the URL accepts a bare POST as a complete unsubscribe. This is the header raw senders miss.
The DKIM rule nobody reads
RFC 8058 has a second requirement: the message's DKIM signature MUST cover both headers. A signature declares which headers it signs in its h= list; if list-unsubscribe and list-unsubscribe-post are not in that list, anyone relaying the message could alter or inject them, so receivers are entitled to ignore them. A stream can carry both headers and still fail the requirement this way.
Who requires what
- Google and Yahoo (February 2024, bulk senders over roughly 5,000 messages a day): one-click unsubscribe on marketing and subscription mail, honored within two days.
- Microsoft (May 2025, Outlook consumer domains): a functional unsubscribe mechanism. Weaker than one-click on paper, but the same fix satisfies both.
- Transactional mail - receipts, password resets, security notices - is not bulk mail and is not held to the unsubscribe requirements. A tool that grades a receipt against them is scoring theater.
Who silently misses it
Major marketing platforms (Mailchimp, HubSpot, Klaviyo and peers) add the pair automatically, which is exactly why the at-risk population is everyone else: raw SendGrid or Amazon SES integrations where the application composes its own headers, in-house SMTP, and older newsletter software. DNS looks green, the mandate is violated, and no DNS-based tool can tell you.
How to check a real message
Open a message from your own stream and view its original/raw form. Look for both headers, then find the DKIM-Signature whose d= matches your domain and check its h= list names both. If you would rather have this checked continuously on real mail, that is what trustyourinbox's Mandate Monitor does: you subscribe a private probe address to your streams, and every message is graded against the current mandate rulebook, header by header, with the evidence kept.
Keep reading
Free for one domain. Set up in five minutes. We parse the reports; you read plain-English summaries.