Network Working Group J. Levine Internet-Draft Taughannock Networks Intended status: Standards Track T. Herkula Expires: January 20, 2017 optivo GmbH July 19, 2016 Signalling one-click functionality for list email headers draft-levine-herkula-oneclick-01 Abstract This document describes a method for signaling a one-click function for the list-unsubscribe email header. The need for this arises out of the actuality that mail software sometimes fetches URLs in mail headers, and thereby accidentally triggers unsubcriptions in the case of the list-unsubscribe header. Status of This Memo This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet- Drafts is at http://datatracker.ietf.org/drafts/current/. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." This Internet-Draft will expire on January 20, 2017. Copyright Notice Copyright (c) 2016 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of Levine & Herkula Expires January 20, 2017 [Page 1] Internet-Draft One click unsubscribe July 2016 the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License. Table of Contents 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 2. Definitions . . . . . . . . . . . . . . . . . . . . . . . . . 2 3. High-Level Goals . . . . . . . . . . . . . . . . . . . . . . 3 4. Out of Scope . . . . . . . . . . . . . . . . . . . . . . . . 3 5. Implementation . . . . . . . . . . . . . . . . . . . . . . . 3 5.1. Mail senders . . . . . . . . . . . . . . . . . . . . . . 3 5.2. Mail receivers . . . . . . . . . . . . . . . . . . . . . 3 6. Additional Requirements . . . . . . . . . . . . . . . . . . . 4 7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 4 8. Examples . . . . . . . . . . . . . . . . . . . . . . . . . . 4 8.1. Simple . . . . . . . . . . . . . . . . . . . . . . . . . 5 8.2. Complex . . . . . . . . . . . . . . . . . . . . . . . . . 5 9. Security Considerations . . . . . . . . . . . . . . . . . . . 5 10. Normative References . . . . . . . . . . . . . . . . . . . . 5 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 6 1. Introduction An [RFC2369] email header can contain HTTP or HTTPS URIs. In a List- Unsubscribe Header the HTTP or HTTPS URI should unsubscribe the recipient of the email from the list. But anti-spam software often fetches all resources in mail headers automatically, without any action by the user. As a result of this unintended malicious behavior, senders implement landing pages with a confirmation step to finish the unsubscribe request. This document addresses this part of the problem, with a POST action for receivers that can be distinguished by senders from other requests and therefore handled as a one-click unsubscription. 2. Definitions The capitalized key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in [RFC2119]. One-click describes an action that directly triggers a change in a system's state, intended to be applied only with a user's intent. Levine & Herkula Expires January 20, 2017 [Page 2] Internet-Draft One click unsubscribe July 2016 3. High-Level Goals This document has several goals. o Allow email senders to signal "One-Click" functionality for specific HTTP and HTTPS URIs used in [RFC2369] email headers. o Allow MUA designers to implement independent user interface features for a better user experience. o Allow MUA users to trigger intended actions in a familiar environment and without leaving the MUA context. 4. Out of Scope This document does not address problems associated with intended malicious behavior. 5. Implementation 5.1. Mail senders An entity which is responsible for sending an email that wishes to add an HTTP or HTTPS URI for one-click unsubscriptions places both a List-Unsubscribe and a List-Unsubscribe-Post header in the message. The List-Unsubscribe-Post header may contain multiple key value pairs needed by the sending entity. It also MUST contain the key value pair "List-Unsubscribe=One-Click". The combination of the URI in the List-Unsubscribe header and the POST arguments in the List-Unsubscribe-Post header MUST identify the mail recipient, so that the unsubscription process knows what address to handle. In particular, "one click" has no way to manually ask the user what address he or she wishes to unsubscribe. The sending entity needs to provide the infrastructure to handle POST requests to the specified URI in the List-Unsubscribe header. The "One-Click" action triggered by this URI SHOULD complete promptly and not burden the requester in an inappropriate way. The sending entity cannot expect that HTTP redirects are followed by the requester. 5.2. Mail receivers A receiving entity which wants to use a List-Unsubscribe HTTP URI from an email that also contains a List-Unsubscribe-Post header performs an HTTP or HTTPS POST to the first HTTP or HTTPS URI in the Levine & Herkula Expires January 20, 2017 [Page 3] Internet-Draft One click unsubscribe July 2016 List-Unsubscribe header and send the content of the List-Unsubscribe- Post header as request body with the content type set to "application/x-www-form-urlencoded". The receiving entity MUST NOT perform a POST on the the HTTP or HTTPS URI without user consent. When and how the user consent is obtained is not part of this specification. The Request uses the HTTP or HTTPS verb POST. The HEAD and GET requests are not intended to be used to trigger a state change. PUT and DELETE would offer similar functionality but are often unavailable. 6. Additional Requirements The email needs at least one valid authentication identifier. In this version of the specification the only supported identifier type is DKIM [RFC6376], that provides a domain-level identifier in the content of the "d=" tag of a validated DKIM-Signature header field. The List-Unsubscribe and List-Unsubscribe-Post headers need to be included in the "h=" tag of a valid DKIM-Signature header field. The domain used in the HTTP or HTTPS URI MUST align with the domain used in the "d=" tag of the valid DKIM-Signature header field in which the headers are included in the "h=" tag. 7. IANA Considerations IANA is requested to add a new entry to the Permanent Message Header Field Names registry. Header field name: List-Unsubscribe-Post Applicable protocol: mail Status: standard Author/Change controller: IETF Specification document: this document 8. Examples Levine & Herkula Expires January 20, 2017 [Page 4] Internet-Draft One click unsubscribe July 2016 8.1. Simple Header in Email List-Unsubscribe: List-Unsubscribe-Post: List-Unsubscribe=One-Click&recip=user@example.com Resulting POST request POST /unsubscribe.html HTTP/1.1 Host: example.com Content-Type: application/x-www-form-urlencoded Content-Length: 49 List-Unsubscribe=One-Click&recip=user@example.com 8.2. Complex Header in Email List-Unsubscribe: , List-Unsubscribe-Post: List-Unsubscribe=One-Click Resulting POST request POST /unsubscribe.html?campaign=123456789 HTTP/1.1 Host: example.com Content-Type: application/x-www-form-urlencoded Content-Length: 49 List-Unsubscribe=One-Click&recip=user@example.com 9. Security Considerations The List-Unsubscribe-Post header will typically contain the recipient address, but that address is usually also in the To: header. This specification allows anyone with access to a message to unsubscribe the recipient of the message, but that's typically the case with existing List-Unsubscribe, just with more steps. 10. Normative References [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/RFC2119, March 1997, . Levine & Herkula Expires January 20, 2017 [Page 5] Internet-Draft One click unsubscribe July 2016 [RFC2369] Neufeld, G. and J. Baer, "The Use of URLs as Meta-Syntax for Core Mail List Commands and their Transport through Message Header Fields", RFC 2369, DOI 10.17487/RFC2369, July 1998, . [RFC6376] Crocker, D., Ed., Hansen, T., Ed., and M. Kucherawy, Ed., "DomainKeys Identified Mail (DKIM) Signatures", STD 76, RFC 6376, DOI 10.17487/RFC6376, September 2011, . Authors' Addresses John Levine Taughannock Networks PO Box 727 Trumansburg, NY 14886 Phone: +1 831 480 2300 Email: standards@taugh.com URI: http://jl.ly Tobias Herkula optivo GmbH Wallstrasse 16 Berlin 10179 DE Phone: +49 30 768078 129 Email: t.herkula@optivo.com URI: https://www.optivo.com Levine & Herkula Expires January 20, 2017 [Page 6]