Re: Last Call: <draft-levine-herkula-oneclick-04.txt> (Signalling one-click functionality for list email headers) to Proposed Standard

"John Levine" <> Tue, 20 September 2016 02:36 UTC

Date: 20 Sep 2016 02:36:15 -0000
Message-ID: <20160920023615.83210.qmail@ary.lan>
From: "John Levine" <>
Subject: Re: Last Call: <draft-levine-herkula-oneclick-04.txt> (Signalling one-click functionality for list email headers) to Proposed Standard

>> provoked a lot of responses.  In any event, our goal here is to help
>> make mail less lousy, not to make a statement about how we think
>> people should design their systems.
>If they DoS a few spammers, seems like a win... :-)  In any case,
>there's no need for this as a motivation in the RFC.

I wouldn't disagree, except that the reason it's there is about six messages
ago people were complaining that I didn't explain why you had to use https
rather than mailto.

>> That's an implementation detail.  In the most likely implementations,
>> it's web mail so the MDA and MUA are all the same system.
>The requirement for DKIM signing is a mystery in the draft.  If it is
>there, its purpose should be explained.

Really, it's what I said. It's so recipient systems have a handle to
evaluate the message.  As you are doubtless aware, MUST means "do this
if you want to interoperate."  At least one very large mail system has
told me that they will only do one-click on signed mail.  So senders
MUST sign it so they can, you know, interoperate.

>If it is merely useful to them, there's no requirement for DKIM on
>the receiving side, and this is not enough to mandate DKIM in the
>draft.  Perhaps you meant to say that senders SHOULD use DKIM,
>otherwise the one-click unsubscribe signal might not be honoured?

No.  See above.

>I think not, "GET" is supposed to not have non-idempotent side-effects.
>I would strongly suggest that there be a requirement to include an
>"Origin: mailto:<envelope-sender>" header in the POST, which would
>indicate to the target webserver that it is dealing with a cross-origin

If you can find a non-trivial mailer who actually wants that, and you
are offering to update RFC 6454 so that header would be valid, I'd
consider it.  They've already got the List-Unsubscribe=One-Click if
they want a clue about why the POST is happening.
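A receiver-side gate for the one-click signal, added here as an illustration and not code from the thread or the draft: it yields a POST target only when the message carries List-Unsubscribe-Post: List-Unsubscribe=One-Click, an https List-Unsubscribe URI, and a DKIM signature whose h= tag covers both headers. The signature verdict (dkim_verified) is assumed to come from an external DKIM verifier, and the sample message is constructed.

```python
from email import message_from_string
from email.message import Message
from typing import Optional, Set
from urllib.parse import urlparse

ONE_CLICK_VALUE = "List-Unsubscribe=One-Click"
REQUIRED_SIGNED = {"list-unsubscribe", "list-unsubscribe-post"}

# Constructed sample (not from the thread): a DKIM-signed list message
# carrying both an https and a mailto unsubscribe URI plus the one-click signal.
SAMPLE_SIGNED = """\
DKIM-Signature: v=1; a=rsa-sha256; d=example.com; s=sel; h=from:subject:list-unsubscribe:list-unsubscribe-post; bh=ABC=; b=XYZ=
From: news@example.com
Subject: Weekly digest
List-Unsubscribe: <https://example.com/unsub?tok=abc123>, <mailto:unsub@example.com?subject=abc123>
List-Unsubscribe-Post: List-Unsubscribe=One-Click

body
"""


def signed_headers(msg: Message) -> Set[str]:
    """Lower-cased header names listed in the h= tag of the first DKIM-Signature."""
    sig = msg.get("DKIM-Signature")
    if not sig:
        return set()
    for tag in sig.split(";"):
        name, _, value = tag.strip().partition("=")
        if name.strip().lower() == "h":
            return {h.strip().lower() for h in value.split(":") if h.strip()}
    return set()


def one_click_target(raw: str, dkim_verified: bool) -> Optional[str]:
    """Return the https URI to POST to, or None if the signal must not be honoured.

    dkim_verified is the verdict of an external verifier (assumed here); this
    function only checks that the signature covers the two headers the receiver
    is about to act on, so an unsigned or unprotected signal is ignored.
    """
    msg = message_from_string(raw)
    if not dkim_verified or not REQUIRED_SIGNED <= signed_headers(msg):
        return None
    if (msg.get("List-Unsubscribe-Post") or "").strip() != ONE_CLICK_VALUE:
        return None
    for part in (msg.get("List-Unsubscribe") or "").split(","):
        uri = part.strip().strip("<>")
        if urlparse(uri).scheme == "https":  # mailto URIs are never used for one-click
            return uri
    return None
```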