> we’ll enforce a clear spam rate threshold that senders must stay under
I hope they make it really strict. I'm sick of companies that send you spam ("newsletters") just because you interacted with them once, then when you unsubscribe, you get unsubscribed from that one list, so they keep spamming you just with a slightly different newsletter type. (Edit: Also, everything requiring a notification - by e-mail if they couldn't get me to install their app - just to get me to engage with their site.)
Once such behavior has the potential of landing your entire domain in the spam folder, maybe they'll be more careful.
Edit: For example, I can't imagine LinkedIn being able to pull off their "phish people, steal their address book, spam each contact three times with no opt-out" bullshit for so long if strict spam thresholds were in place.
Just a perspective from the other side of the coin: I host various services for schools like online registration for parent-teacher conferences. When the platform is live, hundreds of parents are logging in, choosing their appointments and have to confirm them via email (only one email per person, not per appointment).
And Yahoo is the single worst email service to send to. I have correctly configured SPF, DMARC, DKIM and reverse DNS for the mail server and have tested the wording with multiple mail testing services to make sure it doesn't have keywords that get automatically flagged.
And yet after like 50 emails to parents with yahoo email addresses they are giving me errors because of "unusual volume of emails from your domain"
There is no form, no human to talk to and they just block you.
Angry parents come to me, of course, because they never received the activation link, so I had to put up a disclaimer stating that they should not use a Yahoo email address if they have a different one.
I have no idea if this still works, and it probably wouldn't work for a school, but 15-20 years ago the way to get Yahoo to stop blocking your emails was to call up your ad rep and say something like "Why the heck should we keep spending $10000/month buying ads on Yahoo when any new customers we get from those ads that use Yahoo email end up pissed off at us and maybe even charge back because it looks like we are completely ignoring them because they don't see our emails????".
That would get you added to a "never block mail from this domain" whitelist that had higher precedence than everything else.
There is a form and people you can talk to if the form doesn't work. The form should have been mentioned in the reject message but is at <https://senders.yahooinc.com/contact#sender-support-request>, though you should first review their information, rules, etc., starting at <https://senders.yahooinc.com/>. The mailop mailing list at <https://list.mailop.org/listinfo/mailop> is where you can ask for help if the former doesn't suffice; that will often result in direct contact with someone at Yahoo! who can get things done or at least give knowledgeable advice.
> And yet after like 50 emails to parents with yahoo email addresses they are giving me errors because of "unusual volume of emails from your domain"
Scandalous, it's almost as if the established major providers have a financial interest in making it difficult for smaller providers and individuals to send mail using their own domains!
> And Yahoo is the Single worst email service to send to.
During the pandemic we had a lot of problems with the confirmation email for our 5000 T.A. in the virtual campus of the university. I had to guess what was happening because I was not part of the administration team, just collecting forwarded messages from the T.A. and guessing:
* Gmail: Most of the time it works.
* Yahoo: The server receives a few hundred emails per day and the others are delayed. These were confirmation emails with half an hour tolerance; if they were lucky enough to pass the next day they were not useful. (After a week the sending server stops retrying.)
* Hotmail: Sometimes the email is received and sometimes it just disappears. No spam folder. No bounce email. It just evaporates. (Try sending an email from Hotmail to the no-reply address and cross your fingers.)
I seriously don't get why we can't have some sort of licensing authority for this type of thing. Maybe they issue you a secret key to include in email headers, or put your entire domain on some sort of whitelist. And complaints get handled by a human to confirm that it's not an "oh I don't like this" or "I don't remember signing up for this" nonsense complaint that would get you blocked or have your license revoked with a normal provider.
Am I crazy or just missing some super obvious gap with this path?
NextDoor is the absolute fucking worst with this. They sign you up to 10+ lists each in over 9+ categories that results in what feels like 100 different "notification types".
Unsubscribing from an email just unsubscribes from that one list. They don't show any other lists or categories (or imply there are more) during this process.
Once you login you are greeted with a multi-page disaster to manually untoggle each of the near 100 list types.
Then when they add new notifications it is auto-on for everyone.
Why do you bother fighting to unsubscribe properly with a company like that? I have a rule: I will try 1 time to legitimately unsubscribe, using the normal flow. If you keep sending me email after that, I will mark every email you send as spam and my email provider will stop delivering your mail.
I started doing this years ago after watching a talk by some Gmail devs on how they think of spam. They said they internally - controversially - redefined spam to be any email the user doesn’t want to receive. Well guess what? I don’t want to receive shitty marketing emails after I unsubscribe. If you send them to me, I’ll get you listed as a spammer.
I encourage everyone else to do the same thing. Life is too short to put up with this crap.
Another for the hall of shame: MyHeritage. They will never, ever stop spamming you if they get your email. Set your language to Chinese and delete your account, now they will spam you in Chinese.
The special award though, must go to Wal-mart. That company doesn't exist in my country. I obviously never interacted with them in any way. I still get their "newsletter", and sure enough, it's authenticated to come from their domain.
Yes I ran into this the other day when I tried Nextdoor out for the first time. I was actually so in awe of the insane and sociopathic dark pattern that is their email/notification subscription system that I immediately deleted the app. I don’t want to be a user on a platform that treats its users with so little respect.
If I'm certain I don't know the company, or I know the company but there is no unsubscribe button, it goes straight to Spam, no questions asked.
A decade ago I went to my country's embassy to renew my passport, and they now use my email to subscribe me to the newsletters of any new political party. All unsubscribe links just 404. Shameful behaviour.
Anything I receive from any of their political candidates goes straight to spam now. The hope is that I am training the spam filter so it marks those as spam for all other users as well.
It's simple really: have a clearly visible, working unsubscribe link in the body of the email that doesn't require jumping through hoops, and be from a company I know and use. Otherwise the spam filter learns about it.
There's worse. An unsubscribe link that asks you to submit your email. Few things anger me more, because they went through the trouble of pretending to comply, and a decision was made to make my day more difficult.
> I hope they make it really strict. I'm sick of companies that send you spam ("newsletters") just because you interacted with them once, then when you unsubscribe, you get unsubscribed from that one list, so they keep spamming you just with a slightly different newsletter type.
Never interact with spam. Unsubscribing just tells spammers that your email address is actively being checked, and that you're the kind of person who clicks on links found in unsolicited messages. It can even end up getting you more spam (as you've noticed), and what looks like an innocent unsubscribe link can actually take you to a malicious website instead. You've really got nothing to gain by touching spam at all.
The best way to deal with the spam that makes it into your inbox, especially spam that comes from specific senders with predictable subject lines/body content like newsletters, is filtering. For example, just auto-delete anything from a domain you never want to hear from again. You never see it, and you leave them spending at least a little time/effort shouting uselessly into the void.
I tend not to auto-delete directly, but have things filtered into specific folders just in case. It takes almost no time to clear out when they get very full. Most filters are set once and forget.
>Never interact with spam. Unsubscribing just tells spammers that your email address is actively being checked, and that you're the kind of person who clicks on links found in unsolicited messages.
This only applies to scam emails like newsletters from sketchy domains that you never signed up for, which are sent out specifically to find active email addresses. For those, clicking the "unsubscribe" link is indeed counterproductive.
For actual businesses like Linkedin though, it makes more sense than not to unsubscribe from unwanted emails anytime they're sent. On occasion you'll find yourself back on a different newsletter list, but it's relatively rare and more often than not just incompetence rather than malice; legitimate companies want to send their emails out to people who buy stuff, not people who mark them as spam and lower their reputation.
>Never interact with spam. Unsubscribing just tells spammers that your email address is actively being checked, and that you're the kind of person who clicks on links found in unsolicited messages. It can even end up getting you more spam (as you've noticed), and what looks like an innocent unsubscribe link can actually take you to a malicious website instead.
Yet there are people here on HN telling us that we have some kind of responsibility to watch ads, not block them, and support the kind of people who do this slimy, evil, unethical bullshit.
At mailpass.io we tried to embed some of these ideas straight away. Easy to ignore certain domains. Easy to delete all messages from a specific domain without sending any kind of tracking that this was done.
Interacted with the company, as in filed a support request, bought something from them, etc.
They already have my e-mail address, likely even verified. They're also somewhat normal companies, i.e. they have an address where the local DPA can send a friendly reminder, and while they will happily pass your (likely hashed) e-mail address to Facebook for ad targeting, actual selling to spammers is incredibly rare.
I often can't just filter the domain because I might actually need to deal with the company again (if I boycotted everyone who acts like a dick I'd be living in a cave).
The threshold is "spam rates reported in Postmaster Tools below 0.3%".
That sounds pretty low to me, but I'm not in the bulk email business. I guess maybe a very small number of users actually report spam? Or maybe Google is being strict.
One of the key problems is that both gmail and Yahoo UIs actively encourage users to report messages as spam rather than unsubscribing. Yahoo is particularly bad at this; it's common for me to receive spam reports from yahoo on an entirely double-opt-in social site I run. My reaction there is to remove the reporter from all lists because the amount of damage a single spam report can do is immense; a single spam report can block delivery for weeks at a time to the 10k others that legitimately requested messages. Hotmail/outlook/live is much the same in encouraging spam reporting over unsubscribe, however, their penalties are not as excessive as Yahoo's.
The worst offenders are those without a link to unsubscribe, and who instead ask you to "reply unsubscribe", which happily for them is also a signal to the email provider that you've interacted with them and therefore are not spam.
I hope they do not. Gmail's spam filter is far from perfect and classifies many non-spam messages/senders as spam. Maybe because they heavily rely on user reports (to train AI?) and email users tend to report all kinds of emails as spam, including clearly ham messages like bank statements, appointment notifications, password reset emails, etc.
Even gmail's own marketing messages (that I never asked for!) end up in my spam folder. If google can't even reliably send emails to themselves I don't know how they expect anyone else to succeed.
Nextdoor is the absolute worst about this. Selecting unsubscribe only lets you unsubscribe from the "type" of email they're sending you. After unsubscribing 7 or 8 times I just reported the whole domain as spam and blocked it.
i can't be the only oldskool person on hacker news who knows not to click on unsubscribe buttons because it just identifies you as a legitimate email/mark...
these are spammers, not cases where you ever actually signed up to some kind of legitimate newsletter or discussion group. to pretend good faith is your first mistake...
I don’t think this is a legitimate concern any more. There’s basically zero value in “confirming” an email address is legitimate. Between all of the data breaches and various other ways to get actual email addresses this isn’t a problem. It’s also so cheap to send email there isn’t an operational cost where you need to optimise for sending only to known addresses.
There is definitely a punitive cost for sending emails that are repeatedly marked as spam though. You also can’t just cycle IPs because a brand new IP with zero sender reputation is treated with almost as much suspicion by the big player as one that is known to be a spammer.
It’s much better to give people an option to opt out, and to honour it. Most of the email sending providers (e.g., SendGrid, mailchimp, etc) force you to include the link and automatically block future sending to that address. Some will even provide you the option to provide a reason, where you can specify “I did not sign up for this” which in sufficient number will flag the sender account. I suspect the vast majority of cases where people unsubscribe but continue to get email is actually some incompetence from not having multiple disparate email systems sync back to a shared do not contact list (rather each system is maintaining its own).
That's the case for spam sent by illegitimate parties (actual spammers), but any real company (what OP is referring to) will respect the unsubscribe button because they're at risk of being sued otherwise. Clicking unsubscribe in those cases actually does work & doesn't put you at risk of anything.
I just had this experience today. The problem is that at least in the States the regulation is ambiguous enough to be abused to hell and back. Unsubscribe in the States could mean “Unsubscribe from all” or “Unsubscribe from 1 of 20” or it could mean “unsubscribe from all now, but we will arbitrarily re-sign you up for some new newsletter whenever we feel like it”. I got a spam email today from some no-name dropshipper I bought contacts from probably a decade ago; I got LASIK 3 years ago and haven’t needed contacts since.
Some large companies even flagrantly violate the extremely lax rules that exist in the States. Guitar Center has infamously been sending me emails that are in direct violation of the one click unsubscribe regulations for almost a decade now. I can’t even sign in to the account to cancel the emails (which is in direct violation of the regulation- it is ambiguous on a lot of things but the one thing that it isn’t is that you aren’t supposed to be required to log in to opt out of email communications) because it was made with my dad’s email from 20 years ago yet I’m the recipient of the spam.
I did report them; but of course nothing must have happened because they are still doing it.
I don't know the legality of this in the EU but often it is required that you opt-in to these marketing emails to create an account or do other basic things on a website.
And then there's those online stores that cover the entire page in a popup that you can get a 20% discount code if you give your email. Technically I've opted into their marketing. But I always just use the coupon and then report the email as spam without bothering to unsubscribe.
Even European Websites do this. I know that in principle I never check the "I want to receive spam" but I still do and still have to unsubscribe later.
It’s fair to say any traditional email provider will still struggle to prevent this ‘legit spam’.
We took a different approach at mailpass.io where we assume most of the messages are not important for the majority of inbound email. We suggest giving it a go and then forgetting / not caring about whether unsubscribe actually works.
The Information are so incredibly bad for this. I've requested unsubscriptions multiple times from them and they just can't seem to manage it. Like, presumably their audience won't use them but still it rankles.
Honestly I prefer to subscribe to those kinds of newsletters in the form of an RSS feed. They just publish passively, and I choose when to subscribe and unsubscribe on my own terms, and it doesn't clutter my mailbox.
This might be good news, but as it comes from Google and involves email centralisation, I’m sceptical.
At MailPace we already enforce DKIM, it’s pretty basic stuff. But list-unsubscribe is optional for our senders.
We can make this a requirement and manage lists for senders who don’t / can’t implement a webhook to handle it (we already default to blocking resends to emails that hard bounce).
However I am curious how Google will track this. Just because the header is set, it doesn’t mean it’ll do anything. In fact it can be used by spammers to identify legit email addresses and spam them separately.
> Just because the header is set, it doesn’t mean it’ll do anything.
True, but I think when you're processing the volume of email that Gmail is, you'll have enough data to be able to infer whether the unsubscription was processed.
All it would take is one human to review the email, but sadly given Google's aversion to humans in the loop I predict it will be inferred by an algorithm and subject to false positives with no practical way to escalate for review.
Side-note: for list-unsubscribe, do you determine the subscriber's identity that needs to be unsubscribed based on the sender or the receiver (like <guid>@unsubscribe.service.com)?
Reason I'm asking is Unsubscribe rarely works for me due to my catch-all not SENDING emails from the address it was received on. It sends it from my actual address. Very annoying.
The RFC https://www.ietf.org/rfc/rfc2369.txt Section 3.2 is not specific on this - but the examples only show the To address, and no unique identifier beyond that, so it might not work out well for you for mailto list-unsubscribes. It also prefers mailto over https.
If we build this as a mandatory feature at MailPace, we'll use an HTTPS webhook with a unique identifier for the email, so if you unsubscribe from a list sent via us, it will work for you.
> Just because the header is set, it doesn’t mean it’ll do anything
But they can track proxy metrics for this. For example people using GMail's builtin unsubscribe feature more than once with the same unsubscribe link for different emails is a pretty good indicator the unsubscribe did not work.
I'm cautious as well. We all hate the spam and dark patterns, and Google is a relatively responsible citizen of the email world in my experience so I hope this will be a positive step.
However if email blocking becomes too aggressive then it can easily result in mails containing information that senders are literally required by law to provide to the recipient being silently dropped, which essentially means the mail service has caused the sender to unknowingly break the law. The penalties for not providing required information under consumer protection rules can be extremely serious in jurisdictions like the EU.
And Joe Random can be a real customer who you are really required to provide with information but can still hit the "this is spam" button if they don't particularly care or want to see it so reading too much into self-reported spam flags is a bit of a slippery slope. Combine that with mandating one-click unsubscribe but possibly without recognising types of emails that again the subscriber literally can't legally not send (at least not without sending the same information to the same recipient some other way instead) and there could be some real danger here.
It's transactional email - so generally speaking it's not a subscription list that recipients are on per se. This is in line with the CAN SPAM guidance (although that is a US law it's good guidance to follow globally).
Also it requires senders to actually implement it, which is not possible to confirm. Although we could add a catch all service that does this automatically, which I think we'll do.
Wrong address is one reason. For example, I receive transactional emails from a US-based ISP for someone else and the only way to unsubscribe is calling their customer service line. I’m not even in the same country.
The problem, as I know very well, is that when you have a common-sounding email, all kinds of people use it for all kinds of things. I get dozens of transactional emails a week from stores multiple states away.
A big part of why I’m stuck on/with gmail is that filtering redirects about 90% of those to spam.
On one of my SaaS apps workers receive details on their shifts via email. If I allow them to one-click unsubscribe, I know there will be many who do so accidentally, with no idea how to resubscribe.
Currently they need to sign in and manage their contact methods in settings (email, SMS, etc). Thus they know how to re-enable it if they disable it.
I can see many support requests from managers saying "X worker isn't getting emails". Sigh.
That's Amazon, in case it's not obvious. I don't need any of that by email, I immediately archive it, and if I want to know I look in my account, not my email. I even have the app installed and notifying me with all of the same and more (I'm spared 'x stops away' by email).
So they don't start getting blocked as spam? For transactional emails deliverability is often CRITICAL.
Oddly, on the cash app thing, I have a very basic username and seem to constantly have folks sending me money, sometimes good amounts. I never use the app, and eventually I hope the money goes back if I don't collect it.
More annoying on email but much less than it used to be - I think more systems require email verification now so a bit less common to get the misdirected order emails etc.
But yes, if I can't unsubscribe - then I block and report spam - even if it looks like transactional email (some is a lead-in to a scam where they will refund you for the "bogus" purchase).
I got a really cool vanity email address back in the early days of Gmail. But the downside of that is hundreds of goofball people around the world randomly guessing it when they want to put some bullshit value in a field on a web form. The worst was when my address got posted to some Indian jobs forum, under a title like "test job" - I got dozens of applications per hour for a few days. I had to make filters to block all email that included the words "bangalore", "delhi", or "hyderabad".
Anyway, the job applications have died down, but I still get plenty of others for people who are creating accounts. I unsubscribe when I can, and "mark spam" when I can't.
Because (according to this announcement) if you don't, Google will put you in the spam folder.
Edit: I suppose it does say "unsubscribe from commercial email in one click". But it's hard to say exactly what they mean. They also don't define Bulk Senders - is that the domain or the sending SMTP server?
Because its better than me just sending it to the spam box. Or worse, not interacting with your service.
At this point something as simple as ordering something online means I get 4-7 emails and then some growling "please rate us" shit. And if I am stupid enough to do so, but only rate it 4 out of 5, another "we are sorry, please tell us what we did wrong" email.
Reading all the comments makes me think I'm an outlier.
I very aggressively unsubscribe from everything so I get very little mailing list spam. Maybe a few messages a month.
What I do get _constantly_ is spam email messages to my inbox from Gmail and Outlook domains. At least one a day for many years. Because it's from Gmail, they have very little spam filtering done, yet if any other provider sent these messages then Google would block the entire domain.
These particular spam messages get on my nerves, and these are the only ones making it through to me.
Never unsubscribe from anything you haven't subscribed to (or at least where you haven't given your email address to the sending party), because I believe any interaction with unsolicited emails provides spammers with a clear signal that their spam is not just delivered but also read and interacted with, so they get more aggressive.
I've heard this advice before, but in my experience you can tell the difference between something malicious or not.
But more importantly even if I provide some signal that my email is active it's not going to change that much. They can send more, but that just helps train filters.
Lastly default Gmail settings loads remote images. Just opening the email is enough to create some signal. Having remote images turned off is enough to stop most engagement pings.
Yep, I'm the opposite of you. I get almost zero true "spam" to my Gmail account. Maybe 1-2 messages a month.
Whereas quite a few of these quasi-spam marketing emails from a company that I once had some interaction with. The worst is hotels - you stay at 10 hotels during the course of a trip, then you get added to 10 email lists for the rest of your life.
I have a Gmail account I opened in the early days of Gmail and stopped using on a regular basis when I got my own domain around mid-2000's. Whenever I occasionally check in, I always find heaps of spam. Many I've tried unsubscribing for and still get the mail--obviously Gmail's filter doesn't take into account senders I've flagged time and time again as spam.
In the days I ran my own mail server for my domain I was surprised to find that well over 50% of spam originated from Google (both emails with @gmail.com domains but also emails from other domains being processed via their servers). And I wasn't even a Gmail customer, so it looks like they don't really filter outgoing mail to other providers. It made my inbound filtering quite tricky as I couldn't block Google, as quite a lot of legitimate traffic comes from friends using Gmail, so the other SpamAssassin rules (e.g. content analysis) had to do much of the heavy lifting. A couple of years back I gave up and outsourced the MX for my domain to Fastmail. Interestingly they also struggle to filter Gmail messages (which isn't too surprising as they also use SpamAssassin) but thankfully there are only a few a week that get past and I always make sure these are flagged as spam to train the filter. Over time they end up going into my Spam folder and eventually they just don't arrive at all due to my spam settings blocking high spam scores.
Usually when I get the spam you are describing sent to my gmail account it looks like some spammer managed to send obvious spam messages from a server on an authoritative domain like a university.
Most of the spam I get in gmail apparently comes from other gmail accounts. Presumably google already filtered out senders pretending to be gmail, so I am not sure what a big improvement this will be for the average user.
I've gotten a few emails from my own gmail account, spoofed, which inexplicably did not land in the spam folder. This happened to me on multiple different gmail accounts, too.
The majority of my spam is to firstname.lastname@gmail.com, because I have a common name. I assume spammers put together a list of common names and infer addresses from them. This would probably help me a lot.
> Most of the spam I get in gmail apparently comes from other gmail accounts.
Are they actually from Gmail accounts, or are they simply spoofing the sender? My bet is on the latter, because Google has heavy restrictions on Gmail that make it impractical to use for sending bulk spam.
> I am not sure what a big improvement this will be for the average user.
It's not going to be particularly noticeable for the average user, except for the second part (single-click unsubscribe, as opposed to a multi-step flow, is slightly stricter than what's required by CAN-SPAM). It will probably make Google's work easier, though, by having a publicly-known policy of rejecting emails without DKIM, as opposed to the status quo of having that be merely an open secret.
The vast majority of spam we get that isn't trivially rejected (DMARC, malformed HELO, etc) is from real, actual gmail. But they sure do care about _incoming_ spam.
Overall the changes seem sensible. For those wanting to self host there are plenty of guides out there on how to configure various MTAs with all of the required bits.
BUT, Why does IP reputation matter so much these days when you have DKIM, MTA-STS, DANE and other mechanisms that provide verification of the sender?
Say I want to start up an Email Service Provider; I need to go and source a bunch of IPv4 typically to have a premium upsell for end users to really ensure cross-sender reputation does not impact other tenants. Crazy.
IPv6 historically at least was anecdotally punished by the likes of Gmail, Yahoo, Hotmail, Office365 etc. Does anyone know if IPv6-hosted email servers still suffer additional spam scoring?
Delivery via IPv6 still seems more stringent. IPv4 now requires "authentication" as well where previously only IPv6 did. Last I checked Google didn't use DANE, preferring instead MTA-STS -- perhaps understandable for a giant web property.
The authentication stuff is all standard practice so no big change IMO. However the hard spam limit with Gmail in particular will get interesting. I predict this is going to create some insane headaches for indie Saas startups.
Gmail is the only inbox provider that doesn’t offer a real feedback loop (you don’t actually know if a given email address marked you as spam when sending to gmail users). The FBL in Google postmaster tools is anonymized and unreliable at best.
So essentially, you never know if a Gmail user marked you as spam so you can stop sending to them. Gmail will just by default mark your emails as spam for that user going forward, without telling you. This means your spam complaint level will inevitably rise over time without you knowing why and what email addresses are causing the issue.
Unless Gmail actually starts providing a real FBL like other inbox providers, the hard spam limit is going to snowball into a nightmare for even the most conservative and legitimate senders.
Honestly sounds like I'm on the side of Gmail here.
Think about this from the perspective of an actual spammer. You get a notification that address XYZ is marked as spam by user ABC. Well, now you just email user ABC from a different address.
Not even spammers want to waste time & money emailing people who have already marked their emails as spam (that's as clear a signal as any to move onto the next victim).
The real problem is, for legitimate senders, the people who send less emails actually get higher levels of spam complaints! This is because humans are human and they forget who you are. I would argue this actually incentivizes sending more emails. This is why marketers all recommend sending garbage emails daily/weekly/monthly.
The truth is, the companies with full-time spam (marketing) departments will do just fine with these changes. It's the little guy who is going to have to navigate these complexities (likely unsuccessfully), and get shut out from yet another technology that used to be open.
On top of that, Google has started to offer perks for senders within Gmail for a $1,500 per year fee (VMC). They're basically one step away from collecting rents on all of email by way of their monopoly.
Hijacking the thread: I do some "bulk" sending for a 501(c)3 I volunteer for. I include unsubscribe links that go to a form with a submit button (because I want the unsubscribe to be a POST request). Each link has a random opaque identifier in the query string. Something like:
hxxp://example.com/unsubscribe?id=abcd1234
A couple years ago I noticed MSFT IPs hitting my unsubscribe links with invalid identifiers on the query string. Anybody ever seen that?
I think some crawlers run JS, because a lot of the web simply won't work without JS to initialise the page state these days.
You can use captcha or similar, one workaround I've seen has a submit that is hidden so never clicked by real people then a visible submit that sets a hidden input and clicks the other one which requires the hidden input... not foolproof but avoids some accidents.
Okay, HN. Go ahead and explain what's offensive here.
The question that was asked: "I noticed that MSFT IPs hitting my unsubscribe links with invalid identifiers on the [query] string. Anybody ever seen that?"
The question the parent commenter seems to have hallucinated: "Does anyone know how we can keep mail services from unsubscribing folks in error when these mail services scan our subscribers' emails, but also still offer our subscribers 1-click unsubscribe?"
It's not really common for clicking a link to immediately unsubscribe, almost everyone requires you to click a button after navigating to the unsubscribe link. Otherwise you have issues with link scanners unsubscribing your recipients without their knowledge. There are some more complex ways to approach this with JavaScript checks for "real browser" but IMO these are more likely to create frustrating friction to unsubscribing (by not working if the user has an adblocker for example) than having the user click a button.
I've seen this pattern of unsubscribe link, then click button approved as CAN-SPAM compliant more than once so I don't think there's a legal concern. The CAN-SPAM rule seems more targeted at the systems you used to see a lot that required the user to log into their account, type in their email address, or figure out a complicated "communications preferences" list to use the unsubscribe form.
It's a little fuzzy to me how exactly to interpret this but I think you could reasonably read it as allowing even unsubscribe pages that require you to type your email address in again (even though I detest these and don't think the problem they're intended to solve is a meaningful one).
So many email security systems preemptively access every URL in messages. I found that I receive a GET for virtually every unsubscribe URL I send out.
I don't read clicking a "confirm" button as a second action. The attorney didn't either. He also said CAN-SPAM doesn't apply to a 501(c)3. I still try to comply to be a good citizen.
You can require a second action such as clicking a button.
What you can't do is take them to a page that says "to unsubscribe, send a certified letter to our headquarters and wait 90 business days". The entire transaction must be completed at the page you link to.
Probably true but how do you handle autodetonation of email links in that case? Too many emails servers will click links automatically to check for issues.
This is exactly what the List-Unsubscribe-Post header from RFC 8058 provides: https://www.rfc-editor.org/rfc/rfc8058. The unsubscribe button that Gmail, Apple Mail and others display is driven by that; it's not a Gmail feature.
Weirdly, if google thinks you're a dodgy sender they won't display the button, which seems counterproductive to me.
Some companies attempt to hit every link in order to cache the link and then embed their own link so that they can track those links, and also to examine for malware. I work for a marketing SaaS and what made us break away from the monolith structure was that our server was getting blasted to hell and back by the sheer volumes of tracking links that were automatically followed by email providers.
Several antivirus scanners and mail providers open links to check for malware. I believe they add some randomness to either bust through cache or to detect if the URL is encoded as an exact match (some exploit kits will redirect to google.com if you alter the URL in any way or after x requests to the same URL).
Yes, have seen this in a couple of my SaaS applications.
If it's in the querystring then they essentially fuzz it by changing some part(s) of the value. I noticed this because I use signed tokens and it raised an exception in Sentry when the signed token was invalid.
I ended up moving the signed token into the URL itself and the problem went away. eg. /unsubscribe/abcd1234/
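An added worked example, not code from anyone in this thread, that ties the points above together: an HMAC-signed opaque token in the URL path rather than the query string, the RFC 8058 List-Unsubscribe / List-Unsubscribe-Post headers that drive the mail clients' one-click button, and a handler in which GET only renders a confirm button while only a POST changes state, so a security gateway that pre-fetches or fuzzes the link gets a harmless page or a 404 instead of unsubscribing the recipient. The domain example.com, the /unsubscribe/<token>/ layout, the SECRET and the in-memory subscription table are all assumptions made for the example.

```python
"""Added example (not from the thread): a scanner-safe, RFC 8058 one-click
unsubscribe endpoint with HMAC-signed tokens in the URL path.

Assumptions: example.com, the path layout, SECRET and the in-memory
SUBSCRIPTIONS table are hypothetical stand-ins for a real deployment.
"""
import base64
import hashlib
import hmac
import secrets
from typing import Optional

SECRET = b"replace-with-a-key-from-a-secret-store"  # assumption: real key comes from a secret store
BASE_URL = "https://example.com"                      # hypothetical sender domain

SUBSCRIPTIONS: dict[str, dict] = {}   # hypothetical table: opaque id -> record
UNSIGNED_HITS: list[str] = []         # tokens that failed verification (scanner/fuzz noise)


def subscribe(address: str, list_id: str) -> str:
    """Create a subscription under a random opaque id; the address never appears in a URL."""
    sub_id = secrets.token_urlsafe(12)
    SUBSCRIPTIONS[sub_id] = {"address": address, "list": list_id, "active": True}
    return sub_id


def sign(sub_id: str) -> str:
    """Token = opaque id + '.' + truncated HMAC-SHA256 over the id, URL-safe base64."""
    mac = hmac.new(SECRET, sub_id.encode(), hashlib.sha256).digest()[:16]
    return sub_id + "." + base64.urlsafe_b64encode(mac).decode().rstrip("=")


def verify(token: str) -> Optional[str]:
    """Return the subscription id if the token is intact, else None (constant-time compare)."""
    sub_id, _, _ = token.partition(".")
    if not sub_id or not hmac.compare_digest(sign(sub_id).encode(), token.encode()):
        return None
    return sub_id


def unsubscribe_url(sub_id: str) -> str:
    # Token in the path, not the query string: the thread reports scanners
    # mutating query-string values, which broke signed tokens placed there.
    return f"{BASE_URL}/unsubscribe/{sign(sub_id)}/"


def list_headers(sub_id: str) -> dict[str, str]:
    """Headers that make Gmail/Apple Mail show their one-click unsubscribe button (RFC 8058)."""
    return {
        "List-Unsubscribe": f"<{unsubscribe_url(sub_id)}>",
        "List-Unsubscribe-Post": "List-Unsubscribe=One-Click",
    }


def handle_request(method: str, path: str, body: str = "") -> tuple[int, str]:
    """Minimal router for /unsubscribe/<token>/ (no framework, to stay self-contained).

    GET never changes state: it returns a page with a single POST button, so a
    gateway that pre-fetches the link unsubscribes nobody. POST unsubscribes only
    when the token verifies, whether it carries the RFC 8058 one-click body or
    comes from the confirm button on that page.
    """
    parts = path.strip("/").split("/")
    if len(parts) != 2 or parts[0] != "unsubscribe":
        return 404, "not found"
    token = parts[1]
    sub_id = verify(token)
    if sub_id is None or sub_id not in SUBSCRIPTIONS:
        UNSIGNED_HITS.append(token)  # log, don't raise: expected scanner noise, not an error
        return 404, "not found"
    if method == "GET":
        # The whole transaction completes on this page: one button, nothing else to type.
        return 200, f'<form method="POST" action="/unsubscribe/{token}/"><button>Unsubscribe</button></form>'
    if method == "POST" and (body == "" or "List-Unsubscribe=One-Click" in body):
        SUBSCRIPTIONS[sub_id]["active"] = False  # idempotent: repeated POSTs are harmless
        return 200, "unsubscribed"
    return 405, "method not allowed"


def simulate_scanner(url: str) -> list[tuple[int, str]]:
    """Mimic the behaviour described in the thread: GET the link as sent, then with a mutated token."""
    path = url[len(BASE_URL):]
    mutated = path[:-3] + ("X" if path[-3] != "X" else "Y") + path[-2:]
    return [handle_request("GET", path), handle_request("GET", mutated)]


if __name__ == "__main__":
    sid = subscribe("parent@example.org", "conferences")  # constructed sample subscriber
    print(list_headers(sid))
    print(simulate_scanner(unsubscribe_url(sid)), SUBSCRIPTIONS[sid]["active"])
    print(handle_request("POST", unsubscribe_url(sid)[len(BASE_URL):], "List-Unsubscribe=One-Click"))
```

The design choice worth noting: the GET response is the confirm page itself, so the recipient still completes everything on the page the link points to, while a mail client that honours List-Unsubscribe-Post skips the page entirely and POSTs the one-click body. Invalid tokens are counted rather than raised, which keeps scanner fuzzing out of your error tracker.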
What else should I do? The list is double opt-in, every message includes a one-click unsubscribe link, full contact info for the organization is included, and I send text-only.
Doesn't matter to me, if an email doesn't have a one click unsubscribe I just mark it as spam. Messes with their email reputation so they hopefully get kicked off of reputable email services.
"!" key shortcut to mark as spam in Gmail web interface. I use it all the time. If I didn't expect and don't want the email you sent, then it is spam, regardless of what fine print I clicked through unknowingly at some point.
Would love for an "Unsubscribe Sunday" unofficial holiday to catch on to the same degree as "Cyber Monday".
Unfortunately for us, the Privacy team at our org has determined that a one-click unsubscribe link in the body of the email is unacceptable (passing an identifier into the URL of the link). So we accept either the client unsubscribe link, or users who click the unsubscribe link in the email have to provide their email address on the unsubscribe page.
That's rather ridiculous. There's a good reason not to put a one-click unsubscribe button in the email (email scanners will GET every URL you link to check for malware and you end up auto-unsubbing your recipients) but emails already inherently contain personal information: the email address they're directed to.
I do exactly the same. I give them one chance to let me unsubscribe. If it is more than 2 or 3 clicks I give up and mark as spam. If they keep sending I mark as spam.
I honestly don't care about their reputation, I just mark anything I don't want as spam. It's easier than finding the tiny 8-point link at the bottom and rolling the dice on whether their unsubscribe is one click or not. I don't feel obligated to protect their shitty business model.
I once went to an Atlassian conf and they resold all our emails to dodgy people. Or perhaps leaked them over the black markets.
Not only do I keep receiving almost the same email suggesting to buy 5,000 email addresses of Atlassian customers with always the same fields, but it's always from different domains.
I didn’t think of submitting an Atlassian ticket for each spam I receive. That would teach them.
That would get you added to a "never block mail from this domain" whitelist that had higher precedence than everything else.
Scandalous, it's almost as if the established major providers have a financial interest in making it difficult for smaller providers and individuals to send mail using their own domains!
During the pandemic we had a lot of problems with the confirmation email for our 5000 T.A. in the virtual campus of the university. I had to guess what was happening because I was not part of the administration team, just collecting forwarded messages from the T.A. and guessing:
* Gmail: Most of the time it works.
* Yahoo: The server receives a few hundred emails per day and the others are delayed. These were confirmation emails with half an hour tolerance, if they were lucky to pass the next day they were not useful. (After a week the sending server stops retrying.)
* Hotmail: Sometimes the email is received and sometimes it just disappears. No spam folder. No bounce email. It just evaporates. (Try sending an email from hotmail to the no-reply address and cross your fingers.)
* Others: Not enough data to have a good guess.
Am I crazy or just missing some super obvious gap with this path?
Unsubscribing from an email just unsubscribes from that one list. They don't show any other lists or categories (or imply there are more) during this process.
Once you login you are greeted with a multi-page disaster to manually untoggle each of the near 100 list types.
Then when they add new notifications it is auto-on for everyone.
I started doing this years ago after watching a talk by some Gmail devs on how they think of spam. They said they internally - controversially - redefined spam to be any email the user doesn’t want to receive. Well guess what? I don’t want to receive shitty marketing emails after I unsubscribe. If you send them to me, I’ll get you listed as a spammer.
I encourage everyone else to do the same thing. Life is too short to put up with this crap.
The special award though, must go to Wal-mart. That company doesn't exist in my country. I obviously never interacted with them in any way. I still get their "newsletter", and sure enough, it's authenticated to come from their domain.
A decade ago I went to my country's embassy to renew my passport, and they now use my email to subscribe me to the newsletters of any new political party. All unsubscribe links just 404. Shameful behaviour.
Anything I receive from any of their political candidates goes straight to spam now. The hope is that I am training the spam filter so it marks those as spam for all other users as well.
It's simple really: have clearly visible, working unsubscribe link in the body of the email that doesn't require jumping through hoops, and be from a company I know and use. Otherwise the spam filter learns about it.
Never interact with spam. Unsubscribing just tells spammers that your email address is actively being checked, and that you're the kind of person who clicks on links found in unsolicited messages. It can even end up getting you more spam (as you've noticed), and what looks like an innocent unsubscribe link can actually take you to a malicious website instead. You've really got nothing to gain by touching spam at all.
The best way to deal with the spam that makes it into your inbox, especially spam that comes from specific senders with predictable subject lines/body content like newsletters, is filtering. For example, just auto-delete anything from a domain you never want to hear from again. You never see it, and you leave them spending at least a little time/effort shouting uselessly into the void.
I tend not to auto-delete directly, but have things filtered into specific folders just in case. It takes almost no time to clear out when they get very full. Most filters are set once and forget.
This only applies to scam emails like newsletters from sketchy domains that you never signed up for, which are sent out specifically to find active email addresses. For those, clicking the "unsubscribe" link is indeed counterproductive.
For actual businesses like Linkedin though, it makes more sense than not to unsubscribe from unwanted emails anytime they're sent. On occasion you'll find yourself back on a different newsletter list, but it's relatively rare and more often than not just incompetence rather than malice; legitimate companies want to send their emails out to people who buy stuff, not people who mark them as spam and lower their reputation.
Yet there are people here on HN telling us that we have some kind of responsibility to watch ads, not block them, and support the kind of people who do this slimy, evil, unethical bullshit.
They already have my e-mail address, likely even verified. They're also somewhat normal companies, i.e. they have an address where the local DPA can send a friendly reminder, and while they will happily pass your (likely hashed) e-mail address to Facebook for ad targeting, actual selling to spammers is incredibly rare.
I often can't just filter the domain because I might actually need to deal with the company again (if I boycotted everyone who acts like a dick I'd be living in a cave).
Also, for many, unsubscribe actually works.
The threshold is "spam rates reported in Postmaster Tools below 0.3%".
That sounds pretty low to me, but I'm not in the bulk email business. I guess maybe a very small number of users actually report spam? Or maybe Google is being strict.
Source: https://support.google.com/mail/answer/81126#zippy=%2Crequir...
(I work for Google, but on something totally unrelated, and don't speak for them or have any inside knowledge.)
I hope they do not. Gmail's spam filter is far from perfect and classifies many non-spam messages/senders as spam. Maybe because they heavily rely on user reports (to train AI?) and email users tend to report all kinds of emails as spam, including clearly ham messages like bank statements, appointment notifications, password reset emails, etc.
these are spammers, not cases where you ever actually signed up to some kind of legitimate newsletter or discussion group. to pretend good faith is your first mistake...
There is definitely a punitive cost for sending emails that are repeatedly marked as spam though. You also can’t just cycle IPs because a brand new IP with zero sender reputation is treated with almost as much suspicion by the big player as one that is known to be a spammer.
It’s much better to give people an option to opt out, and to honour it. Most of the email sending providers (e.g., SendGrid, mailchimp, etc) force you to include the link and automatically block future sending to that address. Some will even provide you the option to provide a reason, where you can specify “I did not sign up for this” which in sufficient number will flag the sender account. I suspect the vast majority of cases where people unsubscribe but continue to get email is actually some incompetence from not having multiple disparate email systems sync back to a shared do not contact list (rather each system is maintaining its own).
Click the unsubscribe button.
Some large companies even flagrantly violate the extremely lax rules that exist in the States. Guitar Center has infamously been sending me emails that are in direct violation of the one click unsubscribe regulations for almost a decade now. I can’t even sign in to the account to cancel the emails (which is in direct violation of the regulation- it is ambiguous on a lot of things but the one thing that it isn’t is that you aren’t supposed to be required to log in to opt out of email communications) because it was made with my dad’s email from 20 years ago yet I’m the recipient of the spam.
I did report them; but of course nothing must have happened because they are still doing it.
And then there's those online stores that cover the entire page in a popup that you can get a 20% discount code if you give your email. Technically I've opted into their marketing. But I always just use the coupon and then report the email as spam without bothering to unsubscribe.
Also there are separate email marketing laws.
At MailPace we already enforce DKIM, it’s pretty basic stuff. But list-unsubscribe is optional for our senders.
We can make this a requirement and manage lists for senders who don’t / can’t implement a webhook to handle it (we already default to blocking resends to emails that hard bounce).
However I am curious how Google will track this. Just because the header is set, it doesn’t mean it’ll do anything. In fact it can be used by spammers to identify legit email addresses and spam them separately.
True, but I think when you're processing the volume of email that Gmail is, you'll have enough data to be able to infer whether the unsubscription was processed.
Reason I'm asking is Unsubscribe rarely works for me due to my catch-all not SENDING emails from the address it was received on. It sends it from my actual address. Very annoying.
If we build this as a mandatory feature at MailPace, we'll use an HTTPS webhook with a unique identifier for the email, so if you unsubscribe from a list sent via us, it will work for you.
But they can track proxy metrics for this. For example people using GMail's builtin unsubscribe feature more than once with the same unsubscribe link for different emails is a pretty good indicator the unsubscribe did not work.
However if email blocking becomes too aggressive then it can easily result in mails containing information that senders are literally required by law to provide to the recipient being silently dropped, which essentially means the mail service has caused the sender to unknowingly break the law. The penalties for not providing required information under consumer protection rules can be extremely serious in jurisdictions like the EU.
And Joe Random can be a real customer who you are really required to provide with information but can still hit the "this is spam" button if they don't particularly care or want to see it so reading too much into self-reported spam flags is a bit of a slippery slope. Combine that with mandating one-click unsubscribe but possibly without recognising types of emails that again the subscriber literally can't legally not send (at least not without sending the same information to the same recipient some other way instead) and there could be some real danger here.
Also it requires senders to actually implement it, which is not possible to confirm. Although we could add a catch all service that does this automatically, which I think we'll do.
That's my concern as well. Ah well, we'll just mark them as arc=pass and sit back and relax.
A big part of why I’m stuck on/with gmail is that filtering redirects about 90% of those to spam.
On one of my SaaS apps workers receive details on their shifts via email. If I allow them to one-click unsubscribe, I know there will be many who do so accidentally, with no idea how to resubscribe.
Currently they need to sign in and manage their contact methods in settings (email, SMS, etc). Thus they know how to re-enable it if they disable it.
I can see many support requests from managers saying "X worker isn't getting emails". Sigh.
- confirmation of my order
- my order has been despatched
- my order is out for delivery
- my order has been delivered to locker
- reminder to collect from locker
- my order has been collected from locker
- feedback on customer support chat experience
- my return label has been generated
- reminder to return my item
- my refund is processing
That's Amazon, in case it's not obvious. I don't need any of that by email, I immediately archive it, and if I want to know I look in my account, not my email. I even have the app installed and notifying me with all of the same and more (I'm spared 'x stops away' by email).
Oddly, on the cash app thing, I have a very basic username and seem to constantly have folks sending me money, sometimes good amounts. I never use the app, and eventually I hope the money goes back if I don't collect it.
More annoying on email but much less than it used to be - I think more systems require email verification now so a bit less common to get the misdirected order emails etc.
But yes, if I can't unsubscribe - then I block and report spam - even if it looks like transactional email (some is a lead-in to a scam where they will refund you for the "bogus" purchase).
Think of it the same way Canada’s anti spam law (CASL) works. https://emailkarma.net/2016/09/qa-transactional-emails-unsub...
Anyway, the job applications have died down, but I still get plenty of others for people who are creating accounts. I unsubscribe when I can, and "mark spam" when I can't.
Edit: I suppose it does say "unsubscribe from commercial email in one click". But it's hard to say exactly what they mean. They also don't define Bulk Senders - is that the domain or the sending SMTP server?
At this point something as simple as ordering something online means I get 4-7 emails and then some growling "please rate us" shit. And if I am stupid enough to do so, but only rate it 4 out of 5, another "we are sorry, please tell us what we did wrong" email.
I very aggressively unsubscribe from everything so I get very little mailing list spam. Maybe a few messages a month.
What I do get _constantly_ is spam email messages to my inbox from Gmail and Outlook domains. At least one a day for many years. Because it's from Gmail, they have very little spam filtering done, yet if any other provider sent these messages then Google would block the entire domain.
These particular spam messages get on my nerves, and these are the only ones making it through to me.
Never unsubscribe from anything you haven't subscribed to (or at least where you haven't given your email address to the sending party), because I believe any interaction with unsolicited emails provides spammers with a clear signal that their spam is not just delivered but also read and interacted with, so they get more aggressive.
But more importantly even if I provide some signal that my email is active it's not going to change that much. They can send more, but that just helps train filters.
Lastly default Gmail settings loads remote images. Just opening the email is enough to create some signal. Having remote images turned off is enough to stop most engagement pings.
Whereas quite a few of these quasi-spam marketing emails from a company that I once had some interaction with. The worst is hotels - you stay at 10 hotels during the course of a trip, then you get added to 10 email lists for the rest of your life.
I doubt Google would do that to other big companies.
Some accept user-provided email addresses at face value, without any confirmation, and then refuse to stop spamming you.
Would Google block Paypal?
That’s what I have done on my outlook.
Are they actually from Gmail accounts, or are they simply spoofing the sender? My bet is on the latter, because Google has heavy restrictions on Gmail that make it impractical to use for sending bulk spam.
> I am not sure what a big improvement this will be for the average user.
It's not going to be particularly noticeable for the average user, except for the second part (single-click unsubscribe, as opposed to a multi-step flow, is slightly stricter than what's required by CAN-SPAM). It will probably make Google's work easier, though, by having a publicly-known policy of rejecting emails without DKIM, as opposed to the status quo of having that be merely an open secret.
BUT, Why does IP reputation matter so much these days when you have DKIM, MTA-STS, DANE and other mechanisms that provide verification of the sender?
Say I want to start up an Email Service Provider, I need to go and source a bunch of IPv4 typically to have a premium upsell for end users to really ensure cross sender reputation does not impact other tenants. Crazy.
This allows everything to be "one click" (which honestly is a good thing) but prevents crawlers from accidentally triggering the unsubscribe.
Not sure this still works today and obviously this is not legal advice.
https://techcommunity.microsoft.com/t5/security-compliance-a...
If I get another email from that org, I click "report spam".
check out https://www.ecfr.gov/current/title-16/chapter-I/subchapter-C...
Details: https://support.google.com/mail/answer/81126#zippy=%2Crequir...
(I work for Google, but on something totally unrelated, and don't speak for them or have any inside knowledge. I was just curious and looked it up.)
That was my understanding at least.
Please try to make the world a better place instead of doing the legal minimum.
Would love for an "Unsubscribe Sunday" unofficial holiday to catch on to the same degree as "Cyber Monday".
I don’t ever remember subscribing to anything. Almost all email is undesired, apart from password reset emails.
NEVER give your true email to Atlassian.