Missing One-Click List-Unsubscribe Header (Gmail/Yahoo Bulk-Sender Requirement)

What’s actually happening

Open rates from Gmail and Yahoo recipients fall off a cliff while other providers look normal. Microsoft starts bouncing the same campaigns with 550 5.7.515. The email itself renders fine in a test inbox, and there's a visible unsubscribe link in the footer, so nothing looks broken from the sending side. The damage shows up in placement and bounce logs, not in the message body.

Common causes

• No List-Unsubscribe-Post: List-Unsubscribe=One-Click header at all — only the older List-Unsubscribe with a mailto: or click-through URL is present.
• List-Unsubscribe contains only a mailto: target and no HTTPS URI, which RFC 8058 requires for the one-click flow.
• The two headers exist but are not covered by the DKIM signature (they're outside the h= tag), so providers treat them as untrusted and ignore them.
• The unsubscribe endpoint answers a GET but 404s or 405s on the POST that Gmail/Yahoo actually send, or it requires a login/confirmation page instead of acting immediately.
• Sending 5,000+ messages/day to Gmail or Yahoo without the header in place — under that volume the requirement isn't enforced, so the problem only appears once a list grows.

How to fix it

1. Add both headers to every marketing messageEmit List-Unsubscribe: <https://example.com/u/TOKEN>, <mailto:[email protected]> and List-Unsubscribe-Post: List-Unsubscribe=One-Click. The HTTPS URI must come first and carry a per-recipient token so the POST identifies who to remove. mailto can stay as a fallback but is not sufficient on its own.
2. Make the endpoint accept POST and act on itThe URL must answer an unauthenticated POST (Gmail/Yahoo send an empty body with the List-Unsubscribe=One-Click form field) and return 200 or 202 with a blank page. No confirmation screen, no login. Unsubscribe the recipient immediately and complete removal within 48 hours.
3. Put the headers inside the DKIM signatureAdd List-Unsubscribe and List-Unsubscribe-Post to the DKIM h= tag so the signature covers them. If they aren't signed, providers can't trust they came from you and will disregard the one-click path — which is the same as not having it.
4. Confirm SPF, DKIM and DMARC are alignedThe one-click header is one line item in the Gmail/Yahoo/Microsoft bulk-sender bundle. You also need passing SPF, DKIM, and a published DMARC record with alignment. 550 5.7.515 specifically flags the authentication level, so check those before assuming the header alone is the issue.
5. Verify with a real inbox and raw sourceSend to a Gmail and a Yahoo address, open the raw message, and confirm both headers are present and the HTTPS one is first. Click the native unsubscribe control Gmail shows next to the sender name and confirm the POST hits your endpoint in your access logs.