Redwood City CA US david@weekly.org

US standards@standcore.com

ART MAILMAINT email This document describes a mechanism for an email recipient to indicate to a sender that they are not the intended recipient. About This Document Discussion of this document takes place on the MAILMAINT Working Group mailing list (), which is archived at . Subscribe at . Source for this draft and an issue tracker can be found at .

Introduction Many users with common names and/or short email addresses receive transactional emails from service providers intended for others. These emails can't be unsubscribed (as they are transactional) but neither are they spam. These emails commonly are from a noreply@ email address; there is no standards-based mechanism to report a "wrong recipient" to the sender. Doing so is in the interest of all three involved parties: the inadvertent recipient (who does not want the email), the sender (who wants to be able to reach their customer and who does not want the liability of transmitting PII to a third party), and the intended recipient. This document proposes a structured mechanism for the reporting of such misdirected email via HTTPS POST, updating the List-Unsubscribe-Post mechanism of .

Proposal There ought be a mechanism whereby a service can indicate it has an endpoint to indicate a "wrong recipient" of an email. If this header field is present in an email message, the user can select an option to indicate that they are not the intended recipient. Updating the one-click unsubscription , the mail service can perform this action in the background as an HTTPS POST to the provided URL without requiring the user's further attention to the matter. Since it's possible the user may have a separate valid account with the sending service, it may be important that the sender be able to tie which email was sent to the wrong recipient. For this reason, the sender may also include an opaque blob in the header field to specify the account ID referenced in the email; this is included in the POST. Note that this kind of misdelivery shouldn't be possible if a service has previously verified the user's email address for the account.

Conventions and Definitions The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 when, and only when, they appear in all capitals, as shown here.

High-Level Goals Allow a recipient to stop receiving emails intended for someone else. Allow a service to discover when they have the wrong email for a user.

Out of Scope This document does not propose a mechanism for automatically discovering whether a given user is the correct recipient of an email, though it is possible to use some of the signals in an email, such as the intended recipient name, to infer a possible mismatch between actual and intended recipients.

Implementation

Mail Senders When Sending Mail Senders that wish to be notified when a misdelivery has occurred should include a List-Unsubscribe: header field and a List-Unsubscribe-Post: header containing "Wrong-Recipient=One-Click". The sender MUST encode a mapping to the underlying account identifier in the List-Unsubscribe: URI as described in Section 3.1 of .

Mail Recipients When a mail client receives an email that includes a Wrong-Recipient header field, an option should be exposed in the user interface that allows a recipient to indicate that the mail was intended for another user, if the email is reasonably assured to not be spam. If the user selects this option, the mail client performs an HTTPS POST to the first https URI in the List-Unsubscribe header field as described in section 3.2 of . The POST body MUST include only "Wrong-Recipient=One-Click".

Mail Senders After Wrong Sender Notification When a misdelivery has been indicated by a POST to the HTTPS URI or email to the given mailto: URI, the sender must make a reasonable effort to cease emails to the indicated email address for that user account. Since it is possible that the same address is associated with a different valid account, the sender should not simply block all mail to that address. The sender should make a best effort to attempt to discern a correct email address for the user account, such as by using a different known email address for that user, postal mail, text message, phone call, app push, or presenting a notification in the user interface of the service. How the sender should accomplish this task is not part of this specification.

Header syntax The ABNF grammar in Section 5 of is augmented as follows:

Additional Requirements The email needs at least one valid authentication identifier, as described in Section 4 of .

Examples

Signed HTTPS URI Header fields in Email: List-Unsubscribe-Post: Wrong-Recipient=One-Click ]]> Resulting POST request:

Security Considerations The considerations are similar to those in Section 6 of . A malicious actor with access to the user's email could maliciously indicate the recipient was a Wrong Recipient with any services that used this protocol, causing mail delivery and potentially account access difficulties for the user. A malicious actor might probe to guess where a recipient has an account, for example by sending multiple messages pretending to be from different banks, and seeing if the recipient marks all but one of them "wrong recipient". Note that the "wrong recipient" signal does not necessarily mean that the address belongs to a real person. It could have belonged to a user who has died, or be a trap that has never belonged to a person and mechanically triggers unubscribe or wrong recipient links.

IANA Considerations This document makes no requests to IANA.

Normative References The mailing list command specification header fields are a set of structured fields to be added to email messages sent by email distribution lists. By including these header fields, list servers can make it possible for mail clients to provide automated tools for users to perform list functions. This could take the form of a menu item, push button, or other user interface element. The intent is to simplify the user experience, providing a common interface to the often cryptic and varied mailing list manager commands. [STANDARDS-TRACK] This document describes a method for signaling a one-click function for the List-Unsubscribe email header field. The need for this arises out of the actuality that mail software sometimes fetches URLs in mail header fields, and thereby accidentally triggers unsubscriptions in the case of the List-Unsubscribe header field. In many standards track documents several words are used to signify the requirements in the specification. These words are often capitalized. This document defines these words as they should be interpreted in IETF documents. This document specifies an Internet Best Current Practices for the Internet Community, and requests discussion and suggestions for improvements. RFC 2119 specifies common key words that may be used in protocol specifications. This document aims to reduce the ambiguity by clarifying that only UPPERCASE usage of the key words have the defined special meanings.

Acknowledgments Many thanks to Oliver Deighton and Murray Kucherawy for their kind and actionable feedback on the language and first draft of the proposal. Thanks to Eliot Lear for helping guide the draft to the right hands for review. A detailed review by Jim Fenton was much appreciated and caught a number of key issues. Many thanks to the members of IETF ART for vigorous discussion thereof and for feedback from the MAILMAINT working group.