Cleanbox
Features Helpdesk Blog Pricing Contact
Sign in Start free trial
Blog
technology newsletters behind the scenes

What Happens When You Click Unsubscribe: The Full Technical Story

15 min read Feb 10, 2026

You click "unsubscribe" at the bottom of a marketing email. Three days later, you are still getting emails. Or worse, you are getting more. What went wrong?

The answer lies in the surprisingly complex machinery behind email unsubscription. There are at least four different unsubscribe mechanisms, each with different technical implementations, legal requirements, and failure modes. This article explains all of them.

Method 1: The List-Unsubscribe header (the good way)

Legitimate mailing lists include a hidden header in every email called List-Unsubscribe. You never see this header in the email body — it is in the email metadata, readable by email clients and management tools.

Two formats

List-Unsubscribe: <https://example.com/unsubscribe?id=abc123>
List-Unsubscribe: <mailto:unsubscribe-abc123@example.com>
List-Unsubscribe-Post: List-Unsubscribe=One-Click
  • URL format — A HTTPS URL that processes the unsubscribe request when fetched
  • Mailto format — An email address that processes the unsubscribe when an email is sent to it
  • One-Click (RFC 8058) — The modern standard. The email client sends an HTTP POST request with List-Unsubscribe=One-Click in the body. No browser, no confirmation page, no tricks.

How Cleanbox uses it

When you toggle the unsubscribe switch on a contact in Cleanbox:

  1. Cleanbox checks if the email has a List-Unsubscribe header
  2. If RFC 8058 one-click is supported, it sends an HTTP POST directly — safest method
  3. If only a URL is available, it makes a GET request to that URL
  4. If only a mailto is available, it sends an unsubscribe email
  5. Regardless of the result, Cleanbox blocks future emails from this sender

The blocking in step 5 is the critical part. Even if the sender ignores the unsubscribe request, their emails are denied by Cleanbox.

Method 2: The unsubscribe link in the email body (the common way)

The link at the bottom of the email, usually in small gray text: "Unsubscribe from these emails" or "Manage your preferences."

What happens when you click

  1. Your browser opens the URL
  2. The URL typically includes a unique identifier tied to your email address
  3. You land on one of several pages:
    • Instant unsubscribe — A confirmation page saying "You have been unsubscribed." Done.
    • Preference center — A page with checkboxes for different email types. You uncheck what you do not want.
    • Confirmation required — A page asking you to confirm by entering your email address and clicking again.
    • "Are you sure?" guilt page — "We will miss you! Are you REALLY sure?" with a tiny "yes, unsubscribe" link.

The risks

  • Tracking — The URL often includes tracking parameters. By clicking, you confirm your email is active and monitored. For legitimate senders, this is fine. For spammers, it is an invitation to send more.
  • Phishing — The "unsubscribe" link in a phishing email leads to a malicious page, not an actual unsubscribe form.
  • Dark patterns — Preference centers with pre-checked boxes, confusing wording, or "unsubscribe from this category but subscribe to three others" tricks.

Method 3: Replying with "unsubscribe" (the old way)

Some older mailing lists (and CAN-SPAM compliant senders) honor the word "unsubscribe" in a reply email. This method:

  • Is manual and slow
  • Requires the sender to process reply emails (many do not)
  • Confirms your address is active (same risk as clicking links)
  • Is legally required to work under CAN-SPAM if advertised

Method 4: Doing nothing (the spam way)

Actual spam — not marketing from legitimate companies, but unsolicited bulk email from unknown senders — typically has:

  • No List-Unsubscribe header
  • A fake unsubscribe link (leads to tracking or malware)
  • No intention of honoring any unsubscribe request

For these emails, do not unsubscribe. Mark as spam and block the sender. Any interaction confirms your address is active.

Legal requirements

CAN-SPAM (United States)

  • Commercial emails must include a working unsubscribe mechanism
  • Unsubscribe requests must be processed within 10 business days
  • The unsubscribe mechanism must work for at least 30 days after the email is sent
  • You cannot require the recipient to pay, provide personal information, or take more than a single step to unsubscribe

GDPR (European Union)

  • Consent must be obtained before sending marketing emails (opt-in, not opt-out)
  • Withdrawal of consent must be as easy as giving it
  • Unsubscribe must be processed "without undue delay"
  • No "legitimate interest" workarounds for direct marketing to individuals

RFC 8058 (technical standard)

  • Defines the List-Unsubscribe-Post header for one-click unsubscribe
  • Supported by Gmail, Apple Mail, Outlook, Yahoo, and most major providers
  • Email clients show a prominent "Unsubscribe" button when this header is present
  • Google requires RFC 8058 compliance for bulk senders (5,000+ emails/day) as of 2024

Why unsubscribing does not always work

Processing delay

CAN-SPAM allows up to 10 business days to process unsubscribe requests. Many senders batch-process unsubscribes daily or weekly. You may receive 1-3 more emails before it takes effect.

Multiple mailing lists

A company may have separate lists for marketing, product updates, and transactional emails. Unsubscribing from one does not unsubscribe from the others. This is technically legal if they are genuinely separate lists.

Third-party data sharing

If the company sold or shared your email with partners, unsubscribing from the original sender does not affect the partners. You need to unsubscribe from each independently — or block the domain/category entirely.

Re-subscription triggers

Some services re-subscribe you when you make a purchase, update your account, or interact with their platform in any way. Read the fine print in their terms of service.

The most effective unsubscribe strategy

  1. For legitimate senders — Use header-based unsubscribe (via Cleanbox or your email client "unsubscribe" button). Safe and effective.
  2. For persistent senders — Block the sender or the entire domain. Cleanbox denies future emails regardless of whether the sender honors the unsubscribe.
  3. For spam — Do not interact. Mark as spam, block, and move on.
  4. For prevention — Use aliases. When an alias gets noisy, disable it. No unsubscribe needed — the address simply stops existing.

The best unsubscribe is the one you never have to do. Aliases make that possible.

Related articles

Cleanbox vs Traditional Email Security: Why Spam Gateways Are Overkill for SMBs

16 min read

Email Security Threats in 2026: A Comprehensive Overview

20 min read

The Best Free Email Tools for Privacy in 2026

10 min read

Ready to take control of your inbox?

Start protecting your email with Cleanbox — free plan available, no credit card required.

Get started free