Regardless of what Google and Yahoo say, I need to be able to verify that when user@domain wants to unsubscribe they MUST verify their account ownership first.
Simply embedding a long per-person (email address) token in CLEAR text in an email is liable to interception?
If any bad actor has the email they can simply curl the URL for the unsubscribe and that person will be unsubscribed.
Does your platform offer "validated owner account unsubscribe" i.e. password or 2FA protected?
Thanks
PS part of my organisation is a customer and I specialize in security.