> On Sep 19, 2016, at 2:35 PM, John R Levine <johnl@xxxxxxxxx> wrote: > > I went through and addressed a bunch of the editorial suggestions, which were indeed helpful. Before I post the next and I hope last version let's wait and see if the smoke settles. A couple of comments: In: A List-Unsubscribe header can also contain a mailto: URI with an address to which an unsubscription request is sent. While these URIs can be for a one-click unsubscribe, experience has shown that they do not work well in high volume environments, because the recipient mail systems (typically e-mail service providers that are optimized to send large volumes of mail) cannot keep up with the required number of mailed removal requests. Hence this document considers only HTTPS URIs. It seems to me that catering to senders whose unsubscribe volume is so high as to overwhelm their email systems should not be a priority. Can you explain the DKIM requirement in more detail? Is the MUA required to verify the DKIM signature? Or is it expected to alternatively trust any Authentication-Results header? What purpose does the DKIM signature serve, if there is no required correlation between the authenticated "d=" value and the authority of HTTPS unsubscribe URI? What are the cross-origin risks in allowing the incoming mail to trigger a POST to a URI of the sender's choice with sender selected parameters? The Examples in Section 7 don't have anything resembling HMAC signatures over the recipient + list data, or opaque nonces that identify both. -- Viktor.