I've got an email settings page that a user can only access if logged in. They include:
[X] Send an email when someone replies to my post
[X] Send me an email when someone comments on my post
[X] Send me site announcements
[X] Send me a weekly digest
Currently, in any of those emails that send, there is only a link at the bottom which links the user to their settings page, which adds friction since it requires them to login in order to change their settings.
What I'm considering is adding a one-click unsubscribe, but I'm not sure if I should limit it to the current email type that they are receiving. E.g. If it's a notificaiton email from [] Send an email when someone replies to my post, there is an unsubscribe link that would only deselect that setting (and not the others).
Is this the right way to approach this, or should I treat that one-click unsubscribe as an unsubscription from ALL email setting notifications? One alternative idea I had was to dump them on a page that lists above all the email types (basically a logged out version of the email settings logged in page), but I'm wondering what the security risks with implementing that would be and if I should have an expiration time on that type of link if I implemented it?
Twitter does one click unsubscribe by email type. Most companies I see however unsubscribe all emails in one click. As a consumer I prefer the unsubscribe all.
For sending email in the US you need to follow these guidelines:
http://www.business.ftc.gov/documents/bus61-can-spam-act-compliance-guide-business
I don't see any real security risks as long as you sign all URLs you send out for one-click unsubscribe. Then no one could maliciously unsubscribe users and users will always be able to easily unsubscribe if they want to.