How to send privacy friendly emails

As a privacy-friendly company that works mainly with newsletters, we spend a lot of time thinking about the ethics of email.

We've recently been working on a sort of "code of ethics" for email senders who are interested in privacy, and after getting a lot of feedback have condensed our main points down to the following. This is still a work in progress (and in some places highly subjective), so if you have any feedback at all then please raise a ticket on the GitHub repo, or leave a comment on the Hacker News discussion.

1. Don't send unsolicited emails

Let's start off with a simple one. Above all else, recurring emails should be opt-in. If I receive an email from you it should not be a surprise.

In real terms this means:

  • For newsletter creators, if someone signed up for your monthly newsletter, then don't sometimes send them weekly without asking.
  • For app makers and SaaS, a welcome email is okay, but don't automatically add a new customer to your automated Drip campaign of 25 on-boarding emails.

This really is a no-brainer and benefits everyone. If you send emails that people don't expect, you make them angry and more likely to mark you as spam, hurting your reputation.

2. Let people easily unsubscribe

I've spoken about this before: letting your recipients easily unsubscribe from emails helps to maintain a healthy mailing list. But let's go one step further...

Being granted permission to send an email to a person's inbox should be treated as a privilege, and we should respect their right to easily deny us that permission at any time and for any reason.

This means we must provide an unsubscribe link within each email that is accessible to the recipient. This link should ideally unsubscribe in one click and not require any additional steps.

The best way to do this is to provide an "unsubscribe" link in the email body. This should be clear and purposeful by:

  • Using clear language
    • "Click here to unsubscribe" is good
    • "Manage your preferences here" is not.
  • Being accessible
    • Make your unsubscribe link obvious
    • Keep the contrast ratio high - e.g. don't use light grey text on a white background. This is not cool.

If possible, it's also good to provide a machine-readable List-Unsubscribe header with every email (RFC 2369). This allows automated tools to help your recipients unsubscribe. The URL in the List-Unsubscribe header can be the same as the one you use in your unsubscribe link in the email body.

List-Unsubscribe: 
    <http://www.host.com/list.cgi?cmd=unsub&lst=list>,
    <mailto:list-request@host.com?subject=unsubscribe>

In case this doesn't go without saying, if a recipient unsubscribes from your mailing list then you should not send them any more emails from that address!

P.S. Recently I've seen more mailing lists including an unsubscribe link at the top of the email as well as at the bottom. This seems like a great idea.

3. Make intent clear

There should be no doubt why someone is receiving your email, or how frequently they should expect it. It sucks to receive an email but not know why.

I understand that recipients may forget that they signed up for your service or to receive your newsletter (especially if it is not sent frequently), so make the intent of the email clear at the start. For example, by leading the content with the sentence "You are receiving this email because you signed up for an account on example.com".

Newsletter creators, if you send emails on a schedule then let your recipient know when they will receive your next email.

Here's how we manage this in some of our recurring emails

There's also an email header for this: the List-Help header. This provides a place to discover more information about the mailing list.

List-Help: <http://www.host.com/list/>, <mailto:list-info@host.com>
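Putting points 2 and 3 together, here is an added example (not code from the original post) that builds a plaintext newsletter with the List-Unsubscribe and List-Help headers, an intent sentence, and the same unsubscribe URL at the top and bottom of the body. The addresses, URLs, token and function names are assumptions made for illustration.

```python
import re
from email.message import EmailMessage

# Hypothetical values for illustration; none of these come from the post.
UNSUB_URL = "https://news.example.com/unsubscribe?token=CONSTRUCTED-TOKEN"
UNSUB_MAILTO = "mailto:list-request@example.com?subject=unsubscribe"
HELP_URL = "https://news.example.com/about-this-list"
UNSUB_LINE = f"Click here to unsubscribe: {UNSUB_URL}"


def build_newsletter(recipient, body, next_issue):
    """Plaintext newsletter that states its intent and is easy to leave."""
    msg = EmailMessage()
    msg["From"] = "Example Weekly <news@example.com>"
    msg["To"] = recipient
    msg["Subject"] = "Example Weekly"
    # RFC 2369 syntax: comma-separated URLs, each wrapped in angle brackets.
    msg["List-Unsubscribe"] = f"<{UNSUB_URL}>, <{UNSUB_MAILTO}>"
    msg["List-Help"] = f"<{HELP_URL}>"
    msg.set_content("\n".join([
        UNSUB_LINE,  # unsubscribe link at the top as well as the bottom
        "",
        "You are receiving this email because you signed up for an "
        "account on example.com.",
        f"The next issue will be sent on {next_issue}.",
        "",
        body,
        "",
        UNSUB_LINE,
    ]))
    return msg


def list_urls(header_value):
    """Extract the angle-bracketed URLs from a List-* header value."""
    return re.findall(r"<([^<>]+)>", header_value or "")


if __name__ == "__main__":
    print(build_newsletter("reader@example.org", "Hello!", "1 March"))
```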

4. Don't perform unnecessary tracking

Probably the most controversial point I need to make - emails should not contain spy-pixels/pixel-trackers or any other mechanism that measures open-rates.

I know it's nice to see how many people are opening your emails, but since this tracking can be done without the consent of the recipient, it should be considered a violation of privacy. Requiring recipients to disable images in their email client in order to not be tracked is not acceptable.

Read tracking can be crazy intrusive (image courtesy of the SuperHuman exposé last year)

If you wish to see if recipients are engaging with your emails, then provide actionable elements for them. For example, clicking a link in the email is easily measurable, shows engagement, and is less intrusive.

Ideally, I think it would be nice to return to mainly plaintext emails, with a few embedded images here and there. Embedded images don't have to be fetched from an external server, and thus can't be used for tracking purposes. I tweeted some info on how to embed images recently if you want more info on this.
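As an added example (not from the original post), the following embeds an image in the message itself via a Content-ID reference and then audits an outgoing email for any image that would be fetched from an external server. The placeholder image bytes, addresses and function names are assumptions made for illustration.

```python
import re
from email.message import EmailMessage
from email.utils import make_msgid

LOGO_BYTES = b"GIF89a" + b"\x00" * 16  # constructed placeholder, not a real image
IMG_SRC = re.compile(r'<img\b[^>]*?\bsrc\s*=\s*["\']?([^"\'\s>]+)', re.I)


def html_mail(html, inline=None):
    """Build a text+HTML mail; `inline` maps Content-ID -> image bytes to embed."""
    msg = EmailMessage()
    msg["From"] = "Example Weekly <news@example.com>"
    msg["To"] = "reader@example.org"
    msg["Subject"] = "Example Weekly"
    msg.set_content("Plaintext version of this issue.")
    msg.add_alternative(html, subtype="html")
    html_part = msg.get_payload()[1]
    for cid, data in (inline or {}).items():
        # The image travels inside the message as a multipart/related part.
        html_part.add_related(data, maintype="image", subtype="gif", cid=cid)
    return msg


def embedded_example():
    """HTML mail whose only image is embedded, so opening it fetches nothing."""
    cid = make_msgid(domain="example.com")  # looks like "<...@example.com>"
    html = f'<p>Hello!</p><img src="cid:{cid[1:-1]}" alt="Logo">'
    return html_mail(html, {cid: LOGO_BYTES})


def remote_images(msg):
    """Return every <img> source a mail client would fetch from a server."""
    found = []
    for part in msg.walk():
        if part.get_content_type() != "text/html":
            continue
        for src in IMG_SRC.findall(part.get_content()):
            # cid: and data: sources are carried inside the message itself.
            if not src.lower().startswith(("cid:", "data:")):
                found.append(src)
    return found


if __name__ == "__main__":
    print(remote_images(embedded_example()))  # expect an empty list
```

Running `remote_images` over a message before it is sent gives a simple pre-send check: an empty list means opening the email triggers no image request.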


I think these 4 points cover most shady email practices, a good start!

None of this is governed by any specific law, but a bunch of it probably falls under either CAN-SPAM or GDPR email regulations.

That said, governments have been consistently slow to react with regards to protecting online privacy and barely enforce any protections they have managed to pass. So I think the best way forward is to encourage email senders to act ethically, and as consumers, point out ethical violations and not do business with those who do not meet our standards wherever possible.

There's a long way to go in this space, and I want to explore it in the open with as much feedback as possible. My first draft of an Ethical Email Manifesto that we will be following at my company is public on GitHub and open to contributions.

If you want to support this movement and tell the world you're an "ethical email sender", then open an issue and we'll add your company as a signatory to the document ❤


Agree (or disagree) with me about any of this? Jump on the HN thread, or follow me on Twitter, where I post a lot about shady email practices.