The new Insecure Unsubscribe Link in Form Submission Email Notifications Allows Third-parties to Unsubscribe Us (and without any warnings that we are removed)
Would it be possible to remove the “Unsubscribe from notifications for this site.” link from the emails?
Hi @samliew and @pxljoy, thanks for getting back in touch. I am checking on this issue with the Unsubscribe link. There were some changes made a few days ago to allow for email recipients to stop receiving notifications.
As soon as I have more info, I will get back to you with an update.
Hi @samliew and @pxljoy, the link to unsubscribe was added to the form notifications as it was possible for designers to add people’s emails for form notifications without a way for the end user receiving the mails to opt out of those.
At the moment it is not possible to remove the “Unsubscribe from Notifications link”.
This is a bit frustrating, in several ways, but my main concern is that the Unsubscribe link unsubscribes my client from receiving form notifications.
So when my client hits reply to an enquiry, that enquirer (or anyone this notification email is forwarded to) can click on the unsubscribe link and my client won’t get form notifications anymore?
Can you clarify please… this concerns me.
I will now have to explain to my clients, who do not abuse the system, why the Unsubscribe link is there and why it goes to Webflow.
As an aside, I build sites that are not branded with Webflow for a reason. I shifted from WordPress to Webflow - to protect my years of investment of design, copywriting and marketing skills that can’t be replicated as easily as people think just by using a “do it yourself” website tool.
Whoever clicks the link should have to key in the email address in a form again (PLEASE DO NOT AUTOFILL) before confirming un-subscription, followed by an un-subscription notification to that email address should the un-subscription be accidental (or initiated by someone who knows the original recipient’s email address).
I personally tested your current implementation by copying the link and pasting into an incognito window, to test what would happen if someone I replied to decides to click on that button.
PLEASE DO NOT AUTOFILL!!!
My email address appeared in that unsubscription form, making it VERY EASY for somebody to just click that button and remove myself.
PLEASE SEND CONFIRMATION EMAIL!!!
I did not receive any indication that my email address was removed from the form settings, which will lead to missed notifications in the future.
Have unsubscribing user login to the account to verify un-subscription. This won’t work currently as the email field is unverified and you can insert anybody’s email address and they won’t have access to your account.
Another simpler way would be to only select verified/confirmed email addresses in the form settings - this way we can remove the link in the email as now we are unable to insert anybody’s account to receive those email notifications
Yup, this message is not needed, as clients (or random strangers if you insert random emails) most likely do not have access to a site in your dashboard (#2)
I strongly recommend the addition of this Insecure Link be removed immediately until a proper solution is implemented:
Another simpler way would be to only select verified/confirmed email addresses in the form settings
due to the following reasons:
as this can mess up everybody’s form notifications if they are unaware of this new change and unknowingly forward the email to a third-party or reply to the “reply-to” sender.
Which is more important?
Us/Clients continue to receive form submission email notifications (leads/feedback/complaints/etc.), that may cause lost revenue and PR damage/lawsuits if not received in a timely manner, or
perhaps maybe allowing unauthorised third-parties to unsubscribe ourselves?
In the meantime…
If you have recently forwarded, replied-to, or even have Zapier or auto-forwarding connected to the form in your project, you have to constantly monitor that the Notification Email Address is not removed/modified, for each project.
Disclaimer: I am not a staff of Webflow, and the opinions expressed above are my own and do not necessarily represent the views of the Webflow team. I disclaim all and any responsibility or liability in respect of information detailed or omitted (or the consequences thereof) from this post.
Why is it not a bug when third-parties can use the unsubscribe link to remove my own email address from the form notification settings in my project dashboard, without authorization and without warning?
@cyberdave I currently have clients on Webflow sites that spend thousands of dollars per month on Adwords. They rely on the form notifications. It is a serious problem if they are unsubscribed at all, especially without warning.
Can Webflow please update us as to what is the remedy here?
Hi @pxljoy and @samliew, thanks for your patience. @samliew, this was changed to the General category from Bug due to the fact that the change was not due to an unexpected technical issue but an intended change, sorry for the confusion there.
In the past, form notifications that were sent without the unsub link were being sent to individuals, in some cases without their knowledge, resulting in those individuals marking the emails coming from Webflow as spam.
When emails sent from a bulk mailing system are marked by an excessive amount of Receivers as Spam, this can damage the email reputation of the service, causing mail delivery issues for the entire platform.
To help improve this and prevent the unwarranted email reputation dings and to best serve the community using Webflow, we have added an industry standard Unsubscribe notification to all form submissions.
Other major platforms such as Zapier also have the same kind of system, where unsubscribe links are always provided and is considered “Best Practice” and really should have been implemented in Webflow before this time.
I do apologize for the lack of communication on this change, that is on us to improve that for changes like this in the future.
For now, the recommendation, if you need to remove the Unsubscribe link, is to first delete the link manually and then manually forward the mail.
The service related to Forms is currently being looked at to see how this can be improved. As soon as there are new updates for this, I will let you know.
@cyberdave @samliew
Appreciate your response Dave, and totally understand why Webflow email reputation has to be maintained.
“…remove the Unsubscribe link, is to first delete the link manually and then manually forward the mail.”
That is not going to work seeing as we have clients that have sensitive information in forms, and/or don’t want us tampering with EVERY single form submission (or they have staff for it), and manually stripping it out. We cannot be the only ones with these requirements.
…where unsubscribe links are always provided and is considered “Best Practice”…
Correct me if I am wrong, but shouldn’t an ‘unsubscribe’ link be available to people who ‘subscribe’? Like a newsletter, email list, etc?
What do I tell my client? “If a single person forgets to strip out the Unsubscribe link, (from replying to forwarding) and someone clicks on that link, all of your form submissions will go dark and your adwords/seo/conversion budget will mean nothing. Furthermore, your form submissions will go dark and you won’t even know about it.”? (this could seriously harm company/client relations)
I know this is a difficult situation, and I don’t know how much of a problem spammers have been for Webflow, but it seems that this does more harm than good.
Can we be assured that this is being looked at urgently?
Another simpler way would be to only select verified/confirmed email addresses in the form settings
And how easy is it to forget to remove it first? I just accidentally sent out a third email with that unsubscribe link. Now three people have hostage over my form settings, forcing me to check my form settings every 10 minutes while Webflow is thinking about it.
Not to forget those who are still unaware of this change. I sincerely hope Webflow customers don’t shoot themselves in the foot.
This is also the wrong answer.
Shouldn’t everyone be notified of this issue ASAP??
I totally agree, and whilst I recognise it’s a difficult one to navigate on both sides, Webflow are essentially saying we are not going to trust signed-up Webflow users/designers to add genuine recipient email addresses, but we are going to trust literally any member of the public (who could have good/bad intentions) and give them potential to unsubscribe a client.
Even without the @pxljoy use case with Adwords, on a lower level, simply not receiving an enquiry email = lost business.
When you sign up for information/accounts online, the vast majority of the time there is a second step, you receive an email asking you to click a button and confirm it was you/you did want to subscribe/join etc. Surely this is how to resolve the matter?
When a recipient is added to a form notification, and the Webflow user clicks ‘save’ - this should fire an email to the recipient for confirmation.
We then tell our clients they will need to confirm acceptance of that first notification, in order to receive future ones.
Webflow sleep easier knowing any emails that have been added, are verified, confirmed accounts.
Maybe that’s over simplistic, but the new system now has a gaping hole in it…eek
Hi @StuM, @samliew, @pxljoy and @Revolution, thanks again for your comments. I can totally understand your concerns. The Webflow team has been working to find a solution that covers all the bases.
The Webflow team is going to be pushing out an update that will keep the unsubscribe link with some changes:
White-label the form to remove reference to Webflow
Remove the autofill of the email address, requiring input instead.
This should help prevent accidental “unsubscribe” taking place.
As soon as I have confirmation that the changes are pushed out, I will post an update.
Thanks Dave. That is certainly better, however I have a few questions:
What if they put in the form’s owner e-mail address? I.E if the form is to admin@company.org, and some end user puts in admin@company.org, can they still unsubscribe us?
Wouldn’t a confirmation e-mail be a great idea? When you put in your e-mail to receive e-mails from a form, Webflow shoots a confirmation e-mail to that address, and if confirmed, uses that e-mail. That would get rid of spammers. (as @StuM said)
If that isn’t possible, (even though this could be anti-pattern), could a “confirm” unsubscribe e-mail be a possibility?
Hi @pxljoy, thanks and that is also a great question.
The initial changes should help, however the discussion is ongoing on having a way to improve this. I will get back to you with more information as I have that.
Webflow is here to help and to make the changes that best support our customers and preserve the reliability of form submissions.
Thanks for taking the time to be proactive and for the constructive comments.
I’m glad it’s in discussion and we can hopefully find a solution together.
If for some reason my or pxljoy’s suggested confirmation stages can’t be implemented, at the very very least can we (the designer) receive an email alert when a form recipient that we added unsubscribes? From there we can manually check with the client/recipient if they intended to unsubscribe or it has been done either accidentally or maliciously.
Not an ideal workaround, but this would at least save us from needing to check form settings potentially every 10 mins as @samliew mentioned.
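The confirmation steps proposed in this thread (confirm an address before it receives notifications, confirm an unsubscribe by mail instead of on the public page, alert the designer on removal), sketched as an added example that is not part of the original thread and is not Webflow's code. The `Form` class, the token layout, the one-hour expiry and the `example.com` addresses are all assumptions made for illustration; the `outbox` list stands in for actually sending mail.

```python
import hashlib
import hmac
import secrets
import time

KEY = secrets.token_bytes(32)  # server-side signing key, constructed for this demo

def make_token(action, form_id, email, now=None):
    msg = f"{action}|{form_id}|{int(now or time.time()) + 3600}|{email}"  # 1 h expiry (assumed)
    return msg + "|" + hmac.new(KEY, msg.encode(), hashlib.sha256).hexdigest()

def check_token(token, action, form_id, now=None):
    """Return the signed address, or None if forged, expired or for another action/form."""
    msg, _, sig = token.rpartition("|")
    good = hmac.new(KEY, msg.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig.encode(), good.encode()):
        return None
    act, form, expiry, email = msg.split("|", 3)
    if (act, form) != (action, form_id) or int(expiry) < (now or time.time()):
        return None
    return email

class Form:
    def __init__(self, form_id, owner):
        self.id, self.owner = form_id, owner
        self.recipients = {}  # address -> "pending" | "verified"
        self.outbox = []      # (to, kind, payload): stands in for sending mail

    def add_recipient(self, email):
        self.recipients[email] = "pending"  # no notifications until the address confirms
        self.outbox.append((email, "confirm-subscribe", make_token("sub", self.id, email)))

    def confirm_subscribe(self, token):
        email = check_token(token, "sub", self.id)
        if email in self.recipients:
            self.recipients[email] = "verified"
        return email in self.recipients

    def request_unsubscribe(self, typed_email):
        """Public page: never removes anything, only mails a link to the address itself."""
        if typed_email in self.recipients:
            self.outbox.append((typed_email, "confirm-unsubscribe", make_token("unsub", self.id, typed_email)))
        return "If that address is subscribed, a confirmation link was sent to it."

    def confirm_unsubscribe(self, token):
        email = check_token(token, "unsub", self.id)
        if self.recipients.pop(email, None) is None:
            return False
        self.outbox.append((self.owner, "recipient-unsubscribed", email))  # alert the designer
        return True
```

Because the removal link is only ever mailed to the address being removed, someone holding a forwarded notification can trigger a confirmation mail but cannot complete the unsubscribe.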