Streaming live at 10am (PST)

Ability to remove new "Unsubscribe" link from mail notifications

Hi guys, not to mention that Gmail automatically collapses the previous email including the unsubscribe link, when replying or forwarding emails.

It’s VERY EASY to overlook/forget not removing the unsubscribe link manually for every email.

I have said enough. It’s very obvious that this security issue is not treated seriously enough with urgency and it affects everyone using Webflow forms.

Disclaimer: I am not a staff of Webflow, and the opinions expressed above are my own and do not necessarily represent the views of the Webflow team. I disclaim all and any responsibility or liability in respect of information detailed or omitted (or the consequences thereof) from this post.


Hi @samliew, this item is still in development, and at the moment I do not have an exact timeline for when the changes will be pushed out. I am monitoring this carefully and will notify you as soon as a change is made.

The solution is planned and will be implemented without any unnecessary delays.

Thanks in advance

1 Like

@dave So can we just get that unsubsribe link taken off until this is resolved? If a client responds to a form submission the link is still active. Is there a way for the form receiver to resubscribe? If not this is sort of a REALLY BIG ISSUE.


@cyberdave So what do we tell our clients? “Hey, by the way. Your potential leads can now unsubscribe you from your own email. So check that you can receive messages from your site every 30 minutes or so?”


I am very very disappointed at the way this issue is being handled. That’s all.


We apologize for the gap in communication, but site owners started getting notifications that emails were being unsubscribed from form notifications since October 9th. Here’s the github pull request:

The way it works is that when someone clicks on the unsubscribe link, the email that is being unsubscribed will be sent an unsubscribe confirmation email, with the owner of the site BCC’ed.

This was originally implemented to satisfy the CAN-SPAM laws around e-mail privacy and anti-spam measures. If we had waited to implement the unsub link, email delivery rates would have suffered for everyone. Since this was implemented in haste, we failed to communicate it broadly in our typical marketing channels.

This should have been communicated via a Since you’ve been gone, and maybe a blog post, but somewhere along the way the wires got cut/dropped. We sincerely apologize for the miscommunication! You can test this functionality out to see if it covers all scenarios you’ve highlighted.

not trying to be a butt-holias about this… “but”
personally I don’t understand why this thread is so long…
I’ve been complaining about this for months… not since Oct 9.
It should have been fixed a long time ago.

And I agree with @samliew


@brryant To be clear on terminology – the site owner is the owner of the Webflow account Pro/Business, ect? So people were using Webflow to spam and since everything is tied to one webforms address instead of the “from” address?

There is something about this that seems off in this situation.

I’ve used forms on Wordpress setups and they don’t have “unsubscribe” because they are going to the account owner. Why would the account owner want to unsubscribe? I guess people were using forms to spam…shouldn’t they just be kicked off Webflow or the sending somehow tied to “from”.


@brryant Appreciate that this was implemented, but sorry to say that its still not ideal. There will be clients and/or their staff that would simply skip over an email “You have been unsubscribed from form notifications”, or it could just get lost in their daily work/spam/junk etc.

IF they do pay attention, then they will “hopefully” contact us as their website provider and ask us what to do - which is not only going to be more work for us but somewhat embarrassing to try and explain why they could get unsubscribed in the first place.

I agree with @samliew and I am very concerned at the potential client/legal issues.

Please, there has to be a better way… urgently.


I’m more concerned that a potentially damaging security breach is not taken seriously enough - big enough to greatly impact clients and open up lawsuits against WF.

Still not a bug? Hmm

This doesn’t reflect that you are putting us customers and users first. Maybe it’s just because your stakeholders and investors doesn’t know about this situation yet.


@brryant So what is the plan to resolve this issue? Because it can’t be considered resolved at this point!

Part of the hosting agreement is to have forms processed. In good faith that means not setting up a system in which clients can be unsubscribed from their own forms.

Please give us an answer to how this is being resolved.

As a fix… what I did was create a redirect

  • that forwards two copies of everything to
    – 1: a dedicated “support” Exchange account (mine) and
    — (since Exchange is push technology… I immediately get the message and don’t need to “check for messages”)
    – 2: a second redirect creates a support ticket in a (ticket) management system.

Once the support ticket is creates…

  • I respond accordingly to an SLA that we provide our clients.
1 Like

@Revolution When you say redirect do you mean, exactly? Do you just mean adding additional emails? I’m open to a work-aournd solution.

@brryant Just because there is a workaround doesn’t mean this is a solution. It’s just more work for the user when it should work to begin with.

We have a couple scenarios…

  • but this is simplest one…

“Webflow” is “the service”.

On a linux server…

Messages sent to "" are redirected / forwarded to

If Bob unsubscribed from the “service”… you get a copy of the message

  • this gives you’ve the opportunity to “fix the issue” before Bob goes ballistic.

It’s not the best solution - (because for Webflow… only Webflow can true fix this issue)

  • but it’s a solution that works.

To do this… you need a cPanel account and a domain name.

We manage the servers and domain names for over 500+ clients.

I literally have 500+ email addresses that redirect / push client contact emails into one support account.

And the ticket management system we use ensures I address the situation in a timely manner.

We’ve had this process in place for probably 15 years now. I’ve only been a Webflow client for 3 years ?.. maybe going on 4. Don’t remember exactly.

The most important part is… the process has never failed us.

1 Like

Since you are interested… I’ll add a little more.

The “support” email address we use is a Microsoft Exchange account… which is more of “push service”.

We offer Exchange for “higher end” clients. Otherwise “standard” clients use “linux mail”.

In addition to offering higher reliability / scalability / features such as OWA…

  • it also provides the ability to receive messages instantly.

Google and others services are starting to offer technology similar to this… but it’s just not there yet.

And unlike gmail - those services “are not free”.

Basically - Your email client doesn’t have to “ping the email server” every 5 minutes… 10 minutes… 20 minutes etc… which is a “fetch” service.

Within a short time of the server receiving an email - I get it on my phone / ipad / whatever / where ever.

So basically - I know (fairly) instantly what’s happening. For us - the speed in which we get information is important.

We initially setup this process to monitor our servers… as well as to monitor several SAAS products we offer.

Some of our clients have 20 minute SLA’s… which means we MUST respond within 20 minutes of any contact.

  • otherwise we have broken our support agreement. Not a good thing.
1 Like

It’s some progress but still not ideal. I don’t understand why my previous suggestion couldn’t be implemented - which I see in use on many services/sign-ups:

  • New client = you must verify your email address by reply, to receive forms = sorted.
  • Current client = ‘we have made some improvements to the security of web forms = it’s just one click for you to verify your email address’ = sorted.


Seems like there is some misunderstanding here. Here’s the sequence of actions:

  1. New form entry is submitted
  2. Form triggers email notifications to those subscribed in your site settings
  3. Email contains unsubscribe link
  4. Recipients of email can click the link to unsubscribe themselves
  5. Once unsubscribed, the Recipient gets notified that they have been unsubscribed. The Site Owner is BCC’ed on this email so he/she can be notified.

There are not any security issues with this setup that we’re aware of, and we’re simply following the FTC rules around SPAM, as highlighted in #5 here:


This topic was automatically closed after 60 days. New replies are no longer allowed.

I’m trying my best to stay professional but the way this is being handled has to be one of the biggest embarrassments I have seen in a very long time. I would be laughing if it wasn’t affecting my own business. This post has now been seen 2.6 thousand times to date and continues to grow by the day as both a PR nightmare, a stark warning to our clients who are researching webflow after their developers suggested it and an enormous security risk.

@brryant Unfortunately. it is very clear to me you have absolutely no idea what the issue is, and more importantly, that you, nor anybody else at webflow has been concerned enough about a security report to take a few minutes to reach out directly (off this forum) to any and all of us that have reported this as a security issue to understand the nature and scale of the problem and to thoroughly investigate if an issue does exist or not, as any security report should be.

@cyberdave @brryant
Here is the actual sequence of events:

  1. Paying webflow web developer that pays for your white label solution wants to make the customer contact process easy for their clients

  2. They go into the form settings and copy and paste the suggested {{ Name }} < {{ Email }} > shortcode in the form settings box so that their client who doesn’t necessarily understand can click reply when they receive a new contact form message from a website visitor in their Outlook inbox

  3. The developor enters their client’s email address (the business owner the website is for) in the send to field, so the client can receive emails privately without their business information needing to route through us.

  4. They publish the site on behalf of the client thinking they are safely basing their form’s infrastructure on a security oriented solution which is why they pay for webflow in the first place.

  5. Website visitor Dave visits the pretty website and wants to get in touch with the company using the following details

Dave Tester
Hello - I love your products, how can I buy one?

  1. Message arrives in the client’s inbox in Outlook

The client wants to respond to Dave so they quite logically click reply and send Dave an email.

  1. Dave tester was only messing around. He wasn’t really interested in the client’s products and services. He had actually discovered a hilariously embarrassing security hole in webflow that he can find any webflow-based site on the internet with a simple bot script and send spam contact form messages (it’s much more of a concern in this direction than what you guys are worried about) and then unsubscribe the client from their own website to absolutely any client that replies to them.

  2. And finally just to pour more salt in the wound afterwards Dave Tester then sends an email to the website designer asking why the unsubscribe link goes to when they are paying a lot of money for a white labelled solution.

I honestly cannot believe with all the brain power that exists here no-one at webflow can seem to comprehend, let alone fix this genuinely serious issue. Of course Dave Tester doesn’t need to be a hacker, he might just be a legitamite user that realises he didn’t want to hear about the company’s products afterall.

Until webflow get’s its act together (which I pray happens immediately now this is explicitly clear) there are a few temporary fixes:

  1. Handle all the email as an intermediary (ridiculous and non-client sensitive)
  2. Do not use the sender email address in the from field under form settings so any submitted form cannot be directly replied to (clients think this is ridiculous and in my experience frequently don’t understand how to write back or forget that they should only copy and paste part of the email - specifically when using a mobile email client). Some clients simply don’t understand copy and paste.
  3. Look at yet another 3rd party piece of software to handle basic functionality that webflow customers are already paying for such as formstack, formsite, etc.

I’m not going to waste my breath creating a wishlist item for a security suggestion as it should be instinctive but I honestly think this highlights more than ever why webflow should have a dedicated security telephone contact/private forum area exclusively for paying customers so we don’t have to advertise to the world and potentially future clients these sorts of issues.

If I’ve overlooked absolutely anything in the above process flow I truely and sincerely apologise, but my gut feel and testing suggests I haven’t.

@samliew @Revolution @pxljoy @jdesign @StuM

1 Like