Here's an alternative idea: what if clients would only honor rel='unsubscribe' links with an HTTPS URL scheme, and only finish the TLS handshake for those requests if the host sends the client a valid Extended-Validation certificate?
Every spammer who wanted to "trick" the auto-unsub mechanism would basically have to first dox themselves for all the world to see. And any certificate that turned out to not be a valid means of contacting the spammer would be quickly revoked.