There are good reasons to avoid GET requests for changing state, but that’s not what idempotent means.

Two step unsubscribe, where the link in the email goes to a webpage with a prominent “click here to unsubscribe” button is often a good thing for unsubscription. It also gives people an option to not unsubscribe, when they click on the wrong link, or hit “return” with the wrong link focused, in a mail inadvertently, which isn’t that unusual in link-laden emails.

As for closed-loop opt-in… if someone is mailed a magic cookie that must be returned in order to subscribe them to a mailing list, and they give permission to others to use that cookie by posting the cookie somewhere public I have very little sympathy when those people they’ve delegated responsibility to use the cookie to add them to a mailing list. Installing software that automatically clicks on links in their inbound email isn’t quite the same, but I still won’t have any sympathy for the recipient (I’ll reserve that sympathy for the mailer who’ll later have to put up with frivolous spam complaints from the recipient).

A lot of people ignore this for convenience’s sake, but this is just one way that you can get bitten. Anyone remember the Google Web Accelerator that came out a while ago, then promptly disappeared? It’d pre-fetch links on a page to speed up things if you clicked them later on. And if one of those links happened to delete something from a blog, or log you out… well, then you begin to see why GET shouldn’t change things.

So yes, the perfect solution to this is a 2-step unsubscribe link: the first step takes to you a page with a form on it, and that form then POSTs something back that finalizes the unsubscribe request.

Tracking links, unfortunately, would need some other solution…