Double Opt-in/Confirmed Opt-in

Different names for the same practice.

Whether you call it closed-loop opt-in, confirmed opt-in, verified opt-in or double opt-in, you're generally referring to an email address verification process used to validate an email address before adding it to an electronic mailing list. Double opt-in is something of a misnomer, because it's not a second opt-in; it's address verification. However, what you call it is less important than whether or not you employ it. (For more about the terminology argument, head on over to Pan Am Internet's excellent page on the issue.)

Why should you do it?

You do it to prevent forgeries. The process nearly eliminates spam complaints, and any you do receive can usually be easily disproved.

It can also ensure better deliverability. If you send email, you know how many spam filters (both good and bad) there are out there. They will filter or block even confirmed opt-in email. Why they do is a whole other issue, but if you can demonstrate that you correctly utilize double opt-in, you can get whitelisted by various spam filtering organizations and companies.

How does it work?

Generally, it starts with a web form. A potential recipient will sign up for emails by entering their email address into your form and clicking the submit button. What happens next is they are sent a confirmation request email. In that email, there is a unique coded URL that the recipient clicks on to verify their identity. If the recipient does NOT click on the URL, nothing happens. They are not added to your list, and you don't email them again.


If you decide to implement this process on your own, make sure you keep records of all the opt-in requests and completions: IP addresses, opt-in codes, etc. Also, make sure your confirmation method can't be spoofed. Any validation URL should be a coded URL, not a plain URL that contains the person's email address. For an example of how the process works, click here for a demo I've created.
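A minimal sketch of the flow described above, added here as an illustration (it is not the demo linked from this page). The in-memory stores, the seven-day expiry, the function names and the `lists.example.com` URL are all assumptions; a real mailer would use a database and send the URL by email.

```python
import hashlib
import secrets
import time

TOKEN_TTL = 7 * 24 * 3600  # assumed validity window for a pending request
BASE_URL = "https://lists.example.com/confirm"  # placeholder domain

pending = {}       # token digest -> request record (stand-in for a DB table)
subscribers = set()
audit_log = []     # append-only record of every request and completion


def _digest(token):
    # Only the hash is stored, so a leaked table cannot confirm addresses.
    return hashlib.sha256(token.encode()).hexdigest()


def request_subscription(email, ip, now=None):
    """Record the sign-up and return the URL to mail to the address."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)  # unguessable and carries no address
    key = _digest(token)
    pending[key] = {"email": email.strip().lower(), "requested_at": now}
    audit_log.append(("request", key, pending[key]["email"], ip, now))
    return f"{BASE_URL}?t={token}"


def confirm_subscription(token, ip, now=None):
    """Complete the opt-in if the token is known, unused and unexpired."""
    now = time.time() if now is None else now
    key = _digest(token)
    record = pending.pop(key, None)  # pop makes the token single-use
    if record is None or now - record["requested_at"] > TOKEN_TTL:
        return None  # unknown, reused or expired: nothing is added
    subscribers.add(record["email"])
    audit_log.append(("confirm", key, record["email"], ip, now))
    return record["email"]
```

Because the URL carries only a random code, someone who forges another person's address into the form never sees the value needed to complete the subscription, and the audit log ties each completed opt-in to the request that produced it.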

Links to info and commentary on double opt-in/confirmed opt-in.

From iBizBasics.com - March 6, 2001 by Mark Brownlow. Overall, a good article, though it contains a technical error. Mark claims that double opt-in can't prevent forged subscriptions, which is incorrect. It's only a poor implementation of the process which would have this problem.

From EzineBlast.com's guide to list management and spam issues, here's a quick and simple definition of what double opt-in/closed-loop is and why you should do it.

From Network World - February 19, 2001. Mark Gibbs explains what it is and why you should do it. Why is it important to prevent forgeries? He explains.

Lyris provides software and services to companies who both send and receive email. They point out that double opt-in is the way to go if you don't want to get blocked by the various anti-spam groups.

Marketing consultant Gary North explains that double opt-in is "an internet rule against spamming." I agree; it definitely helps.

Cluelessmailers.org has a very compelling reason why double opt-in/confirmed opt-in is a good practice: It'll keep you out of jail. While phrased whimsically, there's some truth to that. With all the US state anti-spam laws in place, are you sure you're in compliance with all of them? Most require a prior business relationship as a bare minimum to allow you to send someone an advertisement via electronic mail. Is a business relationship established when somebody else forges that recipient's address into your form? That's not clearly defined, and I wouldn't want to bet on it.

Problems with Spamcop

(Note: This is out of date. Click here for a much more up-to-date commentary from me about Spamcop.)

Think long and hard about what spam filtering/blocking systems you utilize, especially if you have users that care about what mail they receive.

I run a bunch of closed-loop opt-in systems for my employer. Periodically Spamcop somehow decides that one of the systems is a source of spam, even though it isn't.

The server, at 208.248.77.244, has been listed at least 3 times in April and May 2003. Check for yourself here. (I've archived the source locally for reference in case the info goes away.)

The first time it happened, I talked to about 20 different site admins. I got a wide variety of replies. Some were kind enough to whitelist the IP or domain. Some actually didn't realize that Spamcop misfired like that, and discontinued their use of the Spamcop blacklist.

Sadly, a couple of the replies showed that some people just don't understand how it works. Here's an excerpt from one of the replies from a medium-sized ISP.
The reason your [sic] are being listed on SpamCop is because a lot of your recipients deem your mailing as unsolicited. Unsolicited means that the recipient has not granted verifiable permission for the message to be sent. Bulk means that the message is sent as part of a larger collection of messages, all having substantively identical content.
The problem, I explained, is that you gain verifiable permission through the use of a confirmed opt-in process, aka closed-loop, aka double opt-in. And that's what this server does. None of the stated metrics apply here; the original listing resulted from two spam complaints, both of which were erroneous. "Two" is a poor guess at bulk.

Spamcop tries to guess if a site is sending spam based on a metric measured by how much of the server's mail is reported as spam. Here's why that doesn't work.
  1. Invalid reports. I've worked in a spam prevention capacity for various companies and on various anti-spam group projects. From way back to when I started the RRSS relay blocking list, our biggest problem was people sending in incorrect reports. Intentionally or not, people sent in things that weren't really spam, weren't really relays, sent in the same report over and over, and even faked headers to try to get us to block sites. The lesson here is that unsubstantiated complaints are a worthless measure alone. They need to be coupled with expertise, insight, and investigation by the blocking list operator. That is NOT the case with Spamcop; it's purely complaint driven. There is no manual oversight before a listing takes place.
  2. Spamcop's measurements are invalid. In our case, 2 complaints were measured against 179 total pieces of mail over the previous 7 days. That's approximately a 1.1% complaint ratio, and if that were correct, it would be high. The problem is that it's not correct. The server had served approximately 10,000 subscription confirmations in just the previous 12 hours, and handled somewhere around 70,000 subscription confirmations in the past 7 days. You come out with a vastly different metric in that instance.
  3. Metrics are a poor indicator of poor practices. If you say that you have to have a 2% complaint ratio before you take action against a spamming client, you're saying that you'll let them spam forever as long as they stay under the radar. What's more important is this question: What does the complaint, and your investigation, reveal? In my job, I regularly take action with clients to resolve their problems way before any sort of metric is hit. If I get one complaint about somebody and that complaint shows me that they're doing something against best practices, then it's in my best interest to fix it or make it stop. Obviously this varies under different circumstances.
My specific problem with lists like Spamcop is that they take bad measurements and try to sell them as good. If you want to use the list to block mail, that's your right. You can block all mails containing the letter "h" if you want. However, just like any other choice, the more you know about it, the better able you are to make an informed decision.

MonsterHut in the News

THIS is a PDF of a judge's order regarding a lawsuit in the State of New York against a company named MonsterHut, alleging that they're spammers. It is dated Jan 6, 2003 (not 2002 as it incorrectly says in a couple places).