Double Opt-in How-To


Note: This is a guide I wrote back in 2005/2006 to share with folks how to properly implement confirmed opt-in aka double opt-in. I'm sharing a copy of it here to protect it against digital bit rot. -- Al Iverson

Double Opt-in How-To: Implementation Suggestions from BlueHornet and Digital River
By Al Iverson – (aiverson@digitalriver.com) – February 14, 2006 (rev 2)

What is double opt-in? Double opt-in is email address verification.

The process is simple:

  1. A consumer fills out a web form and hits the submit button.
  2. The system then generates an “opt-in confirmation request” email to the consumer.
  3. The consumer must click on a link in the email to validate their email address and complete the opt-in process.

Why do it? This greatly reduces spam complaints against the resulting mailed list: there are no bogus or invalid email addresses on the list that shouldn’t be there, and nobody can successfully sign up an email address other than their own. As a result, any spam complaints received later are refutable; they come from somebody who wants to unsubscribe, forgot that they subscribed, or decided to file a false complaint. With a double opt-in process and the associated tracking data, you can prove to ISPs and anti-spam groups that the mail was solicited and that your mail is not spam.

Nowadays, the top three reasons ISPs block your mail are:

  1. You’re sending mail to spam trap addresses. AOL, Hotmail, and others take long-dead addresses and convert them to spam traps. Their reasoning is that legitimate mailers should not be sending mail to old and bad addresses. Sometimes mailing to just one spam trap can prevent your mail from reaching millions of inboxes at a large ISP.
  2. Too much of your mail bounces. The top tier ISPs watch and notice if a lot of your attempted mail is undeliverable. Their reasoning is that mailers with responsible list hygiene would be weeding out bad addresses by processing bounces and preventing them from being signed up in the first place.
  3. Too many spam complaints. Any ISP or web mail provider that has a “this is spam” or “report spam” mechanism uses those metrics to identify which mailers are sending unwanted mail. If you cross their threshold, you are telling them that you are angering their users by allowing those users to receive unwanted mail.

Double opt-in greatly reduces all three of these issues:

  1. Spam traps don’t get on your list because they’re not addresses of real people and will not click the link.
  2. Your undeliverable rate (bounce rate) will go down because you’re confirming that addresses are valid before adding them to the list.
  3. Your spam complaints will go down because you’re verifying consent prior to adding somebody to your list.

Process recommendations follow. Learn from our mistakes; we handle many thousands of successful double opt-in email address signups daily.

Note that not all practices fit every situation. If you have any questions on specifics, please contact us to discuss.

Web Form Process/Limiting:

  1. Limiting capability. Include a function that limits the number of opt-in requests that can be sent to the same recipient’s email address in an hour or in a day. This will prevent your system from being misused by abusers to “mail bomb” other people.
  2. Include “suppression” capability. Ensure that if a recipient asks you to stop sending them confirmation requests, you are able to comply, both for an individual email address and for an entire domain. ISPs will appreciate this. Failure to do so will increase the risk of your confirmation request mails being blocked.
  3. Block “role” email addresses that traditionally do not belong to a single individual. Examples: abuse@any domain, postmaster@any domain, root@any domain, info@any domain, etc. There may be a small number of instances where legitimate signups can come from these addresses. In those instances, consumers are encouraged to use their personal email address to register, instead. This further reduces complaints – if somebody signs up an email address that goes to 20 people, the other 19 people on that list are going to think it is spam and will report it.
  4. Do not block or limit based on IP addresses. Many sites and ISPs use proxy technology, which allows multiple users (sometimes many thousands) to browse the web from a single IP address. This will result in you impeding many legitimate signups.
  5. After submitting the web form, the next screen should clearly state that an email is being sent to the recipient, and that the consumer will have to read and act on this email to continue. It is important to let your web visitor know that they should now check their email, and to tell them what From address and subject line the message will use.

Address Validation:

  1. Validate email address format: a string, followed by @, followed by a string, followed by a period, followed by a string. The part after the @ sign may contain more than one period (but not two in a row).
  2. We recommend against maintaining a list of valid TLDs (top level domains like .com, .net, etc.). New ones come along and this would require ongoing maintenance.
  3. Optional: Confirm that the domain entered actually exists and has an A/MX record. This may require too many system resources if your lists receive many thousands of signup requests daily. The upside is that you can tell consumers “hey, you entered an invalid address” right then, instead of them going away and wondering why they never received a confirmation message.
  4. Decline signups from “role” or suppressed addresses (see section above.)
  5. Downcase (convert to lowercase) email addresses submitted. The Internet RFCs allow for mixed-case addresses, but in practice this is rarely, if ever, implemented. Storing addresses in lowercase will help to prevent duplicate records if you ever store this information in a database that matches email addresses case-sensitively.
  6. Disallow invalid characters such as space, ampersand (&), asterisk (*), control characters, etc.
  7. Consider disallowing obvious attempts at profanity in the email address or other fields. This will block obvious attempts at trickery, but could also impede signup from anyone who happens to have a name that contains four letters in an unfortunate combination.
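
One way to implement the screening steps from the two sections above (format check, downcasing, role-address and suppression blocking, and the per-address rate limit), as an added Python example that is not part of the original guide. The policy constants, the role-account set and the suppression entries are constructed values for illustration.

```python
import re
from collections import defaultdict, deque
from typing import Optional

# Constructed policy values for this example; tune them to your own traffic.
MAX_REQUESTS_PER_HOUR = 3                 # confirmation requests per address per hour
ROLE_LOCALPARTS = {"abuse", "postmaster", "root", "info", "webmaster", "noreply"}
SUPPRESSED_ADDRESSES = {"nomore@example.net"}   # suppression by individual address
SUPPRESSED_DOMAINS = {"nomail.example"}         # suppression by whole domain

# The guide's format rule: string, @, string, period, string, with no consecutive
# periods in the domain. The character class also rejects spaces, & and *; control
# characters and other oddities fall outside it too.
_ADDRESS_RE = re.compile(r"^[a-z0-9!#$%'+/=?^_`{|}~.-]+@[a-z0-9-]+(\.[a-z0-9-]+)+$")

# Keyed by address, never by client IP: proxies put thousands of users behind one IP.
_recent_requests = defaultdict(deque)


def normalize(address: str) -> str:
    """Trim and downcase before validating or storing, as the guide recommends."""
    return address.strip().lower()


def screen_address(address: str) -> Optional[str]:
    """Return a rejection reason for the web form, or None if a request may be sent."""
    addr = normalize(address)
    if ".." in addr or not _ADDRESS_RE.fullmatch(addr):
        return "invalid address format or characters"
    localpart, domain = addr.rsplit("@", 1)
    if localpart in ROLE_LOCALPARTS:
        return "role address; please register with your personal address"
    if addr in SUPPRESSED_ADDRESSES or domain in SUPPRESSED_DOMAINS:
        return "confirmation requests are suppressed for this address"
    return None


def allow_request(address: str, now: float) -> bool:
    """Sliding one-hour window per address, so the form cannot be used to mail-bomb."""
    window = _recent_requests[normalize(address)]
    while window and now - window[0] >= 3600:
        window.popleft()                      # drop timestamps older than an hour
    if len(window) >= MAX_REQUESTS_PER_HOUR:
        return False
    window.append(now)
    return True
```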

Email Technical Notes:

  1. Mail should be MIME (multipart alternative) with a plain text part and HTML part.
  2. The text version of the email should contain all of the text represented in the HTML version. It should not simply say “see the HTML version” or equivalent. Skimping on the text version will result in a higher spam score in some spam filters.
  3. These emails should be served from an IP address separate from others used to serve mail. This will assist you in getting this IP address whitelisted by major ISPs, and will help minimize any blacklisting.
  4. It is not a universally agreed upon process, but some sites have found success in re-serving the confirmation request email if the confirmation link is not clicked on within 24 to 48 hours.

Email Body/Subject Line Content:

  1. Overall design should be simple and clean. Don’t confuse recipients with giant fancy graphics that obscure the request for consent and verification.
  2. DO include a logo or other simple graphic identifier at the top of the email to help recipients quickly recognize the message from you.
  3. The important part of the email – the request for confirmation – should be clearly and cleanly visible “above the fold.” That is, it should be visible in the top few inches of the email message.
  4. The subject line and/or body of the message should clearly state that positive action (i.e. clicking on the link) is required to complete the signup/registration process.
  5. The body of the message should clearly state that by completing this registration the consumer will receive future emails.
  6. We recommend you include information that states that recipients may unsubscribe at any time.
  7. Sell yourself. Use bullet points to remind recipients of the incentive they will receive by completing the registration process. (“Don’t forget, by signing up, you’ll get our great deals newsletter every Wednesday!” Or, “to get your free widget, just complete your registration now by clicking on the link below!”)
  8. Don’t ask for anything other than confirmation in your message. If you have links leading anywhere else, you risk the possibility of your recipient following that link and never coming back to confirm their signup. Sometimes this may be okay, but if your main focus is list building, then allowing other links out of the email undermines your list building ability.
  9. The body of the message should contain the IP address, date/time, and time zone of the originating request. This will help ISPs and consumers track unwanted attempts at signup back to the real source of the abuse (i.e. not you). Bogus confirmation requests are annoying for both you and for the recipient – if you give the recipient the info needed to handle it, it helps deflect ire away from you.

Email Confirmation “Click Here” link:

  1. The opt-in link should not contain URL elements that computer savvy recipients can modify or rearrange to modify the result. In other words, if you can see an email address in a clickable URL, so can hackers, and they will abuse it to try to sign up other people.
    BAD URL: http://www.bluehornet.com/optin/ss/oi=doijohn7@mnjazz.com&action=signup
    (Contains the email address. Bad guys look at that and think, “can I game the system by feeding other email addresses into this URL?”)
    GOOD URL: http://www.bluehornet.com/optin/ss/oi=qqu3cz0qd9z0lxsedd4&zti=90 (Email address is encrypted and URL is no longer “hackable.”)
  2. Don’t embed the “click here” link behind an image. Some recipients will have images disabled and will not be able to click.
  3. Display the URL both as a hyperlink, and also write out the URL in the email body. This enables consumers to copy and paste the link into a web browser, in situations where their ISP blocks email links from being clickable.
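
Putting the technical, content and link guidance of the last three sections together: an added Python example (not code from the original guide or from BlueHornet) that builds the confirmation request as multipart/alternative with Python's email package. The sender address, URL base, wording and sample signup data are constructed values, and the token is assumed to be an opaque identifier generated server-side, so the recipient's address never appears in the link.

```python
import html
from datetime import datetime, timezone
from email.message import EmailMessage

# Constructed values for this example. The confirmation URL carries only an
# opaque token; the subscriber's address never appears in it.
FROM_ADDRESS = "newsletter@example.com"
CONFIRM_BASE = "https://www.example.com/optin/confirm?t="


def build_confirmation_request(to_address: str, token: str,
                               request_ip: str, requested_at: datetime) -> EmailMessage:
    """Build the opt-in confirmation request as multipart/alternative (text + HTML)."""
    url = CONFIRM_BASE + token
    when = requested_at.astimezone(timezone.utc).strftime("%Y-%m-%d %H:%M:%S %Z")
    # One set of paragraphs rendered twice, so the text part carries everything
    # the HTML part says. The request for confirmation comes first ("above the fold").
    paragraphs = [
        "Please confirm your subscription to the Example Deals newsletter.",
        "You must click the link below to complete your signup; nothing is sent "
        "until you do. By confirming you agree to receive our weekly deals email. "
        "You may unsubscribe at any time.",
        "Confirm here: " + url,
        "If the link is not clickable, copy and paste this address into your "
        "browser: " + url,
        f"This request was submitted from IP address {request_ip} on {when}. "
        "If you did not request it, ignore this message and you will not be subscribed.",
    ]
    text_body = "\n\n".join(paragraphs) + "\n"
    # HTML part: same wording; the link is a plain text anchor, not an image.
    anchor = f'<a href="{html.escape(url)}">{html.escape(url)}</a>'
    html_paragraphs = [html.escape(p).replace(html.escape(url), anchor) for p in paragraphs]
    html_body = ("<html><body><p><strong>Example Deals</strong></p>"   # simple identifier at top
                 + "".join(f"<p>{p}</p>" for p in html_paragraphs) + "</body></html>")
    msg = EmailMessage()
    msg["From"] = FROM_ADDRESS
    msg["To"] = to_address
    msg["Subject"] = "Action required: confirm your Example Deals subscription"
    msg.set_content(text_body)                      # text/plain part first
    msg.add_alternative(html_body, subtype="html")  # message becomes multipart/alternative
    return msg


def sample_request() -> EmailMessage:
    """Constructed sample signup, used to exercise the builder stand-alone."""
    return build_confirmation_request("recipient@example.net", "c7f1e0d2a9b4kq",
                                      "203.0.113.7",
                                      datetime(2006, 2, 14, 9, 30, tzinfo=timezone.utc))
```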

Tracking:

  1. Log all signup attempts to a database. Log the email address, other data collected, date and time, IP address, etc.
  2. When the consumer clicks on the confirmation link, also log the IP address and date and time. Sometimes this IP address will be different than the original, and this secondary data point will be very helpful when addressing allegations of abuse.
  3. Consider retiring unconfirmed database entries after a period of time. We expire incomplete records after 21 days. This will free up valuable database space. No anti-spam group or ISP has indicated that this data must be archived forever.
  4. Open detection of the confirmation email does not equal consent. Active, affirmative consent (and tracking that information) is what gives you the defense against spam complaints and blocking. “But they viewed the email” does not.
  5. After implementing the double opt-in process, do not ever short-circuit this process by allowing names to be added even if they did not confirm. That is at odds with the concept of email address verification. Those unconfirmed addresses will generate higher complaints, and you will not have sufficient data to prove to ISPs that these are recipients who really wanted your mail. 
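
The tracking rules above, together with the opaque-link rule from the previous section, as an added Python example that is not code from the original guide. It uses an in-memory dictionary as a stand-in for the signup database, Unix timestamps for date/time, and the guide's own 21-day retention for unconfirmed records; an open is logged but never treated as consent, and confirming does not overwrite the evidence from the first click.

```python
import secrets
from dataclasses import dataclass
from typing import Optional

PENDING_TTL = 21 * 86400   # seconds; the guide's own retention for unconfirmed records

@dataclass
class SignupRecord:   # one signup attempt; times are Unix timestamps (UTC)
    email: str
    requested_at: float
    request_ip: str
    confirmed_at: Optional[float] = None
    confirm_ip: Optional[str] = None
    opened_at: Optional[float] = None   # informational only; an open is never consent

class OptInStore:
    """In-memory stand-in for the signup database (constructed for this example)."""
    def __init__(self):
        self._by_token = {}

    def request(self, email: str, ip: str, now: float) -> str:
        # 160 random bits from the OS CSPRNG: the link reveals nothing about the
        # address and cannot be edited or rearranged to target another person.
        token = secrets.token_urlsafe(20)
        self._by_token[token] = SignupRecord(email.strip().lower(), now, ip)
        return token

    def record_open(self, token: str, now: float) -> None:
        if token in self._by_token:
            self._by_token[token].opened_at = now   # logged; confirmed_at stays None

    def confirm(self, token: str, ip: str, now: float) -> Optional[SignupRecord]:
        """The click is the consent event; log its IP and time as the second data point."""
        rec = self._by_token.get(token)
        if rec is None or now - rec.requested_at > PENDING_TTL:
            return None                   # unknown token, or request already too old
        if rec.confirmed_at is None:      # first click wins; keep the original evidence
            rec.confirmed_at, rec.confirm_ip = now, ip
        return rec

    def retire_unconfirmed(self, now: float) -> int:
        stale = [t for t, r in self._by_token.items()
                 if r.confirmed_at is None and now - r.requested_at > PENDING_TTL]
        for t in stale:
            del self._by_token[t]
        return len(stale)

    def confirmed_addresses(self) -> set:
        # The mailing list is built only from confirmed records, never short-circuited.
        return {r.email for r in self._by_token.values() if r.confirmed_at is not None}
```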

Email Reply Handling:

  1. There is no current industry agreed upon best practice as to how to handle replies to opt-in confirmation request emails.
  2. Our recommendation would be to have the replies be silently discarded. We have found the following: 99% of the replies are spam, viruses, misdirected bounces, and other garbage. The other 1% are primarily people who can’t figure out how to click on a link in an email. Those people will have a similar inability to click on links in your promo email, and are usually not considered to be a valuable target demographic.
  3. Responding to the From: or Reply-To: address SHOULD NOT confirm a subscription. This will result in spam/virus blowback accidentally confirming subscriptions. There are technical means you can take to minimize this, but we recommend that you avoid this issue simply and easily by not accepting emailed confirmations.
  4. Create an abuse mailbox. The standard address is abuse@yourcompany.com – this should be a valid, human-read mailbox that can receive requests for information or spam complaints regarding your opt-in confirmation emails. When receiving a complaint, have a standard reply that explains how your web form and double opt-in process work, and explain that a recipient will not be added to a list unless they click on the link. Be able to manually unsubscribe the person; this will come in handy when somebody reports the mail as spam even though they clicked on the confirmation link.