Even More on Confirmed Opt-in Best Practices

Down in the trenches, as it were, I see a lot of miscommunication and misdirection on the subject of confirmed opt-in/double opt-in. Here are some quick notes and thoughts spurred by recent discussion on various forums I participate in.

Confirmed opt-in and double opt-in both mean the following and only the following: A potential recipient submits an email address at a web page. This triggers a confirmation request email. No further emails are sent to the end recipient until and unless they take positive action to confirm the subscription in response to this confirmation request email. That means the person who received the confirmation message has to click on a link (or respond to a token, but I prefer the link method) to confirm the subscription. If they didn't do that, then you don't consider them opt-in, and you don't email them further.

Sometimes you have people doing the right thing but in the worst possible way. Don't be like Goofus and pound on unconfirmed recipients over and over and over, unless you like poor deliverability. A second confirmation request might be reasonable, but anything more and you're guaranteeing spam complaints against you. It defeats the whole purpose (improved deliverability) of doing the right thing.

If somebody uses the term confirmed opt-in to mean filling out a web form and receiving an email saying “Your subscription is confirmed. If this is incorrect, click here,” then they are mistaken. This isn't confirmed opt-in or double opt-in. It's a signup form with a welcome message. The welcome message lets the recipient opt-out if necessary, and that's great – but it's not confirming anything as far as the opt-in police (ISPs, blacklists, etc.) are concerned. I see a lot of confusion surrounding this and it's important to remember the following: It's not confirmed opt-in or double opt-in unless the recipient has to take that active step of clicking on a YES link or taking some other YES-affirming action.

Confirmed opt-in doesn't make it okay to buy/sell lists. If somebody offers to sell you a guaranteed double opt-in list that they've been compiling for years and it's super awesome and you'll get great response!!!, run for the hills. There's no way that people on this list know about you or expect to get your email. It might be totally legal, but it'll put you on the fast track to getting blocked by all the large ISPs. (And the list seller is probably lying about it being double opt-in, anyway.) (Looking for legit ways to build your list? Here's a previous article on the topic.) And if you're taking your confirmed opt-in list and selling it, everybody buying it is a sucker. All of those people are going to start sending to that list, diluting its value and driving high spam complaints. Regardless of how clear the opt-in was, people who send to a list like that are going to get blocked.

I spend lots of time working with clients undoing damage from co-reg lists, append lists, etc., because somebody told the client (before I was involved) that this list is guaranteed opt-in and it'll have a great match rate, everybody wants to hear from you, and it'll drive great response. So the client signs on the dotted line, some append vendor does a poor “opt-out introduction” email, then passes over any addresses that don't opt-out, and you never hear from the vendor again.

What happens next? The client's ability to deliver email begins to suffer, shortly after beginning to mail this fabulous new list segment. That's when they end up pulling me into the loop (because, of course, I'm awesome!) to figure out what went wrong. Fixing the problem inevitably boils down to jettisoning these “not direct opt-in” list segments. Save your money and avoid this in the first place.

There are best practices you can and should apply to confirmation emails just like you would for any other email you send.
  • HTML tends to work better (drive a higher confirmation completion rate) than text. My tests have always confirmed this. If you're not sure, test it for yourself.
  • Branding is important. Make sure people know that the message is from you. The from line, subject line, and header in the email should all clearly refer to the sender. A logo is an excellent idea, but also make sure the email degrades gracefully if images are blocked by the recipient.
  • The opt-in process should be nothing more than a simple, easy-to-click hyperlink. Nothing fancy, no captchas, no “enter a code,” etc. (But make sure that link can't be spoofed to opt in a different recipient.)
  • Include clear wording that says what the person is signing up for, how often you're going to send them emails, and how they can unsubscribe from the list if/when they change their mind.
  • Include information about the source of the opt-in request. The IP address from where the web form submit occurred, and the date/time (with time zone) are necessary bits of data to include. (You're tracking this already, right? If not, uh oh.) What this does is it allows people who get forged subscription requests to hunt down the source ISP on their own and leave you alone. Anti-spam groups really like this step.
  • Short and sweet is the key. If it takes a three page email to explain why people want to opt-in or how to confirm, then you're doing something wrong. Recipients' eyes will glaze over and your confirmation rate will suffer. You should be able to fit the key messages of why to opt-in, how to opt-in, and anything else you want to convey, in just a few inches of email space.
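
One way to build a confirmation link that can't be altered to opt in a different address, and that carries the source IP and timestamp the message should show. This is an added example, not code from the original post; the key, field names, seven-day lifetime and function names are all assumptions.

```python
import base64
import hashlib
import hmac
import json
import time
from datetime import datetime, timezone

SECRET = b"constructed-demo-key"   # assumption: real key lives in a secret store
TOKEN_TTL = 7 * 24 * 3600          # assumption: unconfirmed requests lapse after 7 days

def b64e(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64d(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def make_token(email, list_id, source_ip, now=None):
    """Bind address, list, form-submit IP and time into one signed token."""
    claims = {"e": email.strip().lower(), "l": list_id, "ip": source_ip,
              "t": int(time.time() if now is None else now)}
    payload = json.dumps(claims, sort_keys=True, separators=(",", ":")).encode()
    sig = hmac.new(SECRET, payload, hashlib.sha256).digest()
    return b64e(payload) + "." + b64e(sig)

def verify_token(token, now=None):
    """Return the signed claims, or None if forged, altered or expired."""
    try:
        p64, s64 = token.split(".")
        payload, sig = b64d(p64), b64d(s64)
    except ValueError:             # wrong shape or bad base64
        return None
    expected = hmac.new(SECRET, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):   # constant-time comparison
        return None
    claims = json.loads(payload)   # parsed only after the signature checks out
    current = int(time.time() if now is None else now)
    if current - claims["t"] > TOKEN_TTL:
        return None
    return claims

def source_notice(claims):
    """Line for the confirmation email: where and when the request came from."""
    when = datetime.fromtimestamp(claims["t"], tz=timezone.utc)
    return f"Requested from {claims['ip']} at {when:%Y-%m-%d %H:%M:%S} UTC"
```

The confirm handler subscribes only the address inside the verified claims, never one taken from a separate URL parameter.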

You will find that none of this is a 100% guarantee against blacklisting. Sadly, there are some people who will attack you, even though you're doing COI/DOI, just because they don't like you, or they don't like that somebody forged their address, or that your email contains HTML. Ignore them and do the right thing regardless. Why? Because the smart anti-spam folks who control the keys to the inbox at the large ISPs have significantly fewer issues with folks who run confirmed opt-in/double opt-in. If you do it and stick to it, you'll get blocked much less often and have a strong message to convey to any anti-spam group or ISP who takes issue with you.

And finally, DON'T LIE! If I had a nickel for every time somebody lied to me about a list being confirmed opt-in, I'd be a rich man. How stupid do you think ISPs are? They can instantly tell when you're hitting spamtraps, when too many of your mail attempts bounce, and when your mail generates too many complaints. Just because some ISPs provide data on this back to you doesn't mean it'll help you evade their filters and processes. Trust me, I've met most of these ISP guys, and they're smarter than both me and you.


  1. This comment has been removed by the author.

  2. Unfortunately, you couldn't be more wrong. There are many of us who have been actively pushing senders to utilize double opt-in/confirmed opt-in for many years, and the use of the term double opt-in is not a negative indicator of intent, and hasn't been for many years.

    The proper term -- as used by people who send email -- is double opt-in.

    The choice of technical term used by some anti-spam advocates is confirmed opt-in. Before that it was "closed loop opt-in." Sometimes it was called "verified opt-in."

    Those that cling tenaciously to these terms and get mad when people use a term they don't like are often part of the problem, not part of the solution.

    I hope you'll consider broadening your horizons to focus more on what people are doing correctly (or incorrectly) instead of getting hung up on semantics.

  3. Nice post. I agree with it.


Comments policy: Al is always right. Kidding, mostly. Be polite, please and thank you.