Even More on Confirmed Opt-in Best Practices

Down in the trenches, as it were, I see a lot of miscommunication and misdirection on the subject of confirmed opt-in/double opt-in. Here are some quick notes and thoughts, spurred by recent discussion on various forums I participate in.

Confirmed opt-in and double opt-in both mean the following and only the following: A potential recipient submits an email address at a web page. This triggers a confirmation request email. No further emails are sent to the end recipient until and unless they take positive action to confirm the subscription in response to this confirmation request email. That means the person who received the confirmation message has to click on a link (or respond to a token, but I prefer the link method) to confirm the subscription. If they didn't do that, then you don't consider them opt-in, and you don't email them further.

Sometimes you have people doing the right thing but in the worst possible way. Don't be like Goofus and pound on unconfirmed recipients over and over and over, unless you like poor deliverability. A second confirmation request might be reasonable, but anything more and you're guaranteeing spam complaints against you. It defeats the whole purpose (improved deliverability) of doing the right thing.

If somebody uses the term confirmed opt-in to mean filling out a web form and receiving an email saying “Your subscription is confirmed. If this is incorrect, click here,” then they are mistaken. This isn't confirmed opt-in or double opt-in. It's a signup form with a welcome message. The welcome message lets the recipient opt-out if necessary, and that's great – but it's not confirming anything as far as the opt-in police (ISPs, blacklists, etc.) are concerned. I see a lot of confusion surrounding this and it's important to remember the following: It's not confirmed opt-in or double opt-in unless the recipient has to take that active step of clicking on a YES link or taking some other YES-affirming action.

Confirmed opt-in doesn't make it okay to buy/sell lists. If somebody offers to sell you a guaranteed double opt-in list that they've been compiling for years and it's super awesome and you'll get great response!!!, run for the hills. There's no way that people on this list know about you or expect to get your email. It might be totally legal, but it'll put you on the fast track to getting blocked by all the large ISPs. (And the list seller is probably lying about it being double opt-in, anyway.) (Looking for legit ways to build your list? Here's a previous article on the topic.) And if you're taking your confirmed opt-in list and selling it, everybody buying it is a sucker. All of those people are going to start sending to that list, diluting its value and driving high spam complaints. Regardless of how clear the opt-in was, people who send to a list like that are going to get blocked.

I spend lots of time working with clients undoing damage from co-reg lists, append lists, etc., because somebody told the client (before I was involved) that this list is guaranteed opt-in and it'll have a great match rate, everybody wants to hear from you, and it'll drive great response. So the client signs on the dotted line, some append vendor does a poor “opt-out introduction” email, then passes over any addresses that don't opt-out, and you never hear from the vendor again.

What happens next? The client's ability to deliver email begins to suffer, shortly after beginning to mail this fabulous new list segment. That's when they end up pulling me into the loop (because, of course, I'm awesome!) to figure out what went wrong. Fixing the problem inevitably boils down to jettisoning these “not direct opt-in” list segments. Save your money and avoid this in the first place.

There are best practices you can and should apply to confirmation emails just like you would for any other email you send.
  • HTML tends to work better (drive a higher confirmation completion rate) than text. My tests have always confirmed this. If you're not sure, test it for yourself.
  • Branding is important. Make sure people know that the message is from you. The from line, subject line, and header in the email should all clearly refer to the sender. A logo is an excellent idea, but also make sure the email degrades gracefully if images are blocked by the recipient.
  • The opt-in process should be nothing more than a simple, easy-to-click hyperlink. Nothing fancy, no captchas, no enter a code, etc. (But make sure that link can't be spoofed to opt-in a different recipient.)
  • Include clear wording that says what the person is signing up for, how often you're going to send them emails, and how they can unsubscribe from the list if/when they change their mind.
  • Include information about the source of the opt-in request. The IP address from where the web form submit occurred, and the date/time (with time zone) are necessary bits of data to include. (You're tracking this already, right? If not, uh oh.) What this does is it allows people who get forged subscription requests to hunt down the source ISP on their own and leave you alone. Anti-spam groups really like this step.
  • Short and sweet is the key. If it takes a three page email to explain why people want to opt-in or how to confirm, then you're doing something wrong. Recipients' eyes will glaze over and your confirmation rate will suffer. You should be able to fit the key messages of why to opt-in, how to opt-in, and anything else you want to convey, in just a few inches of email space.
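
One way to meet the requirement above that the confirmation link can't be spoofed to opt in a different recipient, as an added example (not code from the original post): the link carries an HMAC over the address, list, and issue time, so altering any of them invalidates it. The key, URL, parameter names, seven-day expiry, and function names are assumptions; the two-request cap follows the post's advice on reminders.

```python
import base64
import hashlib
import hmac
import json
import time
from urllib.parse import parse_qs, urlencode, urlparse

# Assumptions for this sketch: the key, URL, and limits below are constructed values.
SECRET_KEY = b"constructed-demo-key"        # server-side only; load from a secret store
CONFIRM_URL = "https://lists.example.com/confirm"
MAX_AGE_SECONDS = 7 * 24 * 3600             # stale links no longer confirm anything
MAX_REQUESTS = 2                            # first request plus one reminder, then stop


def _signature(email, list_id, issued):
    # JSON-encode the fields so their boundaries are unambiguous, then MAC them.
    msg = json.dumps([email.lower(), list_id, issued]).encode()
    digest = hmac.new(SECRET_KEY, msg, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode()


def confirmation_link(email, list_id, now=None):
    """Build the one-click YES link for a pending signup."""
    issued = int(time.time() if now is None else now)
    params = {"e": email, "l": list_id, "t": issued,
              "s": _signature(email, list_id, issued)}
    return f"{CONFIRM_URL}?{urlencode(params)}"


def verify_link(url, now=None):
    """Return (email, list_id) if the link is genuine and fresh, else None."""
    query = parse_qs(urlparse(url).query)
    try:
        email, list_id = query["e"][0], query["l"][0]
        issued, sig = int(query["t"][0]), query["s"][0]
    except (KeyError, ValueError):
        return None
    expected = _signature(email, list_id, issued)
    if not hmac.compare_digest(sig.encode(), expected.encode()):
        return None                          # address, list, or timestamp was altered
    age = (time.time() if now is None else now) - issued
    if not 0 <= age <= MAX_AGE_SECONDS:
        return None
    return email.lower(), list_id


def may_send_request(requests_already_sent):
    """Cap confirmation requests so unconfirmed signups are dropped, not nagged."""
    return requests_already_sent < MAX_REQUESTS
```

Only mark the address as opted in when `verify_link` returns a value, and check `may_send_request` before queuing any reminder.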

You will find that none of this is a 100% guarantee against blacklisting. Sadly, there are some people who will attack you, even though you're doing COI/DOI just because they don't like you, or they don't like that somebody forged their address, or that your email contains HTML. Ignore them and do the right thing regardless. Why? Because the smart anti-spam folks who control the keys to the inbox at the large ISPs have significantly fewer issues with folks who run confirmed opt-in/double opt-in. If you do it and stick to it, you'll get blocked much less often and have a strong message to convey to any anti-spam group or ISP who takes issue with you.

And finally, DON'T LIE! If I had a nickel for every time somebody lied to me about a list being confirmed opt-in, I'd be a rich man. How stupid do you think ISPs are? They can instantly tell when you're hitting spamtraps, when too much of your mail attempts bounce, and when your mail generates too many complaints. Just because some ISPs provide data on this back to you doesn't mean it'll help you evade their filters and processes. Trust me, I've met most of these ISP guys, and they're smarter than both me and you.

Know when to quit!

I sign up for hundreds upon hundreds of lists. I maintain multiple "hamtraps," collections of received mail that I actually asked for. So it's not spam, but sometimes the line gets a little blurred.

Take, for example, a random veterans affairs site. In April I signed up on their site, but never completed registration.

In the past thirty days, they've sent me five requests to complete my registration. They may have sent me more requests to complete; I don't know, because Gmail claims to empty out my spam folder every thirty days.

Yup, they're going to the spam folder at Gmail.

I have some idea why. It's for something they did. Or rather, something they won't do: They won't let go.

If you keep sending mail to unconfirmed signups every week, you're driving people nuts. People who don't want your mail, so they're reporting it as spam every single time. People who didn't complete because they don't want to complete. Maybe sending them a second nudge to complete was OK, but five is far beyond what I'd call an acceptable best practice.

Is it legal? Absolutely. Is it blockable? Absolutely. It wouldn't surprise me to find that they were having delivery issues at other ISPs, not just Gmail. ISPs, especially the big dogs (AOL, Yahoo, Hotmail) do not take kindly to senders who generate complaints, and it seems very likely that this practice does exactly that.

If you want to be a good sender, confirming your list is great. Asking people to complete their registration is fine. But stop and think: What is reasonable? Five requests (so far, I might add) is overkill. The whole point of confirming is to validate them as a user, counting them as engaged, knowing they want your mail. It's silly, and damaging, to keep nudging people over and over and over, if they're clearly choosing not to join this group.

As a sender, you greatly improve your deliverability by jettisoning non-responders. If you keep pinging them repeatedly, you're denying yourself the benefit of this process, and ensuring that ISPs are going to block your mail.

Not smart.

Vonage did WHAT?

This has been making the rounds in the blogosphere these past few days: Vonage is taking months/years old addresses, submitted ONLY for a forward-to-a-friend promotion, and sending advertising to those people years later.

If true, it violates all best practice guidelines for appropriate email marketing.

If true, it's questionably legal.

The worst/best part is that the emails Vonage sent claim to be new referrals, saying "Andy Sernowitz asked us to tell you..." even though Andy Sernowitz apparently hasn't asked Vonage to do this in many, many months.

Psst, Vonage? Ever heard of Jumpstart? If not, I suspect you will be learning more about that particular FTC action soon enough.

Opt-in vs. Relevancy

I spoke at both INBOX and Internet Retailer recently, and at both events heard smart marketers ask, "Why do readers unsubscribe, ignore or complain about my emails? They opted-in!"

-- Stephanie Miller from Return Path. Worth reading.

I'd like to extend Stephanie's argument from senders to receivers and question whether permission is as relevant as it once was in terms of how ISPs, filters, and blacklists determine whether or not to block mail.

-- Matt Blumberg from Return Path keeps the discussion going.

My two cents to add here is simply this (very brief, as I'm on an awful keyboard): Permission still matters. Opt-in still matters. ISPs define spam as mail their users don't want, and if you don't have permission, you're clearly sending mail users don't want. Spam complaint data shows a clear correlation: Mail that isn't opt-in gets you much higher spam complaints than mail that is opt-in.

The RP folks raise great, valid points though, in that opt-in isn't good enough. You can be all 100% opt-in, and still have very poor delivery, spam foldering, and blocking, because you're still not sending users mail they want. That's why even with opt-in permission, or even 100% confirmed opt-in/double opt-in, you don't get a "get out of jail free" card directing your mail straight to the inbox.

That's why relevancy matters, too.

Spamming That New Account

Q: How long does it take a new Gmail account to get spam?
A: In my case, one day.

May 26: Create account. Address has never been given out to anyone.
May 27: Receive weird spam in Chinese.

Q: How long does it take for an address, published on the web, to be harvested?
A: In my case, two days.

May 26: Create email address at (non-webmail) domain. Post address on one website.
May 28: Receive weight loss spam and fraudulent lottery notifications, to that address only. And fourteen spams since.

Greetings from San Jose

Greetings from the San Jose airport, where I am waiting to fly home after attending the INBOX Event. I was there to participate in a panel on deliverability and authentication, along with my good friend Morgan Witt from BlueHornet.

The highlight for me was Patrick Peterson from Ironport. He spent an hour detailing the nefarious things spam gangs are up to. He laid out the details of their investigation into a single spammer's operation over a two week period, covering about twenty billion pharma spams (wow), where they lead, and how they trace back to the same sender. Lots of what happens with credit cards, merchant accounts, do the spammers actually ship the promised pills, etc. Very insightful.