CAN-SPAM is here

The new U.S. anti-spam law ("CAN-SPAM") is here to stay. It's a compromise law, that really won't make anybody happy on either side of the equation. People who send mail, even non-spammers, will find that it enacts some (fairly mild) restrictions on what they can do. Anti-spam advocates will note it lacks a private right of action, and service providers are the only private entities allowed to sue.

Click here for a copy of the law. Read it through, and make yourself familiar with it.

If you send mail, opt-in or not, especially if you think you send opt-in mail but some places block/filter/reject it, keep this in mind: CAN-SPAM does not give you legal recourse to stop sites from blocking your mail. If you think an ISP has to accept your mail because you comply with CAN-SPAM, then you didn't read section 8:

Nothing in this Act shall be construed to have any effect on the lawfulness or unlawfulness, under any other provision of law, of the adoption, implementation, or enforcement by a provider of Internet access service of a policy of declining to transmit, route, relay, handle, or store certain types of electronic mail messages.

In other words, just because your mail is legal doesn't mean ISPs are forced to accept it. I interpret section 8(c) generally to mean that ISPs are allowed to set policies with regard to what mail they'll accept or transmit. If you're a mailer, that means ISPs can block you if they so desire, based on whatever policy they have in place.

If you're an ISP and are concerned about being able to terminate a spamming client even though their mail complies with CAN-SPAM, this is easy to address. Make sure you have a contract that forbids bulk unsolicited mailings. Don't use the word "spam" or you get stuck in an argument about what spam is or isn't. Make it clear that if you have proof they're sending mail to recipients without direct, verifiable consent from those recipients, you are able to break the contract. This would be your policy of declining to transmit certain types of electronic mail messages from your network.

I'm not a lawyer. If you think the law is going to affect you, go get a lawyer and have them review the law with you. Beware the marketing consultants spreading FUD (Fear, Uncertainty, Doubt) about the new law. A lot of it is questionable advice. Keep in mind that if you're a mailer already doing things right, the impact on you is going to be minimal.

Double Opt-in/Confirmed Opt-in

Different names for the same practice.

Whether you call it closed-loop opt-in, confirmed opt-in, verified opt-in or double opt-in, you're generally referring to an email address verification process used to validate an email address before adding it to an electronic mailing list. Double opt-in is something of a misnomer, because it's not a second opt-in; it's address verification. However, what you call it is less important than whether or not you employ it. (For more about the terminology argument, head on over to Pan Am Internet's excellent page on the issue.)

Why should you do it?

You do it to prevent forgeries. The process nearly eliminates spam complaints, and any you do receive can usually be easily disproved.

It can also ensure better deliverability. If you send email, you know how many spam filters (both good and bad) there are out there. They will filter or block even confirmed opt-in email. Why they do is a whole other issue, but if you can demonstrate that you correctly utilize double opt-in, you can get whitelisted by various spam filtering organizations and companies.

How does it work?

Generally, it starts with a web form. A potential recipient will sign up for emails by entering their email address into your form and clicking the submit button. What happens next is they are sent a confirmation request email. In that email, there is a unique coded URL that the recipient clicks on to verify their identity. If the recipient does NOT click on the URL, nothing happens. They are not added to your list, and you don't email them again.

If you decide to implement this process on your own, make sure you keep records of all the opt-in requests and completions: IP addresses, opt-in codes, timestamps, etc. Also, make sure your confirmation method can't be spoofed. Any validation URLs should carry a coded token, not a plain URL that contains the person's email address. For an example of how the process works, click here for a demo I've created.
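The two-step process described above, written out as an added example (my own illustration, not the demo linked from this page): a form submission only creates a pending request with a random token, the address is subscribed only when that exact token is visited, and every request and confirmation is logged with its IP and time so a later complaint can be answered. The class name, the token lifetime and the URL layout are assumptions.

```python
import secrets
import time


class ConfirmedOptIn:
    """Confirmed (closed-loop) opt-in: an address joins the list only after
    the recipient visits the unique URL that was e-mailed to that address."""

    def __init__(self, base_url, ttl_seconds=7 * 24 * 3600):
        self.base_url = base_url
        self.ttl = ttl_seconds      # unconfirmed requests expire after this (assumed)
        self.pending = {}           # token -> request record
        self.subscribed = {}        # email -> confirmation record
        self.audit = []             # who asked, from where, and what happened

    def request(self, email, ip, now=None):
        """Step 1: the web form was submitted. Nothing is subscribed yet."""
        now = time.time() if now is None else now
        # 128 bits from the OS CSPRNG: unguessable and unrelated to the address,
        # so a forged or guessed URL cannot confirm someone else's address
        # (a coded URL, not a plain URL that contains the e-mail address).
        token = secrets.token_urlsafe(16)
        self.pending[token] = {"email": email, "request_ip": ip, "requested_at": now}
        self.audit.append(("request", email, ip, token, now))
        return f"{self.base_url}/confirm?c={token}"   # goes into the confirmation mail

    def confirm(self, token, ip, now=None):
        """Step 2: the recipient clicked the link. True only for a valid,
        unexpired, unused token; any other hit changes nothing."""
        now = time.time() if now is None else now
        rec = self.pending.get(token)
        if rec is None:
            self.audit.append(("confirm-unknown", None, ip, token, now))
            return False
        del self.pending[token]     # single use: a replayed link does nothing
        if now - rec["requested_at"] > self.ttl:
            self.audit.append(("confirm-expired", rec["email"], ip, token, now))
            return False
        self.subscribed[rec["email"]] = {**rec, "confirm_ip": ip, "confirmed_at": now}
        self.audit.append(("confirm", rec["email"], ip, token, now))
        return True

    def is_subscribed(self, email):
        return email in self.subscribed

    def evidence(self, email):
        """Records to answer a spam complaint: request and confirmation IPs
        and timestamps for this address, or None if it was never confirmed."""
        return self.subscribed.get(email)
```

An address someone else typed into the form never reaches the list, because the only party who can visit the token URL is whoever reads that mailbox.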

Links to info and commentary on double opt-in/confirmed opt-in.

From - March 6, 2001 by Mark Brownlow. Overall, a good article, though it contains a technical error. Mark claims that double opt-in can't prevent forged subscriptions, which is incorrect. It's only a poor implementation of the process which would have this problem.

From's guide to list management and spam issues, here's a quick and simple definition of what double opt-in/closed-loop is and why you should do it.

From Network World - February 19, 2001. Mark Gibbs explains what it is and why you should do it. Why is it important to prevent forgeries? He explains.

Lyris provides software and services to companies who both send and receive email. They point out that double opt-in is the way to go if you don't want to get blocked by the various anti-spam groups.

Marketing consultant Gary North explains that double opt-in is "an internet rule against spamming." I agree; it definitely helps. has a very compelling reason why double opt-in/confirmed opt-in is a good practice: It'll keep you out of jail. While phrased whimsically, there's some truth to that. With all the US state anti-spam laws in place, are you sure you're in compliance with all of them? Most require a prior business relationship as a bare minimum to allow you to send someone an advertisement via electronic mail. Is a business relationship established when somebody else forges that recipient's address into your form? That's not clearly defined, and I wouldn't want to bet on it.

Problems with Spamcop

(Note: This is out of date. Click here for a much more up-to-date commentary from me about Spamcop.)

Think long and hard about what spam filtering/blocking systems you utilize, especially if you have users that care about what mail they receive.

I run a bunch of closed-loop opt-in systems for my employer. Periodically Spamcop somehow decides that one of the systems is a source of spam, even though it isn't.

The server, at, has been listed at least 3 times in April and May 2003. Check for yourself here. (I've archived the source locally for reference in case the info goes away.)

The first time it happened, I talked to about 20 different site admins. I got a wide variety of replies. Some were kind enough to whitelist the IP or domain. Some actually didn't realize that Spamcop misfired like that, and discontinued their use of the Spamcop blacklist.

Sadly, a couple of the replies showed that some people just don't understand how it works. Here's an excerpt from one of the replies from a medium-sized ISP.
The reason your [sic] are being listed on SpamCop is because a lot of your recipients deem your mailing as unsolicited. Unsolicited means that the recipient has not granted verifiable permission for the message to be sent. Bulk means that the message is sent as part of a larger collection of messages, all having substantively identical content.
The problem, I explained, is that you gain verifiable permission through the use of a confirmed opt-in process, aka closed-loop, aka double opt-in. And that's what this server does. None of the stated metrics apply here; the original listing resulted from two spam complaints, both of which were erroneous. "Two" is a poor guess at bulk.

Spamcop tries to guess if a site is sending spam based on a metric measured by how much of the server's mail is reported as spam. Here's why that doesn't work.
  1. Invalid reports. I've worked in a spam prevention capacity for various companies and on various anti-spam group projects. From way back to when I started the RRSS relay blocking list, our biggest problem was people sending in incorrect reports. Intentionally or not, people sent in things that weren't really spam, weren't really relays, sent in the same report over and over, and even faked headers to try to get us to block sites. The lesson here is that unsubstantiated complaints are a worthless measure alone. They need to be coupled with expertise, insight, and investigation by the blocking list operator. That is NOT the case with Spamcop; it's purely complaint driven. There is no manual oversight before a listing takes place.
  2. Spamcop's measurements are invalid. In our case, 2 complaints were measured against 179 total pieces of mail over the previous 7 days. That's approximately a 1.1% complaint ratio, and if that were correct, it would be high. The problem is that it's not correct. The server had served approximately 10,000 subscription confirmations in just the previous 12 hours, and handled somewhere around 70,000 subscription confirmations in the past 7 days. You come out with a vastly different metric in that instance.
  3. Metrics are a poor indicator of poor practices. If you say that you have to have a 2% complaint ratio before you take action against a spamming client, you're saying that you'll let them spam forever as long as they stay under the radar. What's more important is this question: What does the complaint, and your investigation, reveal? In my job, I regularly take action with clients to resolve their problems way before any sort of metric is hit. If I get one complaint about somebody and that complaint shows me that they're doing something against best practices, then it's in my best interest to fix it or make it stop. Obviously this varies under different circumstances.
My specific problem with lists like Spamcop is that they take bad measurements and try to sell them as good. If you want to use the list to block mail, that's your right. You can block all mails containing the letter "h" if you want. However, just like any other choice, the more you know about it, the better able you are to make an informed decision.

MonsterHut in the News

THIS is a PDF of a judge's order regarding a lawsuit in the State of New York against a company named MonsterHut, alleging that they're spammers. It is dated Jan 6, 2003 (not 2002 as it incorrectly says in a couple of places).

Buying dirty lists doesn't pay

I was quoted in the August 28th, 2001 SpamCon Foundation newsletter, where I shared my experiences relating to spam complaints and ROI on purchased mailing lists. More >>

Selling your e-mail address for fun and profit

Michael Rathbun runs, and started noticing lots of attempts to deliver mail to an invalid email address there. Follow the travels of Nadine, as various companies share and spread this address around, with no apparent care for permission or verification. More >>