Confirmed Opt-In: An Old Topic Resurrected

Looking back through my archives it’s been about 4 years or so since I wrote about confirmed opt in. The last post was how COI wasn’t important, but making sure you were reaching the right person was important. Of course, I’ve also written about confirmed opt-in in general and how it was a tool somewhat akin to a sledgehammer. I’m inspired to write about it today because it’s been a topic of discussion on multiple mailing lists today and I’ve already written a bunch about it (cut-n-paste-n-edit blog post! win!).

Confirmed opt-in is the process where you send an email to a recipient and ask them to click on a link to confirm they want the mail. It’s also called double opt-in, although there are some folks who think that’s “spammer” terminology. It’s not, but that’s a story for another day. The question we were discussing was what to do with the addresses that don’t click. Can you email them? Should you email them? Is there still value in them?

We have to treat the addresses as a non-homogenous pool. There are a lot of reasons confirmation links don’t get clicked.

  • Some recipients aren’t going to click because they really don’t want the mail  and the extra step is too much effort. If the mail had just shown up they might read it, might even engage with it, but don’t want to actually have to make an effort to engage with the confirmation.
  • Some recipients aren’t going to click because they’ve already gotten what they want, like access to a website or a white paper or free download.
  • Some recipients aren’t going to click because they aren’t your customer. Someone used their email address to sign up and they sincerely do not want the mail.
  • Some recipients aren’t going to click because they never saw the mail. It may have gone to bulk, they may have not recognized the subject line and just deleted it, it may have ended up dropped on the floor. Whatever happened, it wasn’t seen by the recipient.
  • Some recipients aren’t going to click because there is no recipient. Sure, the mail is accepted by the receiving mail server, but the user never logs in, or it’s a spamtrap.

There is some value in the pool, but statistically, some of that value is negative. Each company needs to do their own risk analysis and determine what best to do with these addresses.

Different subscription techniques are going to generate different subscriber pools. Those different pools are going to have different risk profiles. Some subscription processes will generate more of one type of subscriber than another. That means the risk of mailing users who didn’t click on the link is going to vary depending on the pool.

Lots of “no recipients” on the list means sending followups is high risk. Lots of non-customers on the list, ditto. But if the pool is lots of people who can’t be bothered or missed the email the first time? That’s probably OK to mail once or twice.

Details matter.

Overall, the entire goal here is to get a list of email addresses that are owned by people who want mail from you. There are two parts to that: identity and permission. The identity part is tying the email address to the person who is your customers / subscriber / lottery winner / potential future customer who wants to know what you sell. The permission part is discovering if they want mail from you.

Traditional COI combines the identity and permission piece into one step. Send the person a mail and ask for permission to mail them more email. That covers the identity and the permission – if the person clicks you have both. But there are other ways to prove identity and there are other ways to gauge permission.



  1. Moliverabililty says

    Hi Laura,

    Regarding “no-recipients” and people who can’t be bothered, how would one differentiate if the emails are successfully accepted? The scenario I propose is no bounces, no opens/clicks/unsubs, nothing to tell you one has engaged with the mail.

    To me, between 1-3 times is risk with it going up the more times you send. I would rather not take a risk full stop in the hope there is some win.

    1. laura says

      There isn’t really a way to distinguish between “no-recipients” and people who can’t be bothered. But they’re different categories of recipients, so it’s relevant to discuss them.

      This kind of risk is really specific to each business. It’s a tool, with benefits and limitations. Understanding those benefits and limitations is a big part of knowing when and how to use that tool.

  2. Darron Wyke says

    “It’s also called double opt-in, although there are some folks who think that’s “spammer” terminology.”
    That’s because it is. You never have to opt-in twice, just once. COI or VOI are both legitimate terms; DOI is not. If you sign up for a mailing list, then confirm or verify your subscription, guess where that leads to…

    >Some recipients aren’t going to click because they really don’t want the mail and the extra step is too much effort.
    That’s a risk you’re going to have to take.

    >Some recipients aren’t going to click because they’ve already gotten what they want
    That’s a risk you’re going to have to take. If you require someone to sign up for a mailing list to get something, like a download, well, it’s a bit scummy IMO, but if they don’t confirm that’s your loss.

    >Some recipients aren’t going to click because they aren’t your customer.
    And this is good, because if you emailed them you *would* be a spammer by nearly all definitions. This is one of the things that COI/VOI works and protects.

    >Some recipients aren’t going to click because they never saw the mail.
    That’s a risk you’re going to have to take. If you’re ending up in spam, you’re either sending out an email that looks like spam (at which point you need to fix that), or you’re sending from a location that has a low reputation — usually due to openly sending spam. Both of which are fixable by you.

    >Some recipients aren’t going to click because there is no recipient.
    And again, that’s a risk you’re going to have to take.

  3. Mickey says

    Ah. “That’s a risk you’re going to have to take.”

    The thing about it, as with most “security vs user experience” issues is that it’s NOT a risk that you’re GOING TO HAVE to take. Rather, it’s a decision that has to be made. Some companies will decide one way and others will decide another after making a risk assessment where one of the factors will absolutely be “how much does this affect the user experience?”

  4. Darron Wyke says

    Except, Mickey, it is a risk you have to take. That risk is that you’re going to give something up and get nothing in return. That’s part of the marketing game.

    If you choose to start spamming because you didn’t want to tarnish user experience, or because the benefits outweighed the risk, it’s no different than a company that figures that paying off lawsuits and claims is cheaper than stopping production. See: Bhopal, India after Union Carbide.

    At that point, you’re taking a position that’s not only morally and ethically bankrupt, but also typically legally bankrupt, in favor of a better hit rate.

  5. Mickey says

    Darron, it’s actually quite a bit different than choosing to pay off lawsuits and claims rather than retool for safety issues. The biggest difference is that no one’s life is at stake (cf. Bhopal).

    There’s always a risk involved in making business decisions. That’s really what Laura’s post is about: Outlining the reasons why someone would choose not to click a confirmation link so that a proper risk assessment could be made.

    What you appear to be saying is “There is no other way but this way.” The honest truth is that for the vast majority of marketers in the world today, that statement rings hollow both in theory and in experience.

    I constantly deal with clients who are using full COI/VOI/DOI-with-a-cherry-on-top who still suffer from spam complaints and who still hit spamtraps with regular traffic (i.e.: not just confirmation requests). I’m absolutely certain that Laura deals with such clients on a far more regular basis than I do.

    There are other ways to verify that the person sitting behind the keyboard is the person who is making the request than COI/VOI. Making the decision as to what works best (both the standpoints of UX and securing-the-mailstream) in a particular circumstance is what the risk analysis is all about.

  6. Darron Wyke says

    Of course there’s more than the way I outlined. There’s the way that violates ethics, morals, and in many juridictions, the law.

    If they’re using full COI/VOI, then the amounts of times they hit spamtraps and more should be miniscule. Either they’re still sending to an email, after getting permission, that’s been repurposed into a spamtrap (in which case, shame on the spamtrap owner for not purging legitimate traffic out), or they’re mailing repeatedly to a spamtrap without verifying the subscriber. A single email with a request to subscribe isn’t spam. If you repeatedly email them informing them of their request to subscribe (nagging), that’s spam.

    The latter can easily be avoided by culling old addresses that haven’t subscribed. If within X days an address hasn’t confirmed, remove them from the list. Periodically asking people to confirm their interest is also good, and putting them in a ‘hold’ list until they do re-confirm their subscription is also a good idea.

    Having proper COI/VOI isn’t going to guarantee that you’re not going to get complaints. You will. But when a complaint comes in from your host, you can provide proof that yes, you did collect consent, and it should include some specific metadata to give credence to your claim — such as IP, time, browser, etc. As a network operator, if I receive a complaint from someone that accuses you of spamming, I will ask for proof of COI/VOI. If your response is simply ‘they confirmed’, I’m going to ask for proof. If you can’t provide proof, I’m killing your access.

  7. Al Iverson says

    Your network, your rules, of course. But an anecdote — i.e. how you do things — is not the same as data — i.e. Mickey’s truth that your way doesn’t match the most common ways.


Your email address will not be published. Required fields are marked *

  • Indictments in Yahoo data breach

    Today the US government unsealed an indictment against 2 Russian agents and 2 hackers for breaking into Yahoo's servers and stealing personal information. The information gathered during the hack was used to target government officials, security employees and private individuals. Email is so central to our online identity. Compromise an email account and you can get access to social media, and other accounts. Email is the key to the kingdom.No Comments

  • Blogging

    It's been a wild week here in the US. I have to admit, the current political climate is affecting my ability to blog about email. I've always said email is not life or death. And how can I focus on the minutia of deliverability when things are in such turmoil and uncertainty? There are many things I want to write about, including some resources for those of us who are struggling with the current administration and changes in the US. What we can do. What we must do.  It just takes work and focus I don't have right now.    1 Comment

  • Email trends for 2017

    Freshmail has published a list of email marketing trends for 2017 from some of their favorite experts. I am honored to be included. Go check it out!No Comments