Confirmed Opt-In: An Old Topic Resurrected


Looking back through my archives it’s been about 4 years or so since I wrote about confirmed opt in. The last post was how COI wasn’t important, but making sure you were reaching the right person was important. Of course, I’ve also written about confirmed opt-in in general and how it was a tool somewhat akin to a sledgehammer. I’m inspired to write about it today because it’s been a topic of discussion on multiple mailing lists today and I’ve already written a bunch about it (cut-n-paste-n-edit blog post! win!).
Confirmed opt-in is the process where you send an email to a recipient and ask them to click on a link to confirm they want the mail. It’s also called double opt-in, although there are some folks who think that’s “spammer” terminology. It’s not, but that’s a story for another day. The question we were discussing was what to do with the addresses that don’t click. Can you email them? Should you email them? Is there still value in them?

We have to treat the addresses as a non-homogenous pool. There are a lot of reasons confirmation links don’t get clicked.

  • Some recipients aren’t going to click because they really don’t want the mail  and the extra step is too much effort. If the mail had just shown up they might read it, might even engage with it, but don’t want to actually have to make an effort to engage with the confirmation.
  • Some recipients aren’t going to click because they’ve already gotten what they want, like access to a website or a white paper or free download.
  • Some recipients aren’t going to click because they aren’t your customer. Someone used their email address to sign up and they sincerely do not want the mail.
  • Some recipients aren’t going to click because they never saw the mail. It may have gone to bulk, they may have not recognized the subject line and just deleted it, it may have ended up dropped on the floor. Whatever happened, it wasn’t seen by the recipient.
  • Some recipients aren’t going to click because there is no recipient. Sure, the mail is accepted by the receiving mail server, but the user never logs in, or it’s a spamtrap.

There is some value in the pool, but statistically, some of that value is negative. Each company needs to do their own risk analysis and determine what best to do with these addresses.
Different subscription techniques are going to generate different subscriber pools. Those different pools are going to have different risk profiles. Some subscription processes will generate more of one type of subscriber than another. That means the risk of mailing users who didn’t click on the link is going to vary depending on the pool.
Lots of “no recipients” on the list means sending followups is high risk. Lots of non-customers on the list, ditto. But if the pool is lots of people who can’t be bothered or missed the email the first time? That’s probably OK to mail once or twice.
Details matter.
Overall, the entire goal here is to get a list of email addresses that are owned by people who want mail from you. There are two parts to that: identity and permission. The identity part is tying the email address to the person who is your customers / subscriber / lottery winner / potential future customer who wants to know what you sell. The permission part is discovering if they want mail from you.
Traditional COI combines the identity and permission piece into one step. Send the person a mail and ask for permission to mail them more email. That covers the identity and the permission – if the person clicks you have both. But there are other ways to prove identity and there are other ways to gauge permission.


About the author


This site uses Akismet to reduce spam. Learn how your comment data is processed.

  • Hi Laura,
    Regarding “no-recipients” and people who can’t be bothered, how would one differentiate if the emails are successfully accepted? The scenario I propose is no bounces, no opens/clicks/unsubs, nothing to tell you one has engaged with the mail.
    To me, between 1-3 times is risk with it going up the more times you send. I would rather not take a risk full stop in the hope there is some win.

  • There isn’t really a way to distinguish between “no-recipients” and people who can’t be bothered. But they’re different categories of recipients, so it’s relevant to discuss them.
    This kind of risk is really specific to each business. It’s a tool, with benefits and limitations. Understanding those benefits and limitations is a big part of knowing when and how to use that tool.

  • “It’s also called double opt-in, although there are some folks who think that’s “spammer” terminology.”
    That’s because it is. You never have to opt-in twice, just once. COI or VOI are both legitimate terms; DOI is not. If you sign up for a mailing list, then confirm or verify your subscription, guess where that leads to…
    >Some recipients aren’t going to click because they really don’t want the mail and the extra step is too much effort.
    That’s a risk you’re going to have to take.
    >Some recipients aren’t going to click because they’ve already gotten what they want
    That’s a risk you’re going to have to take. If you require someone to sign up for a mailing list to get something, like a download, well, it’s a bit scummy IMO, but if they don’t confirm that’s your loss.
    >Some recipients aren’t going to click because they aren’t your customer.
    And this is good, because if you emailed them you *would* be a spammer by nearly all definitions. This is one of the things that COI/VOI works and protects.
    >Some recipients aren’t going to click because they never saw the mail.
    That’s a risk you’re going to have to take. If you’re ending up in spam, you’re either sending out an email that looks like spam (at which point you need to fix that), or you’re sending from a location that has a low reputation — usually due to openly sending spam. Both of which are fixable by you.
    >Some recipients aren’t going to click because there is no recipient.
    And again, that’s a risk you’re going to have to take.

  • Ah. “That’s a risk you’re going to have to take.”
    The thing about it, as with most “security vs user experience” issues is that it’s NOT a risk that you’re GOING TO HAVE to take. Rather, it’s a decision that has to be made. Some companies will decide one way and others will decide another after making a risk assessment where one of the factors will absolutely be “how much does this affect the user experience?”

  • Except, Mickey, it is a risk you have to take. That risk is that you’re going to give something up and get nothing in return. That’s part of the marketing game.
    If you choose to start spamming because you didn’t want to tarnish user experience, or because the benefits outweighed the risk, it’s no different than a company that figures that paying off lawsuits and claims is cheaper than stopping production. See: Bhopal, India after Union Carbide.
    At that point, you’re taking a position that’s not only morally and ethically bankrupt, but also typically legally bankrupt, in favor of a better hit rate.

  • Darron, it’s actually quite a bit different than choosing to pay off lawsuits and claims rather than retool for safety issues. The biggest difference is that no one’s life is at stake (cf. Bhopal).
    There’s always a risk involved in making business decisions. That’s really what Laura’s post is about: Outlining the reasons why someone would choose not to click a confirmation link so that a proper risk assessment could be made.
    What you appear to be saying is “There is no other way but this way.” The honest truth is that for the vast majority of marketers in the world today, that statement rings hollow both in theory and in experience.
    I constantly deal with clients who are using full COI/VOI/DOI-with-a-cherry-on-top who still suffer from spam complaints and who still hit spamtraps with regular traffic (i.e.: not just confirmation requests). I’m absolutely certain that Laura deals with such clients on a far more regular basis than I do.
    There are other ways to verify that the person sitting behind the keyboard is the person who is making the request than COI/VOI. Making the decision as to what works best (both the standpoints of UX and securing-the-mailstream) in a particular circumstance is what the risk analysis is all about.

  • Of course there’s more than the way I outlined. There’s the way that violates ethics, morals, and in many juridictions, the law.
    If they’re using full COI/VOI, then the amounts of times they hit spamtraps and more should be miniscule. Either they’re still sending to an email, after getting permission, that’s been repurposed into a spamtrap (in which case, shame on the spamtrap owner for not purging legitimate traffic out), or they’re mailing repeatedly to a spamtrap without verifying the subscriber. A single email with a request to subscribe isn’t spam. If you repeatedly email them informing them of their request to subscribe (nagging), that’s spam.
    The latter can easily be avoided by culling old addresses that haven’t subscribed. If within X days an address hasn’t confirmed, remove them from the list. Periodically asking people to confirm their interest is also good, and putting them in a ‘hold’ list until they do re-confirm their subscription is also a good idea.
    Having proper COI/VOI isn’t going to guarantee that you’re not going to get complaints. You will. But when a complaint comes in from your host, you can provide proof that yes, you did collect consent, and it should include some specific metadata to give credence to your claim — such as IP, time, browser, etc. As a network operator, if I receive a complaint from someone that accuses you of spamming, I will ask for proof of COI/VOI. If your response is simply ‘they confirmed’, I’m going to ask for proof. If you can’t provide proof, I’m killing your access.

  • Your network, your rules, of course. But an anecdote — i.e. how you do things — is not the same as data — i.e. Mickey’s truth that your way doesn’t match the most common ways.

  • If you want to use another means that violates the law, and every common definition of “spam”, then by all means, go ahead. You can enjoy fines and being added to the ROKSO database.

  • There’s no inherent problem with arguing the case for ideological purity; the problem is that you’re arguing the wrong case.
    The goal of an anti-spam perspective from the sending end should not be “send only confirmed opt-in mail”, it should be “send mail people want, and don’t send mail people don’t want”. And while confirmed opt-in can be a useful part of the latter, it isn’t a guaranteed prevention of the failure mode of the former.
    Examples: LinkedIn has my email address. I’ve also told them on countless occasions to stop sending me email. They still send a couple a day. There’s an industry group that I stopped paying money to more than ten years ago; still can’t figure out how to get them to stop mailing me. A store that I used to patronize changed ownership and started sending piles of email I didn’t want. All of those are confirmed opt-in, and also spam. At scale, address churn is another problem senders need to be aware of.
    Meanwhile: what’s the most useful mail stream I get? The local businesses where I’ve written my email address on a receipt and they’ve started sending me email. Not COI at all, but still email I enjoy getting.

By laura

Recent Posts


Follow Us