
Opt-In Permission for Mailing Lists: Is It Enough?

For some time now I have contended that Confirmed Opt-in (COI) is dead, or at the very least on life support. It certainly is not a major factor in the continued relation between sender and receiver; that relies far more heavily on the ongoing and historical reputation of the mailer and the mail stream. Proof of permission doesn’t scale: end-users complain all the time, but it is rare, if not impossible, for a receiving site to request proof when an end-user complains, the receiver complains to the sender, and the sender says that permission was actually in place. Much more commonly, the sender unsubscribes the address and moves on, permission or not, since the subscriber doesn’t want the mail any more.

But then, I recently had two eye-opening experiences as to exactly why Confirmed Opt-in is critical to the whole email equation.

As you probably know, CAUCE recently had some major news; we announced it on our website and we also did a mailing to our membership lists. One email resulted in someone challenging us on their subscription—the subscriber insisted he had never signed up to our lists and was pretty upset.

We pulled out his confirmed, ‘Double’ Opt-in record, showed him the date and time he asked to be subscribed, and the time and date he clicked through on the confirmation mail.

After his red face subsided, he apologized for the kafuffle.

Having sign-up data on-hand is fine, but despite confirmation being a little more difficult to attain, it is worth the effort to settle complaints such as these right at the get-go!

Another incident happened on the same day. A mailer contacted us, very upset because his ESP (email service provider) had just cancelled his account. Apparently they had received a complaint about mailing to one of our CAUCE addresses on a public website. Some joker had added the address to his lists, which were only single opt-in, and when he mailed, BAM! Our mail admin auto-complained, and included the ESP in the cc list.

Apparently, they took the complaint seriously.

We calmed the gentleman down, and suggested that he institute a confirmation system for his opt-in mailings. He went a step further and decided to reconfirm his entire list, in an attempt to placate his ESP.

It is unfortunate that he had to suffer an interruption to his business because someone maliciously added a CAUCE ‘poison pill’ address to his lists, but the reality of the situation is that there are heavyweight complainers out there that can stop a list dead in its tracks. Far more commonly, without Confirmed/Double Opt-in, zombies and typos can result in mailers adding spamtrap addresses to a list.

The very best way to avoid ending up in a long-term world of pain is to confirm addresses before sending a single email.

Permission might not be forever, but it looms heavily over the first mailings.

By Neil Schwartzman, Executive Director, The Coalition Against Unsolicited Commercial Email - CAUCE
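
The confirmation step and the sign-up record the article relies on, as an added example (not CAUCE's or any ESP's actual system): the confirmation token is an HMAC bound to one address and one request, and the stored request and click-through times are the proof of permission. The class name, in-memory store, key handling and 7-day expiry are assumptions.

```python
import hashlib
import hmac
import secrets

SIGNING_KEY = secrets.token_bytes(32)  # assumption: per-deployment secret, generated here for the demo
TOKEN_TTL = 7 * 24 * 3600              # assumption: confirmation links expire after 7 days


def _sign(address, requested_at):
    """HMAC binds the token to one address and one sign-up request."""
    msg = f"{address}|{requested_at}".encode()
    return hmac.new(SIGNING_KEY, msg, hashlib.sha256).hexdigest()


class OptInList:
    """Hypothetical subscriber store that keeps the proof-of-permission record."""

    def __init__(self):
        self.records = {}  # address -> {"requested_at": int, "confirmed_at": int or None}

    def request(self, address, now):
        """Log a sign-up request; return the token to embed in the confirmation mail."""
        address = address.strip().lower()
        rec = self.records.get(address)
        if rec is not None and rec["confirmed_at"] is not None:
            return None  # already confirmed: keep the original proof untouched
        self.records[address] = {"requested_at": now, "confirmed_at": None}
        return f"{now}.{_sign(address, now)}"

    def confirm(self, address, token, now):
        """Handle the click-through; True only for a valid, current token."""
        address = address.strip().lower()
        rec = self.records.get(address)
        ts, _, sig = token.partition(".")
        if rec is None or not (ts.isascii() and ts.isdigit()):
            return False
        if not hmac.compare_digest(sig.encode(), _sign(address, int(ts)).encode()):
            return False  # forged, or issued for a different address
        if int(ts) != rec["requested_at"] or now - int(ts) > TOKEN_TTL:
            return False  # superseded or expired request
        if rec["confirmed_at"] is None:
            rec["confirmed_at"] = now  # first click wins
        return True

    def may_mail(self, address):
        """List mail goes only to addresses with a recorded confirmation."""
        rec = self.records.get(address.strip().lower())
        return rec is not None and rec["confirmed_at"] is not None
```

An address that a third party adds receives the single confirmation message and nothing more, because `may_mail` stays false until the owner clicks through.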

Jim Popovitch  –  Jun 20, 2007 3:55 AM

DOI is not the real problem with mailing lists, although it could be addressed better. The real problem with mailing lists is that they will accept any email From: a subscriber (whether or not the actual subscriber sent it). This makes SPF and DK/IM very important, just as long as there is majority support for those technologies.

Suresh Ramasubramanian  –  Jun 22, 2007 10:04 AM

Well, Neil. I am sure you have enough independent numbers to verify what is just empirical observation, but I’ve found that single opt-in lists do have an appreciably higher rate of complaints.

The rate gets even higher (and moves very quickly into blocking territory) when single opt-in addresses are sold or repurposed to third parties. Coreg, purchased leads and such.

Alessandro Vesely  –  Jun 26, 2007 7:01 PM

Imagine one day some spammers get crazy for the tons of bad email addresses and spam traps that poison their databases and seek some kind of retaliation by mass-subscribing suspicious addresses to a number of mailing lists. COI will then be a must, and it will be better off featuring pretty robust checks as well, such as CAPTCHA. If not, relevant mailing list servers will automatically get listed on most spamtrap-driven DNSBLs.

Matthew Elvey  –  Jun 28, 2007 1:45 AM

Good point, Ale. Expanding on that: most people in the anti-spam space are still amazingly shortsighted. There’s as much mail getting past my filters as ever - the filters get better, and the spammers’ tactics advance. But implementing short-sighted solutions keeps everyone in business.

Dave Zan  –  Jun 28, 2007 9:29 AM

Don’t know if this means anything, but one thing a few internet marketers I know have observed is many of their spam complaints (despite proof of confirmed opt-in to their mailing lists) appear to be from AOL users. It’d be interesting if someone can possibly come up with some kind of “study” to gauge such complaints, though of course I’m not too hopeful if anyone’s up to it.

Matthew Elvey  –  Jul 2, 2007 2:04 AM

Every argument I’ve ever heard against COI boils down to ‘we don’t want to verify our lists’. And I’ve heard that from bosses and customers, and I sympathize, but I’ve learned from being hard and soft about it. Given spamhaus’ market power, their definition has significant weight.

I see a big (typically 30%) difference in Inbox deliverability betweens I can get whitelisted because I can report that the lists are explicitly owner opted-in, and everything else.

Specific example:  One must address ‘deprioritization’ at Yahoo! by meeting their requirement:

Don’t send unsolicited email. Make sure that all email addresses are confirmed with an opt-in process that ensures the recipient wants to receive your mail. Obtaining permission from a third party to send an email does not ensure the email is solicited. Probably the best way to confirm an email addresses before adding them to a mailing list is by using closed-loop confirmation (sometimes referred to as “full confirmation,” “full verification,” “confirmed voluntary subscription,” or “double opt-in”). In this process, after you receive a subscription request, you send a confirmation email to that address which requires some affirmative action before that email address is added to the mailing list. Since only the true owner of that email address can respond, you will know that the true owner has truly intended to subscribe and that the address is valid. 
Source: Yahoo Postmaster Advice

Neil, it would be helpful if you defined what you mean when you say COI.  I’d say it’s not COI unless the recipient has verifiably granted deliberate, explicit, and still-revocable permission to be sent a mailstream (I believe this matches spamhaus’ definition).  Do you agree or have a different definition?  Some people do, hence the question.
