Should I Use Single Opt-In or Double Opt-In For My Newsletter?

Let’s talk about which makes sense for you — and how to keep spammy sign-ups off your email list.

These stories are presented thanks to Litmus, the all-in-one marketing platform that empowers you to build, test, review, and analyze emails more efficiently and effectively than ever so you can get the most out of every send. Optimize and personalize your emails to maximize ROI and create exceptional brand experiences for every subscriber. Learn why 700,000+ professionals across companies of all industries and sizes trust Litmus to make every send count.™

Here’s the situation: A visitor to your site notices your newsletter sign-up form. Eager for more content, they enter their email address to subscribe.

Now here’s the big question: What’s the very next step you should take?

Do you immediately move them into a welcome series and start sending newsletters?

Or do you have them take an additional step — confirming their email address — before they’re officially added to your list?

The answer isn’t quite as straightforward as you’d expect. Some email experts say you should absolutely require a confirmation step, and that not doing so will have a huge, negative effect on your deliverability. Others say just the opposite: It’s not all that important and you should allow sign-ups without it.

So who’s right? And what’s the right step for you?

It depends on a few factors, like how fast you’re growing, how often you clean your email lists, which email platform you use — even where you live.

Let’s talk through the options and try to figure out what makes sense for your newsletter.

Understanding the two big choices

There are names for the two paths I described earlier:

  • Single opt-in is the path that requires no additional steps. Someone signs up and they’re added to your list right away.
  • Double opt-in, or confirmed opt-in, requires one extra step. After signing up, a reader is prompted to check their inbox for a confirmation message. They must click on the verification link in that email before they can start receiving newsletters. 

Adding any sort of friction to the newsletter subscription process will result in fewer sign-ups. Confirmation emails don’t get clicked on for all sorts of reasons. They get ignored. They get routed to the spam folder. They arrive hours (or days) later. 

At organizations doing an exceptional job with confirmation messages, I’ll see about 80 or 90% of users confirming their email address. That means that at best-in-class operations, 1 or 2 out of every 10 email sign-ups will never be added to the list.

And at fairly average organizations? The number is often closer to 50%. For every 10 new sign-ups, 5 never confirm their email.

With that in mind, you may wonder why anyone goes the double opt-in route. There are actually some compelling reasons. Some email service providers require all readers to confirm their email address. Some countries, mostly in Europe, require double opt-in for any sort of marketing email.

And then there’s a third reason, maybe most important of all: To protect your email list.

The risk with single opt-in

I remember the first time a spambot attacked one of the sign-up pages at BuzzFeed. At first, we didn’t realize what was happening. We were looking at our email lists and saw that a ton of new subscribers were signing up for our newsletters that day — exciting! But then we looked a little closer. Almost all of the subscribers were from the same domain, yahoo.co.uk, which seemed odd. (At that moment, most of our traffic came from the U.S.) And then we looked even closer: The sign-ups were coming in so quickly — dozens of new yahoo.co.uk emails every minute — there was no way the email addresses were submitted by actual humans.

That’s when we realized that something was seriously wrong. But we didn’t realize how much trouble we were in.

We were the victims of a spambot, which had been crawling the web looking for a form like ours. These bots are usually looking for forums with a comment section where they can drop in a link to a page where someone can buy something, like pharmaceutical drugs. These bots don’t always realize that they’ve found a newsletter sign-up form — not a comment section.

In our case, this bot had found the main BuzzFeed newsletters page. We didn’t have any sort of authentication tool on that page to confirm that the email addresses being signed up were real, and we weren’t using a double opt-in process to add an extra layer of verification. Thousands of email addresses were being added to our lists, and those spammy emails could have caused huge damage to our email program. If we hit a spam trap — like a mouse trap, but for spam — a few things could have happened:

  • Our IP addresses could have been blocklisted by one of the major anti-spam organizations, like Spamhaus.
  • Our newsletters could have been temporarily or permanently blocked by major inboxes, like Gmail or Yahoo.
  • Our deliverability could have tanked, sending newsletters to the spam folder instead of the inbox.

BuzzFeed wasn’t alone in experiencing these issues. At one other organization I worked with, we found over 100,000 fake email addresses in their database, and each of those email addresses was signed up for every single newsletter the brand had. Based on the cost per newsletter sent, we realized that the organization was spending over $100,000 per year to send newsletters to fake email addresses.

Double opt-in would have helped in both of those cases. If we’d been using it, the spambots still would have been able to enter email addresses into the sign-up forms. But since the addresses would never have been confirmed, we wouldn’t have deployed newsletters to those emails. Double opt-in would’ve protected those lists and kept costs down.
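The confirmation step described above, sketched as an added example (not code from the original article or from any email platform): an address stays pending until a signed, expiring link is clicked, so bot-submitted addresses never reach the mailing list. The key, the 48-hour lifetime and the in-memory stores are assumptions for the demo.

```python
import base64
import hashlib
import hmac
import time

SECRET_KEY = b"constructed-demo-key"  # assumption: a real key comes from a secret store
TOKEN_TTL = 48 * 3600                 # assumption: links expire after 48 hours
pending = {}       # email -> sign-up time; these addresses get no newsletters
confirmed = set()  # only these addresses are ever mailed


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")


def _sign(payload: bytes) -> str:
    return _b64(hmac.new(SECRET_KEY, payload, hashlib.sha256).digest())


def start_signup(email, now=None):
    """Store the address as pending and return the token for the confirmation link."""
    now = int(time.time() if now is None else now)
    email = email.strip().lower()
    pending[email] = now
    payload = f"{email}|{now}".encode()
    return f"{_b64(payload)}.{_sign(payload)}"


def confirm(token, now=None):
    """Promote an address to confirmed only for an authentic, unexpired, unused token."""
    now = time.time() if now is None else now
    try:
        body, sig = token.split(".")
        payload = base64.urlsafe_b64decode(body + "=" * (-len(body) % 4))
        email, issued = payload.decode().rsplit("|", 1)
        issued = int(issued)
    except ValueError:  # malformed token, bad base64 or bad UTF-8
        return False
    if not hmac.compare_digest(sig.encode(), _sign(payload).encode()):
        return False  # forged or altered link
    if now - issued > TOKEN_TTL or pending.get(email) != issued:
        return False  # expired, already used, or never requested
    del pending[email]
    confirmed.add(email)
    return True
```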

But double opt-in isn’t the only option to consider. There are a few different choices on the table.

Putting together your optimal strategy

The first big choice in your strategy is straightforward: Do you want to require someone to confirm their email address, or will you add them to the list right away?

Local laws might dictate your choice in countries like Germany, where double opt-in is required for senders. Or, if you’ve experienced deliverability issues in the past, you might be more cautious and go with double opt-in. 

However, if you’re trying to grow quickly and are concerned readers may not confirm their emails, you might stick with single opt-in.

Ultimately, when I sit down with a client to figure out single opt-in vs. double opt-in, I always tell them it’s not enough to simply choose one over the other — you also have to make a few other decisions to keep your lists clean in the long run.

How will you protect your sign-up forms?

Even if you’re using double opt-in, you still want to keep your sign-up pages and forms protected from spam. As I mentioned in that BuzzFeed example, you might end up in a situation where thousands of email addresses are being added to your account. Even if you’ve got double opt-in turned on, any email address can still be entered into that sign-up form. The protection doesn’t kick in until the confirmation message is sent out. That means your email platform will be sending thousands of confirmation emails to those fake emails. A high bounce rate on those could still cause problems, since many email platforms monitor the metrics on confirmation emails. If they see suspicious activity, they may suspend your account.

So you could protect your forms one of three ways:

1.) You could use a third-party tool to verify email addresses — Services like Kickbox can verify each email address entered into your forms, and even block IP addresses that attempt to sign up too many email addresses at once. (Use this link and Kickbox will give you your first 100 email verifications free.) Kickbox has a Zapier integration, so you can pass the sign-up automatically from your forms to Kickbox to your ESP without needing to hire a developer. Kickbox also blocks any spam traps from coming through — an important step in maintaining good deliverability.

You should also check with your ESP to see if they do any email verification. Some platforms, like Beehiiv, automatically run every email address through a verification tool at no additional charge. 

2.) You could use reCAPTCHA — I do this on my website. If Google suspects suspicious behavior, a user is required to answer a few questions before they can submit the subscription form. The benefits with reCAPTCHA? It’s free, and it integrates with tools like WP Forms.

If you go this route, Google has an excellent guide to adding reCAPTCHA to your subscription forms.

3.) You could use a honeypot on your sign-up forms — This is an advanced option, but it can be effective. A honeypot is a field in your sign-up form that is hidden from human visitors but still present in the page’s code, so only a bot will fill it out. Once you set up the honeypot, you’d tell your email platform to automatically suppress or delete email addresses that have the hidden field filled out.
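A server-side sketch of the honeypot check, combined with the per-IP limit mentioned under option 1, as an added example that is not from the original article or any vendor's code. The field name `website`, the form markup and the thresholds are assumptions.

```python
from collections import defaultdict, deque

# Constructed form markup: the extra field is moved off-screen and skipped by
# keyboard and autofill, so people leave it empty while form-filling bots do not.
FORM_HTML = """
<form method="post" action="/subscribe">
  <input type="email" name="email" required>
  <div style="position:absolute; left:-9999px" aria-hidden="true">
    <input type="text" name="website" tabindex="-1" autocomplete="off">
  </div>
  <button type="submit">Subscribe</button>
</form>
"""
HONEYPOT_FIELD = "website"  # hypothetical field name, matches FORM_HTML
MAX_PER_IP = 3              # assumption: accepted sign-ups allowed per window
WINDOW_SECONDS = 600        # assumption: 10-minute sliding window
_recent = defaultdict(deque)  # ip -> times of accepted sign-ups


def screen_signup(form, ip, now):
    """Return 'accept', 'suppress' (honeypot filled) or 'throttle' (IP over limit)."""
    if form.get(HONEYPOT_FIELD, "").strip():
        return "suppress"  # drop silently; never send a confirmation email
    window = _recent[ip]
    while window and now - window[0] > WINDOW_SECONDS:
        window.popleft()   # forget sign-ups older than the window
    if len(window) >= MAX_PER_IP:
        return "throttle"
    window.append(now)
    return "accept"
```

Screening before the confirmation email is queued keeps a bot run from generating the thousands of bouncing confirmation messages described above.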

How will you clean your lists?

You’re also going to want to set up a reactivation series to both win back inactive readers and clean your lists. The frequency and length of the series really depend on how fast your list is growing. Newsletters that add tens of thousands of subscribers per month tend to run reactivation campaigns on an ongoing basis — they’re working to win back readers after they’ve been inactive for 30, 60, or 90 days. Newsletters that grow a bit slower may run these campaigns monthly or quarterly.

You should have some sort of reactivation series in place, just in case a spammy sign-up does slip through the cracks. That way, you’ll always be cleaning your list and removing those inactive readers.

I put together a full guide here to setting up a reactivation series, including what to send to readers and when. Make sure a series like this is part of your overall strategy — it’s a crucial step for keeping your lists clean.

How will you handle edge cases?

If you go with single opt-in, you may still want to use double opt-in for certain types of users. For instance, newsletters that grow through sweepstakes tend to grow quickly, but those who sign up don’t necessarily want your newsletter. Often, they’re just signing up because they want to win the grand prize. For just those sweepstakes entries, you may want to use double opt-in.

Let’s say I was doing this with my newsletter. I use WP Forms for sign-up boxes, and Mailchimp to send newsletters. Instead of passing the email straight from WP Forms to Mailchimp, I’d add an in-between step via Zapier. Using Zapier, I could instruct Mailchimp to send the double opt-in email to that user — even if double opt-in is turned off for everyone else.

If you go the alternative route and turn double opt-in on for all sign-ups, I’d suggest setting up sniper links for users. Instead of simply telling users to “check your inbox to confirm your subscription” after they sign up, you can use sniper links so a reader can click a link and be taken to the exact place in their inbox where the confirmation message will be waiting for them. The team at Growth Design put together an excellent walk-through of how to set these up. They saw a 7% lift in confirmations after setting up sniper links for their newsletter.

How we handled the spambot issue at BuzzFeed

The faster your list is growing, the more important it is to be aggressive in keeping your lists clean, both at the point of newsletter sign-up and after.

At BuzzFeed, with our rapid rate of growth, we took a few steps — some to fix the immediate problem, and some to stop the problem in the long run.

In the short run: We figured out the IP address the spambot was operating from, and worked with our developers to block that IP from accessing our site. Then we removed the spammy sign-ups from our list. Spambots often submit email addresses from the same email domain (in this case, yahoo.co.uk), so we identified the domain and went into our ESP to create a segment of users with that domain who’d signed up since the spam attack had started. Then we deleted those email addresses from our list.

We may have lost a handful of legitimate email addresses in the process. If a real reader with a yahoo.co.uk address happened to sign up that day, they unfortunately would have been deleted from our list as well. But that was still a far better option than keeping the emails on our list.
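The short-run cleanup above, as an added example (not BuzzFeed's tooling): flag a domain whose sign-ups spike within one minute, then build the removal segment of that domain's addresses from the start of the spike. The threshold and the sample log are constructed, and `spam-domain.example` stands in for the real domain.

```python
from collections import Counter
from datetime import datetime, timedelta

BURST_PER_MINUTE = 12  # assumption: "dozens every minute" from one domain is abnormal


def _domain(email):
    return email.rsplit("@", 1)[-1].lower()


def find_bursts(signups, threshold=BURST_PER_MINUTE):
    """Map each bursting domain to the first minute it reached the threshold."""
    per_minute = Counter(
        (_domain(email), ts.replace(second=0, microsecond=0)) for ts, email in signups
    )
    start = {}
    for (domain, minute), count in per_minute.items():
        if count >= threshold and minute < start.get(domain, datetime.max):
            start[domain] = minute
    return start


def removal_segment(signups, start):
    """Addresses on a flagged domain that signed up once its burst had begun."""
    return [email for ts, email in signups
            if _domain(email) in start and ts >= start[_domain(email)]]


def sample_signups():
    """Constructed log: 40 bot sign-ups in one minute plus three real readers."""
    t0 = datetime(2024, 1, 1, 12, 5)
    rows = [(t0 + timedelta(seconds=i), f"bot{i:02d}@spam-domain.example") for i in range(40)]
    rows.append((datetime(2024, 1, 1, 11, 0), "early.reader@spam-domain.example"))
    rows.append((datetime(2024, 1, 1, 12, 30), "late.reader@spam-domain.example"))
    rows.append((datetime(2024, 1, 1, 12, 5, 10), "reader@news.example"))
    return rows
```

On the sample log the segment keeps the reader who joined before the spike but includes the one who joined on the flagged domain afterwards, which is the collateral loss the article accepts.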

In the long run: We decided to add a third-party verification tool into our sign-up flow, and later moved to reCAPTCHA. That helped keep our list clean and prevent spam from getting through on our forms. We also continued to send regular reactivation campaigns to win back inactive users, and we removed readers who weren’t regularly opening our newsletters.

That multi-level approach works well for most newsletters. It’s not just about single opt-in or double opt-in — it’s about piecing together a few tactics to make sure that you can get readers onto your newsletter while also keeping your lists clean.


By Dan Oshinsky

Dan runs Inbox Collective, a consultancy that helps news organizations, non-profits, and independent operators get the most out of email. He specializes in helping others build loyal audiences via email and then converting that audience into subscribers, members, or donors.

He previously created Not a Newsletter, a monthly briefing with news, tips, and ideas about how to send better email, and worked as the Director of Newsletters at both The New Yorker and BuzzFeed.

He’s been a featured speaker at events like Litmus Live in Boston, Email Summit DK in Odense, and the Email Marketing Summit in Brisbane. He’s also been widely quoted on email strategies, including in publications like The Washington Post, Fortune, and Digiday.