Ken Magill has a story over at DIRECT about how Barack Obama’s email list has been tainted by pranksters. Basically, some pranksters signed up to Obama’s list using some prominent anti-spammers’ email addresses. It’s an example of how a very high profile email list is at risk if you don’t employ the double opt-in (or “confirmed” opt-in) method.
We’ve seen similar cases here at MailChimp. A very high profile radio host (who I listen to almost every day after work) once signed up for an account on our system, and his first campaign got some furious complaints from a group of prominent anti-spammers that I also hold in high regard. There’s no way this radio host is an evil spammer who’d harvest or buy email lists (doesn’t need to), and there’s no way this normally calm, very experienced anti-spam group would get so mad about a little opt-in prank (happens to them all the time), so I did some investigating…
It turns out it was an opt-in prank, magnified by sloppy list management practices, overly harsh ESP policies, and paranoia.
At his first ESP (email service provider), the prank signups seemed to happen to the radio host’s list on a regular basis, like clockwork. It was the same group of anti-spammers that a prankster signed up every 3 months or so. From what I was able to piece together, the first time, the anti-spammers figured it was a stupid prank and asked him and the ESP to clean his list, then switch to double opt-in. The 2nd time it happened, they got angry at the guy for not cleaning his list as requested, and for not employing double opt-in. The 3rd time, they got angry at the guy, and the ESP.
In response, his ESP told the guy to re-confirm his entire list, which I think is a bit harsh for a handful of recurring prank signups (just clean the prank addresses off, then switch the list to double opt-in to lock out the pranksters). He refused to re-confirm his entire list (rightfully so) but he also refused to switch to double opt-in (wrong move). So he was ultimately booted by that ESP’s abuse desk.
At this point, he started to form a conspiracy theory that this anti-spam group was basically a sort of Internet mafia, that controlled ESPs and ISPs. He got on their bad side, and now he was being “singled out” by them. Any advice they gave he swiftly ignored.
So he moved to a 2nd ESP. He claimed he just didn’t like that ESP’s interface so he left them. But who knows—the pranks might have followed him there too, and gotten him booted.
Finally, he switched to MailChimp. At MailChimp, we only offer the double opt-in method. Maybe he finally saw the light, and recognized the value of double opt-in. Maybe we were just his last resort. So he imported his list. Problem was, he imported his entire old list, not the “cleaned” version. So it included all the old bounces, unsubs, and complainers. Bad, bad, bad move. You know what happens next. He sends his campaign, gets the same group of anti-spammers mad, but also gets a stupendous amount of bounces, unsubscribes, and feedback loop complaints from people who had previously unsubscribed. Red flags popped up all over the place, and we shut his account down immediately.
Maybe his first ESP doesn’t provide an “Export clean version of this list” feature (that would be pretty evil). Maybe he was just being stupid, and thought it would be a good opportunity to reclaim old addresses. Whatever the case, he’s somewhere out there looking for his 4th ESP.
Lessons Learned:
- Double opt-in can help prevent prank email signups
- Double opt-in can help prevent typo and accidental email signups, too
- Sloppy list management practices really do affect your reputation, and can follow you from ESP to ESP.
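To make the first and third lessons concrete, here is a small sketch added for illustration (it is not MailChimp's code). It shows a double opt-in flow where a form submission alone never creates a subscriber, plus a list import that honors a suppression list of old unsubscribes, bounces and complainers. The function names, the demo secret and the 3-day link lifetime are all assumptions.

```python
import hashlib
import hmac
import time

SECRET = b"constructed-demo-key"   # assumption: server-side secret, never sent to clients
TOKEN_TTL = 3 * 24 * 3600          # assumption: confirmation links expire after 3 days

subscribers = set()                # confirmed addresses only
suppressed = set()                 # old unsubscribes, hard bounces, complainers


def normalize(email):
    return email.strip().lower()


def sign(email, issued_at):
    msg = f"{email}|{issued_at}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()


def request_signup(email, now=None):
    """Form submission: nothing is added yet. The returned token is only
    ever delivered by email to the address that was typed into the form."""
    email = normalize(email)
    issued_at = int(now if now is not None else time.time())
    return f"{email}|{issued_at}|{sign(email, issued_at)}"


def confirm(token, now=None):
    """Click on the emailed link: the only path that creates a subscriber."""
    try:
        email, issued_at, sig = token.rsplit("|", 2)
        issued_at = int(issued_at)
    except ValueError:
        return False               # malformed token
    now = now if now is not None else time.time()
    if not hmac.compare_digest(sig.encode(), sign(email, issued_at).encode()):
        return False               # forged or tampered token
    if now - issued_at > TOKEN_TTL:
        return False               # stale link
    subscribers.add(email)
    return True


def import_list(addresses):
    """Import from a previous ESP, dropping anything on the suppression list."""
    clean = {normalize(a) for a in addresses} - suppressed
    subscribers.update(clean)
    return clean
```

A prankster who types someone else's address into the form never sees the token, so that address stays off the list unless its real owner clicks the link.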
Wow, thanks for posting that. As somebody that only does casual email marketing I never really saw the importance of double opt-in. Nice to know that it can save headaches in the long run, and a very useful read for clients that insist on single opt-in.
Sure thing. I didn’t want to make the blog post too long, so I left out the fact that double opt-in isn’t perfect. We’ve seen spambots automatically submit spam trap emails to double opt-in signup forms over and over again. Then, when the system sends a double opt-in confirmation to the spamtrap address, you’re added to a blacklist. Siiigh. I actually think that’s what was going on with our user in the story above, because the spambots hit like clockwork. Luckily, we’ve got some behind-the-scenes measures to combat that, without forcing people into using captchas or anything like that.
I had a similar issue on import of addresses from another provider. It would be really good if it were possible to import a list of ‘unsubscribed’ email addresses to mailchimp in order to be able to safely reimport old lists without worrying about adding back in someone who already unsubscribed.
Unless I’m mistaken, there is no way to do that is there?
Hi Will, you can mass-unsub people from your list pretty easily in MC. Just go to the lists page, and click the “remove people” link for your list. Then copy-paste the people who unsub’d. Those people can’t be added to *that* list again (unless they double opt-in).
There are times when double opt in is valuable, but to insist on it all the time devalues Mailchimp badly. There are other times, such as when using an opt-in box during a checkout process (providing it isn’t checked by default) where a double opt in is downright terrible service, it’s just really annoying to the customer. There is no risk of spoofing, no risk of mis-identification, and the customer is carefully answering questions because he is spending money. Ask me if I’d like to sign up at this point by all means, but once I’ve thought about it and said yes, I do NOT want to be asked again 2 minutes later. Despite what Microsoft think, there are questions which really don’t need an “are you sure” stage after they are answered.
You already police list quality by warning owners if spam complaints rise above a draconian 0.1%, that should be enough. By all means have double opt-in as a default/recommended setting, but let experienced marketers manage their own lists please, you don’t know best all the time.
I agree with Barry. I’m tempted to go find another ESP because I’m more concerned with the unsubscribes I will receive. Usually when someone enters their email it’s due to an impulse decision they had at that time.
When you’re in Best Buy, they don’t ask, “Are you sure you want to buy this TV?” right before you walk up to check out.
If you were to split test the double opt-in process vs the single opt-in process you would see a 30% – 50% unsubscribe rate with the double opt-in.
It’s not like I can complain since I’m using the Free version but I couldn’t see myself growing into a paid version since there’s no documentation on how to use the single opt-in process.
It’s good to be concerned with unsubs, but that’s incorrect terminology here. When you use the double opt-in process, and people don’t confirm, that’s more like a “never did want” than an “unsub.”
When you go to pay for that TV with your credit card, they ask for identification in order to protect themselves (and the owner of the credit card) from fraud. That’s a closer analogy to what double opt-in does. It’s to prevent spambots and mischievous people from subscribing email addresses that don’t want to be on the list.
People who never go through the confirmation process are not “unsubscribing.” They’re people who didn’t want to be on the list anyway. They’re not truly engaged, and would only cause delivery problems moving forward. This number of 30%-50% is close, but there are also cases where spambots absolutely hammer opt-in forms with dictionary attacks (and many of the fake emails they submit are actually spam traps) in order to submit thousands of emails per minute. Double opt-in helps a lot in this case.
We listen to feedback from all users, whether you’re free or paid. Single opt-in subscriptions are available through the API, so that it can be integrated with e-commerce systems (I think as Barry suggested) and it’s also available via many integrations out there. Keep in mind it can cause some significant delivery issues if you don’t have proper processes in place to manage your list, so proceed with caution if you decide to go down this path.
What about cases like just now where I had to check my SPAM folder for the confirmation email? I’m using the default confirmation email, too. Ugh, I just want to collect email addresses for now and I don’t want to require double opt in and I don’t want to implement the API.
The cases mentioned in the post above do make a point. However, I think it’s also shortsighted to always assume a list will get abused as such.
I wonder if in some cases it would be just as effective to fight spam if, instead of a double opt-in, a subscriber gets an ‘opt-out email’ rather than another opt-in? The email would then only require action if people that receive the email indicate that they have either changed their mind or think that their email address has been submitted without their consent (accidentally or by spammers) to the list.
Some people are offended that they’ve been added to a marketing list without permission, and now it’s *their* job to click unsubscribe. I kinda feel the same way. I get these emails and say, “How dare you make *me* clean your list for you?” And there’s always the risk that the recipient doesn’t receive the confirmation email due to a spam filter (same risk as sending DOI confirmations). There’s no really easy way around it. It’s hard work keeping stuff clean (email lists are no exception).