Confirmed opt-in: subscription with address verification
Confirmed opt-in (COI) is a subscription method where filling out a form is not enough. After the form is submitted, the server sends a confirmation email with a unique link. The address stays inactive until the recipient clicks that link. No click, no subscription.
Confirmed opt-in and double opt-in: the difference
In practice, the terms are used interchangeably and the technical flow is identical: form submission, confirmation email, click, activation.
The terminology does diverge slightly when compliance documents parse it carefully. Double opt-in stresses two separate consent actions: filling the form (first consent) and clicking the link (second consent). Confirmed opt-in stresses verification: one consent act at the form, plus proof of address ownership at the click. The distinction matters more in legal briefs than in code.
If you see one term in a GDPR audit report and the other in your ESP documentation, they almost certainly describe the same mechanism.
How the process works
Step 1: the user fills out a subscription form and clicks the button. The server stores the address with a “pending” status.
Step 2: a confirmation email goes out immediately. It contains a unique link with a token tied to that specific signup. Tokens typically expire in 24 to 72 hours.
Step 3: the mailbox owner opens the email and clicks the link. The server validates the token and changes the status to “confirmed.” From that point on, the address receives campaigns.
If the token expires without a click, the address stays in “pending” and receives nothing. Unconfirmed entries are purged periodically.
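The three steps and the periodic purge, as an added Python example (not code from this page or from any ESP). The in-memory dicts, the function names and the 48-hour lifetime are assumptions; only a SHA-256 hash of each token is stored, so a leaked subscriber table does not expose working confirmation links, and each token can be used once.

```python
import hashlib
import secrets
from datetime import datetime, timedelta, timezone

TOKEN_TTL = timedelta(hours=48)  # assumed value inside the 24-72 hour range

# In-memory stand-ins for the subscriber table (assumption for this example).
pending = {}     # sha256(token) -> {"email": ..., "expires": ...}
confirmed = {}   # email -> evidence of the confirmation click


def _digest(token):
    return hashlib.sha256(token.encode()).hexdigest()


def subscribe(email, now):
    """Steps 1-2: store the address as pending, return the token for the link."""
    token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
    pending[_digest(token)] = {"email": email, "expires": now + TOKEN_TTL}
    return token  # goes into the emailed link only, never into storage


def confirm(token, ip, now):
    """Step 3: validate the token, activate the address, log the click."""
    key = _digest(token)
    row = pending.get(key)
    if row is None:
        return "invalid"   # unknown, already used, or purged
    if now >= row["expires"]:
        return "expired"   # address stays pending and receives nothing
    del pending[key]       # single use: a replayed link is rejected
    confirmed[row["email"]] = {"ip": ip, "confirmed_at": now.isoformat()}
    return "confirmed"


def purge(now):
    """Remove pending rows whose token has expired; return how many were dropped."""
    stale = [k for k, row in pending.items() if now >= row["expires"]]
    for k in stale:
        del pending[k]
    return len(stale)


if __name__ == "__main__":
    t0 = datetime.now(timezone.utc)
    link_token = subscribe("reader@example.com", t0)  # constructed address
    print(confirm(link_token, "203.0.113.5", t0 + timedelta(minutes=3)))
```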
What confirmation actually gives you
Proof of address ownership. Only the person with access to the inbox can click the link. This rules out the scenario where someone signs up a stranger’s address without their knowledge.
Typo filtering. A mistyped address either bounces the confirmation email or delivers it to the wrong person, who will not click. Either way, the invalid address never enters your list.
Bot resistance. Bots can fill out forms at scale. They cannot click a confirmation link inside a mailbox they do not control. COI is the most reliable barrier against automated signups.
Legal record. The confirmation click is logged with an IP address, date, and timestamp. That log answers a regulator’s question before it is asked.
Better engagement. Subscribers who went through confirmation chose to be there. Open rates and CTR for confirmed lists run noticeably higher than for single opt-in lists collected the same way.
Confirmation drop-off
Between 20% and 40% of people who fill out a form never complete the confirmation. The email lands in spam. They get distracted. They cannot find it among a dozen other messages.
That number looks alarming, but most of those unconfirmed entries were not going to generate value anyway. Some are typos. Some are bot-filled. Some belong to people who clicked “subscribe” on impulse and would have unsubscribed after the first email.
To improve the confirmation rate: send the email within seconds of submission (a five-minute delay measurably cuts conversions). Use a direct subject line: “Confirm your subscription to [name].” Make the confirmation button the only call-to-action in the email. Send one reminder after 24 hours if the click has not come in.
Legal context
GDPR does not require confirmed opt-in by name, but German courts have repeatedly ruled it the only reliable evidence of consent for commercial email. In Germany and Austria, COI is effectively mandatory.
CAN-SPAM takes the opposite stance: it does not require any opt-in at all (the model is opt-out). That said, Google and Yahoo updated their sender requirements in 2024 and now expect confirmed subscriptions from bulk senders, enforcing the standard through filtering rather than law.
If your list includes EU recipients or you send from a domain you cannot afford to damage, the legal and deliverability cases for COI point in the same direction.
When to use confirmed opt-in
For most email marketing programs, COI is the safer default. The subscribers you “lose” at the confirmation step were unlikely to become active readers, and the ones you keep are cleaner, more engaged, and legally documented.
It becomes especially important if you target EU audiences, send significant volume from a shared or new domain, or have seen bot activity on your signup forms.
The one case where skipping confirmation is defensible: address ownership is already verified by another mechanism. Account registration with email verification, a checkout flow where the customer entered their address and completed a purchase, or an in-app subscription inside an authenticated session all satisfy the same ownership check.
uChecker works alongside confirmed opt-in at the validation layer. Before sending the confirmation email, the API checks whether the domain has valid MX records, whether the address is disposable, and whether the mailbox is likely to exist. This avoids spending send credits on confirmation emails that will never be delivered.
