Double opt-in: confirmed subscription in two steps

Double opt-in (DOI) is a subscription mechanism that requires two explicit actions from the person signing up. First, they fill out a form. Second, they click a confirmation link sent to the address they provided. Only after that click does the address enter the active mailing list.

How the process works

Step 1. A visitor enters their email address into a subscription form and submits it. The address is saved to the database with a “pending” status.

Step 2. The system immediately sends a confirmation email to that address. The email contains a unique link tied to a token for that specific signup.

Step 3. The recipient opens the email and clicks the link. The server validates the token, flips the status to “confirmed,” and adds the address to the active list.

If no click happens within the configured window (typically 24 to 72 hours), the address stays unconfirmed and receives no mail. Most systems either delete it automatically or leave it in a dormant queue.

Why the second step matters

Single opt-in accepts any address without verification. Someone can type a stranger’s email, make a typo, or enter a random string. The result: invalid addresses, bounces, and spam complaints from people who never signed up.

A confirmed click proves three things at once: (a) the address exists, (b) the person has access to that inbox, and (c) they deliberately chose to subscribe. None of those facts are available with single opt-in.

Effect on list quality

Lists built through DOI typically carry a bounce rate below 0.5%. Single opt-in lists from new subscribers can hit 5–8%. That gap matters: mailbox providers start throttling senders whose bounce rate crosses 2%.

DOI also filters out spam traps. Recycled traps (old addresses reclaimed by anti-spam organizations) will not click a confirmation link. Pristine traps (addresses that have never belonged to a real person) cannot. Both kinds disappear from the queue without affecting your sender reputation.

The tradeoff: subscriber drop-off

Not everyone who fills out a form will open the confirmation email. Some forget. Some miss it because it landed in the Promotions tab or spam folder. Some lose interest in the few minutes between submitting the form and checking their inbox. Conversion from form fill to confirmed subscription runs 60–85% in practice.

That sounds like a real cost, but the 15–40% who drop off are mostly low-intent users and invalid addresses. The subscribers who do confirm open more, click more, and complain less. A smaller, engaged list almost always outperforms a larger, indifferent one.

When DOI is required

In Germany, double opt-in is effectively mandatory. German courts have repeatedly ruled that single opt-in does not constitute adequate proof of consent for commercial mailings.

GDPR does not mention double opt-in by name, but it requires “demonstrable consent.” DOI is the clearest way to demonstrate it: you have a log with the signup date, the subscriber’s IP address, and the timestamp of the confirmation click. That log answers a regulator’s questions before they are asked.

Many ESPs enforce it too. Mailchimp enables DOI by default for new audiences. Brevo and Unisender both recommend it. Some platforms require it before you can send to a purchased or imported list.

Implementation tips

• Send the confirmation email within seconds of the form submission. Every minute of delay loses conversions.
• Use a direct subject line: “Confirm your subscription” or “One click to finish signing up.” Skip the marketing copy.
• Make the confirmation button large and the only call-to-action in the email.
• Set link expiry to 24–48 hours. Longer windows increase the risk of bot clicks on stale tokens.
• After the click, redirect to a clear “Subscription confirmed” page so the user knows it worked.