Skip to content
Get in touch

Should I use a double opt-in?

Picture of Beth O'Malley

 

My recommendation is this (save you reading): turn off double opt-in.

I know that will make some people uncomfortable and other people will disagree with me (that's totally fine!).

Double opt-in has been positioned as the gold standard of email list building for decades. It is the thing the compliance people insist on, the thing the deliverability guides recommend, the thing that sounds responsible and considered and safe.

But here is my honest view after years of working with programmes across every industry and business model: double opt-in is solving a problem that better tools now solve more elegantly — and in solving it, it is creating a worse problem. It is breaking the subscriber experience at exactly the moment it matters most.

This blog explains where double opt-in came from, why it made sense at the time, why the logic no longer holds in 2026, and what you should be doing instead.

 

Before you dig in, why don't you get access to RE:markable

 RE:markable is the weekly email about emails. Dropping the latest email marketing news, updates, insights, free resources, upcoming masterclasses, webinars, and of course, a little inbox mischief. 
Subscribe to RE:markable

 

Where double opt-in actually came from

To understand why double opt-in exists, you have to go back to 1993.

The origin story:

The first double opt-in email was sent by LISTSERV — one of the original email list management tools — in 1993. The internet was sixteen months old. Spam, as a concept applied to email, had not yet entered the public vocabulary. LISTSERV added a feature that required new subscribers to reply with "ok" to confirm their subscription before they would start receiving emails from the list. The purpose was simple: verify that the email address was real and that the person who submitted it was actually the person who owned it.

The term "double opt-in" itself was coined by marketers in the late 1990s to describe this confirmation process. By the turn of the century it had become widely established practice — and by the time GDPR arrived in 2018, many people assumed it was a legal requirement (it is not, except in a small number of specific countries including Germany, Austria, and Norway).

 

In 1993, this made complete sense. Email address validation tools did not exist. There was no infrastructure to check whether an address was real or belonged to the person submitting it. The only way to verify intent and data quality was to make the subscriber take a second action. A reply, later a link click, was both a data quality check and an engagement signal.

Fast forward to 2026. Email address validation tools are sophisticated, fast, and affordable. They can tell you, at the point of form submission, whether an address is real, whether it belongs to an active mailbox, whether it is a known spam trap, whether it is a disposable address, whether it looks like a typo. In real time. Before you ever send anything.

The problem double opt-in was solving in 1993 now has much better solutions. But the double opt-in remains — largely out of habit, partly out of misunderstood compliance guidance, and in many cases because nobody has stopped to question whether the cure is worse than the disease.

 

The deliverability argument and why it doesn't hold

The main argument for double opt-in is a deliverability one. The logic goes like this:

  • If someone confirms their subscription by clicking a link or replying, they generate a positive engagement signal that feeds inbox provider reputation systems

  • If their email address is wrong or invalid, the confirmation email bounces and we never send to that address again

  • This means we only ever email people who are genuinely interested, with verified addresses — which protects deliverability

On paper, that logic makes sense. And I am not going to pretend it has no merit at all. A confirmed subscriber is, in theory, a more intentional subscriber.

But the logic has a fundamental flaw that nobody talks about openly enough.

If the email address is wrong, the double opt-in email bounces. So does your welcome email. So does any other email you send. The bounce happens regardless of whether you use double opt-in. You are not preventing the bounce — you are just moving which email triggers it. And a bounce from a double opt-in confirmation email damages your deliverability in exactly the same way as a bounce from a welcome email.

Double opt-in does not prevent bounces. It just puts a slightly different email in front of the bounce.

What actually prevents bad data from reaching your sending infrastructure is validation at the point of entry — checking the address before you ever send anything at all. That is the prevention. Double opt-in is not prevention. It is just an earlier event in the same sequence of problems.

 

Key takeaway:

Double opt-in does not protect your deliverability in the way most people assume. A bounced confirmation email damages your reputation just as much as a bounced welcome email. The real deliverability protection comes from address validation at the point of form submission — before you send anything. 

 

The experience problem — and this one is serious

Even if the deliverability argument held up perfectly, I would still have reservations about double opt-in. Because the experience it creates is genuinely problematic.

Think about what happens from the subscriber's perspective.

Someone takes an action. They fill in a form on your website. They purchase something. They download a resource. They sign up for a webinar. They have already done the thing. They have already made the decision. They have already given you their email address and, implicitly or explicitly, indicated they are open to receiving communication from you.

Then they get the double opt-in email. Which essentially says: are you sure?

From a human psychology perspective, this is odd. You have already answered yes. Being asked again to confirm your yes is, at best, slightly confusing and, at worst, a prompt to reconsider. You have already said yes. Why is someone asking if you mean it?

 

The consequential opt-in collision

It gets worse when the subscriber came onto your list through a consequential action — a purchase, a form submission, an event registration — rather than an explicit newsletter sign-up.

In those cases, the subscriber's primary action was not to join your email list. They bought something. They inquired about something. The email list was incidental. And now, as a consequence of that action, they receive a double opt-in email asking them to confirm a subscription they did not explicitly ask for.

From their perspective: I just bought something from you, I have already received a purchase confirmation, and now you are sending me a separate email asking me to confirm I want to receive emails from you. This is confusing. It is also, in many cases, poorly timed against the other automated emails they are receiving simultaneously.

This kind of friction — asking for confirmation of something that was implicit in the original action — erodes trust rather than building it. It makes the subscriber feel like they are being enrolled in something rather than welcomed into a relationship.

 

The settings trap that breaks journeys

There is also a practical systems problem with double opt-in that causes real damage and is almost never discussed.

Many ESPs and CRM platforms default to suppressing automated emails — triggered flows, welcome sequences, lead magnet deliveries — until the subscriber has completed double opt-in confirmation. Which means that if someone fills in a form to download a white paper and your system is set to require double opt-in, they will not receive the white paper until they click the confirmation link.

They signed up to get something. You are now holding it hostage behind an extra step.

In the best case, they click the confirmation and eventually get the content, having experienced unnecessary friction. In the realistic case, a meaningful proportion of people never click the confirmation, never get the content, and leave with a negative first impression of your brand. You have failed to deliver on the promise you made at the point of sign-up.

 

Watch out for:

Go and check your ESP settings right now. If double opt-in is turned on, check which automated emails are being suppressed for non-confirmed subscribers. There is a real chance that your lead magnet delivery emails, your welcome sequences, and your triggered flows are not reaching new subscribers who have not completed confirmation. This is a common, expensive, and entirely silent problem.

 

Email health check

Free Email Marketing Health Check

Audit your entire ecosystem in under 30 minutes

Answer a set of honest questions across every area of email marketing and get a personalised score, traffic-light priorities, and clear actions and improvements you can make today. 

Take the Health Check →

The compliance myth — double opt-in is not legally required almost anywhere

One of the most persistent reasons organisations keep double opt-in is a belief that GDPR or other privacy legislation requires it. This is a misunderstanding that has been circulating for years.

GDPR requires that you can demonstrate consent to receive marketing communications. It requires that you have a clear record of when, how, and for what someone opted in. It does not specify double opt-in as the mechanism for achieving this.

A single opt-in with a clear, specific, unchecked consent checkbox, proper privacy policy, and records of the consent event meets GDPR requirements. The Information Commissioner's Office in the UK and the European Data Protection Board are both clear on this.

Double opt-in is legally required as a specific mechanism only in a small number of jurisdictions, notably Germany, Austria, Norway, Switzerland, Luxembourg, and Greece. If you are not specifically sending to those markets with marketing emails, double opt-in is a choice — not an obligation.

The US CAN-SPAM Act does not require opt-in at all, only an opt-out mechanism. Canada's CASL requires express or implied consent, which a single opt-in with proper records satisfies.

If your compliance team is insisting on double opt-in as a legal requirement in markets where it is not legally required, it is worth having a conversation with them about what consent documentation actually looks like — because you may be creating unnecessary friction and losing subscribers for a compliance requirement that does not exist.

 

What to do instead — a better approach in five parts

Removing double opt-in does not mean removing rigour. It means replacing a blunt, outdated mechanism with better, more targeted tools that solve the actual problems more effectively.

 
1. Validate at the point of entry

The single most impactful thing you can do to replace the data quality function of double opt-in is to implement real-time email address validation on your forms.

Email validation tools — ZeroBounce, NeverBounce, Kickbox, BriteVerify — can check an email address at the moment of submission and flag or reject addresses that are invalid, disposable, or known spam traps. This is prevention at the source, before you have sent anything at all.

If someone types their email address incorrectly, the validator can catch it in real time and prompt them to correct it — "looks like there may be a typo, did you mean [suggestion]?" — before they complete the form. That single intervention eliminates the most common cause of preventable bounces.

This is the deliverability protection that double opt-in was trying to provide in 1993. It does it better, without the subscriber experience friction.

2. Diagnose your bounce causes before reaching for any solution

If you have a bounce problem, understand it before you try to solve it. The fix for different types of bounces looks completely different.

  • If people are spelling their email addresses wrong — implement a real-time validator on your forms

  • If bounces are concentrated in a specific acquisition source — investigate and fix that source, whether it is a lead gen form, a cold data import, or a particular ad campaign

  • If bounces are coming from cold data added by the sales team — that is a data strategy conversation, not a double opt-in conversation

  • If bounce rates are spiking from an older segment — run the list through a validation tool before sending and remove stale addresses

Different causes need different solutions. Double opt-in applies the same blunt instrument to all of them — and in most cases, a more targeted intervention solves the actual problem more effectively.

3. Make the first email earn the relationship

The energy that most teams put into building a double opt-in confirmation email — making sure it gets delivered, worrying about whether subscribers will confirm, monitoring confirmation rates — should go into making the first real email extraordinary.

The first email a new subscriber receives from you is your most important email. It is the moment predictive coding begins — the moment the brain starts forming its expectation of what your emails will be. If that first email is a confirmation prompt asking them to verify their address, that is the experience they are starting from.

If that first email is a genuinely warm, clear, valuable orientation into what they have signed up for — what they will receive, why it is worth their time, and what to do next — that is a completely different starting point for the relationship.

Read the orientation flows blog for a detailed breakdown of how to build a first email sequence that earns engagement rather than just requesting it.

4. Use your data to understand engagement quality over time

One of the arguments for double opt-in is that it produces a higher-quality, more engaged list. The research on this is more nuanced than the headlines suggest. AWeber found in the early 2000s that while double opt-in produced fewer subscribers, the overall sales generated from subsequent emails were the same — because the people who could not be bothered to click a confirmation link were also less likely to convert anyway.

But here is the thing: you do not need double opt-in to get that information. You get it by monitoring engagement in the first 30 days after sign-up. Which acquisition sources produce subscribers who engage? Which produce subscribers who immediately go cold? That data tells you about list quality far more accurately and actionably than confirmation rates do.

Track meaningful actions — not opens, not clicks, but real engagement signals — in the first month for new subscribers by source. The sources with consistently low 30-day engagement are the ones to review, regardless of whether double opt-in is in place.

5. Clean your list regularly — not just at acquisition

Data quality is not a one-time event at the point of sign-up. Email addresses decay over time. People change jobs. Mailboxes get abandoned. Yahoo closes inactive accounts after 12 months. Gmail after 24 months. An address that was valid when someone signed up two years ago may be a bounce risk today.

Run your list through a validation tool regularly — quarterly at minimum for high-volume senders, before any significant campaign to a segment that has not been emailed recently. This ongoing hygiene does more for deliverability over the long term than double opt-in at the point of sign-up.

 

The exceptions — when double opt-in does still make sense

I said at the start that my recommendation is to turn off double opt-in. I stand by that as a general position. But like most things in email, context matters.

There are situations where double opt-in remains reasonable:

  • You are sending to German, Austrian, or Norwegian audiences with marketing emails — double opt-in is legally required in these markets. This is not optional.

  • You are building a very small, highly curated list where quality is more important than volume — if you are deliberately trying to build a list of people who are absolutely certain they want to hear from you, the friction of confirmation may be a useful filter

  • You have a specific deliverability problem that is being caused by a high volume of invalid addresses — in the short term, while you implement proper validation, double opt-in can provide a temporary backstop

Outside of those situations, the evidence is clear. Better data quality tools, better onboarding sequences, and better list hygiene practices do everything double opt-in does — and they do it without breaking the subscriber experience at the moment it matters most.

 

The honest summary

Double opt-in made sense in 1993. LISTSERV was solving a real problem with the tools available at the time. The confirmation email was the only reliable way to verify that an email address was real and that the person who submitted it was the person who owned it.

Thirty-two years later, we have real-time validation tools, sophisticated list hygiene services, and a much deeper understanding of how the subscriber experience at the point of sign-up shapes the long-term relationship.

Asking someone to confirm a subscription they already made is not rigorous. It is friction. And in 2026, friction at the most important moment in the subscriber relationship is the last thing any email programme needs.

Turn it off. Implement validation at the point of entry. Build an orientation flow that earns the relationship rather than just checking a compliance box. Monitor your bounce causes and address them at the source.

Do the thing that actually works. Not the thing that has always been done.

 

 

Further reading from The Vault:


 

Like this blog? You'll love RE:markable

 RE:markable is the weekly email about emails. Dropping the latest email marketing news, updates, insights, free resources, upcoming masterclasses, webinars, and of course, a little inbox mischief. 
Subscribe to RE:markable

Email, CRM and HubSpot Support

I help marketers and businesses globally improve, design and fix their email, CRM, and HubSpot ecosystems, from strategy through to execution.

My services include:

  • Email marketing strategy, audits, training, workshops, and consultancy

  • CRM strategy and enablement

  • Full HubSpot implementations, optimisation and onboarding through my agency

If you’re looking for experienced external support (and lots of enjoyment along the way), this is where to start.

Work with Beth

 
,