The Email & CRM Vault

Should I use a double opt-in?

Written by Beth O'Malley | 05/2026


My recommendation is this (to save you reading): turn off double opt-in.

I know that will make some people uncomfortable and other people will disagree with me (that's totally fine!).

Double opt-in has been positioned as the gold standard of email list building for decades. It is the thing the compliance people insist on, the thing the deliverability guides recommend, the thing that sounds responsible and considered and safe.

But here is my honest view after years of working with programmes across every industry and business model: double opt-in is solving a problem that better tools now solve more elegantly — and in solving it, it is creating a worse problem. It is breaking the subscriber experience at exactly the moment it matters most.

This blog explains where double opt-in came from, why it made sense at the time, why the logic no longer holds in 2026, and what you should be doing instead.


Where double opt-in actually came from

To understand why double opt-in exists, you have to go back to 1993.

 

In 1993, this made complete sense. Email address validation tools did not exist. There was no infrastructure to check whether an address was real or belonged to the person submitting it. The only way to verify intent and data quality was to make the subscriber take a second action. A reply, later a link click, was both a data quality check and an engagement signal.

Fast forward to 2026. Email address validation tools are sophisticated, fast, and affordable. They can tell you, at the point of form submission, whether an address is real, whether it belongs to an active mailbox, whether it is a known spam trap, whether it is a disposable address, whether it looks like a typo. In real time. Before you ever send anything.

The problem double opt-in was solving in 1993 now has much better solutions. But the double opt-in remains — largely out of habit, partly out of misunderstood compliance guidance, and in many cases because nobody has stopped to question whether the cure is worse than the disease.


The deliverability argument and why it doesn't hold

The main argument for double opt-in is a deliverability one. The logic goes like this:

  • If someone confirms their subscription by clicking a link or replying, they generate a positive engagement signal that feeds inbox provider reputation systems

  • If their email address is wrong or invalid, the confirmation email bounces and we never send to that address again

  • This means we only ever email people who are genuinely interested, with verified addresses — which protects deliverability

On paper, that logic makes sense. And I am not going to pretend it has no merit at all. A confirmed subscriber is, in theory, a more intentional subscriber.

But the logic has a fundamental flaw that nobody talks about openly enough.

If the email address is wrong, the double opt-in email bounces. So does your welcome email. So does any other email you send. The bounce happens regardless of whether you use double opt-in. You are not preventing the bounce — you are just moving which email triggers it. And a bounce from a double opt-in confirmation email damages your deliverability in exactly the same way as a bounce from a welcome email.

Double opt-in does not prevent bounces. It just puts a slightly different email in front of the bounce.

What actually prevents bad data from reaching your sending infrastructure is validation at the point of entry — checking the address before you ever send anything at all. That is the prevention. Double opt-in is not prevention. It is just an earlier event in the same sequence of problems.


The experience problem — and this one is serious

Even if the deliverability argument held up perfectly, I would still have reservations about double opt-in. Because the experience it creates is genuinely problematic.

Think about what happens from the subscriber's perspective.

Someone takes an action. They fill in a form on your website. They purchase something. They download a resource. They sign up for a webinar. They have already done the thing. They have already made the decision. They have already given you their email address and, implicitly or explicitly, indicated they are open to receiving communication from you.

Then they get the double opt-in email. Which essentially says: are you sure?

From a human psychology perspective, this is odd. You have already answered yes. Being asked again to confirm your yes is, at best, slightly confusing and, at worst, a prompt to reconsider. You have already said yes. Why is someone asking if you mean it?


The consequential opt-in collision

It gets worse when the subscriber came onto your list through a consequential action — a purchase, a form submission, an event registration — rather than an explicit newsletter sign-up.

In those cases, the subscriber's primary action was not to join your email list. They bought something. They inquired about something. The email list was incidental. And now, as a consequence of that action, they receive a double opt-in email asking them to confirm a subscription they did not explicitly ask for.

From their perspective: I just bought something from you, I have already received a purchase confirmation, and now you are sending me a separate email asking me to confirm I want to receive emails from you. This is confusing. It is also, in many cases, poorly timed against the other automated emails they are receiving simultaneously.

This kind of friction — asking for confirmation of something that was implicit in the original action — erodes trust rather than building it. It makes the subscriber feel like they are being enrolled in something rather than welcomed into a relationship.


The settings trap that breaks journeys

There is also a practical systems problem with double opt-in that causes real damage and is almost never discussed.

Many ESPs and CRM platforms default to suppressing automated emails — triggered flows, welcome sequences, lead magnet deliveries — until the subscriber has completed double opt-in confirmation. Which means that if someone fills in a form to download a white paper and your system is set to require double opt-in, they will not receive the white paper until they click the confirmation link.

They signed up to get something. You are now holding it hostage behind an extra step.

In the best case, they click the confirmation and eventually get the content, having experienced unnecessary friction. In the realistic case, a meaningful proportion of people never click the confirmation, never get the content, and leave with a negative first impression of your brand. You have failed to deliver on the promise you made at the point of sign-up.


The compliance myth — double opt-in is not legally required almost anywhere

One of the most persistent reasons organisations keep double opt-in is a belief that GDPR or other privacy legislation requires it. This is a misunderstanding that has been circulating for years.

GDPR requires that you can demonstrate consent to receive marketing communications. It requires that you have a clear record of when, how, and for what someone opted in. It does not specify double opt-in as the mechanism for achieving this.

A single opt-in with a clear, specific, unchecked consent checkbox, proper privacy policy, and records of the consent event meets GDPR requirements. The Information Commissioner's Office in the UK and the European Data Protection Board are both clear on this.

Double opt-in is legally required as a specific mechanism only in a small number of jurisdictions, notably Germany, Austria, Norway, Switzerland, Luxembourg, and Greece. If you are not specifically sending to those markets with marketing emails, double opt-in is a choice — not an obligation.

The US CAN-SPAM Act does not require opt-in at all, only an opt-out mechanism. Canada's CASL requires express or implied consent, which a single opt-in with proper records satisfies.

If your compliance team is insisting on double opt-in as a legal requirement in markets where it is not legally required, it is worth having a conversation with them about what consent documentation actually looks like — because you may be creating unnecessary friction and losing subscribers for a compliance requirement that does not exist.


What to do instead — a better approach in five parts

Removing double opt-in does not mean removing rigour. It means replacing a blunt, outdated mechanism with better, more targeted tools that solve the actual problems more effectively.

 

 

The exceptions — when double opt-in does still make sense

I said at the start that my recommendation is to turn off double opt-in. I stand by that as a general position. But like most things in email, context matters.

There are situations where double opt-in remains reasonable:

  • You are sending to German, Austrian, or Norwegian audiences with marketing emails — double opt-in is legally required in these markets. This is not optional.

  • You are building a very small, highly curated list where quality is more important than volume — if you are deliberately trying to build a list of people who are absolutely certain they want to hear from you, the friction of confirmation may be a useful filter

  • You have a specific deliverability problem that is being caused by a high volume of invalid addresses — in the short term, while you implement proper validation, double opt-in can provide a temporary backstop

Outside of those situations, the evidence is clear. Better data quality tools, better onboarding sequences, and better list hygiene practices do everything double opt-in does — and they do it without breaking the subscriber experience at the moment it matters most.


The honest summary

Double opt-in made sense in 1993. LISTSERV was solving a real problem with the tools available at the time. The confirmation email was the only reliable way to verify that an email address was real and that the person who submitted it was the person who owned it.

Thirty-two years later, we have real-time validation tools, sophisticated list hygiene services, and a much deeper understanding of how the subscriber experience at the point of sign-up shapes the long-term relationship.

Asking someone to confirm a subscription they already made is not rigorous. It is friction. And in 2026, friction at the most important moment in the subscriber relationship is the last thing any email programme needs.

Turn it off. Implement validation at the point of entry. Build an orientation flow that earns the relationship rather than just checking a compliance box. Monitor your bounce causes and address them at the source.

Do the thing that actually works. Not the thing that has always been done.
