Email Marketers, it is time for Confirmed Opt-in
23 Aug 2016
Imagine coming into work one morning to find that over 10,000 emails had come in overnight with more flooding your mailbox right in front of your eyes. Most people would panic and their level of frustration would shoot through the roof. They would blame every brand in their inbox for causing this problem, not realising that they are the target of an email bomb attack.
An email bomb attack is essentially a Distributed Denial of Service (DDoS) attack on a particular email address, and since August 1st there has been a coordinated and sustained attack aimed at US government email addresses. A hacker is using a botnet that finds websites with an email subscription form and registers the target addresses to receive that brand’s email marketing. It is important to point out that this is an attack on the target email addresses; the retail brands are just unwitting tools used to carry out the attack.
The number of target addresses is unknown at this point but the hacker has been clever in not adding the whole target list in one go. By adding them in ones and twos with time gaps between sessions, brands and web administrators cannot differentiate the attack data from normal subscriptions. This is exacerbated because they are real email addresses (remember this is an attack on the email addresses not the websites). This style of attack is called email bombing and Brian Krebs has written a much more detailed description on his blog.
To say that this is not an attack on the brands is only partially true. While the brands are not the main targets of the attack, there is certainly collateral damage. As mentioned above, the recipients would blame every brand in their inbox for causing this problem. They would also complain to their email administrator, who would then complain to the various spam blacklists, which would block the brand’s domain and IP address. So not only is the brand being blamed for sending out this spam which is unfair, their legitimate emails get blocked as well.
So, how should brands protect themselves? There are a number of partial steps that can be taken, such as adding a challenge-response mechanic to your data capture page. The first thing you should implement, however, is confirmed opt-in (COI). COI is the process in which the first email that goes to a recipient thanks them for signing up and asks them to click a link to confirm they are a real person.
Now you may be thinking that COI will not help because the target address would still get an email. As I said above, this is not a complete solution, but it is easy to implement quickly and it will help in two ways. First, you should only send one confirmation email, which limits your brand’s exposure in the email bomb target’s inbox. Second, if yours is one of the emails that does get seen and/or opened, it shows that you care about your subscribers and their data.
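The confirmed opt-in flow described above, as an added example that is not part of the original post: a sign-up sends at most one confirmation email per address, and no address receives marketing mail until its signed link is clicked. The in-memory store, the `outbox` list standing in for the mail transport, the key and the 48-hour expiry are assumptions for illustration.

```python
import hashlib
import hmac
import time

SECRET = b"constructed-demo-key"  # assumption: comes from a secret store in production
TOKEN_TTL = 48 * 3600             # assumption: confirmation links expire after 48 hours
subscribers = {}  # email -> {"state": "pending" | "confirmed", "sent_at", "confirmed_at"}
outbox = []       # stands in for the mail transport: (recipient, token) pairs


def _sign(email, expires):
    """HMAC over address and expiry, so a link cannot be forged or re-targeted."""
    return hmac.new(SECRET, f"{email}|{expires}".encode(), hashlib.sha256).hexdigest()


def subscribe(email, now=None):
    """Handle a sign-up form post. Returns True only if a confirmation email was sent."""
    now = time.time() if now is None else now
    email = email.strip().lower()
    if email in subscribers:
        # Repeat sign-ups (for example from a bot) never trigger a second email.
        return False
    expires = int(now) + TOKEN_TTL
    subscribers[email] = {"state": "pending", "sent_at": now, "confirmed_at": None}
    outbox.append((email, f"{email}|{expires}|{_sign(email, expires)}"))
    return True


def confirm(token, now=None):
    """Handle a click on the confirmation link. Returns True if the address is confirmed."""
    now = time.time() if now is None else now
    try:
        email, expires, sig = token.rsplit("|", 2)
        expires = int(expires)
    except ValueError:
        return False  # malformed token
    valid = hmac.compare_digest(sig.encode(), _sign(email, expires).encode())
    if not valid or now > expires:
        return False  # forged, tampered or expired link
    record = subscribers.get(email)
    if record and record["state"] == "pending":
        record.update(state="confirmed", confirmed_at=now)  # stored evidence of the click
    return record is not None


def marketing_recipients():
    """Only confirmed addresses are ever handed to a marketing send."""
    return sorted(e for e, r in subscribers.items() if r["state"] == "confirmed")
```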
COI has been around for years and there are loads of historical arguments against using it but as I thought about this in the broader context, I do not think these arguments really hold together any more. Regardless of whether your website is being used to facilitate a mail bomb attack or not, the pros of COI outweigh the cons. Let’s look at each of the most common arguments against COI in turn.
Confirmed opt-in is one step too many. The argument against COI has always been that not everybody will click the link and those email addresses will be lost. I have seen industry stats that claim 20%-40% drop off rates for people who do not confirm their opt-in. I have two problems with these stats. First, they have been floating around the industry for years which doesn’t necessarily make them wrong but I worry that they are now more urban legend than based on actual data. My second concern is that these stats are never presented within the context of the user journey. I completely agree that implementing COI without any explanation or signposting on your website will lead to a high confirmation failure rate but a well thought-out user experience should make the confirmation email step seamless. Signing up for your email marketing is the highest level of engagement with your brand that each subscriber has had to that point. What kind of customer do you think they will be if you cannot even motivate them to open and click on one email? Finally, Germany has been double opt-in for years and email marketing is still the best performing channel.
Confirmed opt-in adds a layer of complexity and therefore additional points of failure. Well yes, extra steps by definition add extra complexity. An opt-in confirmation email however, must be the simplest form of email automation. How can we expect to get something like abandoned basket right if we cannot clear this relatively low hurdle?
Single opt-in produces more engagement. Again this is a mathematical truth, so yes. Bigger lists drive more opens and clicks than smaller lists because you have more opportunities for the open or click. It seems to me that a confirmed opt-in list would offer you the same number of opportunities. Your confirmed opt-in list will have greater emotional attachment with the brand and will therefore want emails from you more frequently than a single opt-in list, which will give your readers greater opportunity to engage.
There are other ways to ensure the quality of your list. Tried and tested methods such as double entry of the email address and real-time data verification are both great at reducing errors at the point of data collection, but neither of these is new and most clients should be doing them anyway. Also, these steps are not foolproof. Just think about how often you copy what you put in the first email field and paste it in the confirmation box. The other list quality tactic mentioned is not mailing people who have become unengaged. Again, email marketers should be doing this anyway, so there is no incremental gain.
One last thing to consider is how this plays out under the new General Data Protection Regulation (GDPR). One of the requirements of this new law is that marketers have to be able to prove that they have consent. Relying on just the date and IP address from the web log will not be enough; the only way to get this confirmation is by the subscriber clicking a link in an email.
Confirmed opt-in is a good first step to protect your brand from email bombing’s collateral damage. More than that, however, you should be thinking about it in the wider context of establishing a relationship with your readers that is based on your brand being open, honest and fair.