If you’re not familiar with it, double opt-in is a key requirement for email lists of any kind. It doesn’t matter what your email list exists to do: if you send emails to a list, you should always use a double opt-in standard. Maybe you run a forum, a mailing list, a notification list, or just a blog that people can register to comment on. Any of those use cases, as well as many others, are relevant to this.

However, in 2020 we’re apparently in need of further complications for our lives, a call that the world has clearly answered effectively. Among those complications lands this new reality: double opt-in is no longer enough to protect you from the dangers it sets out to protect you from. Let’s dive in.

What is Double Opt-In?

Double opt-in works like this:

  1. The subscriber fills out a form to subscribe to your {newsletter, alerts, blog}.
  2. You send them an email requesting that they confirm their subscription.
  3. They have to confirm, by replying or clicking a link, that they accept it.
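
The three steps above, carried through in code as an added example (not from the original post, and not any particular mailing-list product’s implementation): a signed confirmation token with an expiry, a pending state that never receives list mail, and a cap of one confirmation email per address per hour so that repeated form submissions for the same address do not turn into repeated mail. The secret, the 24-hour token lifetime and the one-hour cooldown are assumptions chosen for the example.

```python
import base64
import hashlib
import hmac

# Constructed secret for the example; a real deployment loads this from configuration.
SECRET = b"example-signing-secret-replace-me"
TOKEN_TTL = 24 * 3600        # confirmation links stop working after one day (assumed)
RESEND_COOLDOWN = 3600       # at most one confirmation email per address per hour (assumed)


def make_token(email: str, issued_at: int, secret: bytes = SECRET) -> str:
    """Build a confirmation token of the form base64(email).issued_at.hmac_sha256."""
    email_b64 = base64.urlsafe_b64encode(email.encode()).decode().rstrip("=")
    msg = f"{email_b64}.{issued_at}"
    sig = hmac.new(secret, msg.encode(), hashlib.sha256).hexdigest()
    return f"{msg}.{sig}"


def verify_token(token: str, now: int, secret: bytes = SECRET, ttl: int = TOKEN_TTL):
    """Return the email the token was issued for, or None if it is tampered with or expired."""
    try:
        email_b64, issued_str, sig = token.rsplit(".", 2)
    except ValueError:
        return None
    msg = f"{email_b64}.{issued_str}"
    expected = hmac.new(secret, msg.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):      # constant-time comparison
        return None
    if not issued_str.isdigit() or now - int(issued_str) > ttl:
        return None
    padding = "=" * (-len(email_b64) % 4)
    return base64.urlsafe_b64decode(email_b64 + padding).decode()


class SubscriptionList:
    """Pending addresses are not on the list; only a confirmed address ever receives list mail."""

    def __init__(self, secret: bytes = SECRET):
        self.secret = secret
        self.pending = {}      # email -> time the last confirmation email was sent
        self.confirmed = set()
        self.outbox = []       # (email, token) pairs standing in for sent confirmation emails

    def request_subscription(self, email: str, now: int) -> bool:
        """Steps 1 and 2: the form was submitted; send at most one confirmation email per cooldown."""
        email = email.strip().lower()
        if email in self.confirmed:
            return False                      # already on the list, send nothing
        last = self.pending.get(email)
        if last is not None and now - last < RESEND_COOLDOWN:
            return False                      # repeated submissions do not generate more mail
        self.pending[email] = now
        self.outbox.append((email, make_token(email, now, self.secret)))
        return True

    def confirm(self, token: str, now: int) -> bool:
        """Step 3: the link was clicked; only a valid, unexpired, still-pending token confirms."""
        email = verify_token(token, now, self.secret)
        if email is None or email not in self.pending:
            return False
        del self.pending[email]               # the token cannot be replayed once used
        self.confirmed.add(email)
        return True

    def purge_expired(self, now: int) -> int:
        """Drop pending requests whose confirmation window has passed; returns how many."""
        stale = [e for e, t in self.pending.items() if now - t > TOKEN_TTL]
        for e in stale:
            del self.pending[e]
        return len(stale)
```

The point of the cooldown and the expiry is that an address someone else typed into your form costs its real owner at most one unwanted email, and a stale confirmation link cannot be used weeks later to add an address nobody asked for.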

What is double opt-in designed to protect against?

I’m glossing over this a bit, but double opt-in is designed to protect systems and people at these layers:

  1. The recipient from receiving email that they don’t want to receive.
  2. Your website from being easily open to registration by bots that intend to spam on it. This could be forum spam, blog comment spam, etc.

Why isn’t it enough?

Let’s say that your goal is to prevent someone from receiving email that they didn’t want to receive. This is not only about complying with spam laws or things of that nature; it is also about protecting your emails from being filtered to spam folders because users report your emails as spam. So let me present to you a very real scenario that we’ve dealt with recently, with several customers:

The customer runs a blog (or just a website that runs using blog software – WordPress, Joomla, etc). Whether or not the customer intended to allow users to sign up for the website for any purpose, the website has a registration form because its default behavior is to allow users to register so that they can comment on blog posts (even if the website doesn’t have any blog posts). Now there are a bunch of “hackers” (for lack of a word that is both widely understood and remotely relevant) out there who break into people’s email accounts. They end up with a large list of email accounts that they’ve gained control of, often emails at Yahoo, Comcast, and others. They use those email addresses as throw-away emails to sign up for the customer’s blog, with intent to post spam in comments on the blog (again, it doesn’t matter if a blog actually exists; they’re scanning for registration pages and automating the registrations, and they’ll check for blog posts later). The customer’s web application (let’s say WordPress) sends them an email thanking them for signing up, and/or requesting that they click a link to confirm their subscription. The original owner of that email account gets their account back, changes their password, and then starts reporting all of the emails relevant to the hacker’s activity as spam. Now your domain is being reported as spam for an email that was, on the face of it, perfectly fine.

Now let’s imagine that happens hundreds of times per day/week/month. You are now routinely being reported as spam and you’ve done nothing particularly unreasonable to cause it. The reason doesn’t matter; the impact is the same. Your domain is becoming known more and more for spam. Our IP addresses are part of it as well, and while this problem isn’t out of hand (because we demand that our customers deal with it; we have no choice), it would reduce the reputation of our IPs if we let it continue unchecked.

What is the solution?

You need to stop bots from signing up for your website, mailing list, etc. Maybe that’s a captcha, maybe it’s disabling a registration page you didn’t know was there. Whatever the culprit, whatever the solution, this is yours to own. A captcha should be the bare minimum, but you may escalate to other solutions if you see fit. Blocking VPN IPs and Russia (funny, but true) might reduce it as well, but could also block legitimate users from your website/mailing list.
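
As an added example (not MXroute’s tooling and not code from WordPress or any other blog platform), here is one shape the application-side part of this can take: a switch that refuses every registration when you never meant to offer one, and a sliding-window limit on registrations per client IP that flags addresses worth challenging with a captcha or blocking. The log lines are constructed with documentation IP ranges, and the threshold of three registrations per ten minutes is an assumption to tune for your own site.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed registration log: ISO timestamp, client IP (documentation ranges), email submitted.
SAMPLE_LOG = """\
2020-03-01T10:00:00 203.0.113.7 first@example.net
2020-03-01T10:00:12 203.0.113.7 second@example.com
2020-03-01T10:00:25 203.0.113.7 third@example.org
2020-03-01T10:00:31 203.0.113.7 fourth@example.net
2020-03-01T10:05:00 198.51.100.4 fifth@example.org
2020-03-01T10:30:00 203.0.113.7 sixth@example.com
"""

MAX_PER_IP = 3                  # registrations one IP may make inside the window (assumed)
WINDOW = timedelta(minutes=10)  # sliding window for the limit above (assumed)


def parse_line(line):
    """Split one constructed log line into (timestamp, ip, email)."""
    ts, ip, email = line.split()
    return datetime.fromisoformat(ts), ip, email


def evaluate(lines, registration_open=True, max_per_ip=MAX_PER_IP, window=WINDOW):
    """Replay registration attempts in order and decide each one.

    Returns a list of (ip, email, decision), where decision is 'allowed',
    'rate_limited', or 'registration_closed'.
    """
    recent = defaultdict(deque)   # ip -> timestamps of attempts still inside the window
    decisions = []
    for line in lines:
        if not line.strip():
            continue
        ts, ip, email = parse_line(line)
        if not registration_open:
            # A site that never meant to offer accounts should refuse them all.
            decisions.append((ip, email, "registration_closed"))
            continue
        q = recent[ip]
        while q and ts - q[0] > window:   # slide the window forward
            q.popleft()
        decision = "rate_limited" if len(q) >= max_per_ip else "allowed"
        q.append(ts)                      # refused attempts still count toward the limit
        decisions.append((ip, email, decision))
    return decisions


def flagged_ips(decisions):
    """IPs that tripped the limit at least once: candidates for a captcha challenge or a block."""
    return {ip for ip, _, d in decisions if d == "rate_limited"}
```

In the sample log the fourth attempt from 203.0.113.7 inside one minute is refused while the later attempt at 10:30 is allowed again, which is the behaviour you want: a burst of automated sign-ups is stopped before a confirmation email goes out for each address, without permanently locking out an IP that a real person may share.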

What is MXroute’s role in this?

Quite simply, we cannot allow this to get out of hand on our platform. Our customers trust us to maintain high reputation IP addresses by ensuring that they are not wasted by useless cases that devalue them for the benefit of no one. We are learning how to identify this, automate resolutions, and we are demanding that customers work out solutions to this. In fact, there’s a good chance you’re reading this because we linked you to it in an email.