Blaser Consulting - Innovative Business Solutions: Web Design, Marketing and Consulting Services
(800) 891 6652
spacer
Man writing articles about web design, marketing, and consulting.

Mailing List Best Practices

Closed-Loop Confirmed Opt-In is the only method of email subscription management that provides actual proof of permission.

Why use a closed-loop confirmed opt-in system?
Because. Submission does not equal subscription. The single submission of an email address carries with it absolutely no proof of permission. Anyone can enter an email address through a web page or via email. Anyone can buy a "Millions" CD and flood your system with addresses. Anyone can sell you a list of unethically harvested addresses and say, "Sure, they're opt-in." Only closed-loop confirmed opt-in can prove that the address owner is the one who asked to be added to the list. If you're not using closed-loop confirmed opt-in, you're not a "permission-based marketer" -- you're a "submission-based marketer".

The unique, un-guessable token stops forged "confirmation replies." If you're paying web publishers for co-registrations, any publisher could submit forged registration requests, and then follow up by sending in forged confirmation replies. Since there is no unique token involved, all the scammer has to do is forge the "from" address of the email, the co-registration is completed... and you've just paid this sleazy scammer for an address that they unethically harvested off the Web, or which they bought for far less than the bounty they've collected from you. But if you use a unique, un-guessable token, that token is sent to the submitted address, not to the scammer. If the scammer tries to forge a confirmation, it's rejected, since there's no matching token.

No one can be signed up for your list against their will. Unless the address owner gives others access to their email password, unauthorized addition of an address is virtually impossible with properly-managed closed-loop confirmed opt-in. If the address was submitted by an unauthorized party, the address owner just ignores the confirmation request. Instead of a series of spam’s arriving in their inbox, followed angry emails being sent to you, and/or abuse reports being sent to your upstream, your subscription server quietly and efficiently takes care of everything.

It'll elevate your status in the Internet community. And the community is well known for its vocal criticism of companies that have a reputation for spamming. The community is also known for boycotting spammer companies, and patronizing companies known to be "white hats." Never underestimate the power of good will.

It'll save you time, and time is, of course, money. No more arguing with addressees over whether they subscribed. No more bowing and scraping to your service provider when a spam complaint comes in. With closed-loop confirmed opt-in, you've got proof of permission.

It'll save you money, and money is... uh... money. Scammers can't rip off your co-registration network by entering unauthorized addresses. And you won't be unceremoniously disconnected by your service provider for spamming.

It'll keep you out of jail. Some states now have, or will soon have laws against unsolicited commercial email. If you have proof of permission, you won't have to have your head shaved, and become a gang member's... uh... girlfriend.

In a closed-loop confirmed opt-in subscription system:

  1. The address owner — or someone else — submits a request, via email or a Web form, that the email address be added to a particular mailing list
  2. In response, your subscription server generates a unique, un-guessable token that is associated with the submission of that email address. This token might consist of a hash combining the date and time of the subscription request, along with the address itself... in addition to a secret key that will make the token truly un-guessable.
  3. Your subscription server records the submission info, including the date and time stamps, the email address, the name of the mailing list, the IP number of the submitting computer, and the URL of the Web form if one is used. If the request was received via email, the full, unedited email headers are stored in place of the URL.
  4. Your subscription server sends a confirmation request email to the submitted email address. The request message contains the same info stored by your server: date and time stamps for the submission, the IP address of the requesting computer, the name of the mailing list, the unique token, and the submitted address.
  5. The submitted address receives the confirmation request, and the owner responds to the confirmation request, returning the unique token to the subscription server — if the subscription request was valid. The address owner can easily complete the subscription by replying to an encoded Reply-To address, or by clicking an encoded link. Note that an automated reply — like a "vacation reply" or "out-of-office reply" or an auto responder message is not a valid confirmation messages... even if the reply quotes the unique token. Methods employing a returned unique token also help avoid all issues of inaccuracy in the user's confirmation reply. If the address was submitted by an unauthorized party, the address owner just ignores the confirmation request, and the subscription server erases the original request data after an arbitrary confirmation period ends.
  6. Your subscription server receives the confirmation reply, and completes the subscription process, first by comparing the returned token with the stored token associated with the originally-submitted address. If they match, the server then stores the complete headers of the confirmation email, along with all the usual info: date and time, unique token, and IP number. If the confirmation reply was submitted via an encoded URL, the URL is stored instead of the headers. Lastly, the submitted address is added to the appropriate mailing list. Optionally, a welcome message can be sent to the new subscriber. — If the confirmation is not returned to you from the submitted address, or the unique token is not present or does not match, then the subscription process is aborted, and no further email is sent to the submitted address. All record of the original submission is erased from the subscription server after some arbitrary period.

What else do you need to remember?
Mailing can begin only after a positive confirmation response. This is closed-loop confirmed opt-in... NOT "single opt-in" — which is actually "opt-out." If the confirmation is not returned to you from the submitted address, or the unique token is not present or does not match, then the subscription process should be aborted, and no further email should be sent to the submitted address. All record of the original submission should be erased from the subscription server after some arbitrary period. NOTE: Some administrators and users are concerned that even the temporary storage of the originally-submitted address could lead to privacy problems. It's been suggested that in addition to the IP number, plus the date and time stamps, only the unique token should be stored. If the token is a one-way hash the address will be protected from prying eyes. When the token-matching confirmation reply is received, the sender's address can be recorded from the email’s From address, or can be retrieved from a value in the encoded URL.

The burden of proof of permission rests solely on the shoulders of the sender... not the recipient. If you can't positively prove that an address owner asked to be on your list, you don't have a right to send them email. Because of this, you must keep records of the original subscription request, as well as the confirmation reply, for the duration of the subscription.

Closed-loop confirmed opt-in practices eliminate "Spam Extortion Syndrome": "Either you reveal your email address to us, or we'll keep spamming you." Again: The burden of proof of permission rests solely on the shoulders of the sender... not the recipient. Remember, the recipient has absolutely no obligation — and probably no will — to surrender their identity or address to an entity that has already begun to abuse their trust through the sending of unsolicited email. With complete subscription records, you have actual proof of subscription. No more going round and round with users who don't want to — and shouldn't have to — surrender their email address.

Closed-loop confirmed opt-in is easy to implement. Include subscription and un-subscription via both web and email. Fulfilled subscription and confirmation data doesn't need to be accessed frequently, so your backend only has to deal with it two to four times (including un-subscription) over the life of the subscription. If you want to use a full CRM solution, you'll probably be able to find a module that can easily handle subscription management, fully integrated with your existing database.

Closed-loop confirmed opt-in is easy for your subscribers to use. For a basic subscription, it's as easy as 1-2-3... 1) Your subscriber types in their address. 2) Your subscriber clicks "Submit" (or sends their email to your subscription server), and 3) Your subscriber clicks the response link in the confirmation email, or replies to your encoded response address. With those three steps, your closed-loop confirmed opt-in system has saved you and your subscriber lots of grief, saved you some coin, and possibly kept a state's Attorney General from sending you to The Big House.

How do you convert your mailing lists to closed-loop confirmed opt-in?

Just remove all addresses for which you have no closed-loop opt-in confirmation, as described above... Or, you can send a single confirmation request — with a unique token — to each address on the list. If the address owner ignores the message, just remove them from your list. If they reply with a confirmation, you'll have proof that the addressee really wants your mail, and you won't be forced to spend all that extra time dealing with spam complaints and avoidable privacy problems.

spacer
spacer
spacer
spacer