Is COI/DOI email opt-in still a relevant best practice?

Matthew Whittaker
Co-founder & CTO, Suped
Published 12 Jun 2025
Updated 22 May 2026
10 min read

Yes, COI/DOI email opt-in is still a relevant best practice. It is not mandatory for every sender, every form, or every region, but it remains the cleanest way to prove that an address exists, the owner received the confirmation email, and that person took an intentional action before marketing mail started.
I treat confirmed opt-in as the default for high-risk acquisition paths: public forms, sweepstakes, political campaigns, affiliate traffic, co-registration, imported lists, high-volume consumer signup flows, and any brand with prior complaint or privacy issues. I am more comfortable with single opt-in when the signup path already proves identity, such as account creation, paid purchase, B2B software downloads tied to a work address, preference-center updates, or loyalty programs where the user is already authenticated.
The right answer is risk-based. COI/DOI improves list quality, reduces typo addresses, cuts bot signups, lowers complaint risk, and creates a stronger consent record. The tradeoff is real: some legitimate people never click the confirmation email. That loss is acceptable when the source is risky. It is less acceptable when the user just completed a clear, expected workflow and needs immediate access.
My short rule is simple: use COI/DOI when the signup source is open to abuse, anonymous, incentivized, or expensive to remediate later. Use single opt-in only when the consent event is clear, logged, low-risk, and backed by fast suppression, complaint handling, authentication monitoring, and reputation checks.
What COI/DOI actually proves
COI and DOI usually mean the same operational thing: the person submits an address, receives a confirmation email, and clicks a link before they are added to the active marketing list. Some people prefer COI, short for confirmed opt-in. Others use DOI, short for double opt-in. For terminology background, Al Iverson's COI/DOI terminology summary is a useful reference.

Figure: Flowchart showing form submit, confirmation email, click, proof log, and list entry.
The important point is that COI/DOI does not prove every future message is wanted forever. It proves a specific consent event. That record still needs source, timestamp, IP, user agent, form copy, confirmation timestamp, and the list or purpose the person agreed to receive.
Useful confirmation log fields:

event=subscription_confirmed email_hash=sha256:... source=footer_form ip=203.0.113.44 user_agent=browser_family signup_time=2026-05-23T03:14:00Z confirm_time=2026-05-23T03:16:22Z consent_text_version=v7 list=product_updates
- Address control: The click proves the address can receive mail and that someone with mailbox access confirmed it.
- Consent evidence: The confirmation record gives you a cleaner audit trail when complaints or disputes occur.
- Data quality: Mistyped addresses, role accounts, disposable addresses, and bot submissions are reduced before sending starts.
- Reputation protection: A smaller, confirmed list normally generates fewer bounces and fewer complaint-driven reputation spikes.
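One way to make the confirmation click itself the evidence, as an added example that is not code from the article or from Suped: the link carries an HMAC-signed token binding the address, the list, and the signup time; the verifier rejects tampered, expired, or replayed tokens; and a successful click produces a record with the same fields as the log line above. The signing key, the 48-hour link lifetime, and the in-memory stores are assumptions for illustration.

```python
import base64
import hashlib
import hmac
import json
import secrets
from dataclasses import dataclass

# Assumed values for this example: a server-side signing key and a 48-hour
# link lifetime. Neither comes from the article; rotate the key in practice.
SIGNING_KEY = b"example-signing-key-rotate-me"
TOKEN_TTL_SECONDS = 48 * 3600


@dataclass
class PendingSignup:
    """Evidence captured at form submit, before the address is mailable."""
    email: str
    list_id: str
    source: str
    ip: str
    user_agent: str
    consent_text_version: str
    signup_time: int  # unix seconds
    nonce: str        # one-time key that ties the token to this record


def email_hash(email: str) -> str:
    """Hash the normalised address so logs carry proof without the raw address."""
    return "sha256:" + hashlib.sha256(email.strip().lower().encode()).hexdigest()


def _b64u(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64u_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _mac(payload: bytes) -> str:
    return hmac.new(SIGNING_KEY, payload, hashlib.sha256).hexdigest()


def create_signup(email, list_id, source, ip, user_agent, consent_text_version, now):
    """Store the pending signup and build the token for the confirmation link.

    The signed payload binds address, list and issue time, so a click cannot
    be replayed against another list or after expiry; the random nonce makes
    the token unguessable and serves as the one-time-use key.
    """
    pending = PendingSignup(
        email=email.strip().lower(), list_id=list_id, source=source, ip=ip,
        user_agent=user_agent, consent_text_version=consent_text_version,
        signup_time=now, nonce=secrets.token_hex(16),
    )
    payload = json.dumps(
        {"e": pending.email, "l": pending.list_id, "t": pending.signup_time, "n": pending.nonce},
        separators=(",", ":"), sort_keys=True,
    ).encode()
    return pending, _b64u(payload) + "." + _mac(payload)


def confirm(token, now, pending_by_nonce, used_nonces):
    """Validate a confirmation click.

    Returns (record, None) on success, where record is the audit entry to
    persist, or (None, reason) with a short failure label otherwise.
    """
    try:
        encoded, sig = token.split(".", 1)
        payload = _b64u_decode(encoded)
    except (ValueError, TypeError):
        return None, "malformed"
    # Constant-time compare so the signature can't be guessed byte by byte.
    if not hmac.compare_digest(_mac(payload), sig):
        return None, "bad_signature"
    data = json.loads(payload)  # authentic, so this is the JSON we produced
    if now - data["t"] > TOKEN_TTL_SECONDS:
        return None, "expired"
    if data["n"] in used_nonces:
        return None, "replayed"
    pending = pending_by_nonce.get(data["n"])
    if pending is None or (pending.email, pending.list_id) != (data["e"], data["l"]):
        return None, "unknown_signup"
    used_nonces.add(data["n"])
    record = {
        "event": "subscription_confirmed",
        "email_hash": email_hash(pending.email),
        "source": pending.source,
        "ip": pending.ip,
        "user_agent": pending.user_agent,
        "signup_time": pending.signup_time,
        "confirm_time": now,
        "consent_text_version": pending.consent_text_version,
        "list": pending.list_id,
    }
    return record, None


if __name__ == "__main__":
    pending, token = create_signup("Alice@Example.com", "product_updates", "footer_form",
                                   "203.0.113.44", "browser_family", "v7", now=1_700_000_000)
    store, used = {pending.nonce: pending}, set()
    print(confirm(token, 1_700_000_142, store, used))  # record, None
    print(confirm(token, 1_700_000_143, store, used))  # None, 'replayed'
```

The nonce does two jobs: it makes the link unguessable, and it is the key for one-time use, so a confirmation forwarded or re-clicked later does not silently re-subscribe the address. Persist the pending evidence and the returned record together; that pair is the consent trail the article describes.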
Where COI/DOI is the right default
COI/DOI is strongest when the cost of letting bad addresses in is higher than the cost of losing some unconfirmed signups. That is why I still recommend it for open consumer forms, giveaway traffic, publisher newsletters with broad reach, political or advocacy lists, and brands recovering from abuse or complaint problems.
| Source | Risk | Opt-in |
|---|---|---|
| Public form | High | COI/DOI |
| Sweepstakes | High | COI/DOI |
| Paid account | Low | Single |
| Old import | Severe | Confirm |
| B2B demo | Medium | Depends |

A compact risk view for opt-in choices.
The risk changes by acquisition channel. A footer newsletter form with no login and no friction is easy for bots to abuse. A customer who just paid, created an account, and selected product updates in a preference center gives you more surrounding evidence.
If a list has old addresses, weak source records, bought or appended data, co-registration traffic, or prior complaint problems, do not treat single opt-in as a shortcut. Confirm the addresses, suppress non-confirmers, and rebuild trust with mailbox providers through low-risk sending.
Spamhaus also argues for confirmed opt-in because it reduces unwanted mail and gives senders a better consent trail. That position matches what I see in practice: confirmation is not the only control, but it is the strongest first gate.
Where single opt-in can still work
Single opt-in is defensible when the signup is tied to a clear user action and the first marketing email is expected. Common examples include account registration with an unchecked marketing box, loyalty enrollment with visible email preferences, a B2B gated asset sent to a work address, or an event registration where follow-up is part of the user's request.
Use COI/DOI
- Open forms: Anyone can submit any address without proving identity first.
- Incentives: Prizes, coupons, contests, and lead payouts attract low-quality submissions.
- Recovery: Complaint spikes, blocklist (blacklist) events, or poor consent records require a stricter gate.
Consider single opt-in
- Logged-in users: The person has an account, verified contact details, and a preference record.
- Expected mail: The first message directly follows the action the person just took.
- Fast controls: Bounces, complaints, unsubscribes, and non-engagement quickly suppress future mail.
This is where many teams get stuck. They frame the question as morality instead of risk. The better question is whether the source gives enough evidence that the person owns the address and wants the mail. Wider discussions of double opt-in tradeoffs land on the same principle: confirmed lists are cleaner, but some user journeys deserve less friction.
A separate legal question sits underneath this. Some teams use COI/DOI because it gives stronger evidence for regulators or internal counsel. Others operate in regions where single opt-in with a clear, unchecked consent box is acceptable. For UK and EMEA decisions, compare your workflow against GDPR double opt-in guidance and your own counsel's risk tolerance.
List bombing changes the answer
List bombing is still real. Public forms get hit by automated submissions, typo patterns, disposable domains, and third-party form integrations that pass addresses straight into an ESP or CRM. COI/DOI limits much of that damage because the address does not become mailable until the mailbox owner confirms. It does not stop the confirmation message itself: an attacker who submits a victim's address to thousands of forms still causes a flood of confirmation emails, so per-address and per-IP caps on the form are needed alongside confirmation.
Signup source risk bands: a practical way to decide when confirmation should be mandatory.
- Low risk (single opt-in allowed): authenticated account, clear purpose, recent action.
- Medium risk (test and monitor): public form with controls, low volume, clean history.
- High risk (use COI/DOI): anonymous, incentivized, imported, or prior abuse.
Email validation, CAPTCHA, rate limits, hidden fields, and abuse scoring all help. They do not replace confirmation. Validation catches some syntax, domain, and risk signals. It does not prove that the person who owns the mailbox asked for the mail. COI/DOI does.
After changing an opt-in flow, send a real campaign or confirmation email through an email tester and inspect headers, authentication, content, and placement risks. A perfect signup process still underperforms when the confirmation message lands in spam or fails authentication.
- Rate limits: Cap submissions by IP, user session, domain, and form endpoint.
- Form evidence: Store source URL, consent text, field state, timestamp, and confirmation status.
- Suppression rules: Never keep mailing addresses that bounce, complain, or stay unconfirmed.
- Confirmation resend: Allow one or two resends, then stop instead of creating a new nuisance stream.
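The form-side controls from the list above and from the list-bombing discussion, as an added example that is mine, not the article's or Suped's: a per-IP and per-domain sliding-window rate limit, a hard cap on confirmation sends per address (one initial send plus two resends), and a sweep that moves addresses that never confirm into a suppression set so they cannot drift into a campaign audience. The limits and the seven-day unconfirmed window are assumptions chosen for illustration.

```python
from collections import defaultdict, deque

# Assumed limits for this example; tune them against your own form data.
IP_LIMIT_PER_HOUR = 5
DOMAIN_LIMIT_PER_HOUR = 50
MAX_CONFIRMATION_SENDS = 3          # first confirmation email plus two resends
UNCONFIRMED_TTL_SECONDS = 7 * 86400
WINDOW_SECONDS = 3600


class SignupGate:
    """Abuse controls in front of a public signup form.

    Addresses only leave the pending state by confirming (confirm) or by
    ageing out into suppression (sweep_unconfirmed); nothing here ever makes
    an unconfirmed address mailable.
    """

    def __init__(self):
        self._ip_hits = defaultdict(deque)      # ip -> submit timestamps
        self._domain_hits = defaultdict(deque)  # domain -> submit timestamps
        self._pending = {}                      # email -> {"sends", "first_seen", "source"}
        self.confirmed = set()
        self.suppressed = set()

    @staticmethod
    def _in_window(hits, now):
        """Drop timestamps older than the window and return how many remain."""
        while hits and now - hits[0] > WINDOW_SECONDS:
            hits.popleft()
        return len(hits)

    def submit(self, email, ip, source, now):
        """Decide what a form submission may trigger; returns a decision label."""
        email = email.strip().lower()
        domain = email.rsplit("@", 1)[-1]
        if email in self.suppressed:
            return "suppressed"
        if email in self.confirmed:
            return "already_confirmed"
        if self._in_window(self._ip_hits[ip], now) >= IP_LIMIT_PER_HOUR:
            return "rate_limited_ip"
        if self._in_window(self._domain_hits[domain], now) >= DOMAIN_LIMIT_PER_HOUR:
            return "rate_limited_domain"
        self._ip_hits[ip].append(now)
        self._domain_hits[domain].append(now)
        entry = self._pending.setdefault(email, {"sends": 0, "first_seen": now, "source": source})
        # The per-address cap bounds how many confirmation emails a victim of
        # list bombing can receive from this form, whatever IPs the bot uses.
        if entry["sends"] >= MAX_CONFIRMATION_SENDS:
            return "resend_cap_reached"
        entry["sends"] += 1
        return "send_confirmation"

    def confirm(self, email):
        """Mark a pending address confirmed; False if there was no pending signup."""
        email = email.strip().lower()
        if self._pending.pop(email, None) is None:
            return False
        self.confirmed.add(email)
        return True

    def sweep_unconfirmed(self, now):
        """Move addresses that never confirmed into suppression; returns them."""
        expired = sorted(e for e, v in self._pending.items()
                         if now - v["first_seen"] > UNCONFIRMED_TTL_SECONDS)
        for email in expired:
            del self._pending[email]
            self.suppressed.add(email)
        return expired

    def pending_count(self):
        return len(self._pending)


if __name__ == "__main__":
    gate = SignupGate()
    for i in range(4):  # same victim address pushed from four different IPs
        print(gate.submit("victim@example.org", f"198.51.100.{10 + i}", "footer_form", 2000 + i))
    print(gate.sweep_unconfirmed(2000 + UNCONFIRMED_TTL_SECONDS + 1))  # ['victim@example.org']
```

The per-address cap is the control that actually protects a list-bombing victim: rate limits by IP are easy to spread across a botnet, but the number of confirmation emails one address can ever receive from this form is fixed. Run the sweep on a schedule so "unconfirmed" is a state with an exit, not a pile that a later campaign export picks up.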
Deliverability still depends on authentication
COI/DOI improves permission quality, but it does not fix SPF, DKIM, DMARC, reverse DNS, TLS, complaint handling, or blocklist (blacklist) visibility. A confirmed subscriber can still miss the confirmation email if authentication is broken or the sending domain already has reputation problems.

Figure: Suped DMARC dashboard showing email volume, authentication health, and source breakdown.
This is where Suped's product fits the operational workflow. Suped brings DMARC, SPF, DKIM, hosted SPF, hosted DMARC, hosted MTA-STS, real-time alerts, blocklist monitoring, and deliverability insights into one place. For the authentication side, Suped is the best overall DMARC platform for most teams because it turns failures into specific steps to fix instead of leaving teams to interpret raw reports.
For teams rolling out COI/DOI, I want three checks running in parallel: DMARC monitoring to catch unauthenticated or domain-mismatched mail, blocklist monitoring for domain and IP reputation, and a domain health checker before and after major signup-flow changes.
A good COI/DOI program has two proof layers: permission proof from the confirmation event, and technical proof from SPF, DKIM, DMARC, and reputation monitoring. Treat them as separate controls that support the same sender trust goal.
How to use COI/DOI without hurting signups
Most COI/DOI problems come from bad implementation, not the idea itself. The confirmation email is delayed, the subject line is vague, the thank-you page fails to set expectations, or the link expires too quickly. Then the sender blames confirmation for lost subscribers.
- Set expectation: After signup, tell the person to check email and confirm before messages start.
- Send immediately: The confirmation email should arrive within seconds, not minutes.
- Use clear copy: The subject and button should say that the person is confirming a subscription.
- Avoid extra asks: Do not add account creation, surveys, or promotional choices before confirmation.
- Track completion: Measure confirmation rate by source, form, country, device, and acquisition partner.
A confirmation rate problem is often a deliverability problem. If one source confirms at 80 percent and another confirms at 35 percent, the second source deserves investigation before you assume those people are valuable missed subscribers.
Chart: Confirmation outcomes by source (confirmed, unconfirmed, suppressed). Example source mix showing why aggregate confirmation rate hides risk.
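The per-source check described above, as an added example that is not code from the article or from Suped: it parses key=value lines in the same shape as the confirmation log record shown earlier, pairs each confirmation with its submission by source and address hash, and flags sources whose confirmation rate falls under a threshold. The log lines are constructed for the example; the event name signup_submitted, the 50 percent threshold, and the minimum-volume guard are assumptions. The numbers are chosen so the blended rate looks acceptable while one source is clearly bad.

```python
import re
from collections import defaultdict

KV_PAIR = re.compile(r"(\w+)=(\S+)")


# Constructed sample log (not real data). Two sources: a footer form that
# confirms at 80 percent and a sweepstakes partner that confirms at 35 percent.
def _build_constructed_log():
    lines = []

    def add_source(source, submitted, confirmed):
        for i in range(submitted):
            h = f"sha256:{source}{i:02d}"  # stand-in for a real address hash
            lines.append(
                f"event=signup_submitted email_hash={h} source={source} "
                f"ip=203.0.113.{i} signup_time=2026-05-23T03:{i:02d}:00Z"
            )
            if i < confirmed:
                lines.append(
                    f"event=subscription_confirmed email_hash={h} source={source} "
                    f"confirm_time=2026-05-23T03:{i:02d}:45Z list=product_updates"
                )

    add_source("footer_form", 10, 8)
    add_source("partner_sweepstakes", 20, 7)
    return "\n".join(lines)


CONSTRUCTED_LOG = _build_constructed_log()


def parse_line(line):
    """Turn one key=value log line into a dict; unknown keys are kept as-is."""
    return dict(KV_PAIR.findall(line))


def confirmation_by_source(log_text):
    """Count submissions and matched confirmations per source.

    A confirmation only counts if the same (source, email_hash) pair was seen
    as a submission, so stray or replayed confirmation events cannot inflate
    a source's rate.
    """
    submitted = defaultdict(set)
    confirmed = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec.get("event") == "signup_submitted":
            submitted[rec["source"]].add(rec["email_hash"])
        elif rec.get("event") == "subscription_confirmed":
            confirmed[rec["source"]].add(rec["email_hash"])
    stats = {}
    for source, subs in submitted.items():
        matched = confirmed[source] & subs
        stats[source] = {
            "submitted": len(subs),
            "confirmed": len(matched),
            "rate": len(matched) / len(subs),
        }
    return stats


def aggregate_rate(stats):
    """Blended rate across all sources: the number that hides a bad channel."""
    total_sub = sum(s["submitted"] for s in stats.values())
    total_conf = sum(s["confirmed"] for s in stats.values())
    return total_conf / total_sub if total_sub else 0.0


def flag_sources(stats, min_rate=0.5, min_volume=5):
    """Sources worth investigating: enough volume to judge, rate below the bar."""
    return sorted(
        source for source, s in stats.items()
        if s["submitted"] >= min_volume and s["rate"] < min_rate
    )


if __name__ == "__main__":
    stats = confirmation_by_source(CONSTRUCTED_LOG)
    for source, s in sorted(stats.items()):
        print(f"{source:20s} {s['confirmed']:>3}/{s['submitted']:<3} {s['rate']:.0%}")
    print(f"aggregate {aggregate_rate(stats):.0%}, investigate: {flag_sources(stats)}")
```

With this mix the blended rate is 50 percent, which looks like a tolerable confirmation flow, while the partner source sits at 35 percent and the footer form at 80 percent. Break the same query down further by form, country, and device, as the text suggests, before deciding whether the unconfirmed half of a source was ever worth mailing.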
The decision framework I use
I decide opt-in method by asking what happens if the address is wrong, abused, or disputed. If the answer is a small inconvenience, single opt-in can be fine. If the answer is complaints, traps, legal review, brand damage, or a blocked domain, use COI/DOI.
Practical rule
Start stricter than you think you need to be, then relax only where the data proves the source is clean. Do not start loose and use list cleaning later to repair avoidable damage.
For a mature program, I like a mixed model. Public newsletter forms use COI/DOI. Logged-in customers use single opt-in with clear preference controls. High-risk partners get quarantined until their confirmation and complaint data proves quality. Old imports get reconfirmation or suppression, not normal campaign traffic.
- Use COI/DOI: The form is public, anonymous, incentivized, partner-sourced, old, or previously abused.
- Use single opt-in: The user is authenticated, the consent copy is clear, and the first message is expected.
- Use reconfirmation: The list is old, undocumented, inherited, merged, or legally required but operationally risky.
- Use suppression: The address complains, hard bounces, never confirms, or shows repeated negative signals.
Views from the trenches
Best practices
- Confirm public form signups before adding them to marketing sends or partner exports.
- Track confirmation rate by source so poor channels and bot-heavy forms surface early.
- Keep consent evidence with form copy, timestamp, source, and confirmation click time.
Common pitfalls
- Relying on list cleaning after capture instead of blocking bad data at signup entry.
- Treating all single opt-in sources as equal when their actual risks differ widely.
- Letting unconfirmed addresses sit in a mailable audience for later campaign sends.
Expert tips
- Use COI/DOI for high-risk forms, then relax only where source data proves quality.
- Separate legal permission, address control, authentication, and reputation checks.
- Investigate low confirmation rates before assuming lost subscribers are worth mailing.
Marketer from Email Geeks says COI/DOI is still useful because it improves list quality, lowers bounce risk, and creates a stronger proof record when complaints occur.
2022-05-10 - Email Geeks
Marketer from Email Geeks says list bombing and bot submissions still affect public forms, so confirmation remains a practical defense for exposed signup paths.
2022-05-11 - Email Geeks
My practical answer
COI/DOI is still relevant because it solves a real problem that has not gone away: bad addresses entering email programs before the mailbox owner has shown intent. It is especially relevant for public, anonymous, incentivized, imported, or troubled sources.
Single opt-in also has a valid place. I do not force confirmation into every experience when the person is authenticated, the consent action is clear, and the next message is expected. The mistake is treating single opt-in as the growth-friendly default without measuring complaints, bounces, confirmation-equivalent signals, and source quality.
The best setup is a risk-based opt-in policy, strong consent logs, fast suppression, and continuous authentication monitoring. Suped's DMARC platform helps with the technical half of that system by surfacing authentication failures, SPF and DKIM issues, blocklist events, and concrete fix steps while the marketing team manages consent quality at capture.
