How can ESPs verify double opt-in compliance?
Still have a question, spotted an error, or have a better explanation or a source we should cite?
If consent is ever challenged, you'll want more than a spreadsheet of email addresses. You'll want a paper trail. That's what double opt-in compliance verification is really about: being able to show, step by step, that a real person signed up, received a confirmation email, and clicked to confirm.
Here's what that trail looks like when it's working correctly. Your ESP should log three events for every confirmed subscriber: the original form submission (with timestamp and IP address), the confirmation email send (with timestamp and the unique link generated), and the confirmation click (with timestamp and IP address). If any of those three records is missing, your double opt-in record has a gap.
To audit your own compliance, walk through this checklist:
- Check that DOI is actually turned on. In Mailchimp, Klaviyo, Brevo, and most major ESPs, double opt-in is a per-list or per-form setting. It's not always on by default. Go into your signup form settings and confirm it's enabled, not just assumed.
- Test with a real address. Sign up through your own form using a fresh email address you control. Check that a confirmation email arrives, that the link works, and that you only appear in your active list after clicking. If you appear before clicking, something's misconfigured.
- Check where unconfirmed contacts go. Your ESP should be holding them in a pending state, not adding them to your main list. Look for a "pending" or "unconfirmed" segment and confirm those contacts aren't receiving campaign emails.
- Export a consent record sample. Pull the subscriber data for 10 to 20 contacts and check that each record includes the signup source, the opt-in timestamp, and a confirmed date. If confirmed dates are missing, your records aren't audit-ready.
- Review your confirmation email. The email itself should clearly state what the person is signing up for, who is sending it, and what clicking confirm means. Vague confirmation emails can undermine consent records even when the technical setup is correct.
For GDPR purposes specifically, the consent record needs to capture what the person was told at the time of signup, not just that they clicked. That means storing the form URL, the consent language shown, and the date. Some ESPs do this automatically. Others require you to pass those fields in via a hidden form field or API parameter. Worth checking what your ESP captures by default and whether you need to fill in the gaps.
If you're running on a custom setup or using a developer-managed form feeding into Twilio SendGrid, Mailgun, or Amazon SES, the logging responsibility falls on your application. You'll need to store those three events in your own database, because the ESP won't do it for you automatically.
One thing worth noting: consent records have a shelf life in terms of usefulness. A record from five years ago with no engagement since isn't evidence of an ongoing relationship. Laws like GDPR expect consent to be refreshed if the relationship has gone cold, not just stored forever and treated as permanent proof.
Not sure where your setup has gaps? The SOS hotline is free and we'll take a look at your actual configuration with you, no pitch involved. Come say hi.
Contributors
Who worked on this answer
Every name links to their profile. Every company links to their site. Real people, real accountability.