How can ESPs verify double opt-in compliance?

Still have a question, spotted an error, or have a better explanation or a source we should cite?

If consent is ever challenged, you'll want more than a spreadsheet of email addresses. You'll want a paper trail. That's what double opt-in compliance verification is really about: being able to show, step by step, that a real person signed up, received a confirmation email, and clicked to confirm.

Here's what that trail looks like when it's working correctly. Your ESP should log three events for every confirmed subscriber: the original form submission (with timestamp and IP address), the confirmation email send (with timestamp and the unique link generated), and the confirmation click (with timestamp and IP address). If any of those three records is missing, your double opt-in record has a gap.

To audit your own compliance, walk through this checklist:

  • Check that DOI is actually turned on. In Mailchimp, Klaviyo, Brevo, and most major ESPs, double opt-in is a per-list or per-form setting. It's not always on by default. Go into your signup form settings and confirm it's enabled, not just assumed.
  • Test with a real address. Sign up through your own form using a fresh email address you control. Check that a confirmation email arrives, that the link works, and that you only appear in your active list after clicking. If you appear before clicking, something's misconfigured.
  • Check where unconfirmed contacts go. Your ESP should be holding them in a pending state, not adding them to your main list. Look for a "pending" or "unconfirmed" segment and confirm those contacts aren't receiving campaign emails.
  • Export a consent record sample. Pull the subscriber data for 10 to 20 contacts and check that each record includes the signup source, the opt-in timestamp, and a confirmed date. If confirmed dates are missing, your records aren't audit-ready.
  • Review your confirmation email. The email itself should clearly state what the person is signing up for, who is sending it, and what clicking confirm means. Vague confirmation emails can undermine consent records even when the technical setup is correct.

For GDPR purposes specifically, the consent record needs to capture what the person was told at the time of signup, not just that they clicked. That means storing the form URL, the consent language shown, and the date. Some ESPs do this automatically. Others require you to pass those fields in via a hidden form field or API parameter. Worth checking what your ESP captures by default and whether you need to fill in the gaps.

If you're running on a custom setup or using a developer-managed form feeding into Twilio SendGrid, Mailgun, or Amazon SES, the logging responsibility falls on your application. You'll need to store those three events in your own database, because the ESP won't do it for you automatically.

One thing worth noting: consent records have a shelf life in terms of usefulness. A record from five years ago with no engagement since isn't evidence of an ongoing relationship. Laws like GDPR expect consent to be refreshed if the relationship has gone cold, not just stored forever and treated as permanent proof.

Not sure where your setup has gaps? The SOS hotline is free and we'll take a look at your actual configuration with you, no pitch involved. Come say hi.

Contributors

Who worked on this answer

Every name links to their profile. Every company links to their site. Real people, real accountability.

Ask an AI · tailored to your setup

Audit my DOI compliance setup

I just read the Email Almanac guide on verifying double opt-in compliance. I want to audit my specific setup and find out if my consent records would hold up. Please help me with: 1. What to check in my specific ESP to confirm DOI is configured correctly 2. What my consent records should contain for GDPR or CAN-SPAM purposes 3. How to identify gaps in my current logging or data capture 4. What to do if I find unconfirmed contacts on my active list My details (fill in what applies): - ESP or platform: e.g. Mailchimp, Klaviyo, Brevo, custom API - How signups are collected: embedded form / landing page / API / third-party tool - Audience locations: US only / EU / global / specific countries - Applicable laws: GDPR / CAN-SPAM / CASL / unsure - What consent data I currently store: timestamp only / full record / unsure / nothing - Business type: B2B / B2C / both - Any recent compliance concerns: describe or leave blank

Edit the yellow boxes, then send to the AI of your choice.