Opt-in email

Opt-in email is a term used when someone is not initially added to an emailing list and is instead given the option to join the emailing list. Typically, this is some sort of mailing list, newsletter, or advertising. Opt-out emails do not ask for permission to send emails, these emails are typically criticized as unsolicited bulk emails, better known as spam.

Forms
There are several common forms of opt-in email:

Unconfirmed opt-in/single opt-in
Someone first gives an email address to the list software (for instance, on a Web page), but no steps are taken to make sure that this address belongs to the person submitting it. This can cause email from the mailing list to be considered spam because simple typos of the email address can cause the email to be sent to someone else. Malicious subscriptions are also possible, as are subscriptions that are due to spammers forging email addresses that are sent to the email address used to subscribe to the mailing list.

Confirmed opt-in (COI)/double opt-in (DOI)
A new subscriber asks to be subscribed to the mailing list, but unlike unconfirmed or single opt-in, a confirmation email is sent to verify it was really them. Generally, unless the explicit step is taken to verify the end-subscriber's e-mail address, such as clicking a special web link or sending back a reply email, it is difficult to establish that the e-mail address in question indeed belongs to the person who submitted the request to receive the e-mail. Using a confirmed opt-in (COI) (also known as a Double opt-in) procedure helps to ensure that a third party is not able to subscribe someone else accidentally, or out of malice, since if no action is taken on the part of the e-mail recipient, they will simply no longer receive any messages from the list operator. Mail system administrators and non-spam mailing list operators refer to this as confirmed subscription or closed-loop opt-in. Some marketers call closed-loop opt-in "double opt-in". This term was coined by marketers in the late 90s to differentiate it from what they call "single opt-in", where a new subscriber to an email list gets a confirmation email telling them they will begin to receive emails if they take no action. Some marketers contend that "double opt-in" is like asking for permission twice and that it constitutes unnecessary interference with someone who has already said they want to hear from the marketer. However, it does drastically reduce the likelihood of someone being signed up to an email list by another person. Double opt-in method is used by email marketers to ensure the quality of their list by adding an extra stop in the verification process.

The US CAN-SPAM Act of 2003 does not require an opt-in approach, only an easy opt-out system. But opt-in is required by law in many European countries and elsewhere. It turns out that confirmed opt-in is the only way that you can prove that a person actually opted in, if challenged legally.

Opt-out
Instead of giving people the option to be put in the list, they are automatically put in and then have the option to request to be taken out. This approach is illegal in the European Union and many other jurisdictions.

Address authentication
Email address authentication is a technique for validating that a person claiming to possess a particular email address actually does so. This is normally done by sending an email containing a token to the address, and requiring that the party being authenticated supply that token before the authentication proceeds. The email containing the token is usually worded so as to explain the situation to the recipient and discourage them from supplying the token (often via visiting a URL) unless they in fact were attempting to authenticate.

For example, suppose that one party, Alice, operates a website on which visitors can make accounts to participate or gain access to content. Another party, Bob, comes to that website and creates an account. Bob supplies an email address at which he can be contacted, but Alice does not yet know that Bob is being truthful (consciously or not) about the address. Alice sends a token to Bob's email address for an authentication request, asking Bob to click on a particular URL if and only if the recipient of the mail was making an account on Alice's website. Bob receives the mail and clicks the URL, demonstrating to Alice that he controls the email address he claimed to have. If instead a hostile party, Chuck, were to visit Alice's website attempting to masquerade as Bob, he would be unable to complete the account registration process because the confirmation would be sent to Bob's email address, to which Chuck does not have access. Wikipedia uses this mechanism too.

Best practice
The step of email address verification (confirmation) is considered by many anti-spam advocates to be the minimum degree necessary for any opt-in email advertising or other ongoing email communication.