A double opt-in is where a contact confirms their sign-up for marketing communication and/or membership. It basically makes signing up into a two-step process.

First the contact signs up, maybe at the checkout, using their email address, causing the standard preferences to be set. An email is then sent, containing a link. The contact needs to actively click this link, causing the additional double opt-in consent to also be set. Only then should they be included in any email send-out, and it's up to the Engage admin to confirm this before including them.

Why double opt-in?

Using double opt-in increases the chances that only interested customers receive marketing information. It also protects your sender reputation, since now only real email addresses will be included in send-outs.

Another reason is GDPR. As a data controller you are responsible to ensure that you only process correct personal data and that you have a legal basis for doing so (for example, consent) and that the applicable individual has been informed of the processing. This might be difficult to ensure without double opt-in.

Double opt-in in practice

If you are using Engage’s double opt-in solution as described here, there are important considerations to keep in mind. The double opt-in process alone does not automatically shield a contact from further communication. It still remains your responsibility to ensure that communication only occurs with contacts who have explicitly provided their consent.

Consider a scenario: 

• Your systems requires a contact to take an action to accept communication (such as clicking an email after signing up, which is double opt-in).
• Two new contacts then sign up for your loyalty program and receive the initial confirmation email containing the double opt-in link. 
• One contact clicks the link, confirming their consent as "true." The other contact however ignores the email and, therefore, has not given their consent.
• Both contacts, even though one has clicked the link and one hasn't, are now part of your contact base and can potentially receive both welcome emails and regular campaign send-outs. 

So to prevent the contact who has not yet provided consent from receiving communication, it's essential to factor in double opt-in status whenever a sendout is being done. There are several ways to do this, such as including segments or target audiences that only include contacts with a "true" consent status. 

Email scanners and GDPR

Some email systems scan incoming emails and automatically access any links to confirm they are not malicious. This can cause an opt-in link in an email to be automatically "clicked" before the receiver opens it, generating a false consent. 

There are however solutions to this problem. You can for example:

• Set up a landing page with a second button to click that gives the actual consent
• Use a captcha on that landing page to confirm the visitor is human
• Have a client-side redirect that adds an extra required parameter to the link when it's clicked

Article last reviewed 29 January 2026 14:31