Why is double opt-in still not used by everyone?!

Without validating your clients' email addresses your company is showing that it is either ignorant or lazy or both

[Image: an "@" sign. Credit: ClkerFreeVectorImages/Pixabay]

Out there in the big wide world there are, beside me, unfortunately, a few other people named “Mark Gibbs” and a number of these individuals don’t know their Gmail addresses. This is a problem as I am the proud owner of “” and have been since the start of Gmail while they are not. The trouble with these people is they keep giving my Gmail address to organizations they deal with and more than a few of these organizations fail to do the one thing that they should be doing when it comes to building an email relationship with a customer: Verifying the customer’s email address.

These companies - and I find this an amazing thing to happen in the 21st Century - do not use double opt-in. In other words, when someone gives them an email address, they don’t send a message to that address requesting that a link be followed or some other action taken on the next site login to verify that the address is valid.

Now some of you (who should know better) might be asking why this matters. It matters because if the customer gives them the wrong email address and the recipient isn't asked to confirm that they signed up for whatever is being sent, then the owner of said email address will be receiving messages in perpetuity unless they can figure out how to get their email address removed from the account. When the company involved can’t be contacted, the recipient has two choices: Either just tolerate the irritation and hit delete a lot or create a filter to automatically delete the messages.

[Screenshot: Mark Gibbs' Sprint account summary, as received in Gmail]

An example of a company that doesn't use double opt-in and can’t be easily contacted when this does happen is Sprint. How do I know? Because "Mark Gibbs" in Indianapolis opened a new account with Sprint in December last year and gave the company my Gmail address. Sprint immediately sent me a summary of his account which included his home address, primary telephone number, what was supposed to be the last four digits of his social security number (he gave “9999”), what might be the month and year of his birthday (again, he could have lied about this), his user name, the last four digits of his credit card, and the card’s expiry date.

That’s a lot of personal detail that I suspect Mr. Gibbs would probably prefer to not have shared with just anyone. But as I noted, there’s no easy way to communicate with Sprint about this because as a non-customer, figuring out how to get through to customer service by email is difficult, and it's far too time consuming to try by telephone. 

I assumed that Mr. Gibbs would realize the email address was wrong, particularly when he didn't get his bills electronically, so I forgot about it until I received his bill the next month. Again, I assumed he’d fix it but when, after a few more bills, he hadn't, I decided to give him a call with the number Sprint had provided. Our conversation went something like:

Me: Hi. This is going to sound weird but my name is Mark Gibbs and when you signed up for cell service from Sprint, you used my Gmail address.

Him: No, that’s my email address. I’ve had it for five years.

Me: No, you haven’t.

Him: Yes, I have …

That was it, Mr. Gibbs just wouldn’t believe me, so we got nowhere. Since then Sprint has continued to send me Mr. Gibbs’ bills every month including cranky messages when his credit card is declined. 

With the information Sprint so willingly provided to me by email and their really weak customer account security I could easily get into Mr. Gibbs’ account and do something evil such as change his service options or change his cell number, but I wouldn’t do something that evil … I swear. What I’m going to do is simply black-hole the Sprint messages, which will require setting up at least three filters as they use different sending addresses for account, sales, and marketing communications.

But lest you think this might be a one-off, pretty much the same thing has been happening with BP Plus … BP Plus in Australia. Yes, Mark Gibbs in Oberon, New South Wales, opened an account with BP Plus and used my Gmail address.

BP Plus’s email billing messages gave me his address so, out of curiosity, I looked him up in the NSW phone book and called him to explain the problem. He clearly didn’t understand what it was all about and so I have yet another stream of messages to deal with. And, as with Sprint, you can’t easily send BP Plus customer service an email message. 

I won’t bother with the torturous path to how I finally did get a message to BP Plus customer service, but when I asked them to change the email address on the account they replied that they could only do so if I sent them a signed request on company letterhead paper. Idiotic. With minimal fuss you can set up an account using wrong data, but to change it you need a formal process?!

These are just two of the many examples I have (and have been irritated by) of large organizations that are clueless about how to establish reliable email relationships with their customers.

So, what should these corporations be doing? Well, double opt-in, obviously, but that doesn’t solve the problem of a customer using the wrong email address and the actual recipient getting information about the customer that they shouldn’t have. Here’s the correct way to do it:

  1. Ask for the customer’s email address.
  2. Give the customer a PIN or passphrase. It doesn’t have to be a long one; three or four digits or a single random word will do.
  3. Send a message to the given email address that contains a link back to your Web site.
  4. When the link is followed, the customer should be asked for the PIN or passphrase before any other setup steps can be performed. Without the correct PIN or passphrase, the account’s email address should be considered unverified.
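The four steps above, worked through in Python as an added example (this is not code from the column, nor from Sprint, BP Plus or any other company it mentions). The design follows the column's point exactly: the mailed message carries only a random link token and no account details, the PIN is shown to the customer on the site and never mailed, and the address counts as verified only when the link token and the PIN both check out. The one-day link lifetime, the five-attempt PIN lock-out, the `example.invalid` link host and the `send_mail` callable that stands in for a real mail system are all assumptions made for the example.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

TOKEN_TTL_SECONDS = 24 * 3600   # assumption: verification link lives one day
MAX_PIN_ATTEMPTS = 5            # assumption: lock the pending check after five wrong PINs


@dataclass
class PendingVerification:
    email: str
    token_hash: str     # only a hash of the mailed token is stored server-side
    pin: str            # four-digit PIN shown on screen, never mailed
    created_at: float
    attempts: int = 0


@dataclass
class Account:
    email: str
    email_verified: bool = False


class DoubleOptIn:
    """Constructed example of link-plus-PIN double opt-in."""

    def __init__(self, send_mail, now=time.time):
        self.send_mail = send_mail   # assumption: callable(to_address, body)
        self.now = now               # injectable clock so expiry can be tested
        self.pending = {}            # account_id -> PendingVerification
        self.accounts = {}           # account_id -> Account

    @staticmethod
    def _hash(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()

    def start(self, account_id: str, email: str) -> str:
        """Steps 1-3: store the address as unverified, create the PIN (returned so
        the web page can display it) and mail a link carrying a random token.
        The mail deliberately contains nothing about the account itself."""
        self.accounts[account_id] = Account(email=email, email_verified=False)
        token = secrets.token_urlsafe(32)
        pin = f"{secrets.randbelow(10000):04d}"
        self.pending[account_id] = PendingVerification(
            email=email, token_hash=self._hash(token), pin=pin, created_at=self.now())
        link = f"https://example.invalid/verify?acct={account_id}&t={token}"
        self.send_mail(email, f"To confirm this address, open {link} and enter the PIN you were shown.")
        return pin

    def confirm(self, account_id: str, token: str, pin: str) -> bool:
        """Step 4: the link must carry the mailed token AND the caller must know the
        on-screen PIN. Expired or locked-out verifications fail closed."""
        pv = self.pending.get(account_id)
        if pv is None:
            return False
        if self.now() - pv.created_at > TOKEN_TTL_SECONDS or pv.attempts >= MAX_PIN_ATTEMPTS:
            del self.pending[account_id]      # stale or brute-forced: discard it
            return False
        pv.attempts += 1
        token_ok = hmac.compare_digest(pv.token_hash.encode(), self._hash(token).encode())
        pin_ok = hmac.compare_digest(pv.pin.encode(), pin.encode())
        if not (token_ok and pin_ok):
            return False
        self.accounts[account_id].email_verified = True
        del self.pending[account_id]
        return True

    def is_verified(self, account_id: str) -> bool:
        acct = self.accounts.get(account_id)
        return bool(acct and acct.email_verified)


def demo():
    """Run the flow once with a constructed address and an in-memory outbox."""
    outbox = []
    flow = DoubleOptIn(send_mail=lambda to, body: outbox.append((to, body)))
    pin = flow.start("acct-1", "someone@example.com")   # constructed address
    # recover the token from the mailed link, as the recipient clicking it would
    token = outbox[-1][1].split("&t=")[1].split(" ")[0]
    wrong_pin = flow.confirm("acct-1", token, "0000" if pin != "0000" else "0001")
    right_pin = flow.confirm("acct-1", token, pin)
    return wrong_pin, right_pin, flow.is_verified("acct-1")


if __name__ == "__main__":
    print(demo())
```

The PIN on its own is weak (four digits), which is why it is only ever accepted together with the unguessable link token, and why wrong guesses are counted and capped. Keeping the PIN off the email is what closes the gap the column describes: someone who merely receives the mail by mistake cannot complete the sign-up, and, because the mail carries no account summary, learns nothing about the real customer either.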

This method ensures not only that the email address actually works but also that the person responding is actually the customer. Simple, isn’t it? But most large companies are generally so clueless and/or lazy that they don’t bother doing it the right way.

So, finally, what is your organization doing about this? Does your company care or do they consider it to be an edge case that will only affect a handful of people so why worry? 
