

Activation emails - piers

I recently read something on A List Apart going against sign up forms, but what about activation emails? Are they a big no no, or a useful tool in the fight against bots? Is there any proof that an activation email actually drives away users?
======
nickb
Having a user's email can be extremely useful and many times necessary. When
you make changes to your TOS/privacy policy, you can send them notifications.
When they receive an internal private message, you can send them a
notification. You can also send them updates about your service. Also, email
is probably still the most powerful marketing vehicle. If you ignore it,
you've just lost a very powerful ally in your path to success.

Now, how you collect this email is also extremely important. The best way to
collect emails is through double-opt-in. User first requests to receive
messages from you (a checkmark during the signup is sufficient) and then they
confirm the subscription when they receive the email. Why is this important?
It prevents people from claiming that you're a spammer. If you follow this
procedure and if you keep these records (i.e. dates, IPs etc), you can defend
your email when you get spam complaints from other postmasters. It is CRITICAL
that you followup on these spam reports since you can easily get blacklisted
on all of the email services and your emails will never be delivered. If you
use email list services (like Aweber etc),they require you use double opt-in
and won't allow you to add an email without it. I like these various email
contact services since they deliver emails to inboxes of pretty much all of
the email service providers and they fight every spam report on your behalf.

So yeah, I understand the need to have an easy signup but you should also
think ahead. My suggestion is to start with no double opt-in and add it later
on as your site grows and you start receiving spam complaints.

------
Perry
In my opinion the more hurdles you present the more users you drive away.

There are legitimate reasons for introducing hurdles like requiring
registration, requiring activation e-mails, etc. Ask yourself whether the
benefits of activating outweigh the potential downsides. If you're requiring
activation e-mails to prevent bots from signing up, how significant of an
impact will those bots have on other users? On a forum it may be pretty
significant, as the site can be flooded with unwanted posts. There are other
cases where a bot signing up would really have no substantive impact on a
user, because they wouldn't be inconvenienced by the bot.

That's a rather roundabout answer, but it effectively boils down to this: you
should remove every unnecessary barrier between your user and your site. I
consider an unnecessary barrier something that doesn't improve the quality of
the site and/or the user experience.

~~~
swombat
Agreed. There are a number of cases where a valid, authenticated email is a
requirement to use the system (for instance, when other users will be using
that email to find and link to you). In those cases, an activation email is
unavoidable.

Daniel

------
jhrobert
If activation mails were to get me back to where I was when I was REQUIRED to
register, then I would find them less annoying.

Instead, they get me to some new windows, on some profile page. And when I get
back to the original window, guess what? I have to "login"!

Dude, I just registered and now you want me to "login"?

Conclusion: Activation emails suck. At least the way they are implemented
today.

BTW: When I enter my email address and password in a "login" form, please
don't blame me "You are not registered", register me instead!

"login" + "register" = "login" -- There is no need for two actions.

~~~
shiranaihito
> BTW: When I enter my email address and password in a "login" form, please
> don't blame me "You are not registered", register me instead!

I had the exact same idea, but maybe registration should require a captcha
too, so..

------
pg
Every additional step loses you users, even adding one more field to a form.

------
jdg
I've moved to using soft email confirmation, meaning that it doesn't prevent
the user from doing anything, it just removes a message on their dashboard or
whatever reminding them to confirm their email address.

Context is everything, but 99% of the time soft confirmation or no
confirmation at all is fine.

~~~
wanorris
I'm curious: what does this buy you over not sending one at all?

~~~
e1ven
I think that the idea of a soft confirmation is a very good one, and we'll be
switching over to that for Chron X.

The biggest reason we want an email address at all is for password resets. We
have a decently large list of customers, some paying, others playing for
free.. But if you've invested months, weeks or years into the game, and you
lose your password, we want to have a way to help.

Currently, if this happens, we go into the database and manually verify your
billing address, time you signed up, recent activity and the like, but it's a
very manual and potentially error-prone process. Giving them a way to reset it
automatically would help quite a bit.

The second thing we use it for is notifications. Since Chron X is an
interactive game, some users request to have us send them a note when it's
their turn. We wouldn't want to start sending out turn notifications without a
confirmation, to avoid having users inconvenience others. ("Yeah! Send all my
turns to billg@microsoft.com, and my second email, sjobs@corp.apple.com")..

We've been debating this internally for a while, arguing between easier signup
(no conf), and better security, and lower customer service time (conf).

Soft-conf is a good tradeoff for us.

------
parker
We've used a hard activation process previously, and only around 40% - 50% of
people who signed up actually activated. Think about that ... over half of our
users who spent the time getting to know the product enough to sign up didn't
even get to use the site properly.

Now that I think about it, I think it's crazy... and I'm not using any
activation on my new site. If they got their email wrong during sign-up (an
occurence a lot more rare than 50%), they can just change it or sign up again.

~~~
attack
..Or half realized that a fake one wouldn't cut it and signed back up with
their real email.

A while ago I put more rigorous user tracking on a site of mine and found that
a very large percentage of the dead accounts where just duplicates from active
users.

------
walterk
While in most cases you probably don't want to prevent users from signing up,
there are cases where a few hurdles can be a good thing. If you have a site
that depends heavily on user-generated content and registration is pretty much
exclusively for posting privileges, the registration process can be one means
by which you filter for higher quality, more committed users (assuming your
site is in any danger of having lots of users who will submit low-quality
content).

------
mixmax
Look at it from a business perspective:

What do you gain from having an e-mail:

\- usually nothing, unless you send your users spam.

What do you lose from having an e-mail:

\- around 10% of your potential customers. (the number probably varies wildly
from site to site)

\- People who lose their password can't get into their account, unless they
choose to provide an optional e-mail adress.

To me that is a pretty clear choice.

~~~
ivankirigin
Confirmation emails might be useless, but notifications of new features are
not spam.

~~~
nilobject
I generally get annoyed at sites that keep emailing me about new features. I
always unsubscribe or opt-out at sign in, but some people don't offer that
feature.

~~~
kirubakaran
Yup. If they don't let up, I mark those emails as "spam" in my Gmail. I guess
that counts against them.

They should have a "Don't mail me bro" checkbox. I don't always agree with
their definition of "spam".

------
xirium
Ativation emails are an outdated idea. It only takes one service to freely
give away email addresses to make an activation email quite moot. The theory
is that a genuine user can confirm sign-up using an out-of-band channel. So,
if you want an account on a website then you confirm this action via an email.
Some web based email systems get you to confirm via SMS. However, there's two
problems with this practice. Web surfer != email user. Secondly, the out-of-
band channel is open to abuse. For example, email or SMS details being sold to
spammers.

A better approach is assume abuse and counter it with transparent levels of
trust. This forum is close to ideal. Some counter that the existance of
accounts themselves invites a futile game of whack-a-mole with people abusing
trust. Others argue that it is a concise method to undo damage.

Regardless, you should allow users to do as much as possible without creating
an account or giving an email address. If you don't then someone else will.

------
kirubakaran
People use Mailinator anyway so it is just one more airport TSA type annoyance
that accomplishes nothing.

~~~
huhtenberg
True. But if you ever run an online forum, you notice that junk comments are
typically posted anonymously. Adding even a small hurdle cuts down the amount
of junk by as much as 80-90%.

It is similar to the "crime of opportunity" in real life .. or a "heat of the
moment" if you will. Make people pause or engage before posting and most of
them change their minds about posting crap.

------
antirez
Every day we loose something like 30% of users just because of activation
emails. We can't change this since we have a partnership that it is currently
forcing us to take the verification email but I'll not include any kind of a
priori verification email in my next applications.

A decent way to handle the problem is to add the field in the profile and tell
the user to fill the field in order to get notifications and to recover the
password. It may be a good idea to display a warning in the profile if there
is no verified email address for the account. The best way to make sure the
users will actually enter their email addresses is to do something very useful
with notifications and/or reports.

------
kajecounterhack
With the advent of services like mailinator (<http://www.mailinator.com>), it
is getting easier to bypass these precautions, but at least it can be useful
in ensuring the registrant is a human?

------
jam
Two huge reasons that activation emails are worthwhile:

\- validation (to a reasonable extent) that a user is who they say they are

\- enhanced security for users

The whole war on sign up forms and the like is far overblown imo. If your
users are going to have even a moderate level of ongoing interaction with your
site (especially if your site has social aspects to it) it is necessary to
include some form of identity verification.

I, for one, would think quite poorly of a company that allowed someone else to
sign up for an account using my email address.

~~~
jam
I mean, it's one thing if your site has very little interaction with its
users. If you want to have any sort of meaningful long-term relationship,
though, go ahead and verify them.

------
enki
the way we're handling this:

1) require no registration

2) allow registration for convenience or features that obviously require it.

3) send out an activation email, but don't bug or even inform the user on the
website about it.

4) don't enforce activation.

since for many users activation is an automatism already, you'll still be able
to verify a lot of email addresses, but without having to wait/check-spam for
the email.

------
khangtoh
We stopped using activation email since the beginning. For simplebucket we
took a different approach. By directing the site's usage strongly tied to a
user's valid email address, we don't have to have activation email.

To upload their photos and later to admin those photos, our users have to go
to this "secret url" that they will receive when they first upload their
photos.

------
inovica
The problem I've found is sometimes they are spam-trapped (at least in my
experience) and so you can lose people who you would want

------
piers
I really like the idea of the soft activation, but for this site a working
email address is pretty important (I think at the moment - of course that
might change).

I also like the suggestion of the "you're not registered - here's the form
with bits already filled in" style login.

Thanks for all the suggestions, and keep 'em coming!

------
webframp
I think the point of the A List Apart article was to get your visitors
involved before requiring a full sign up. Show them your app is actual
valuable and useful to them before you require any commitment on their part.
Once they're engaged a small sign-up form or an activation email is no longer
a hassle.

------
eibrahim
I say don't use them at all. If your users are giving you fake emails then
they don't really care too much about your service and are just testing it
out, so why not let them test and play around and minimize resistance, maybe
they will like it and end up adding a real email address or even subscribing.

------
drm237
What about in the situation where you're actually contacting other users on
behalf of the registered user (think event planning)? In those cases,
shouldn't you at least try to verify that the user is who they say they are?
What are the alternatives?

------
jasonlbaptiste
Integrate clickpass :-)

~~~
brlewis
Did that. Not all their email addresses are verified. At some point they'll
have a secure way of passing on the information that a certain address is
verified, but for now I have to verify them myself before sending other mail.

------
noodle
activation emails are trivial nowadays. too many bots beat the system. it used
to add a level of security, but it doesn't anymore.

and you may be able to say the same for CAPICHAs later once someone devises a
way to break them consistently.

------
tandaraho
why not use authentication APIs from yahoo/gmail/hotmail etc for the
login/account creation process. It will accomplish not only validating email
address, but also creating an account in one step.

------
jsteele
One site to rule them all: bugmenot.com

Fuck compulsory registration.

------
thomasswift
I am going to stop using them.

------
giles_bowkett
Personally I think activation e-mails are dumb. People do way too much user
security bullshit. Simple is better in many many cases. (All imho.)

