
I can no longer recommend MailChimp - svacko
https://www.grahamcluley.com/can-no-longer-recommend-mailchimp/
======
Nition
From MailChimp's second post[1]:

> More and more business owners are bringing up double opt-in. What they’ve
> been saying is that double opt-in is not an easy journey for their
> customers. Some go so far as to say that double opt-in is “broken.”

I would go so far as to say if customers cannot be bothered clicking one
confirmation link in an email, they didn't really care about your newsletters.

[1] https://blog.mailchimp.com/why-single-opt-in-and-an-update-for-our-eu-customers

~~~
JohnTHaller
If it isn't confirmed opt-in, it's also possible your subscribers didn't even
sign themselves up.

Side note: Anyone who calls it double opt-in has a whiff of 'spammer' to them
even if they're not. Confirmed opt-in is a more accurate term as without that
confirmation click in the initial email, there's a chance the subscriber
didn't sign themself up. There are quite a few 'email bomb' services that will
sign a target email up for 1000s of 'single opt in' newsletters.

~~~
rconti
I even use the term "double opt-in" when ranting at companies that don't use
it. I guess I'll switch terms to confirmed opt in, but I'd never heard of it
until today, so I'd be careful with that brush.

~~~
JohnTHaller
If you were around and doing legit email newsletters 15 years ago or doing
antispam configurations, the term was 'confirmed opt in' or 'verified opt in'.
Email marketing firms schemed to use 'double opt in' to make it seem more
onerous and draw attention away from the fact that 'single opt in' meant
'unverified opt in' that was vulnerable to email bombing utilities. Sadly, as
the email marketing firms do most of the talking about it these days, many
people only know the term 'double opt in'. But for folks like me that were
both advising legit businesses on email newsletters and working with ISPs to
block spam, 'double opt in' always harkens back to the code spammers or
spammer-adjacent folks used.

~~~
hammock
I'm curious, how does the law, for example in Germany where it is required,
call double opt-in/confirmed opt-in?

~~~
JohnTHaller
Most pieces in English are using the terminology they use for other things.
So, email marketers call it 'double opt in' and privacy activists and anti-
spammers call it COI.

~~~
wink
Anecdata: Have handled sign up forms with double opt-in for many companies in
Germany for over 10 years and have never read "Confirmed opt-in", everyone
uses "Double Opt-in" to mean "input email, get confirmation mail, no further
emails sent until confirmation link clicked".

BTW, the German Wikipedia page lists the term, but the paragraph confuses me a
little as it has it exactly backwards as was just mentioned:

"The 'double opt-in procedure' is to be distinguished from 'confirmed opt-in'.
With 'confirmed opt-in', a confirmation email without a confirmation link is
sent to the registered email address. The consumer would have to object to
this email in order not to receive unsolicited advertising. The term is
sometimes misused by spammers. Some spammers claim to practise 'confirmed
opt-in' when a new recipient of a newsletter subscription is sent an email
after signing up that points out the subscription just made and informs them
how they can end the subscription again."

(feel free to google translate the blurb, translation's ok)

------
ungzd
That is not a problem of Mailchimp, it's a problem of culture and "best
practices". It's really annoying and it became annoying long before this
change.

I receive lots of such emails not only from Mailchimp. At least Mailchimp has
one-click unsubscribing, most custom-built mailing list systems don't have it,
requiring to log in or just not working.

The problem with Mailchimp is:

- Spam filters work mediocre, despite AI hype. I think they are still based
on linear regression on bag of words or something like that. Instead Gmail
blocks your server if it sends mail for the first time instead of being large
company's server that already sent 1e100 emails.

- Mailchimp exploits this. You can't send email on your own and have to buy
their service. It also spreads additional FUD that you must use it, otherwise
all your mail goes to spam.

- Gmail treats Mailchimp as privileged sender so if I mark promotional emails
from hottest startups as spam, new similar emails are not sent to spam folder.

- Hottest startups know this and subscribe you to all their mailing lists
each time they got your email.

~~~
makmanalp
> most custom-built mailing list systems don't have it, requiring to log in or
> just not working

Does this violate CAN-SPAM?

https://www.ftc.gov/tips-advice/business-center/guidance/can-spam-act-compliance-guide-business

> You can’t ... make the recipient take any step other than sending a reply
> email or visiting a single page on an Internet website as a condition for
> honoring an opt-out request

~~~
Andrenid
Facebook themselves require you to log in to unsubscribe from emails. If
you've disabled or deleted your account, you still get spammed daily, and
there's quite literally zero way to unsubscribe.

~~~
linkregister
If you’re on Gmail, you should mark it as spam, that’s what it is. You’ll also
end up blocking that address.

If you run your own email server, black hole the Facebook.com domain.

~~~
tyingq
I think most of Facebook's email comes from facebookmail.com.

------
Nerada
Is this going to affect MailChimp's deliverability? It seems like it would, my
understanding is the reason most relays and blacklists are so lenient with
MailChimp is exactly because of their double opt-in policy.

Looks like they're ultimately throwing their long-term business under the bus
for a short burst of extra cash.

~~~
jlgaddis
Absolutely it will.

If you use MailChimp and care about deliverability, I would recommend you
begin looking at alternatives (if you haven't already).

~~~
andyfleming
Don't most other providers already do single opt-in by default already anyway?
Really, MailChimp is just sinking to their level. It's not all of the sudden
worse than alternatives, right?

~~~
jlgaddis
> _Don't most other providers already do single opt-in by default already
> anyway?_

Yes, most others have already switched to single opt-in.

> _It's not all of the sudden worse than alternatives, right?_

No, they aren't all of a sudden worse than the alternatives. They were
_already_ worse and they're certainly not going to improve as a result of this
change.

I manage several e-mail servers and will be watching very closely -- even more
so than usual -- the amount of spam coming from MailChimp. I usually start out
by blacklisting individual IP addresses but if this becomes a big problem, I
will simply blacklist them entirely and be done with it.

I've had two "incidents" in the last week or so with MailChimp that they have
shown little interest in "fixing" (unrelated to this change) so I'm already
inclined to do exactly that.

------
mintplant
> And a small number of these people might think it's worth their effort to
> sign up my publicly-available email addresses to hundreds, no... thousands
> of legitimate newsletters and mailing lists that I have no interest in.

People do that to my email, too, but they call themselves "growth hackers".

------
shampster
"double opt-in" is a term I'm used to hearing in a pejorative way from the
pro-spam side. The anti-spam side calls it "confirmed opt-in" which I think is
a more accurate description.

~~~
JohnTHaller
Anyone calling it 'double opt-in' has the whiff of being a spammer even if
they aren't one. If you're not checking that the subscriber clicked the "yes I
want this" link in the email, anyone can subscribe anyone they want to your
mailing list. There are tons of 'email bomb' services that will 'subscribe' a
target to 100s or 1000s of newsletters that don't confirm opt-ins.
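
Added example (not part of the original thread and not MailChimp's code): the confirmed opt-in check described above, where a signup triggers at most one confirmation mail and the address joins the list only after the HMAC-signed link from that mail is presented. The names MailingList, make_token and verify_token, the secret, and the timeouts are assumptions made for the illustration.

```python
import base64
import hashlib
import hmac

SECRET = b"constructed-demo-key"   # assumption: server-side secret, never sent out
TOKEN_TTL = 48 * 3600              # assumption: links expire after 48 hours
RESEND_GAP = 24 * 3600             # assumption: one confirmation mail per day


def sign(payload: bytes) -> bytes:
    return hmac.new(SECRET, payload, hashlib.sha256).digest()


def b64e(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode()


def make_token(email: str, list_id: str, now: float) -> str:
    """Bind address, list and issue time; the token travels only by e-mail."""
    payload = f"{email.lower()}|{list_id}|{int(now)}".encode()
    return b64e(payload) + "." + b64e(sign(payload))


def verify_token(token: str, now: float):
    """Return (email, list_id) for an authentic, unexpired token, else None."""
    try:
        p64, s64 = token.split(".")
        payload = base64.urlsafe_b64decode(p64)
        sig = base64.urlsafe_b64decode(s64)
    except ValueError:
        return None
    # Constant-time comparison; the payload is trusted only after this passes.
    if not hmac.compare_digest(sig, sign(payload)):
        return None
    email, list_id, issued = payload.decode().rsplit("|", 2)
    if now - int(issued) > TOKEN_TTL:
        return None
    return email, list_id


class MailingList:
    def __init__(self, list_id: str):
        self.list_id = list_id
        self.confirmed = set()
        self.last_confirmation = {}   # address -> time of last confirmation mail
        self.outbox = []              # (recipient, kind); stands in for SMTP

    def signup(self, email: str, now: float):
        """Web form handler: at most one confirmation mail, nobody is added."""
        addr = email.lower()
        last = self.last_confirmation.get(addr)
        if addr in self.confirmed or (last is not None and now - last < RESEND_GAP):
            return None               # repeated submissions generate no more mail
        self.last_confirmation[addr] = now
        self.outbox.append((addr, "confirmation"))
        return make_token(addr, self.list_id, now)  # placed in the mail body only

    def confirm(self, token: str, now: float) -> bool:
        """Handler for the link in the confirmation mail."""
        result = verify_token(token, now)
        if result is None or result[1] != self.list_id:
            return False
        self.confirmed.add(result[0])
        return True

    def send_issue(self) -> int:
        for addr in sorted(self.confirmed):
            self.outbox.append((addr, "newsletter"))
        return len(self.confirmed)


def demo():
    news = MailingList("weekly")
    t0 = 1_700_000_000                             # constructed timestamp
    news.signup("victim@example.org", t0)          # typed in by a third party
    news.signup("victim@example.org", t0 + 60)     # repeat: suppressed
    token = news.signup("reader@example.org", t0)  # genuine subscriber
    news.confirm(token, t0 + 300)                  # clicks the mailed link
    news.send_issue()
    return news.outbox
```

The address entered by a third party receives one confirmation mail and nothing else; with single opt-in the same form submission would have put it straight onto the list.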

~~~
jlgaddis
> _Anyone calling it 'double opt-in' has the whiff of being a spammer even if
> they aren't one._

Wow, I'm kinda surprised to hear that because I manage several e-mail servers
(for thousands of users) and I am about as anti-spam as one can be. I'm
certainly way more aggressive in spam filtering than most others I know.

I run my own RBLs (shared across several different systems); I have spamtraps
and keep a handful of domains registered solely for that purpose; I do
tarpitting; I will blacklist domains and IP addresses -- or ranges of
addresses -- at the drop of a hat; and much more.

Until reading this thread today, I have never even heard the term "confirmed
opt-in". "Double opt-in" is what I've always heard it referred to as and so
that's what I've always called it. As I said, I'm about as opposite of a
spammer as one can be.

You should be careful about making such broad generalizations or accusations.

~~~
JohnTHaller
Years ago, email marketing companies schemed to use the phrase 'double opt-in'
to make the process seem more onerous ('ugh, double the work is so
unnecessary, right?') even though the original term was 'confirmed opt in' or
'verified opt in'. That original terminology was specifically chosen because
without it, there's no way to know if the email address typed into that online
form was someone legitimately signing up or not. Especially when email bombing
was much more popular 15 years ago. Sadly, many folks only know the 'double'
term these days. 'Double' is more commonly used today since email marketing
firms do most of the talking about it. For instance, "confirmed opt in" has
92k results in Google while "double opt in" has 438k. It's much the same as
the way the gambling industry rebranded themselves as the 'gaming' industry.
Although in the case of 'double opt in' it's been more successful.

------
dharmon
They haven't "gone bananas". Removing double opt-in means more subscribers,
which means higher revenue for them. Their revenue is based on subscriber
counts, no matter how they were obtained.

I hope everyone else does what I do: any bulk emails I did not subscribe to
get marked as spam in gmail. Even a company the size of mailchimp can't cycle
and "warm" email servers fast enough if a critical mass of people are tagging
unsolicited emails.

~~~
chomp
It doesn't matter if they believe that it's higher revenue, GDPR requires
consent from the data subject [1] to process personal data. An email address
is personal data under GDPR. You can't guarantee consent with single opt-in.

[1] https://gdpr-info.eu/art-7-gdpr/

~~~
sgarman
Does this fall under mailchimp's responsibility or the company using their
services?

~~~
munchbunny
The short answer is both.

There's a somewhat longer answer about how MailChimp would need to make the
company agree to a separate contract around liability issues, as per GDPR
requirements.

------
jlgaddis
For my fellow mail server administrators:

* 205.201.128.0/20

* 198.2.128.0/18

* 148.105.0.0/16

Those are the ranges you'll want to add to your blacklists.

~~~
DKnoll
Blacklisting would be pretty irresponsible, greylisting maybe.

~~~
jlgaddis
On my servers, they are already greylisted (almost everyone is, by default).
Greylisting works very well against most spammers, hijacked PCs, etc. (I use
"spamd" [0] from OpenBSD, which also makes blacklisting very easy, FWIW).

In MailChimp's case, the only thing that greylisting would accomplish is
delaying the amount of time I wait to get their spam^We-mails.

[0]: https://man.openbsd.org/spamd.8

~~~
DKnoll
Wrong terminology, my bad. I meant adding a rule for MailChimp origin emails
that increases spam score but doesn't necessarily doom the message alone.
Dropping their mail altogether would definitely cause some legitimate messages
to be lost.

------
xster
Not a flippant response:

Curious why this isn't the default mode of operation:

    
    
      - Business sends spam
      - Gmail users mark spam as spam
      - Gmail starts putting all emails from business as spam for all Gmail users
      - Business fails
      - New businesses don't send spam
    

I can't imagine Gmail being in bed with spammers since Gmail gets paid when
spammers pay Gmail to put spam on top of all your emails, not when spam is in
your emails.

~~~
tyingq
New domains are cheap.

You don't spam from mybiz.com

You spam from mybizmail.com, mybizmarketing.com, mybizoffers.com, etc.

~~~
xster
Is that really the problem though? Most of the junk that makes it into my
mailbox is from real businesses that probably stand to go bankrupt if they
had to change their domain name. But they all have to spam because that's what
the market does now to win.

~~~
tyingq
Facebook notifications come from facebookmail.com, CarMax spams from email-
carmax.com. AT&T uses att-mail.com. And so on.

They don't all do it, but many do.

And if they burn their main domain, it's an easy option.

------
technion
There's another thing going on here.

Over the last 24 hours I've reported a half dozen accounts that have flooded
our domains with fake statements and links to Mailchimp hosted .js malware
downloads.

This has never been a problem before but right now it's out of control. No one
signed up for, what I'm assuming is, hacked newsletters on hacked mailchimp
accounts, and suddenly anyone on any address list is now on the receiving end
of this garbage.

------
pavlov
This only affects signup forms hosted by MailChimp. If you build your own form
and use their API for signups, there has never been a requirement for double
opt-in.

So I don't know if this is such a dramatic change -- depends on how many
people use the default forms instead of an integrated signup experience.

~~~
notahacker
Yeah, don't understand some of the responses which seem to assume this change
will make MailChimp any more spammer-friendly. If you want to spam with
MailChimp (or for that matter most other list providers) you import the long
list of people you want to spam in csv form and disregard warnings about only
importing emails from people if they've previously expressed interest in
receiving notifications from you. Double opt in for new signups makes no
difference.

MailChimp's ability to be regarded as a non-spammy mailing list provider
depends mainly on them weeding out customers who import lists of people who
haven't expressed any interest to indiscriminately blast mailshots, not on
requiring an additional step after an individual actually visits a website,
types in an email and clicks a button sending a post request to the mailing
list.

~~~
alloyed
The concern here is revenge-spam: someone takes your email and submits it to
every mailchimp default form they can find automatically, and then your inbox
is flooded with ostensibly legitimate email that you have to manually
unsubscribe from, for each individual list.

~~~
notahacker
I understand the concern on an individual level as expressed in the article,
but doubt "revenge spam" even moves the needle with mail providers' decisions
on whether MailChimp mails get through or not, which is the primary concern of
people worrying about its deliverability.

------
Taniwha
Time to shitcan mailchimp in my mail server I guess

------
synicalx
Honest question here, does anyone actually want to receive newsletters?

I don't think I've ever set foot in the 'Promotions' tab in my Gmail account,
other than to delete everything in it.

~~~
derefr
Some of my favourite "blogs" are only available in the form of e-mail
newsletters. patio11's post-BingoCardCreator blog, for example, only existed
as a newsletter (with non-indexed webpage alternates) for the longest
time—though I see that there's _now_ an index
(http://www.kalzumeus.com/archive/),
complete with RSS meta-tag.

In other cases, newsletters can serve as a sort of low-volume link aggregator.
I'm subscribed to the http://elixirdose.com
newsletter and end up with a few Elixir-related articles to read each month.

In other cases, it's just fun to follow regular company newsletters, because
those companies are essentially soap operas in progress. The
http://zenmagnets.com newsletter is 90% about their
ongoing legal battle against the Consumer Product Safety Commission.

And, every once in a while, I appreciate getting informed that a
product/service I've built something on top of—but which I'm not actively
building on right now (i.e. I pay them money every month, but I never go to
their website)—has new features, which might inspire me to build something
else on them. I like getting announcement emails from {AWS, DigitalOcean,
Twilio, etc.} for this reason.

~~~
patio11
My blog and newsletter are ~separate, FWIW. As far as I am aware I do not have
an RSS or single page listing the newsletter archive.

------
seizeheures
What reliable service should one use then? MailChimp is still pretty much the
go-to option for me

~~~
Scorponok
SendGrid for transactional email, https://myemma.com/
for newsletters (although I don't think Emma do double-opt-in by default).

~~~
inopinatus
We've seen problems from time to time with sendgrid and mailgun IPs getting
blacklisted. Moved to Postmark, who are super-strict about transactional email
only, and we've not had trouble since.

I've been recommending Postmark for transactional email and one of the others
for newsletters.

------
martin_a
We use Mailchimp for B2B newsletters and have several thousand subscribers in
our lists. This is the first time I hear anything about this. No mails
whatsoever although I am a German user.

~~~
jontro
I've received two mails in the past week.
http://mailchi.mp/f3bc9acebf61/were-making-important-changes-to-the-signup-process

http://mailchi.mp/5fbac34cf976/were-making-important-changes-to-the-signup-process-850741

~~~
stefan69
Ditto.

------
hobarrera
So, MailChimp will make more money, as users get more unwanted emails, and
clients have to pay for it.

Wow.

------
BillinghamJ
You can actually get your entire domain blacklisted on Mailchimp if you want.
Absolutely nothing will be sent to any email on the domain.

https://mailchimp.com/contact/

Click “legal & privacy questions”, then “access our contact form”

------
wdr1
I wish MailChimp (and others) would stick with double opt-in.

However, if we've lost that battle, it would be nice if they gave a _user_ the
option to require double opt-in on their email before being added to a new
MailChimp list.

------
ynniv
Come on, this should be really easy to fix. If MailChimp is really sending you
so many emails that you are upset with their service, you should be able to
make your own MailChimp account and tell them that _your email address_
requires double opt in. Or you can make a rule for their MX to end up in a
special folder. Or they can detect a well above average number of lists for a
single email address and trigger double opt-in for that address. This is a
problem for a vast minority of users.

------
tomc1985
I wish there was a non-consensual way to force businesses to continue needed
products and services. The narrative lately (especially here on HN) has been
seemingly nothing but firms watering down --if not sunsetting-- valued
products and services for their own seemingly selfish ends.

"Business isn't charity" -- maybe it should be. At the least we'd get more
service-oriented folks in charge, instead of the current crop of profiteering
assholes that infest these lands.

------
InternetOfStuff
From a German perspective, that was a pretty close call.

As the article states, in places like Germany, double opt-in (or an
equivalent) is mandated by the application of German (or even EU?) law.

If they had really gone through, they would have put their German users into a
legally vulnerable position.

The rudeness of meddling with customers' settings notwithstanding, this kind
of lapse is inexcusable from a company specialising in mailing list delivery.

------
kadfak
I recently set up a mail server with DKIM, SPF, DMARC configured correctly.
After spending a day fighting with major email services to not mark my emails
as spam, I really saw the value of email service providers. But the damn
prices...

Are there any alternatives to traditional email that could potentially replace
it in the near future?

~~~
snowwrestler
If you are starting a new bulk mail service, you have to be very careful about
the IP address. It can't be from a known suspicious IP range (e.g. any part of
Amazon EC2). It can't be an IP that already has a bad reputation from a
previous service running on it. It can't be an IP that is currently running a
bunch of other services and sites.

Even then, you have to "warm up" the IP by slowly increasing the send volume
from it, over about a month, while maintaining low spam scores.

It's a pain in the ass, which is why email service provider is a business
model.

There are alternatives to email, like targeting and boosting social media
posts. But generally speaking, they are all more expensive than email, even
taking into account service provider fees.

------
pedalpete
I believe this benefits MailChimp's business model. They charge based on how
many subscribers are in your lists, so a single opt-in increases how many
people sign up and therefore how many people they charge for.

I'll be leaving MailChimp because the cost outstrips the value as our list has
grown.

------
makeramen
Would be nice to have some sort of do-not-call list equivalent for email
mailing lists, or at least something that forces double-opt-in on the
receiving end. Too bad we're not MailChimp's customers so they could care less
really.

~~~
BillinghamJ
Couldn’t care less?

~~~
makeramen
Oh ok. Thanks.

------
conductr
Not a user but does single opt-in "by default" imply there is a setting to
flip it back to double opt-in? If so, flip the switch

~~~
stefan69
Correct - they state you can still use double opt-in if you want to.

------
andrewdubinsky
Lots of competitors only use single opt-in & have more favorable policies for
list owners. I'm not sure they have a choice.

------
xster
I imagine it can't be the most profitable market to write spams in Cantonese.

[subtitle: it's like sending spam in Glaswegian]

------
proactivesvcs
I had no idea MailChimp ever used any sort of opt-in. More than half the
MailChimp-delivered email I get is spam.

------
NoPiece
They are just changing the setting, and creating a new default. Not sure why a
user of MailChimp would feel the need to switch, or complain they "only" have
7 days to switch the setting to what they want. That's not an unreasonable
burden.

~~~
caf
This is explained near the end of the article:

 _Changing the settings for my own mailing list (which of course, I did) isn't
actually a solution. Sure, it stops toerags using my newsletter as an email
bomb but it doesn't stop many more MailChimp-run mailing lists switching to a
system that will increase the amount of unwanted emails flying around the
internet._

------
stefan69
As a marketer, one of the issues I run into is to subscribe someone, who
filled a contact form on my website, to an email automation series (usually to
nudge them towards taking an extra action while we scramble to get back to
them). Problem is, once the user filled up the contact form to make an
enquiry, he is unlikely to go to his/her inbox to confirm... a subscription
link.

I do think double opt-in is the way forward (as outlaid in the article), but
having that single opt-in option for some special cases is necessary from a
business point-of-view.

Overall, pretty good compromise by Mailchimp.

~~~
jlgaddis
> _Problem is, once the user filled up the contact form to make an enquiry, he
> is unlikely to go to his/her inbox to confirm... a subscription link._

Or, worded another way: the user really doesn't give a damn about your
subscription.

If they can't be bothered enough to take a few seconds to open one e-mail
message and click on a single link, then whatever you're offering obviously
isn't something that they actually want.

As a non-marketer, it seems to me that marketers would _want_ something like
double opt-in -- just so that you can ensure that those on your list are
people actually interested in $product. Or is it more about the _quantity_ of
users on your list and not the _quality_ of those users?

~~~
snowwrestler
As a non-marketer, you presumably have not had the experience of customers
being mad at you because they thought they signed up for something but never
got it.

Email marketing has got to be one of the top "HN readers are not like most
people" subjects that get discussed here. Most people do not go through life
in a defensive crouch about their email inbox. They sign up for things on a
whim and then unsubscribe if they don't like it.

Double opt-in works well for some audiences but definitely not for all. And
BTW it's been possible to operate Mailchimp as single opt-in via API calls for
a while now.

~~~
pixl97
> customers being mad at you because they thought they signed up for something
> but never got it.

Yea, the customers never got it because 10 other people on your domain
reported it as spam and the whole thing gets black flagged on the server and
dropped at the SMTP connector.

This entire thread says one thing.

"Marketing emails are dead, Mailchimp is trying to boost their numbers so they
can sell before everyone else realizes it"

