How does double opt-in work?
Double opt-in has two steps. First, the person submits their address through a form. Second, the platform emails that address a unique confirmation link, and the contact stays unmailable — pending — until they click it. Only the click moves them to confirmed. A single click does three things at once: it proves the address exists, proves the person controls the inbox, and timestamps a deliberate action you can store as part of the consent record. Addresses that never confirm are quietly dropped.
Single opt-in vs double opt-in: what is the trade-off?
Single opt-in makes the address mailable the moment the form is submitted — one step, maximum signups, no waiting. The cost is that whatever gets typed goes onto your list: typos, throwaway addresses, bots filling forms, and people who mistype someone else's address. Double opt-in filters all of that before the first real message, at the price of the contacts who sign up but never click the confirmation. Fewer names, but the names are real — which keeps bounces and spam complaints down and your suppression list short.
Does the GDPR require double opt-in?
No — no clause in the GDPR names double opt-in, and single opt-in can be lawful if consent is freely given, specific, and informed. What the GDPR does require is that you can demonstrate consent (Article 7). Double opt-in is simply the cleanest way to produce that evidence: the confirmation click ties consent to an address the person provably controls. Several EU regulators, including German data-protection authorities and the CNIL in practice, treat it as best practice for exactly this reason. The practical setup lives in GDPR and self-hosting; this entry only defines the term.
Why it matters for a two-person team
A small sender has no reputation buffer. A batch of fake or mistyped addresses turns into hard bounces and spam complaints on your first campaign, and mailbox providers punish that fast — the smaller the list, the more each bad address moves your rates. Double opt-in keeps those addresses off the list before they ever cost you, which is why it is one of the cheapest protections in email deliverability for startups. The confirmation email itself is transactional, so it sends whether or not the person is on any marketing list.