
How to Protect Your Email List from Bots

We recently announced that we’re going to support single opt-in signups for Mailchimp lists right from our own signup forms. This generated a lot of great conversation about deliverability—some that we expected, and some that surprised us.

As the person who’s responsible for deliverability at Mailchimp, I love it when people understand why this stuff matters. Building an email list is a crucial first step in getting to the inbox, and we have a ton of experience helping our customers do both. We’ve put a lot of work into developing sophisticated and intelligent systems to reduce the risks once associated with single opt-in, but we haven’t talked much about it in the past. I’d like to dig into some of the ways we’re protecting your lists and helping you reach inboxes.

How we protect our sending reputation

One of the biggest concerns we’ve heard about our move to support single opt-in is that it could affect our sending reputation. Here’s a closer look at the steps Mailchimp has taken to protect that reputation:

Mailchimp operates a pool of more than 7,000 shared IPs, and it’s crucial that we monitor and maintain a high reputation on all of them. We’ve never believed in operating a subset of IPs with a bad reputation, and we remain committed to providing great deliverability across the board. Nothing about our rates, thresholds, or the way we help you improve the quality of your list has changed. However, it may help to know how we treat your best subscribers.

Highly engaged subscribers will always receive email from our top-tier IPs. These are IPs that we’ve set aside for 4- and 5-star subscribers from any list for any user. These IPs don’t generate significant numbers of abuse complaints or bounces, and their reputation is pristine. It doesn’t matter if you’ve imported a list or used our forms. It doesn’t matter if you use single or double opt-in. Emails to your most highly engaged subscribers will always go out over top-tier IPs.

Of course, we care about all of our IPs, so we tend to think of these IP tiers as good, better, and best. This corresponds roughly to 2-3-star, 4-star, and 5-star subscribers. Every subscriber starts off at 2 stars, and they gain additional stars as they open and click more of your emails over time. By design, our algorithm is fairly conservative. This ensures that 4- and 5-star subscribers are excellent, but it also means that 2- and 3-star subscribers still generate a lot of opens and clicks when taken as a group. That engagement is what keeps even our lowest tier IPs really strong.

On our delivery page, you can see how our IP reputation stacks up against some of our competitors in the Sender Score section. We also use that page to publish our bounce rates and delivery times to 5 of our largest ISPs. One of the ways we’re able to keep bounce rates so low is that we have an abuse prevention system that's watching and analyzing lists at all times.

Rise of the bots

Another concern we’ve heard relates to bots—after all, the internet is full of them. If you’ve managed a website or even an online form, I’m sure you know what I’m talking about. There are bots that will fill out a form with thousands of fake email addresses. There are other bots that fill out thousands of forms with a single, very real email address. You can find out more about this type of attack by searching for terms like “subscription bomb,” “signup bomb,” and “list bomb.”

Double opt-in forms offer some protection from bots, but they’re not perfect. Every time a double opt-in form is submitted, Mailchimp sends a confirmation email to the address in question. If that address was submitted to your form fraudulently, it’s highly unlikely that the recipient would confirm and end up on your list. Of course, it’s still bad for the recipient who gets bot-initiated confirmation emails in their inbox, so double opt-in isn’t foolproof in this respect.

To combat attacks across multiple lists, we’ve implemented a simple throttle rate that prevents a single address from getting added to multiple lists in a short period of time. We have a different type of throttle rate that kicks in when bots attack a single list. Both of these throttling methods work for single opt-in forms as well as double opt-in forms, but there’s a key difference. Before throttling kicks in, an attacked address will receive a welcome email and be added to any list that uses a single opt-in form. With double opt-in, the attacked address will receive a confirmation email, but it won’t be added to the list unless the confirmation button is clicked. While our throttle rates can limit the impact of bots, throttling doesn’t completely eliminate the problem.
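The behavior described above, as an added sketch that is not Mailchimp's code: a sliding-window throttle keyed both by address and by list, run over constructed signup streams to show what gets through before throttling kicks in under single and double opt-in. The class and function names, the limits (3 lists per address, 5 submissions per list), the 10-minute window, and the per-list rule itself are all assumptions; the page does not describe how either throttle is implemented.

```python
from collections import defaultdict, deque

class SignupThrottle:
    """Sliding-window throttle keyed by address (across lists) and by list."""

    def __init__(self, addr_limit=3, list_limit=5, window=600):
        # Assumed values for illustration; the page gives no real thresholds.
        self.addr_limit, self.list_limit, self.window = addr_limit, list_limit, window
        self._by_addr = defaultdict(deque)  # address -> (timestamp, list_id)
        self._by_list = defaultdict(deque)  # list_id -> (timestamp, address)

    def check(self, address, list_id, now):
        addr = address.strip().lower()
        aq, lq = self._by_addr[addr], self._by_list[list_id]
        for q in (aq, lq):  # drop attempts older than the window
            while q and now - q[0][0] >= self.window:
                q.popleft()
        aq.append((now, list_id))  # blocked attempts still count
        lq.append((now, addr))
        if len({lst for _, lst in aq}) > self.addr_limit:
            return "throttled:address"  # one address, many lists
        if len(lq) > self.list_limit:
            return "throttled:list"     # many submissions, one list
        return "accepted"

def simulate(events, opt_in):
    """Return (emails_sent, list_memberships, decisions) for a signup stream."""
    throttle, emails, members, decisions = SignupThrottle(), 0, 0, []
    for ts, address, list_id in events:
        decision = throttle.check(address, list_id, ts)
        decisions.append(decision)
        if decision == "accepted":
            emails += 1        # welcome (single) or confirmation (double)
            if opt_in == "single":
                members += 1   # single opt-in subscribes immediately
    return emails, members, decisions

# Constructed sample data: one real address pushed at 8 lists, and
# 10 fake addresses pushed at one list, one submission per second.
BOMB = [(t, "Victim@example.com", f"list-{t}") for t in range(8)]
FLOOD = [(t, f"fake{t}@example.com", "list-A") for t in range(10)]

if __name__ == "__main__":
    for mode in ("single", "double"):
        print(mode, simulate(BOMB, mode)[:2], simulate(FLOOD, mode)[:2])
```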

This is why, if you’re operating a single opt-in list, we highly recommend that you implement reCAPTCHA, which is already enabled for you on all our hosted forms. If you use our embedded or pop-up forms, you can enable reCAPTCHA in your list’s settings. While our throttle rate kicks in after we’ve seen a few submissions, reCAPTCHA can stop bots from fraudulently submitting addresses in the first place.

It’s an evolution

10 years ago, I was vehemently against pop-up forms. I thought they were the most annoying thing on the internet after marquee text. Unlike moving marquee text, which no one could get right, pop-up forms have come a long way and can be extremely effective. Part of this is because marketers have simply gotten better at implementing pop-up forms that look good and hit you at the right moment. It’s also true that the internet has changed a lot in the past 10 years. This is how I think about single opt-in from a deliverability perspective.

Double opt-in is a great way to build a healthy list, but looking around, there are new and interesting tools to help marketers implement single opt-in safely without compromising the quality of their lists. At Mailchimp, we certainly have more ways to protect our email traffic now than we did 10 years ago.

Our goal at Mailchimp has always been to help small businesses grow, and single opt-in signup forms are a proven tool that can help small businesses reach their goals. When paired with modern, intelligent, and reliable deliverability options, this new feature will be a safe choice for businesses focused on growth. The Deliverability team here has been involved with the decision to support single opt-in forms from the beginning, and we’re happy that small businesses have more options to build healthy and engaged lists.
