Confirmation Fails

Yesterday I talked about registration confirmations. Today I’m going to talk about a couple recent experiences with websites and their registration failures.
The first experience was with Yelp. One of my readers decided I needed a Yelp account and created one using my laura-questions email address. Yelp understands that people will be jerks and so sent me an email to confirm the account.

Hi Laura,
Thanks for joining Yelp.
To protect your privacy, please confirm your email address by clicking here:
https://www.yelp.com/ce?[REDACTED] We look forward to seeing you on Yelp.
— The Yelp Team
If you did not sign up for Yelp someone probably mis-typed their email address so just ignore this message.

I’m pretty sure it wasn’t a typo, but in the grand scheme of things if I don’t have to unsubscribe, I’m pretty happy. I continued to be happy with Yelp, until about a week later. At that point I started getting Yelp newsletters to laura-questions. It seems that “ignoring the message” doesn’t mean they won’t contact me, just that I don’t have access to the fake account that someone set up for me. Even worse, the unsubscribe link didn’t work because the account had not been confirmed.
Yelp doesn’t accept email, so eventually I had to open a case with their legal department to get them to stop sending me newsletters that I hadn’t asked for, nor confirmed. They seem to have fixed the problem at this point.
I understand this is a fairly rare situation, but there are a lot of things that Yelp could do to improve the experience of people who have fake accounts created by harassers.
Obviously, Yelp could trivially fix the problem by not sending newsletters to any unconfirmed address. But a lot of marketers will tell you that recipients are lazy and they won’t confirm but they will happily receive email. In some cases, the marketers even have data that shows definite revenue from mail sent to unconfirmed addresses. Not ever mailing those addresses seems to be a bad idea. At the same time, marketing to those addresses also seems like a poor idea.
There are some things I would suggest to clients in order to respect recipients who don’t confirm but not lose revenue due to recipients who don’t confirm but want the email.

  1. Limit what users can do on the website before they confirm their email address. Facebook, for instance, does not allow installation of games or internal messaging until an account is confirmed. This stops users from giving fake addresses but actually using the services provided by a website.
  2. Set up a limited marketing campaign to unconfirmed addresses. Instead of just adding those users to their normal marketing stream, they could send a confirmation reminder or two. Ideally these would be a small version of the newsletter: “here’s what you missed by not confirming your address. Confirm your address by <DATE> in order to get our newsletter and all the benefits of your account.
  3. Use website data to determine engagement. If someone creates an account, never confirms and never logs in, then it’s very likely this is a fake account and they shouldn’t be mailed at all.
  4. Make it easy to unsubscribe from mail, particularly when the address is unconfirmed. Even folks who run spamtraps will sometimes give senders the benefit of the doubt and try to unsubscribe. If that unsubscribe doesn’t take or is hard, that may result in a blocklisting.
  5. Have a link in the confirmation message that allows the recipient that says this registration is fraudulent, don’t ever email me again.

The second situation is with the New York Times. Apparently, I created an account on the NYTimes.com website at some point. A few weeks ago I got an email from them.

Dear NYTimes.com Registered User,
You previously registered your e-mail address on NYTimes.com. Our records indicate that
you did not confirm your email address.
Please note we have confirmed your email address so that you can now receive important
e-mail notifications and updates from NYTimes.com. To start getting all of the news you
want delivered right to your in-box, simply select your free newsletters now:

I know this is an account I created because it came to a tagged address. What I don’t know is how long ago I created the account. I have no trace of mail to that address from the NY Times in my mailbox which has archives back to mid-2010. That means the registration is at least 36 months old. With no communication from the NY Times in that 36 months, I bet that mailing had some pretty bad delivery.
Clearly, confirming addresses for your recipients is a very bad idea. However, there are things the NY Times could have done better.

  1. Instead of sending me an email saying they were confirming my address, they could have sent me an email asking me to confirm my address.
  2. Limit the addresses emailed for confirmation to those accounts that are currently active. Not only do I not remember signing up, I don’t have any trace of the login data for my account. That means I’ve not logged into NYTimes.com with that account. Using website data is a great way to interact with users outside of email. The NY Times could identify active users who’ve not confirmed and send them confirmation emails.
  3. Limit the website functionality for NY Times for users who’ve not confirmed. The NY Times has been desperate to find some way to monetize their website, and that means they are doing a lot with interstitial ads and restricting article reads. They have the ability to stop users from logging in if the email addresses are not confirmed. That wouldn’t affect people like me who create an account and then forget they have it and never use it. What it would do is convince people who were actively logging into the NY Times to confirm. No confirmation, no logins at the paper, no commenting on articles, no access to archives, whatever the NY Times wants to restrict from non-registered and non-confirmed users.
  4. Allow an opt-out! The message was tagged as a “service message.” The footer said I could unsubscribe from promotional emails, but did not allow me to opt-out from more service messages. This is a bad idea, particularly when the NY Times is confirming my address for me.

Confirming registrations at websites is a good step for many commercial sites. It gives so many benefits to both the recipient and the website. But confirmations can be handled poorly, as the above two examples show. But there were simple, small things that both companies could have done that would have changed their spam to legitimate email.

Related Posts

Some thoughts on permission

A lot of email marketing best practices center around getting permission to send email to recipients. A lot of anti-spammers argue that the issue is consent not content. Both groups seem to agree that permission is important, but more often than not they disagree about what constitutes permission.
For some the only acceptable permission is round trip confirmation, also known as confirmed opt-in or double opt-in.
For others making a purchase constitutes permission to send mail.
For still others checking or unchecking a box on a signup page is sufficient permission.
I don’t think there is a global, over arching, single form of permission. I think context and agreement matters. I think permission is really about both sides of the transaction knowing what the transaction is. Double opt-in, single opt-in, check the box to opt-out area all valid ways to collect permission. Dishonest marketers can, and do, use all of these ways to collect email addresses.
But while dishonest marketers may adhere to all of the letters of the best practice recommendations, they purposely make the wording and explanation of check boxes and what happens when confusing. I do believe some people make the choices deliberately confusing to increase the number of addresses that have opted in. Does everyone? Of course not. But there are certainly marketers who deliberately set out to make their opt-ins as confusing as possible.
This is why I think permission is meaningless without the context of the transaction. What did the address collector tell the recipient would happen with their email address? What did the address giver understand would happen with their email address? Do these two things match? If the two perceptions agree then I am satisfied there is permission. If the expectations don’t match, then I’m not sure there is permission involved.
What are your thoughts on permission?

Read More

Evil weasels and random monkeys

I’m doing testing on a new release of Abacus at the moment, so I’m in a software QA (Quality Assurance) frame of mind.
One of the tenets of software QA is “Assume users are malicious”. That’s also one of the tenets of security engineering, but in a completely different way.
A security engineer treats users as malicious, as the users he or she is most concerned about are crackers trying to compromise their system, so they really are malicious. A QA engineer knows that if you have enough users in the field, making enough different mistakes or trying to do enough unusual things, they’ll find all the buggy little corners of your application eventually – and crash it or corrupt data more reliably than a genuinely malicious user.
As a QA engineer it’s easier to personify the forces of chaos you’re defending against as a single evil weasel than a million random monkeys.
In the bulk email world the main points where you interact with your users are signup, confirmation, unsubscription and click-throughs. Always think about what the evil weasel will do at that point.
Signup

Read More

Confirmed opt-in

I spent the morning in multiple venues correcting mis-understandings of confirmed opt-in. The misunderstandings weren’t so much that people didn’t understand how COI works, but more they didn’t understand all the implications.
In one venue, the conversation centered around how small a portion of deliverability the initial subscription process affects. Sure, sending unwanted, unexpected email can and does cause reputation problems, but merely using COI as a subscription methodolgy doesn’t automatically give a sender a good reputation or good delivery. Senders using COI as a subscription practice need to also need to send relevant and engaging mail that their recipients expect to receive. They need to handle their bounces well and purge or re-engage inactive subscribers. They need to keep their complaints low and their responses high.
How you manage subscriptions is only one factor in reputation schemes, and even if the subscription method is COI other factors can negate any bonus involved.
The second conversation involved Ken challenging me on the comment I left on his quiz yesterday. I said COI wasn’t foolproof and he challenged me to explain how. I did, and he’ll be following up next week.

Read More