Confirm To Unsubscribe

Question comes in this morning:

Hey Mick? Requiring the confirmation of an email address in an unsubscription is not CAN-SPAM compliant, right?

That is absolutely correct. The current implementing rules for CAN-SPAM state:

Neither a sender nor any person acting on behalf of a sender may require that any recipient pay any fee, provide any information other than the recipient’s electronic mail address and opt-out preferences, or take any other steps except sending a reply electronic mail message or visiting a single Internet Web page, in order to:

(a) Use a return electronic mail address or other Internet-based mechanism, required by 15 U.S.C. 7704(a)(3), to submit a request not to receive future commercial electronic mail messages from a sender; or

(b) Have such a request honored as required by 15 U.S.C. 7704(a)(3)(B) and (a)(4).
(emphasis added)

My assumption in answering this question is that the issue here is that the sender wants to use a confirmed, or double, opt-out approach. This would be a violation of CAN-SPAM because requiring that confirmation step is requiring take steps other than sending a reply electronic mail message or visiting a single Internet Web page to effect the opt-out.

The technology exists to encode the recipient’s address into the URL or the reply-to field so that unsubscription shouldn’t take more than a single blank email or a visit to a single page. And since that’s what the law currently requires, that’s what you should be doing.

About the Author

Mickey is a Consultant & Attorney with over 28 years of experience in Email Deliverability & Privacy Law. He has a strong background in email authentication infrastructure (SPF, DKIM, DMARC), ISP and mailbox provider relations, anti-spam policy and compliance, CAN-SPAM and state anti-spam law gained through overseeing the Abuse & Compliance team at Salesforce Marketing Cloud, originating the ISP relations role at Informz (now part of Higher Logic), and working in the fight against spam since 1997. He holds a B.A. in Government, a B.S. in Computer Information Systems, and a J.D. from the University of Houston Law Center. He is a certified CIPP/US professional and a certified CIPM professional.

DKIM Failing at One Domain Is Not a Key Issue

14 April 2026

Your DMARC aggregate reports are the first place you will see DKIM failing at one domain while it passes everywhere

The President’s App Can Be Worse Than Yours

31 March 2026

The federal government has substantial sovereign immunity. That means that the government can’t be sued without its permission. Private companies

shattered glass on red carpet dramatic still life

Spammers Ruin Everything

17 March 2026

Most of the time, email landing in the spam folder is a business problem. Campaigns don’t convert, revenue gets left

Basic Operations

These cookies are necessary for the website to function and cannot be switched off. They are usually set in response to actions made by you such as setting your privacy preferences, logging in, or filling in forms.

Always active

7 cookies in this category

Name	Owner	Duration	Purpose
`comment_author_*`	WordPress	347 days	Saves your name, email address, and website URL when you post a comment so you do not have to re-enter them next time.
`wcc_consent`	WP Cookie Consent	30 days	Stores your cookie consent preferences so you are not asked again on every page visit. Contains only a random identifier — no personal information.
`wordpress_*`	WordPress	Session	Used by WordPress to authenticate logged-in visitors, remember authentication details, and to provide other essential security features.
`wordpress_logged_in_*`	WordPress	Session	Tells WordPress whether you are logged in to the site. WordPress uses this to show you the correct version of the site.
`wordpress_test_cookie`	WordPress	Session	Tests whether cookies are enabled in your browser. Deleted immediately after the test.
`wp-settings-*`	WordPress	1 year	Stores your personal WordPress dashboard and administration interface settings.
`wp_lang`	WordPress	1 year	Remembers your preferred language for the WordPress admin interface.

Content Personalization

These cookies allow the website to remember choices you make and provide enhanced, more personal features. They may also be used to provide services you have asked for.

2 cookies in this category

Name	Owner	Duration	Purpose
`aw_*`	AWeber	1 year	Set by AWeber when you sign up for an email list. Records your subscription status and preferences.
`jetpack*`	Jetpack by Automattic	1 year	Used by Jetpack to provide site statistics, security features, and related functionality.

Site Optimization

These cookies allow us to count visits and traffic sources so we can measure and improve the performance of our site. All information these cookies collect is aggregated and therefore anonymous.

6 cookies in this category

Name	Owner	Duration	Purpose
`_ga`	Google Analytics	2 years	The main Google Analytics cookie. Used to distinguish unique visitors by assigning a randomly generated number as a client identifier.
`_ga_*`	Google Analytics	2 years	Used by Google Analytics 4 to persist session state and measure site usage.
`_gac_*`	Google Analytics / Google Ads	90 days	Contains campaign-related information. Shared between Google Analytics and Google Ads.
`_gat`	Google Analytics	1 minute	Used by Google Analytics to throttle request rate. Expires after 1 minute.
`_gid`	Google Analytics	24 hours	Used by Google Analytics to identify a user session. A new value is assigned each day.
`metricool_visit_*`	Metricool	1 year	Used by Metricool to track page visits and measure website traffic statistics.

Ad Personalization

These cookies may be set through our site by our advertising partners. They may be used to build a profile of your interests and show you relevant adverts on other sites.

1 cookie in this category

Name	Owner	Duration	Purpose
`_gcl_*`	Google Ads	90 days	Used by Google Ads to measure the effectiveness of advertising campaigns and to track conversions.

Confirm To Unsubscribe

About the Author

DKIM Failing at One Domain Is Not a Key Issue

The President’s App Can Be Worse Than Yours

Spammers Ruin Everything

Links

Brands

Connect