Taking one step forward and two steps back with the spam problem

Just as it seems we’re getting a handle on soaring levels of spam emails a key tool is changed for the worse

By the end of Q3 this year, just under 60% of email was deemed spam. That’s almost two in every three emails being a nuisance, or potentially dangerous to global email users. Businesses really don’t want to contribute to the problem by creating “noise” in people’s inboxes, instead we want to focus on improving deliverability and ensuring our customers receive relevant communications from us.

Most companies, and in particular marketers, rely on bulk email services to manage the distribution of our email messages, and until now, we’ve had one provider in our corner, doing its best to reduce unnecessary emails flying about the internet.

Monkeying around with email

However, in October, MailChimp, had a change of heart about its opt-in settings for subscribing to emails, moving from a double opt-in process, to a single.

So what does this mean? By changing subscription settings to a default single opt-in, a person now only needs to enter an email address and click subscribe to join a MailChimp list. Compare this to the double opt-in method — where a subscriber had to verify they wanted to subscribe via responding to one-off email they received — and you can see why “spam” email volumes may quickly increase.

The omnipresent GDPR

Needless to say by removing this verification process, people weren’t happy. Double opt-in is a necessity to prove consent was actually obtained from an email address owner under the upcoming GDPR regulations. MailChimp’s change provides an array of possibilities for hackers and bots to easily access newsletter subscriber lists, meaning you could see hundreds of new emails in your inbox daily. Facing backlash in Europe specifically, the company decided that if the primary contact address was in the EU then existing forms would remain double opt-in. Great news for .co.uk email addresses, but what about users of Gmail where it’s difficult to determine location?

An e-mail u-turn

The incident brings to light the ever present dangers facing email security today, as well as the battle that so many brands face with email deliverability. MailChimp argued that double opt-in rates have slipped to 39% and that consumers no longer expect this step. While this may be true, the industry trend hurts privacy and security and goes against what the service had previously stated about the importance of authentication.

It wasn’t so long ago that MailChimp lauded double opt-in as a safeguard against bots, scammers and everything in between. This new default behavior does quite the opposite, and although opt-in will increase in the short term, longer term organisations using MailChimp will likely face an increased number of people unsubscribing from email lists. Furthermore, we’re likely to see spam rates soar as a consequence. Single opt-in enables spam bots to plug your email address into any number of sign-up lists and and in effect, DDoS your mailbox.

There’s very little that users and security advocates can do about this — taking a corporate stand and dropping the email provider is one option, but in an industry where double opt-in is a rare practice, how easy is this option? We’d love to hear your thoughts on the MailChimp saga, or indeed any spam-related news — team@ondmarc.com.

PUBLISHED BY

Clare Holmes

27 Nov. 2017

SHARE ARTICLE:

Categories

Recent Posts

VIEW ALL
Certificates

TLS certificates are changing: What you need to know

Red Sift

Executive summary: TLS certificates are about to get significantly shorter-lived. Starting 15 March 2026, newly issued public-trust certificates will max out at 200 days—and just three years later, that lifespan drops to 47 days. Backed by Google, Apple, and Mozilla, this shift aims to make the web safer through fresher data, faster failover, and…

Read more
DKIM

The hidden threat: How misconfigured DKIM enables replay attacks

Red Sift

Email authentication isn’t just an IT concern. It protects your brand and customers. A single misstep can let attackers spoof your domain, send phishing emails, and destroy customer trust. One of the most dangerous methods? The DKIM replay attack. In this post, we’ll break down how undersigned DKIM keys and related misconfigurations open your…

Read more
BIMI

Why DMARC and BIMI are a business priority

Jack Lilley

Email threats aren’t slowing down, and neither should your authentication strategy. In our recent joint webinar with Marigold, “From DMARC to BIMI: Navigating the New Email Authorization Landscape,” we broke down what today’s evolving standards mean for both security and marketing teams—and how to take action now with our free Red Sift Investigate tool.…

Read more
ASM

Zoom stops zooming: Why active monitoring is essential

Billy McDiarmid

​On April 16, 2025, Zoom experienced a significant global outage that disrupted video conferencing services and access to its website for thousands of users, as well as their corporate email for all their employees. It was quickly identified as a domain name registration status problem. Despite being a critical name for Zoom, somehow, the…

Read more