Hacker News new | past | comments | ask | show | jobs | submit login
Activation emails
42 points by piers on March 28, 2008 | hide | past | favorite | 47 comments
I recently read something on A List Apart going against sign up forms, but what about activation emails? Are they a big no no, or a useful tool in the fight against bots? Is there any proof that an activation email actually drives away users?



Having a user's email can be extremely useful and many times necessary. When you make changes to your TOS/privacy policy, you can send them notifications. When they receive an internal private message, you can send them a notification. You can also send them updates about your service. Also, email is probably still the most powerful marketing vehicle. If you ignore it, you've just lost a very powerful ally in your path to success.

Now, how you collect this email is also extremely important. The best way to collect emails is through double-opt-in. User first requests to receive messages from you (a checkmark during the signup is sufficient) and then they confirm the subscription when they receive the email. Why is this important? It prevents people from claiming that you're a spammer. If you follow this procedure and if you keep these records (i.e. dates, IPs etc), you can defend your email when you get spam complaints from other postmasters. It is CRITICAL that you followup on these spam reports since you can easily get blacklisted on all of the email services and your emails will never be delivered. If you use email list services (like Aweber etc),they require you use double opt-in and won't allow you to add an email without it. I like these various email contact services since they deliver emails to inboxes of pretty much all of the email service providers and they fight every spam report on your behalf.

So yeah, I understand the need to have an easy signup but you should also think ahead. My suggestion is to start with no double opt-in and add it later on as your site grows and you start receiving spam complaints.


In my opinion the more hurdles you present the more users you drive away.

There are legitimate reasons for introducing hurdles like requiring registration, requiring activation e-mails, etc. Ask yourself whether the benefits of activating outweigh the potential downsides. If you're requiring activation e-mails to prevent bots from signing up, how significant of an impact will those bots have on other users? On a forum it may be pretty significant, as the site can be flooded with unwanted posts. There are other cases where a bot signing up would really have no substantive impact on a user, because they wouldn't be inconvenienced by the bot.

That's a rather roundabout answer, but it effectively boils down to this: you should remove every unnecessary barrier between your user and your site. I consider an unnecessary barrier something that doesn't improve the quality of the site and/or the user experience.


Agreed. There are a number of cases where a valid, authenticated email is a requirement to use the system (for instance, when other users will be using that email to find and link to you). In those cases, an activation email is unavoidable.

Daniel


If activation mails were to get me back to where I was when I was REQUIRED to register, then I would find them less annoying.

Instead, they get me to some new windows, on some profile page. And when I get back to the original window, guess what? I have to "login"!

Dude, I just registered and now you want me to "login"?

Conclusion: Activation emails suck. At least the way they are implemented today.

BTW: When I enter my email address and password in a "login" form, please don't blame me "You are not registered", register me instead!

"login" + "register" = "login" -- There is no need for two actions.


> BTW: When I enter my email address and password in a "login" form, please don't blame me "You are not registered", register me instead!

I had the exact same idea, but maybe registration should require a captcha too, so..


Every additional step loses you users, even adding one more field to a form.


I've moved to using soft email confirmation, meaning that it doesn't prevent the user from doing anything, it just removes a message on their dashboard or whatever reminding them to confirm their email address.

Context is everything, but 99% of the time soft confirmation or no confirmation at all is fine.


I'm curious: what does this buy you over not sending one at all?


I think that the idea of a soft confirmation is a very good one, and we'll be switching over to that for Chron X.

The biggest reason we want an email address at all is for password resets. We have a decently large list of customers, some paying, others playing for free.. But if you've invested months, weeks or years into the game, and you lose your password, we want to have a way to help.

Currently, if this happens, we go into the database and manually verify your billing address, time you signed up, recent activity and the like, but it's a very manual and potentially error-prone process. Giving them a way to reset it automatically would help quite a bit.

The second thing we use it for is notifications. Since Chron X is an interactive game, some users request to have us send them a note when it's their turn. We wouldn't want to start sending out turn notifications without a confirmation, to avoid having users inconvenience others. ("Yeah! Send all my turns to billg@microsoft.com, and my second email, sjobs@corp.apple.com")..

We've been debating this internally for a while, arguing between easier signup (no conf), and better security, and lower customer service time (conf).

Soft-conf is a good tradeoff for us.


We've used a hard activation process previously, and only around 40% - 50% of people who signed up actually activated. Think about that ... over half of our users who spent the time getting to know the product enough to sign up didn't even get to use the site properly.

Now that I think about it, I think it's crazy... and I'm not using any activation on my new site. If they got their email wrong during sign-up (an occurence a lot more rare than 50%), they can just change it or sign up again.


..Or half realized that a fake one wouldn't cut it and signed back up with their real email.

A while ago I put more rigorous user tracking on a site of mine and found that a very large percentage of the dead accounts where just duplicates from active users.


While in most cases you probably don't want to prevent users from signing up, there are cases where a few hurdles can be a good thing. If you have a site that depends heavily on user-generated content and registration is pretty much exclusively for posting privileges, the registration process can be one means by which you filter for higher quality, more committed users (assuming your site is in any danger of having lots of users who will submit low-quality content).


Ativation emails are an outdated idea. It only takes one service to freely give away email addresses to make an activation email quite moot. The theory is that a genuine user can confirm sign-up using an out-of-band channel. So, if you want an account on a website then you confirm this action via an email. Some web based email systems get you to confirm via SMS. However, there's two problems with this practice. Web surfer != email user. Secondly, the out-of-band channel is open to abuse. For example, email or SMS details being sold to spammers.

A better approach is assume abuse and counter it with transparent levels of trust. This forum is close to ideal. Some counter that the existance of accounts themselves invites a futile game of whack-a-mole with people abusing trust. Others argue that it is a concise method to undo damage.

Regardless, you should allow users to do as much as possible without creating an account or giving an email address. If you don't then someone else will.


Look at it from a business perspective:

What do you gain from having an e-mail:

- usually nothing, unless you send your users spam.

What do you lose from having an e-mail:

- around 10% of your potential customers. (the number probably varies wildly from site to site)

- People who lose their password can't get into their account, unless they choose to provide an optional e-mail adress.

To me that is a pretty clear choice.


Confirmation emails might be useless, but notifications of new features are not spam.


I generally get annoyed at sites that keep emailing me about new features. I always unsubscribe or opt-out at sign in, but some people don't offer that feature.


Yup. If they don't let up, I mark those emails as "spam" in my Gmail. I guess that counts against them.

They should have a "Don't mail me bro" checkbox. I don't always agree with their definition of "spam".


Yes you're right - this was just off the top of my head...

There might of course also be other valid reasons for wanting an e-mail adresse.


Yeah, for example uniquely identifying users.


You can do that with a username....


True however then users have to think followed by get frustrated dreaming up a name. They already know their email address. And unless they already signed up its probably not taken.


I think the frustration of entering your email, checking you inbox and following a confirmation link is a lot more than the frustration of dreaming up a name - which you have to do anyway unless you use your email as a login.

I think that the metrics support this view as well.


An ability of directly communicating with your users has a very positive effect on a valuation of the company. One thing is when you have N million User IDs, and another - N millions emails.

Also if you are running a service with termed licensing, an email communication is how you drive the license renewal process. This sort of communication does not qualify as spam, because it is more of a service reminder rather than an unsolicited commercial offering.


I see your point, and of course you are right that it drives your valuation upwards if you can engage in a genuine conversation with your customers.

I was referring more to the sign-up stage though, where you tend to lose a lot of potential customers with obligatory confirmation e-mails.

But if you can get the conversation going after the critical sign-up step, you should by all means do so.


The other legitimate use of email is for actual features that use email-- internal messaging, invitations, notifications, reminders, etc.

All your users have it-- have you thought about when your users might like to be notified about new activity relating to them? (opt-in, of course)


You're absolutely right - this is a good reason for having a users e-mail. There are probably many others as well.

You just shouldn't request an obligatory email adress, or even worse a confirmation by email, unless you really have to. It tends to scare a lot of users away.


Exactly. The business metric of email lists will keep them from going extinct.


People use Mailinator anyway so it is just one more airport TSA type annoyance that accomplishes nothing.


True. But if you ever run an online forum, you notice that junk comments are typically posted anonymously. Adding even a small hurdle cuts down the amount of junk by as much as 80-90%.

It is similar to the "crime of opportunity" in real life .. or a "heat of the moment" if you will. Make people pause or engage before posting and most of them change their minds about posting crap.


Every day we loose something like 30% of users just because of activation emails. We can't change this since we have a partnership that it is currently forcing us to take the verification email but I'll not include any kind of a priori verification email in my next applications.

A decent way to handle the problem is to add the field in the profile and tell the user to fill the field in order to get notifications and to recover the password. It may be a good idea to display a warning in the profile if there is no verified email address for the account. The best way to make sure the users will actually enter their email addresses is to do something very useful with notifications and/or reports.


With the advent of services like mailinator (http://www.mailinator.com), it is getting easier to bypass these precautions, but at least it can be useful in ensuring the registrant is a human?


Two huge reasons that activation emails are worthwhile:

- validation (to a reasonable extent) that a user is who they say they are

- enhanced security for users

The whole war on sign up forms and the like is far overblown imo. If your users are going to have even a moderate level of ongoing interaction with your site (especially if your site has social aspects to it) it is necessary to include some form of identity verification.

I, for one, would think quite poorly of a company that allowed someone else to sign up for an account using my email address.


I mean, it's one thing if your site has very little interaction with its users. If you want to have any sort of meaningful long-term relationship, though, go ahead and verify them.


We stopped using activation email since the beginning. For simplebucket we took a different approach. By directing the site's usage strongly tied to a user's valid email address, we don't have to have activation email.

To upload their photos and later to admin those photos, our users have to go to this "secret url" that they will receive when they first upload their photos.


The problem I've found is sometimes they are spam-trapped (at least in my experience) and so you can lose people who you would want


the way we're handling this:

1) require no registration

2) allow registration for convenience or features that obviously require it.

3) send out an activation email, but don't bug or even inform the user on the website about it.

4) don't enforce activation.

since for many users activation is an automatism already, you'll still be able to verify a lot of email addresses, but without having to wait/check-spam for the email.


I think the point of the A List Apart article was to get your visitors involved before requiring a full sign up. Show them your app is actual valuable and useful to them before you require any commitment on their part. Once they're engaged a small sign-up form or an activation email is no longer a hassle.


I say don't use them at all. If your users are giving you fake emails then they don't really care too much about your service and are just testing it out, so why not let them test and play around and minimize resistance, maybe they will like it and end up adding a real email address or even subscribing.


I really like the idea of the soft activation, but for this site a working email address is pretty important (I think at the moment - of course that might change).

I also like the suggestion of the "you're not registered - here's the form with bits already filled in" style login.

Thanks for all the suggestions, and keep 'em coming!


What about in the situation where you're actually contacting other users on behalf of the registered user (think event planning)? In those cases, shouldn't you at least try to verify that the user is who they say they are? What are the alternatives?


Integrate clickpass :-)


Did that. Not all their email addresses are verified. At some point they'll have a secure way of passing on the information that a certain address is verified, but for now I have to verify them myself before sending other mail.


activation emails are trivial nowadays. too many bots beat the system. it used to add a level of security, but it doesn't anymore.

and you may be able to say the same for CAPICHAs later once someone devises a way to break them consistently.


why not use authentication APIs from yahoo/gmail/hotmail etc for the login/account creation process. It will accomplish not only validating email address, but also creating an account in one step.


One site to rule them all: bugmenot.com

Fuck compulsory registration.


I am going to stop using them.


Personally I think activation e-mails are dumb. People do way too much user security bullshit. Simple is better in many many cases. (All imho.)




Consider applying for YC's W25 batch! Applications are open till Nov 12.

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: