I can no longer recommend MailChimp

Newsletter firm goes bananas.

Graham Cluley


Do you have a problem with spam?

I do, but perhaps not the one that you imagine.

You see, the anti-spam system I have in place does do a pretty good job of siphoning away offers to purchase fake doctorates, malware posing as attached invoices, and emails in Cantonese or Russian that are trying to sell me… well, I don’t know what they’re trying to sell me as I don’t speak those languages.


But what’s more difficult to filter out are the legitimate newsletters that bombard my inbox.

Newsletters that I never signed up for.

When you’ve been doing what I do as long as I have, there are inevitably some folks who end up not liking you. Some of them might be online criminals, others may be folks who are upset about something I said on Twitter.

And a small number of these people might think it’s worth their effort to sign up my publicly-available email addresses to hundreds, no… thousands of legitimate newsletters and mailing lists that I have no interest in.

I’m not the only one who has suffered from these kinds of “email bomb” attacks – which are the equivalent of a denial-of-service attack on your inbox.

The only saving grace is that the better-managed newsletters ask you to confirm that you really really want to receive emails from them. They do this by sending a single email – normally with a clickable confirmation link – to the email address entered on their subscription form.

If you don’t respond to the confirmation email, you don’t get any follow-up emails. That’s how things are supposed to work. And it’s called double opt-in.
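To make the mechanism concrete, here is an added example (not MailChimp’s code, nor anything from the original post) of a minimal double opt-in flow: a form submission only creates a pending request and sends one confirmation email carrying an HMAC-signed, expiring token; only a valid click moves the address onto the list and records the consent. The secret key, the `example.invalid` confirmation URL and the `ListStore` helper are constructed for the demo.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field

SECRET_KEY = b"constructed-demo-secret-do-not-reuse"  # hypothetical; load from a secret store in practice
TOKEN_TTL = 48 * 3600        # confirmation links stop working after 48 hours
RESEND_INTERVAL = 10 * 60    # don't re-send a confirmation to the same address within 10 minutes


@dataclass
class ListStore:
    pending: dict = field(default_factory=dict)    # address -> (token, issued_at)
    confirmed: dict = field(default_factory=dict)  # address -> consent record
    outbox: list = field(default_factory=list)     # emails that would be sent (captured for the demo)


def _sign(address, nonce, issued_at):
    msg = f"{address}|{nonce}|{issued_at}".encode()
    return hmac.new(SECRET_KEY, msg, hashlib.sha256).hexdigest()


def request_subscription(store, address, now=None):
    """Step 1: the signup form is submitted. The address is NOT added to the list;
    a single confirmation email goes to the address that was entered."""
    now = int(time.time()) if now is None else now
    existing = store.pending.get(address)
    if existing and now - existing[1] < RESEND_INTERVAL:
        return existing[0]  # throttle: repeated submissions don't flood the inbox
    nonce = secrets.token_hex(8)
    token = f"{nonce}.{now}.{_sign(address, nonce, now)}"
    store.pending[address] = (token, now)
    store.outbox.append({"to": address, "subject": "Confirm your subscription",
                         "link": f"https://example.invalid/confirm?email={address}&t={token}"})
    return token


def confirm_subscription(store, address, token, now=None, source_ip="203.0.113.7"):
    """Step 2: the link is clicked. Only an unexpired token with a valid signature that
    matches the pending request moves the address onto the list (source_ip is a constructed value)."""
    now = int(time.time()) if now is None else now
    try:
        nonce, issued_str, sig = token.split(".")
        issued_at = int(issued_str)
    except ValueError:
        return False
    if not hmac.compare_digest(sig, _sign(address, nonce, issued_at)):
        return False
    if now - issued_at > TOKEN_TTL:
        return False
    pending = store.pending.get(address)
    if pending is None or not hmac.compare_digest(pending[0], token):
        return False  # unknown, superseded or already-used token
    del store.pending[address]
    store.confirmed[address] = {"confirmed_at": now, "confirmed_from": source_ip}  # consent record
    return True


def may_send_campaign(store, address):
    """Campaigns only go to addresses whose owner clicked the confirmation link."""
    return address in store.confirmed
```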

But when it comes to the benefits of double opt-in, don’t just take my word for it.

Here’s what MailChimp, a service that I and millions of others around the world use to send out email newsletters, was saying until quite recently:

Double opt in benefits

Double opt-in adds a layer of confirmation to your signup process before adding new subscribed contacts to your list, and it has three main benefits compared to single opt-in.

  • Protection against spambots, email scams, and fake subscribers, which could increase your monthly benefit rates.
  • Assurance of valid email addresses, confirmation that your subscribed contacts want to hear from you, and an archived record of the subscriber’s consent.
  • Higher campaign open rates, and lower bounce and unsubscribe rates.

All very sensible. And a good example of why, in the past, I have recommended MailChimp to organisations and individuals wishing to send out legitimate email newsletters.

Only problem is… after years of protecting internet users from unwanted newsletter subscriptions, MailChimp has had a change of heart.

Last week it quietly (I only found out by logging into my account, I never – ironically – received an email advisory from them) revealed that it would be switching its customers’ mailing lists to “single opt-in” rather than “double opt-in”.


What does that mean? It means that subscribers won’t have to confirm that they really really want to receive a newsletter. Which means that any toerag can enter your email address for a newsletter run on MailChimp’s systems that you don’t want and the onus will be on you to unsubscribe.

And MailChimp has, of course, removed the wording on its website about why double opt-in is a good thing that reduces unwanted emails and means that MailChimp users benefit from lower billing rates.

And how come MailChimp decided to change customers’ settings, and only gave them until October 31st to choose to stay with double opt-in going forward? Seven days’ notice is a ridiculously short amount of time, for a number of reasons – including that many of us already have processes in place that tell subscribers to await a confirmation email, and explain how we require confirmed opt-in to avoid spam sign-ups.

You won’t be surprised to hear that many folks were less than impressed with MailChimp’s decision.

All of this adds up to one conclusion: MailChimp has gone bananas.

Evidence that MailChimp has simply not thought through this switch to the ghastly single opt-in model becomes ever more clear when you consider that double opt-in is necessary in the European Union as a proof of consent under GDPR, and expressly required in Germany.

As MailChimp acknowledges in their latest pronouncement on the issue, they were completely clueless about the implications of what they were doing.

Well, they don’t quite say that. But it does appear that they’ve realised that what they tried to do might have ummm… some legal implications:

“We made this decision after receiving a lot of feedback from EU customers who told us that single opt-in does not align with their business needs in light of the upcoming GDPR and other local requirements. We heard you, and we’re sorry that we caused confusion. Customers located in the EU will receive an email from us today to let them know how we’ve changed the plan.”

“Please know we are committed to helping our customers get ready for the GDPR. Double opt-in provides additional proof of consent, and we suggest you continue using double opt-in if your business will be subject to the GDPR.”

(By the way MailChimp, I still haven’t received the first email – let alone the one you promise here)

So, MailChimp is turning around for lists run by European firms at least – we’ll stay as double opt-in by default.

Not that this necessarily avoids the GDPR issue however. As Marcus Bointon explained on Twitter:

That means that American businesses using MailChimp, for instance, need double opt-in if they wish to send newsletters to European citizens. Back to the drawing board MailChimp!

And you know what? MailChimp’s change of heart about switching my mailing list to single opt-in (as I’m based in Europe) doesn’t actually resolve my problem. Most MailChimp mailing lists are being switched to single opt-in, which means they will be used for email bombs, and their owners will end up paying MailChimp more money each month for all of those extra unapproved subscribers.

I complained publicly and privately, and was disappointed with MailChimp’s response.

As someone who has used and recommended MailChimp for *years* I feel massively let down by them.

Changing the settings for my own mailing list (which of course, I did) isn’t actually a solution. Sure, it stops toerags using my newsletter as an email bomb but it doesn’t stop many more MailChimp-run mailing lists switching to a system that will increase the amount of unwanted emails flying around the internet.

I can no longer recommend MailChimp. And with no other options available to me, and a company that seems unprepared to listen to its aggrieved users, the only thing I can do is switch mailing list provider and close my account.

They’ve got a few weeks to see the light and then I’ll be off.

To hear more about the MailChimp debacle, be sure to check out this edition of the “Smashing Security” podcast:

Smashing Security #050: 'MailChimp, Piers Morgan, and The Dark Overlord'


Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "Smashing Security" podcast. Follow him on Twitter, Mastodon, Threads, Bluesky, or drop him an email.

24 comments on “I can no longer recommend MailChimp”

  1. Chiny

    Ah, that explains why I have started getting extra spam. I've looked at the headers and can see
    several MailChimp X-headers. Tricky to filter on those headers, if real mailing lists still use MailChimp.

    I did try:
    X-Report-Abuse: Please report abuse for this campaign here: http://www.mailchimp.com/abuse/abuse.phtml?u=etcetc
    but that URL was useless; surprise, surprise.

  2. Andy

    They also have a pretty bad security problem at the moment with accounts getting hacked and used to send phishing emails. They're refusing to acknowledge or address the issue.

  3. Marcus

    The way to solve this is to set up a filter that bounces all that junk from Mailchimp right onto their CEO's inbox. I guarantee all mailing lists will default back to double opt-in within a day or two.

  4. Dave Lane (@lightweight)

    We've moved to Mautic. It's open source, so you can either use a commercially hosted version at mautic.net, or if you prefer (we do) host your own. Here's how we do it: oer.nz/mautichowto

  5. SG

    Thanks for this interesting post.
    I moved away from MailChimp a while ago when they discontinued their transactional email service (Mandrill) and added it as a MailChimp add-on.
    I didn't like it, so I looked around and have been using Sendy since then. It's a self-hosted newsletter app based on Amazon SES; it's been great so far.
    Maybe it'll suit you.

  6. David L

    How to reach financial ruin in one easy step…
    Cause harm to your user base! It's a sinking ship; their desperate move cries "Money Troubles" and most people will flee the "Sinking Ship".

    Many of these tech start-ups try to grow way too fast, lack the proper management skills, and experience, hence, failure after the investment capital is gone.

    1. eric · in reply to David L

      Puzzling thing here is that prior to this Mailchimp were the poster-children for sensible growth.

  7. Mailchimp CS/L

    Actually, GDPR applies to any company that handles data regarding persons who are in the European Union, regardless of citizenship, regardless of where the company is incorporated, etc.

    Please don't spread fake news.

    See article 3 below:

    Article 3

    Territorial scope

    1. This Regulation applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not.
    2. This Regulation applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to:
    the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or
    the monitoring of their behaviour as far as their behaviour takes place within the Union.
    3. This Regulation applies to the processing of personal data by a controller not established in the Union, but in a place where Member State law applies by virtue of public international law.

    1. eric · in reply to Mailchimp CS/L

      Bointon's tweet says this: " #GDPR applies to subscriber location, not account owners"

      Which appears to be consistent with what you're saying.

  8. Stuart Rock

    Very interesting article, Graham. Thank you.

    Of course it begs the simple question: which mailing list provider will you be moving to?

    1. Graham Cluley · in reply to Stuart Rock

      Well, if you sign-up for my newsletter you'll find out soon enough. ;)

      But bear in mind that my requirements may be quite different from those of a business regularly using email to keep in touch with its customers. It's not going to be a "one size fits all" solution would be my guess.

  9. KL

    Let's sign up mailchimp for some newsletters!

  10. Jason

    I switched over to AWeber a few months ago from MC, and seeing this just solidifies why I won't go back. Plus I like the one-on-one attention I get from AWeber's support reps.

    Drew on the AWeber team is super helpful. If anyone else is looking to switch I would definitely recommend working with him!

  11. The Shark

    Mail Chimp bros are the most self righteous dudes in Atlanta.

  12. Andy

    Hi Graham,

    Mail Chimp sent our company a notification of the change and then they back-pedalled a couple of days later with this…

    Last week, we sent you an email announcing that MailChimp is adding single opt-in as an option and making it the default setting in new and existing lists.

    However, because your primary contact address is in the EU, your existing forms will remain double opt-in. You can change your lists to single opt-in on the Signup Preferences page at any time. After November 3, you'll also be able to make that change in each list's settings.

    We made this decision after receiving a lot of feedback from EU customers who told us that single opt-in does not align with their business needs in light of the upcoming GDPR and other local requirements. We heard you, and we’re sorry that we caused confusion.

    Please know that we’re committed to helping our customers get ready for the GDPR. Double opt-in provides additional proof of consent, and we suggest you continue using double opt-in if your business will be subject to the GDPR.

    For more information on why MailChimp is making changes to our opt-in choices, read our blog post.

    Please reply to this email if you have any questions.

    1. Graham Cluley · in reply to Andy

      That is, sadly, evidence of another fail by MailChimp.

      GDPR cares little about where your company is based in the world, but rather where your users/customers are located

      In this case, the relevant information will be where email subscribers are located – not where companies creating MailChimp accounts are located.

      This is likely to bite both MailChimp and MailChimp customers in the bottom (as well as us poor email users, of course)

      1. James Manfield · in reply to Graham Cluley

        But how enforceable is GDPR, really, against companies with no nexus in the EU other than having customers there?

  13. Antoine

    That's a great article, and a shame for MailChimp. I'm in Canada, so I use Cyberimpact, which is built to follow the C-28 law (Anti-Spam Legislation). I don't know if it follows the GDPR exactly, but it probably does a good part of that.

  14. Tony Sagar

    Don’t be fooled this is a rant masquerading as a legitimate article.

    I have no problem with MailChimp's new policy. As long as every single email has an opt-out for the end user, it takes no more than a few seconds.

    Let me give you a perfect example, and this has nothing to do with MailChimp. Many times I’ve made purchases from many websites but have not signed up for their newsletter or flyers. Just by the simple fact of making a purchase… I get these promotional flyers. I have the option to opt out at any time. I’m not offended… since I already showed interest in that particular company or product, it’s legitimate that I might be interested in additional offers or information despite the fact I did not opt in.

    What really offends me is any spam email where I do not have this opt out feature.

    1. Graham Cluley · in reply to Tony Sagar

      You've clearly never been mail-bombed.

      What you describe doesn't scale to the scenario I describe: when you've suddenly been added to 10,000+ mailing lists which only had single opt-in.

    2. Matt King · in reply to Tony Sagar

      The problem with this is that a lot of spam emails use the unsubscribe option to confirm that your email is in fact legit and active. Your email is now more valuable and added to even more lists.

  15. Beth

    Double opt-in isn't a requirement but automatically updating everyone's preferences to single opt-in doesn't seem fair. We've informed all our current and new clients of the double opt-in options and give them the choice of what they want to do – though we do highly recommend it as best practice at mmunic mail. An extra level of consent is recorded and it ensures the data going into the lists is good quality. I wonder if they'll release further reasoning for this decision?

  16. Lonster

    GDPR will have an impact on the number of emails that companies send. Many companies will have sent an email prior to the GDPR coming into effect asking their subscribers to re-consent if they wish to continue receiving marketing emails.

    Now consider this…let's say a company has 10,000 subscribers on its email marketing list. It sends an email prior to GDPR (25.05.2018) asking for re-consent. Let's say only 50% (optimistic) of recipients actually open it and of those only 50% click on the re-consent option.

    So from 10,000 subscribers only 5,000 actually opened the email. Of those 5,000 only 2,500 re-consented. So from an original email marketing list of 10,000 this example company is now down to just 2,500 re-consenting subscribers, a loss of 75%. So this company will now be sending 75% fewer emails through Mailchimp and that is why Mailchimp decided on single opt-in. Their revenues will no doubt be hit by this.

    We are now seeing the effects of GDPR coming into play, resulting in fewer emails, fewer display ads, etc. It's a hardship for any company with an EU user/subscriber base.

  17. Jason Michael

    What strikes me most about Mailchimp is how 'unprepared' they are for GDPR. Chaos has reigned for my account. 90% drop-off for subscribers? That's not Mailchimp's fault, but just getting the software to function correctly is a nightmare. Entire lists of new subscribers are deemed 'stale addresses', the segmentation of people who opted in and didn't is incredibly sloppy, and Mailchimp's attempt at managing the whole process is one long article that simply does not stack up. I've been in contact with support, who have been bordering on useless, and when probed to give simple answers to how Mailchimp now functions they fall back on 'Contact a lawyer'. The only explanation I can think of for a company as large and tightly focused as Mailchimp to be so 'caught with their pants down' about this issue and utterly useless in helping adjust to it is the fact it has instantly chopped their revenue stream (subscribers), so they're playing dumb in the hope people will just stick with the old (higher subscriber) ways for as long as possible.
