Klaviyo double opt-in not working
Why a Klaviyo double opt-in confirmation email never arrives — DKIM on confirmation domain, list-level vs profile-level settings, custom domain misconfig, and inbox placement issues.
Published: 2026-05-19. Updated: 2026-05-19.
Double opt-in is supposed to be a quality filter — only subscribers who confirm get added to your active list, which produces a higher-engagement list at the cost of fewer raw signups. When the confirmation email doesn't arrive, that filter becomes a black hole. Subscribers sign up, never confirm, never get any further communication, and either forget about your brand or eventually complain that they "signed up but never heard back."
This page covers the common failure modes for a Klaviyo double opt-in flow. Most are authentication-related; a few are configuration-related; a small number are subscriber-side issues that you can't directly fix but should still recognize.
Quick diagnosis checklist
- Open Lists & Segments → click your main list → Settings. Confirm double opt-in is actually enabled. The default in Klaviyo accounts is set account-wide, but per-list settings override; a list created via API or migrated from another system may have a different setting than expected.
- Verify your sending domain authentication. Settings → Email → Sending domain → look at DKIM and SPF status. Both should show as Verified. If either is broken, your confirmation email is being filtered.
- Send a test signup to an address you control. Use Gmail, Yahoo, and Outlook addresses if possible — confirmation email behavior often differs between ISPs.
- Wait five minutes, then check spam folders. If the message is in spam, you have an authentication or content issue, not a delivery issue.
- Open the affected profile in Klaviyo. Check its subscription state. "Pending double opt-in" means the confirmation email was sent (or attempted) but never confirmed. "Subscribed" means they did confirm. "Not subscribed" means the signup never landed in the list at all (a list-assignment issue, not a confirmation issue).
- Check the suppression list. If the test address you used is suppressed (hard-bounced previously, complained previously), the confirmation email won't send.
If everything looks right but confirmations still aren't arriving, move into the failure-mode details below.
1. Authentication failure on the sending domain
The single most common cause. The confirmation email is the first message your sending domain has ever sent to a particular subscriber's mail provider, which means it gets scrutinized harder than any subsequent message. If DKIM, SPF, or DMARC alignment is broken, this message gets filtered first.
How to verify. Klaviyo: Settings → Email → Sending domain → check status. All three should show as Verified or Aligned. External check: send a test through Mail-Tester.com or use MxToolbox's SuperTool on your sending domain. The diagnostic will identify which specific authentication record is failing.
Common breakage patterns. A DNS provider migration broke the CNAME records that point your branded sending domain back to Klaviyo. A DMARC policy was changed from p=none to p=reject before all sending sources were verified. An SPF record was rewritten and Klaviyo's IPs were dropped. A CNAME was added with wrong subdomain casing or trailing dot.
How to fix. Re-publish whatever DNS record failed. Allow up to 24 hours for DNS propagation. Re-verify in Klaviyo. The system will retry sending pending confirmation emails once authentication is healthy.
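To see which check failed on a test confirmation email, open the message's raw headers in the receiving mailbox and read the `Authentication-Results` header. The parser below is an added example, not Klaviyo tooling or code from this page; the sample headers and every domain in them are constructed placeholders, and the two-label organizational-domain shortcut is an assumption.

```python
import email
import re
from email import policy
from email.utils import parseaddr

# Constructed sample: SPF and DKIM both pass, but for a shared domain that does
# not match the visible From: domain, so DMARC fails. All domains are placeholders.
SAMPLE = """\
Authentication-Results: mx.recipient.example;
 dkim=pass header.d=shared-esp.example header.s=s1;
 spf=pass smtp.mailfrom=bounce.shared-esp.example;
 dmarc=fail (p=REJECT) header.from=yourbrand.example
From: Your Brand <hello@yourbrand.example>
Subject: Confirm your subscription
"""

DOMAIN_RE = re.compile(
    r"(?:header\.d|smtp\.mailfrom|header\.from)=(?:[^\s@;]*@)?([\w.-]+)")

def org_domain(domain):
    """Approximate the organizational domain as the last two labels.
    Assumption: real DMARC evaluators use the Public Suffix List instead."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def diagnose(raw):
    """Report SPF/DKIM/DMARC results and alignment with the From: domain."""
    msg = email.message_from_string(raw, policy=policy.default)
    from_dom = parseaddr(str(msg["From"] or ""))[1].rpartition("@")[2]
    seen = {"spf": [], "dkim": [], "dmarc": []}
    for hdr in msg.get_all("Authentication-Results", []):
        unfolded = " ".join(str(hdr).split())
        for part in unfolded.split(";")[1:]:  # first field is the reporting host
            m = re.match(r"\s*(spf|dkim|dmarc)=(\w+)", part)
            if m:
                dom = DOMAIN_RE.search(part)
                seen[m.group(1)].append((m.group(2), dom.group(1) if dom else ""))

    def aligned(method):
        # Relaxed alignment: a passing result whose domain shares the
        # organizational domain of the visible From: address.
        return any(res == "pass" and d and org_domain(d) == org_domain(from_dom)
                   for res, d in seen[method])

    report = {"from_domain": from_dom, "spf_aligned": aligned("spf"),
              "dkim_aligned": aligned("dkim"), "findings": [],
              "dmarc": seen["dmarc"][0][0] if seen["dmarc"] else "none"}
    for method in ("spf", "dkim"):
        if not report[method + "_aligned"]:
            doms = ", ".join(d for _, d in seen[method]) or "no result"
            report["findings"].append(f"{method} not aligned with {from_dom} ({doms})")
    if report["dmarc"] != "pass":
        report["findings"].append(f"dmarc={report['dmarc']}: needs aligned SPF or DKIM")
    return report
```

A `pass` for SPF or DKIM on its own is not enough: DMARC only passes when at least one of them passes for a domain aligned with the From: address, which is what a broken branded-domain CNAME takes away.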
2. Branded sending domain misconfigured
If you've set up a custom branded sending domain (e.g., mail.yourbrand.com instead of an email.shopify.com-style default), the configuration involves several DNS records that all need to be correct. A misconfiguration here breaks every send, including confirmation emails.
How to verify. Klaviyo: Settings → Email → Sending domain → look at the branded domain configuration. Each required DNS record (typically: CNAME for DKIM, CNAME for return path, optional SPF include) shows as Verified or Failed. Failed records identify which DNS entry is wrong.
How to fix. Re-publish the failed DNS record exactly as Klaviyo specifies. Pay attention to CNAME casing (case-sensitive at some DNS providers), trailing dots (some providers add them, some require them omitted), and TXT record formatting (quotes, escape characters).
Why this hits double opt-in specifically. Branded sending domains have less established sending reputation than the default shared infrastructure. First-contact messages from a branded domain are scrutinized harder than from a shared domain. The confirmation email is, definitionally, the first contact — so authentication mistakes manifest here first.
3. The confirmation message is landing in spam
Even with perfect authentication, confirmation emails can land in spam if the content triggers filters, the domain has low sending reputation (new domain), or the subscriber's mail provider runs aggressive filtering.
How to verify. Run a test signup with an address you control. Wait five minutes. Check both inbox and spam folder. If the message is in spam, the issue is filtering, not delivery.
Common triggers. Subject line that looks promotional ("CONFIRM YOUR DISCOUNT" with caps and percent sign). Aggressive call-to-action in plain HTML without enough plain text. New sending domain with no reputation history. Image-heavy template with minimal text.
How to fix. Subject line: keep it clean, sentence case, no urgency markers — "Confirm your subscription" is the canonical pattern. Content: enough plain text relative to images. Authentication: verified per above. If your domain is new, expect spam-folder issues for the first few weeks until reputation builds; pre-warming with low-volume sends to engaged addresses helps.
4. Double opt-in not actually enabled at the list level
A surprisingly common misconfiguration. Double opt-in in Klaviyo is set per-list, not account-wide. If your account default is double opt-in but a specific list was created with single opt-in, that list's new signups don't get a confirmation email at all.
How to verify. Lists & Segments → Lists → click each list → Settings → check the opt-in setting. Lists created via API often inherit different defaults than manually-created lists.
How to fix. Toggle the setting to double opt-in for any list where you want confirmation. Note: this only affects new signups; profiles already on the list aren't re-sent confirmations.
5. The subscriber is on the suppression list
If a profile has been suppressed previously (bounced, complained, or manually suppressed), the confirmation email won't send. They re-sign-up, nothing happens, and they wait for an email that won't arrive.
How to verify. Search for the profile in Klaviyo. If it appears with a suppression flag, that's the issue. If it doesn't appear at all, the signup never landed (different problem).
How to fix. Suppressed profiles need to be unsuppressed manually if you want to re-engage them. This requires judgment — they were suppressed for a reason (bounced, complained, requested removal). Don't bulk-unsuppress without a real reason; you risk reputation damage.
6. The signup never landed in Klaviyo at all
Less common than the previous causes but worth checking. If the profile doesn't exist in Klaviyo after signup, the issue is upstream — the form, the integration, or whatever sent the profile to Klaviyo.
How to verify. Search the profile by email. If it doesn't exist, the signup never registered. Check your form's settings (Klaviyo form, Shopify customer-account opt-in, a third-party tool feeding Klaviyo via API).
Common causes. Klaviyo.js not loading on the page (ad blockers, JS conflicts, page-builder app interference). Form configuration sending to the wrong list. API integration failing silently on a third-party tool. Shopify customer-account opt-in checkbox set to opt-out by default and customer not opting in.
How to fix. Depends on the form source. For Klaviyo forms, audit the form's targeting and load order. For Shopify accounts, audit the opt-in checkbox state. For third-party tools, check their API logs.
How to verify the fix
After making any change, here's how to confirm double opt-in is working again.
- Run a test signup. Use an address at a major ISP you control (Gmail recommended, since it's where most consumer subscribers are).
- Wait three to five minutes. Confirmation emails usually arrive in under a minute, but allow for processing.
- Check inbox and spam. Both. If in spam, you have a content or reputation issue; if missing entirely, you have an auth or delivery issue.
- Click the confirmation link. Confirm in the destination ISP. The profile should now show "Subscribed" in Klaviyo.
- Verify the welcome flow fires. Confirmed subscribers should enter your welcome flow. Check Latest Entries on the welcome flow to confirm.
If all five checks pass, double opt-in is working. Worth re-running this test from each of the major ISPs (Gmail, Yahoo, Outlook, Apple) periodically — behavior often differs between them.
Why this fails so often
Double opt-in is structurally fragile because it depends on a first-contact message succeeding to a subscriber's mail provider that has no relationship with your sending domain. Every other email you send is to a profile that's already confirmed, opened previous messages, and built some reputation with the ISP. The confirmation email is the only message where you have zero engagement history with the recipient.
This is why authentication matters so much. ISPs use authentication and reputation in roughly that order to decide whether a first-contact message lands in inbox or spam. Without authentication, the message is going to spam by default. Without good content (clean subject, balanced content, no urgency markers), it goes to spam more often. Without reputation built up over time, it goes to spam more often still.
The operational answer is to monitor confirmation rate continuously. If your list normally confirms 60-80% of signups and that rate drops to 30%, something just broke — either authentication, content, or delivery. The drop shows up before the long-tail revenue impact (engaged-list size shrinking, new-customer acquisition slowing) reaches your dashboards.
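One way to compute that signal, as an added example rather than Playbook's or Klaviyo's own logic. The 50% alert threshold is the figure quoted on this page; the record shape, the 24-hour confirmation window, the minimum sample size and the sample data are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

ALERT_BELOW = 0.50            # threshold quoted on this page
GRACE = timedelta(hours=24)   # assumption: time a subscriber gets to confirm
MIN_SAMPLE = 20               # assumption: skip days with too few matured signups

def daily_confirmation_rates(signups, now):
    """signups: iterable of (signup_time, confirmed_time_or_None).
    Returns {date: (rate, matured_count)}, counting only signups older than GRACE."""
    buckets = defaultdict(lambda: [0, 0])      # date -> [confirmed, matured]
    for signed_up, confirmed in signups:
        if now - signed_up < GRACE:
            continue   # still inside the window; counting it would bias the rate low
        day = buckets[signed_up.date()]
        day[1] += 1
        if confirmed is not None and confirmed - signed_up <= GRACE:
            day[0] += 1
    return {d: (c / n, n) for d, (c, n) in sorted(buckets.items())}

def findings(signups, now):
    """Dates whose matured confirmation rate fell below the alert threshold."""
    return [d for d, (rate, n) in daily_confirmation_rates(signups, now).items()
            if n >= MIN_SAMPLE and rate < ALERT_BELOW]

def build_sample():
    """Constructed data: 40 signups a day for three days; confirmations drop on day 3."""
    start = datetime(2026, 5, 1, 9, 0)
    rows = []
    for day, confirmed_count in enumerate([28, 30, 12]):
        for i in range(40):
            t = start + timedelta(days=day, minutes=i)
            rows.append((t, t + timedelta(minutes=5) if i < confirmed_count else None))
    # Five fresh signups that have not had time to confirm yet.
    rows += [(start + timedelta(days=3, minutes=i), None) for i in range(5)]
    return rows, start + timedelta(days=3, hours=1)

if __name__ == "__main__":
    rows, now = build_sample()
    for day, (rate, n) in daily_confirmation_rates(rows, now).items():
        print(day, f"{rate:.0%} of {n}")
    print("findings:", findings(rows, now))
```

Excluding signups that are still inside the confirmation window matters: without it, every recent day looks like a drop and the alert fires constantly.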
Frequently asked questions
- Why isn't my Klaviyo double opt-in confirmation email arriving?
- Five common causes: authentication failure on the sending domain (DKIM/SPF/DMARC not aligned), the confirmation message landing in spam, double opt-in not actually enabled on the list (the toggle was set incorrectly), the subscriber being on the suppression list, or the custom branded sending domain being misconfigured. Run through them in order — DNS first, then list setting, then suppression.
- Where do I check if double opt-in is enabled in Klaviyo?
- Per-list, not account-wide. Open Lists & Segments → Lists → click the specific list → Settings → check the 'Single opt-in' or 'Double opt-in' setting. Klaviyo accounts have a default account-level preference, but per-list settings override it. A list created via API may have inherited a different setting than your manually-created lists.
- Can DKIM failures break the confirmation email specifically?
- Yes. The confirmation email is the most likely to be filtered by an ISP because it's the first message the subscriber's mail provider has ever seen from your sending domain. Authentication failures (DKIM not aligned, SPF not authorizing, DMARC failing) hit hardest on first-contact messages. Verify authentication via Settings → Email → Sending → check status; check at MxToolbox if you want the external view.
- Should I use single opt-in or double opt-in?
- Double opt-in for serious sender reputation, single opt-in for maximum list growth velocity. Double opt-in trades 20-40% of new subscribers (the people who never confirm) for materially stronger engagement and deliverability. Most established brands run double opt-in. Brands optimizing for top-of-funnel acquisition often run single opt-in and accept the engagement cost.
- Why is my custom branded sending domain failing on confirmation emails?
- Custom branded domains require correct DNS configuration (CNAME records pointing back to Klaviyo, SPF includes, DKIM key published). A missing or wrong record will cause authentication to fail. Run a test through Mail-Tester or MxToolbox to see exactly which authentication step is failing — the diagnostic will tell you which DNS record is the problem.
- Can the confirmation email be blocked by the subscriber's own spam filter?
- Yes, frequently. Even with perfect authentication on your end, a subscriber's enterprise spam filter or aggressive personal filter can hold the message. The first-contact message is most likely to be filtered. If you're getting consistent reports of missing confirmation emails from a specific corporate domain, the corporate filter is the issue, not your sending.
- How do I unsubscribe a profile that's stuck in 'pending confirmation' state?
- Open the profile → check its subscription state. If it shows 'Pending double opt-in,' you can manually unsubscribe it via the profile UI or via API. Note that re-sending the confirmation isn't a built-in feature — if a subscriber didn't confirm and you suspect delivery, you'll need to either add them again (which restarts the flow) or contact them via another channel.
- Will Playbook detect a broken double opt-in flow?
- Yes. We monitor confirmation-email delivery rate as part of the welcome-flow signal set. A list with double opt-in enabled and a confirmation rate below 50% (vs an expected 60-80%) raises a finding. The diagnostic deep link goes to the list's settings page and the relevant authentication status screen.