Universal email verification plugin (for DOI Double Opt-In and more)

Ekke Guembel 20/06/2025 13:35

Has your proposal been discussed on the Mautic Forums already?
https://mautic.slack.com/archives/CFYFTLK6K/p1748966042880959
and
https://forum.mautic.org/t/universal-email-verification-for-doi-double-opt-in-and-more/35906

Is your feature request related to a problem? Please describe.
Double Opt-In a.k.a. #DOI (or to be more general: a mechanism for proving the authenticity of a form submission) is an important feature these days.

Mautic has nothing like that built-in, so people have to build complex things manually and redundantly, struggling with all sorts of challenges from "email is not sent immediately" to "how can I prove xyz?"

There are 3rd party solutions and tutorials, but none even close to being universal and user-friendly.

Describe the solution you'd like
The following specs describe the solution that resulted from a lot of iterations and feedback from others.

It consists of 3 stages:

mvp
basic feature complete
future ideas

We intend to implement this as a high-quality 3rd-party plugin first, for Mautic 5. Maybe it can be part of Mautic 7 core.

The general concept is to see the DOI (email verification of a form submission) as integral part of the form - and simply have form actions that are only triggered once the DOI link has been clicked. No campaigns needed.

Stage 1: MVP

a) Mautic form backend view

Changes in the Mautic form backend view / “Actions” tab:
- Headline “Actions immediately after form submit” above existing dialogue
- Headline “Actions after successful email verification” underneath existing dialogue
- All form actions in “Actions immediately after form submit” automatically show up in “Actions after successful email verification” as well
- (NOTE: “actions after email verification timeout” is out of scope for Stage 1)
- (NOTE: “update contact conditionally” is out of scope for Stage 1)

New “Email Verification / DOI” tab in Mautic form backend view
- Headline “Email Verification (“Double Opt-In”) Details
- “Verification email to send” - standard dropdown to select from existing emails - MANDATORY
- “Follow-up email to send” - standard dropdown to select from existing emails - OPTIONAL
- “Thankyou page redirect URL (after successful email verification)” - URL input field - OPTIONAL
- “Verification error redirect URL (after unsuccessful email verification, e.g. timeout or invalid hash value)” - URL input field - OPTIONAL
- (NOTE: “Skipping the Email Verification” is out of scope for Stage 1)

DOI --- Form Tab - Email Verification - DOI

b) DOI Link

new email token {doi_link} can be used in emails, which is rendered as link to our doi endpoint
- obviously this will have to contain a hash value → generated as HMAC of (submission_id, email, timestamp). (That avoids exposing a predictable auto-increment ID in URLs and protects against rainbow-table lookups.)
- only the hash is stored (not the values in clear at this point.)
When {doi_link} is clicked and hash is recognized:
- Redirect browser to feedback page
  - if configured: “Thankyou page redirect URL (after successful email verification)”
  - else: To an unstyled HTML page that says “Email verification successful.”
- Timestamp is saved in form_submissions.doi_date_confirmed
- “Actions after successful email verification” are initiated
  - This should be the actions as they were defined when the form was submitted.
  - NOTE: If it is easier to use the actions as they are defined when the email is verified, please discuss with PM
If {doi_link} is clicked and something goes wrong, e.g. hash is not recognized:
- Redirect browser to feedback page
  - if configured: “Verification error redirect URL ”
  - else: To an unstyled HTML page that says “Something went wrong! Email verification unsuccessful.”

c) DOI Email and Follow-Up

Upon form submit: “Verification email to send” is sent to leads.email
After “Follow-up wait time” (as defined in plugin config) has expired and {doi_link} has not been clicked : “Follow-up email to send” is sent to leads.email
- This can be triggered by a console command (via cron)

d) Plugin configuration

plugin configuration allows setting
- “Follow-up wait time (hours)” - integer input
  - (?) text: When do you want the follow-up email to be sent for missing email verification? (Hint: You need a cron job to be set up for this!)
- (Out of scope: set global timeout)
- (Out of scope: activate housekeeping)

Stage 2: basic feature complete

Skipping the Email Verification
- e.g. based on form field values or contact field values
- or based on existing Mautic cookie and preexisting DOI for that cookie (i.e. we KNOW the owner of this cookie has already proven that tehy also own the email address given)
- including modified form submission feedback in case of skipping
“conditional actions” (outside of this plugin?)
- e.g. update contact (if <form field> <operator> then <contact field> <value | calculated value>)
- NOTE: This can currently be replaced by a campaign
  - Start campaign from form action
  - have condition on form field values MOI=1
  - then set contact field MOI=1 and something like MOI_confirmed concat (timestamp)
Persist form field status at time of submission (write forms.cached_html to form_submissions.doi_formstatus)
Token expiry setting
Handling of “leads.email empty / no form field maps to leads.email”

Stage 3: Future ideas

new form action: "update Marketing Opt-In" (= extra convenience!)
- fixed custom fields “moi” (bool and audit) - or rather dedicated table?
- select form field that decides Opt-in given or not
- select contact's MOI bool field (sets to true or false depending on form field value)
- select contact’s MOI audit field (adds timestamp/action/form submission to field value)
- campaign condition and segment filter to check “moi” bool status
allow multiple moi flavors (e.g. per brand)
- define available moi flavors in plugin config, and optional default)
  - plugin comes with one generic moi flavor
  - user cannot delete all flavors
- user can choose applicable moi flavor in form action
Direct support for Mautic Landing Pages as feedback pages (“Thankyou page redirect URL” / “Verification error redirect URL”) after DOI link click (those can of course be given as URL)
Set generic feedback pages (“Thankyou page redirect URL” / “Verification error redirect URL”) in plugin configuration
- → Use those as preset in new forms
Multi-language features (normally not required as forms are currently single-language, too)
- translated doi emails
- language-aware redirects
- language-aware generic feedback pages
multi-brand (i.e. URL aware) generic feedback pages
per-form “Follow-up wait time”
housekeeping, i.e. cleanup of non-confirmed DOIs
- global or per-form cleanup timeout definition
NHI honeypot awareness / support
Offer only emails in “Email Verification (“Double Opt-In”) Details that contain the {doi_link} token
MAYBE LATER, MAYBE NEVER: Generic Audit trail

Describe alternatives or workarounds you've considered
Can't recall. A ton.

Additional context
I think I covered it all :)

Does this issue could impact on users private data?
yes

Funded by
Leuchtfeuer Digital Marketing

#Mautic

Comment

Filter results for category: Mautic 7 [breaking changes allowed]

Amend

0 comments

Best rated

Recent

Older

Most discussed

Loading comments ...

Reference: MAUTIC-PROP-2025-06-178
Version number 3 (of 3) see other versions

Fingerprint

The piece of text below is a shortened, hashed representation of this content. It is useful to ensure the content has not been tampered with, as a single modification would result in a totally different value.

Value: 858a0173df1f239c884e04c022ed6e9eb694d06a41bf31ffb73237e8493beda9

Source:

{"body":{"en":"<p><strong>Has your proposal been discussed on the Mautic Forums already?</strong><br><a target=\"_blank\" href=\"https://mautic.slack.com/archives/CFYFTLK6K/p1748966042880959\">https://mautic.slack.com/archives/CFYFTLK6K/p1748966042880959</a><br>and<br><a target=\"_blank\" href=\"https://forum.mautic.org/t/universal-email-verification-for-doi-double-opt-in-and-more/35906\">https://forum.mautic.org/t/universal-email-verification-for-doi-double-opt-in-and-more/35906</a><br></p><p><strong>Is your feature request related to a problem? Please describe.</strong><br>Double Opt-In a.k.a. #DOI (or to be more general: a mechanism for proving the authenticity of a form submission) is an important feature these days.</p><p>Mautic has nothing like that built-in, so people have to build complex things manually and redundantly, struggling with all sorts of challenges from \"email is not sent immediately\" to \"how can I prove xyz?\"</p><p>There are 3rd party solutions and tutorials, but none even close to being universal and user-friendly.</p><p><strong>Describe the solution you'd like</strong><br>The following specs describe the solution that resulted from a lot of iterations and feedback from others.</p><p>It consists of 3 stages:</p><ul>\n<li><p>mvp</p></li>\n<li><p>basic feature complete</p></li>\n<li><p>future ideas</p></li>\n</ul><p>We intend to implement this as a high-quality 3rd-party plugin first, for Mautic 5. Maybe it can be part of Mautic 7 core.</p><p><strong>The general concept is to see the DOI (email verification of a form submission) as integral part of the form - and simply have form actions that are only triggered once the DOI link has been clicked. </strong>No campaigns needed.</p><p><strong><u>Stage 1: MVP</u></strong></p><p><em><strong>a) Mautic form backend view</strong></em></p><ul><li>\n<p>Changes in the Mautic form backend view / “Actions” tab:</p>\n<ul>\n<li><p>Headline “Actions immediately after form submit” above existing dialogue</p></li>\n<li><p>Headline “Actions after successful email verification” underneath existing dialogue</p></li>\n<li><p>All form actions in “Actions immediately after form submit” automatically show up in “Actions after successful email verification” as well</p></li>\n<li><p>(NOTE: “actions after email verification timeout” is out of scope for Stage 1)</p></li>\n<li><p>(NOTE: “update contact conditionally” is out of scope for Stage 1)</p></li>\n</ul>\n</li></ul><div class=\"editor-content-image\" data-image=\"\"><img src=\"gid://app/ActiveStorage::Blob/2042%20---%20Form%20Tab%20-%20actions.png\" alt=\"DOI --- Form Tab - actions\"></div><ul><li>\n<p>New “Email Verification / DOI” tab in Mautic form backend view</p>\n<ul>\n<li><p>Headline “Email Verification (“Double Opt-In”) Details</p></li>\n<li><p>“Verification email to send” - standard dropdown to select from existing emails - MANDATORY</p></li>\n<li><p>“Follow-up email to send” - standard dropdown to select from existing emails - OPTIONAL</p></li>\n<li><p>“Thankyou page redirect URL (after successful email verification)” - URL input field - OPTIONAL</p></li>\n<li><p>“Verification error redirect URL (after unsuccessful email verification, e.g. timeout or invalid hash value)” - URL input field - OPTIONAL</p></li>\n<li><p>(NOTE: “Skipping the Email Verification” is out of scope for Stage 1)</p></li>\n</ul>\n</li></ul><p></p><div class=\"editor-content-image\" data-image=\"\"><img src=\"gid://app/ActiveStorage::Blob/2043%20---%20Form%20Tab%20-%20Email%20Verification%20-%20DOI.png\" alt=\"DOI --- Form Tab - Email Verification - DOI\"></div><p><em><strong>b) DOI Link</strong></em></p><ul>\n<li>\n<p>new email token {doi_link} can be used in emails, which is rendered as link to our doi endpoint</p>\n<ul>\n<li><p>obviously this will have to contain a hash value → generated as <strong>HMAC of (submission_id, email, timestamp)</strong>. (That avoids exposing a predictable auto-increment ID in URLs and protects against rainbow-table lookups.)</p></li>\n<li><p>only the hash is stored (not the values in clear at this point.)</p></li>\n</ul>\n</li>\n<li>\n<p>When {doi_link} is clicked and hash is recognized:</p>\n<ul>\n<li>\n<p>Redirect browser to feedback page</p>\n<ul>\n<li><p>if configured: “Thankyou page redirect URL (after successful email verification)”</p></li>\n<li><p>else: To an unstyled HTML page that says “Email verification successful.”</p></li>\n</ul>\n</li>\n<li><p>Timestamp is saved in form_submissions.doi_date_confirmed</p></li>\n<li>\n<p>“Actions after successful email verification” are initiated</p>\n<ul>\n<li><p>This should be the actions as they were defined <strong>when the form was submitted</strong>.</p></li>\n<li><p>NOTE: If it is easier to use the actions as they are defined <strong>when the email is verified</strong>, please discuss with PM</p></li>\n</ul>\n</li>\n</ul>\n</li>\n<li>\n<p>If {doi_link} is clicked and something goes wrong, e.g. hash is not recognized:</p>\n<ul><li>\n<p>Redirect browser to feedback page</p>\n<ul>\n<li><p>if configured: “Verification error redirect URL ”</p></li>\n<li><p>else: To an unstyled HTML page that says “Something went wrong! Email verification unsuccessful.”</p></li>\n</ul>\n</li></ul>\n</li>\n</ul><p><em><strong>c) DOI Email and Follow-Up</strong></em></p><ul>\n<li><p>Upon form submit: “Verification email to send” is sent to leads.email</p></li>\n<li>\n<p>After “Follow-up wait time” (as defined in plugin config) has expired and {doi_link} has <strong>not</strong> been clicked : “Follow-up email to send” is sent to leads.email</p>\n<ul><li><p>This can be triggered by a console command (via cron)</p></li></ul>\n</li>\n</ul><p><em><strong>d) Plugin configuration</strong></em></p><ul><li>\n<p>plugin configuration allows setting</p>\n<ul>\n<li>\n<p>“Follow-up wait time (hours)” - integer input</p>\n<ul><li><p>(?) text: When do you want the follow-up email to be sent for missing email verification? (Hint: You need a cron job to be set up for this!)</p></li></ul>\n</li>\n<li><p>(Out of scope: set global timeout)</p></li>\n<li><p>(Out of scope: activate housekeeping)</p></li>\n</ul>\n</li></ul><p></p><p><u>Stage 2: basic feature complete</u></p><ul>\n<li>\n<p>Skipping the Email Verification</p>\n<ul>\n<li><p>e.g. based on form field values or contact field values</p></li>\n<li><p>or based on existing Mautic cookie and preexisting DOI for that cookie (i.e. we KNOW the owner of this cookie has already proven that tehy also own the email address given)</p></li>\n<li><p>including modified form submission feedback in case of skipping</p></li>\n</ul>\n</li>\n<li>\n<p>“conditional actions” (outside of this plugin?)</p>\n<ul>\n<li><p>e.g. update contact (if &lt;form field&gt; &lt;operator&gt; then &lt;contact field&gt; &lt;value | calculated value&gt;)</p></li>\n<li>\n<p>NOTE: This can currently be replaced by a campaign</p>\n<ul>\n<li><p>Start campaign from form action</p></li>\n<li><p>have condition on <strong>form</strong> field values MOI=1</p></li>\n<li><p>then set <strong>contact</strong> field MOI=1 and something like MOI_confirmed concat (timestamp)</p></li>\n</ul>\n</li>\n</ul>\n</li>\n<li><p>Persist form field status at time of submission (write forms.cached_html to form_submissions.doi_formstatus)</p></li>\n<li><p>Token expiry setting</p></li>\n<li><p>Handling of “leads.email empty / no form field maps to leads.email”</p></li>\n</ul><p><u>Stage 3: Future ideas</u></p><ul>\n<li>\n<p>new form action: \"update Marketing Opt-In\" (= extra convenience!)</p>\n<ul>\n<li><p>fixed custom fields “moi” (bool and audit) - or rather dedicated table?</p></li>\n<li><p>select form field that decides Opt-in given or not</p></li>\n<li><p>select contact's MOI bool field (sets to true or false depending on form field value)</p></li>\n<li><p>select contact’s MOI audit field (adds timestamp/action/form submission to field value)</p></li>\n<li><p>campaign condition and segment filter to check “moi” bool status</p></li>\n</ul>\n</li>\n<li>\n<p>allow multiple moi flavors (e.g. per brand)</p>\n<ul>\n<li>\n<p>define available moi flavors in plugin config, and optional default)</p>\n<ul>\n<li><p>plugin comes with one generic moi flavor</p></li>\n<li><p>user cannot delete all flavors</p></li>\n</ul>\n</li>\n<li><p>user can choose applicable moi flavor in form action</p></li>\n</ul>\n</li>\n<li><p>Direct support for Mautic Landing Pages as feedback pages (“Thankyou page redirect URL” / “Verification error redirect URL”) after DOI link click (those can of course be given as URL)</p></li>\n<li>\n<p>Set generic feedback pages (“Thankyou page redirect URL” / “Verification error redirect URL”) in plugin configuration</p>\n<ul><li><p>→ Use those as preset in new forms</p></li></ul>\n</li>\n<li>\n<p>Multi-language features (normally not required as forms are currently single-language, too)</p>\n<ul>\n<li><p>translated doi emails</p></li>\n<li><p>language-aware redirects</p></li>\n<li><p>language-aware generic feedback pages</p></li>\n</ul>\n</li>\n<li><p>multi-brand (i.e. URL aware) <strong>generic</strong> feedback pages</p></li>\n<li><p>per-form “Follow-up wait time”</p></li>\n<li>\n<p>housekeeping, i.e. cleanup of non-confirmed DOIs</p>\n<ul><li><p>global or per-form cleanup timeout definition</p></li></ul>\n</li>\n<li><p>NHI honeypot awareness / support</p></li>\n<li><p>Offer only emails in “Email Verification (“Double Opt-In”) Details that contain the {doi_link} token</p></li>\n<li><p>MAYBE LATER, MAYBE NEVER: Generic Audit trail</p></li>\n</ul><p><strong>Describe alternatives or workarounds you've considered</strong><br>Can't recall. A ton.</p><p><strong>Additional context</strong><br>I think I covered it all :)</p><p><strong>Does this issue could impact on users private data?</strong><br>yes</p><p><strong>Funded by</strong><br>Leuchtfeuer Digital Marketing</p><p>gid://app/Decidim::Hashtag/2/Mautic</p><p>gid://app/Decidim::Hashtag/2/Mautic</p>\n\ngid://app/Decidim::Hashtag/2/_Mautic"},"title":{"en":"Universal email verification plugin (for DOI Double Opt-In and more)"}}

This fingerprint is calculated using a SHA256 hashing algorithm. In order to replicate it yourself, you can use an MD5 calculator online and copy-paste the source data.

Essential

Preferences

Analytics and statistics

Marketing

Universal email verification plugin (for DOI Double Opt-In and more)

Please log in

Cookie settings

Essential

Preferences

Analytics and statistics

Marketing

Universal email verification plugin (for DOI Double Opt-In and more)

Confirm

Please log in

Share