Here's a question we get fairly often: someone enters their email to sign up for your newsletter, but never clicks the confirmation link. That means they never actually become a subscriber. Can you at least see who those people were, so you can follow up or add them yourself?
The short answer is no, Ghost won't show you those addresses. The longer answer is more interesting, because the reason isn't a missing feature. It's a deliberate choice Ghost – and many other platforms – have made.
So let's look into why Ghost uses double opt-in, and why, even though it's annoying, it's actually protecting you.
What "double opt-in" means
When someone enters their email on your Ghost site, Ghost sends them a confirmation email. Only when they click the confirmation link in it, they become a member of your site.
That's double opt-in: enter an email address, confirm that the address belongs to you.
Until that second step happens, the person doesn't exist in your members list. It's not possible to see a list of unconfirmed addresses, and it's definitely not possible to email them. From Ghost's point of view, an unconfirmed signup is a person who started subscribing and didn't finish. Not a subscriber you're allowed to chase.
Why entering an email isn't the same as consent
Typing an email address into an newsletter subscribe box doesn't prove the email address belongs to the person typing. We could enter your address into a hundred newsletters this afternoon. You never agreed to any of them, but without a confirmation step, all hundred would now have you on their list and be free to email you. That's not a hypothetical, but a well-known abuse pattern. It's exactly why confirmation click exists. The click is the part where the actual owner of the inbox says "yes, this was me, I do want this."
So, while double opt-in might be annoying, it's also the mechanism that turns "an email address was entered" into "the person who owns this inbox asked to hear from me".
Privacy-respecting newsletters aren't built around collecting addresses, they are built around permission.
It's also just good email hygiene
Even if you set the consent question aside entirely, double opt-in is a good practice.
Confirmed lists are cleaner lists. You filter out typos and fake addresses. It's widely treated as a best practice precisely because it improves deliverability: inbox providers like Gmail and Outlook watch how people interact with the newsletters you send. And a list full of addresses that never asked to be there teaches those providers to route all your newsletters to the junk folder. Including the newsletters your real subscribers actually want.
A smaller confirmed list almost always outperforms a bigger unconfirmed one.
"But Substack just subscribes me automatically?"
Some platforms do subscribe people the instant an address is entered, no confirmation needed. The way to read that isn't "they found a clever workaround Ghost is missing." It's that they've made a different bet about what counts as consent and are carrying the risk that comes with it.
The relevant rules don't actually mandate a specific mechanism called double opt-in. What the GDPR requires, for example, is that consent be "freely given, specific, informed and unambiguous", given by a clear affirmative action.
A confirmation click is the cleanest possible way to demonstrate that. Treating a typed address as sufficient is a much looser interpretation of "unambiguous". Different platforms, especially those operating primarily under US rules like CAN-SPAM, which is more concerned with how you let people unsubscribe than how they opted in, simply land in a different place on that spectrum.
The short version
Ghost won't show you unconfirmed signups because, as far as it's concerned, those people haven't subscribed. They've only started the process. The confirmation click is the difference between an address being entered and a person consenting, and that distinction is the whole foundation of privacy-respecting email.
It protects the people signing up, it protects your deliverability, and it protects you from building an audience on permission you can't actually proof.
It's friction, yes. But it's the kind that means everyone on your list genuinely wants to be there.
