Why is it important to do email verification upon sign up and is it “mandatory”?

StackOverflow https://stackoverflow.com/questions/1931769

  •  20-09-2019
  •  | 
  •  

Question

More than a handful of websites don't require registrants to verify their email and they seem to work fine without obliging you to go through this (minor) ordeal.

It seems logical this mechanism would assure email validity and would deter a robot non grata, but is it pertinent for a low user functionality website, for example, only for writing comments or anything relatively harmless like that, to enforce it?

Was it helpful?

Solution

Before you can answer whether you should validate the users email, you need to have a good understanding of why are you collecting it and what do you want to do with it.

  • If you are just collecting emails to sell to bulk mailers, there's no reason to validate it.
  • If you want to send the occasional email, you might validate it but you don't have to do it right away.
  • If you want to have an established communication channel with the user before you let them use advanced functionality, you need to validate it, but you don't need to block their access until that happens.
  • if you plan on using the email as identity representation (you shouldn't, but that's a separate topic), you need to validate the email and hold on the account establishing until that happens.

OTHER TIPS

It's crucial for the "forgotten password" scenario. For example:

  1. User signs up
  2. Accidentally makes a typo in their email address
  3. Three months later, forgets password
  4. Uses the "forgot password feature"
  5. You're screwed

If you had checked the email in the first place, you'd be able to do the "best practice" at this point, namely, send a password reset link to their email address. (You're not actually going to send them their password. This would imply that you had stored their password. This would be a most severe security flaw, but that is not the topic at hand).

Email verification insures that you have an email path to reach the user in this situation (at least, until they close that account...)

Before sending any other email to the address you collected you should always verify that the owner of the email address is the same entity who provided it to you. This is not only helpful to the registrant (as in the "forgot password" scenario described in another answer) and collector (improving the quality of the collection) but also the owner of the email address (especially if this is not the same person as the registrant).

As someone who has a simple, short gmail email address I get 10 to 20 unsolicited "Thanks (someone else's name) for signing up for our program!" emails each year that are sent from legitimate/non-spam organizations. It doesn't sound like a big deal, but often it takes about 30 minutes of effort to correct this (typically because of having to make a phone call and explain the situation two or three times to different people). Thankfully I believe this usually happens as the result of an honest mistake. However, what if someone thought it'd be funny to sign me up for a bunch of email lists that I'd surely not want? If the senders don't verify the address first then I'd have a lot of unsubscribing to do later :(

Some pros to skipping verification:

  1. a bigger list, of course
  2. genuinely-interested people don't find themselves off your list because they weren't aware of needing to confirm

Some cons:

  1. a lower-quality list: people make typos.
  2. a lower-quality list: people weren't aware or forgot they signed up and don't want to be getting these.
  3. a more "spammy" vibe, hard to quantify and depends on the circumstances.

I've stayed with the confirmation (double opt-in). If I dropped the confirmation step, could this lead to more people hitting the 'This is spam' button in their online accounts? What happens if you hit gmail's threshold here and they blacklist you? Yes, all speculation but you need to make a risk assessment here.

Some great reasons are already covered: Let me try some more...

1) If you're going to use the email addresses, email verification can help you stay clear of being labeled a spammer. How? If too many of your emails bounce (I guess more than 2%), the sender and receiver email systems think you're a spammer.

2) If you continue emailing to email addresses where a lot of people don't open your emails you're spending money in (a) storing the email addresses, and (b) sending emails.

3) Your metrics won't come out right if an unusually large number of email addresses are incorrect. A blog I quote often explains the benefits more succinctly -

here's the link to the blog.

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow
scroll top