Product Development July 5, 2020

Do you make users verify their email? If so, why?

Mick @Primer

I make everyone who signs up to SongBox verify their email. But... I have no real reason to. As of tonight I'm taking this step away.

If you do this, why do you do it? I've maybe missed something.

I mean, yeah reset password emails etc but even at that.... Hmm I dunno.

Thoughts?

  1. 13

    I think it's a serious security risk to remove it:

    (1) I've had a few cases now where people signed up with the emails of others. They didn't get further than sending the activation e-mail, but if they did, you had a fake email in your systems and newsletter. A lot of overhead to get those out again.

    (2) Mistyping emails is so much more common than you might think. If you're unlucky, someone mistypes their email, pays, and then locks themselves out – more work for you.

  2. 8

    Due to privacy concerns, it's often necessary in the European Union to use a double opt-in procedure. The reason is to make sure that the user really gave his consent. Especially when you already enter some kind of contract. Even trials can be already a contract-based relationship.

    1. 1

      It just occurred to me that Reddit doesn't require a verified e-mail address. Are they really breaching EU regulations?

    2. 1

      Yes it's this, in the EU at least. The fines for not doing this are big, although unlikely to be enforced. Anyone interested should Google "GDPR email opt-in" or similar

      1. 1

        And it's very important to notice that it already applies to websites that are reachable within the EU.

  3. 5

    We've been discussing some ideas around this at GitLab. Ideally we'd want the user to be able to onboard into the product quickly without verification, but require a verified email once they start using features that will cost us in compute in order to reduce spam.

    1. 1

      Are some of the GitLab features that are expensive in compute available to free users?

      1. 2

        Not individually, but with enough scale it adds up.

  4. 3
    1. So people can reset their password.
    2. If you need to communicate with the user, (e.g. for a password reset or security breach notification) you need to verify the email can be received / there wasn't a typo when they signed-up.
    3. If you don't, then sensitive information or spam can be sent to someone else's email. I have an old email account that regularly gets updates from auto dealerships, real estate, and other sites. It seems an old man has the same name as me and even though I've had that email address for 17 years, he accidentally gives out my email address instead of whatever his is. I regularly receive updates on very private financial transactions because this old guy gave the wrong email address and nobody verified it. Spammers have also made use of unverified email addresses to make 3rd-party websites and make them send spam messages to people who never signed up for a site.
    4. It raises the bar for spammers. Requiring a verified email address stops a lot of automated spam crawlers.
  5. 2

    I am mainly doing it because if not, people are signing up using fake email IDs and temp mail generators.

    It is better to have their legit email when they sign up, to follow up later.

  6. 2

    We verify emails to confirm membership on a specific company email domain -- which we use to help ensure users are only accessing resources that belong to their company (easier to audit).

    Typically though, if you don't require email verification, you'll get hit eventually by an automated or semi-automated system that spams your product with fake account signups.

    It's a nice usability exercise to think about how you can help legitimate users get as much access to try out your product with as little effort as possible, without creating other vulnerabilities in your product.

  7. 2

    Mostly to ensure regulatory compliance. Especially in Europe, it is the preferred.

  8. 2

    Yes, pretty much always. Whenever I've decided to not include email verification, I've had to go back and plumb it in later.

    As people mentioned in this thread already, there are a plethora of issues. Ones I've personally seen have been stealing other people's addresses and deterring spammers.

  9. 2

    I always confirm the email because otherwise my database is 50% of random typos in the email address and users requiring the password reset 😅

  10. 2

    The biggest reason for this step being a "normal" part of signup workflow is to help catch typos that would cause later (actually important) email notifications to bounce.

    Postmark has a tool to handle this directly in your app, basically wiring together a webhook when they detect a hard bounce and notifying your user in-app without any extra code.

    https://postmarkapp.com/rebound

  11. 2

    To me it's just a way of adding some basic lead qualification to the top of the funnel.

    If your app is B2C and you want as many people in the top of your funnel as possible, then I understand why you would want to remove any and all friction.

    If your app is B2B and trial usage can incur costs, or require support conversations etc then you might want to qualify people before they can do that. Different strokes for different folks.

    Also see; companies who require a credit card before even signing up. Nothing wrong with that, it's just adding friction to ensure that you get a certain level of qualified lead signing up because you don't want to deal with colder leads - for whatever reason.

  12. 1

    I try to add email verification on websites like e-commerce because of the requirements. I try not to add this feature as a compulsion for the users in ordinary applications because it takes users' time for no reason. I just do not make verification as a compulsion but send an email as a notification to real owner of that email.

  13. 1

    Right now I send out an email with an email verification link when you register an account. However, I allow you to immediately start using your free trial even before you verify your email. I immediately start displaying a toast message though reminding you to verify your email. I think an additional step I may add in the future is requiring the email to have been verified after the first day of the trial in order to continue using the service.

    It's a balance to try to minimize friction during the initial onboarding but not open my service up to abuse.

  14. 1

    It's prolly hard for someone to convince you the con might be greater than the pro right now since the decision has been made. But clearly, people do them for rational reasons related to their businesses, not just because everyone else does.

    Just go with it for a few months and evaluate the decision again. Maybe it's great and validates your assumption.

  15. 1

    As a user, I hate having to verify my email. I wish there was a tool to do it for me automatically. Anyway, as a developer I realise it's a necessary annoyance.

  16. 1

    You need to make sure there is a one to one relationship between your product and user. Maybe it's IP or some client side fingerprint. But that is tedious, hence least resistance is email. It's a flow that users are used to.

  17. 1

    People give you junk emails, disposable emails, and you need an email that lets you actually reach them. When there are problems with their account, when their free trial expires, etc., when you release something new and have a chance to maybe earn their business, in any case, you need to be able to contact them.

    FWIW, we offer https://ritekit.com/api-demo/disposable-email-detection along with solutions for catching typos in emails, so, for example, when they type @gamil.com, you can catch this and give them a "did you mean" message. This lets you get more signups that are truly useful.

  18. 1

    Just to throw this into the mix --

    I have a small extension that generates random email addresses. I use it when signing up to dodgy websites and I'm not quite sure if the site is "trustworthy enough". I sign up with this fake (== temporary) email first, see how the experience is, and maybe later change to real email or sign up with my real email if it is a useful app.

    Most times I still get verifications, but it doesn't mean what I'm providing is a good email address. Facebook is the only site that does well in detecting these particular emails and won't let you sign up, but I can easily recycle and try another. About 1/5 will pass even with Facebook.

    Anyway, this is an edge case I'm sure but verification does nothing to deter this type of behavior. The only thing that does is credit card requirement.

  19. 1

    My latest project, https://maildown.dev, couldn't function without it. I've always implemented it on my other projects, too, otherwise it's open to abuse

  20. 1

    Something to do with sender IP reputation? This is a guess but if gmail or hotmail receives too many bounce emails ([email protected]) they might mark the sender IP as spam and blacklist.

    1. 1

      Won't you have a greater risk of destroying your email reputation if you always send verification emails to people that sign up?

      1. 1

        Depends on frequency you send emails. If you do a daily newsletter that's 365 emails for the year compared to 1 verification email, that's a considerable difference when multiplied by how many dodgy emails in your database.

  21. 1
    • It's important so as to avoid spam, as I could simply put my friend's email and start exploring features. My friend would probably start receiving typical SaaS email sequence.
    • One of the best options which I like and use is "Let the users explore everything but bind final hinge to the email verification". Example - In case of email marketing tool, ask for email verification when the campaign is being sent.
    • Another best option, give Login with Social (Google, Facebook, Twitter) - It won't require email verification as user is authenticated via Social profiles :)
  22. 1

    On one of my sites I implemented verifying emails in such a way that I'd tell the user that we'd email them once their payment was received. Since we're only accepting the Dutch iDeal, this would be instant, most of the time. However, I could see this not working out if you've got users signing up for trials of free tiers.

    1. 1

      Yeah I mean I guess that's true. I should be checking their email is correct for sending invoices etc.

      Maybe I'll implement enforcing the verification of emails when they take a paid account only. Lowering the bar for those signing up to the free tier.

      1. 1

        Yeah. I'd definitely opt for something where users are not forced to confirm before getting (complete) access, unless your process could be turned around (like described above). However, for some businesses it seems logical (like Paypal), for others it seems like some specific features require an email, so they'll block access to those specific parts. Kind of needs to feel natural, I guess.

  23. 1

    This comment was deleted a day ago.

  24. 2

    This comment was deleted 8 days ago.

    1. 3

      Users can "sign up" with unlimited fake email addresses if you have a free trial (and don't require a social media login).

    2. 2

      Yeah I guess decreasing the load on the user is always good and also lowering the number of emails I send and being able to get rid of big chunks of code is also a bonus.
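
An added example, not part of the thread or any commenter's code: a sketch of the deferred-verification pattern several replies describe, where signup is immediate but costly features, and anything after a one-day grace period, need a confirmed address. The secret, lifetimes and feature names are assumptions chosen for illustration.

```python
import base64, hashlib, hmac
from dataclasses import dataclass

SECRET = b"constructed-demo-key"   # assumption: loaded from a secret store in practice
TOKEN_TTL = 24 * 3600              # lifetime of the emailed link (assumed)
GRACE = 24 * 3600                  # unverified trial window (the one-day idea in the thread)
COSTLY = {"send_campaign", "run_pipeline", "paid_plan"}  # hypothetical feature names

def _mac(payload: bytes) -> bytes:
    return hmac.new(SECRET, payload, hashlib.sha256).digest()

def make_token(email: str, now: float) -> str:
    """Stateless token binding the address to an expiry; sent in the verification link."""
    payload = f"{email.lower()}|{int(now) + TOKEN_TTL}".encode()
    return ".".join(base64.urlsafe_b64encode(p).decode() for p in (payload, _mac(payload)))

def verify_token(token: str, now: float):
    """Return the confirmed address, or None if malformed, forged or expired."""
    try:
        payload, mac = (base64.urlsafe_b64decode(p) for p in token.split("."))
    except ValueError:             # bad base64 or wrong number of parts
        return None
    if not hmac.compare_digest(mac, _mac(payload)):   # constant-time comparison
        return None
    email, expiry = payload.decode().rsplit("|", 1)   # safe to parse: MAC already checked
    return email if now <= int(expiry) else None

@dataclass
class Account:
    email: str
    created_at: float
    verified: bool = False

def confirm(account: Account, token: str, now: float) -> bool:
    """Mark verified only if the token is valid and was issued for this account's address."""
    if verify_token(token, now) == account.email.lower():
        account.verified = True
    return account.verified

def may_use(account: Account, feature: str, now: float) -> bool:
    """Low-friction onboarding: cheap features work unverified, but only during the grace period."""
    if account.verified:
        return True
    if feature in COSTLY:          # compute, outbound mail, billing: always gated
        return False
    return now - account.created_at <= GRACE
```

Binding the token to the address means a link issued for one signup cannot confirm a different account, which covers the "signed up with someone else's email" case raised in the replies.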