I'm working on a form backend project, Jamform, and now I'm trying to set up email verification. I need this feature set up because I will be sending form submissions to the email on file, and if the email was accidentally (or maliciously) typed incorrectly, some other person could be receiving all these emails and potentially sensitive data. I know there are other benefits to email verification as well.
What I'm wondering is how to go about implementing that, and by that I mean what's the correct registration flow. I looked at two of my competitors, FormSpree and Getform, to see how they do it. Both of these services seem to create a legitimate account for you without verification; they just block you from using the features. The boilerplate I'm building off of works about the same. Registration creates an account that's unverified, you can block features based off that, and then you can verify and it just toggles the property on the user record.
However, I'm thinking I should not create the account at all until the verification email is clicked. This would prevent emails from being "locked" into an unusable verification state if someone registers with it but doesn't verify their email. This would mean rewriting a non-trivial part of the boilerplate (which is fine if necessary). So I'm wondering if this is worth it?
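
A sketch of the second flow described in the post, where no account exists until the link is clicked. This is an added example, not part of the original post or of Jamform's code. The `Registrar` class, its in-memory dictionaries, the 24-hour `TOKEN_TTL` and the pre-hashed password argument are all assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time

TOKEN_TTL = 24 * 3600  # assumed lifetime of a verification link, in seconds


class Registrar:
    """In-memory stand-in for a users table and a pending-signups table."""

    def __init__(self):
        self.accounts = {}  # email -> account record (verified addresses only)
        self.pending = {}   # email -> (sha256 of token, password hash, expiry)

    def register(self, email, password_hash, now=None):
        """Start a signup; return the token to email, or None if the email is taken."""
        now = time.time() if now is None else now
        email = email.strip().lower()
        if email in self.accounts:
            return None  # the HTTP response should look the same either way
        token = secrets.token_urlsafe(32)
        digest = hashlib.sha256(token.encode()).hexdigest()
        # A newer signup replaces any older unverified one, so an address is
        # never locked by someone who registered it and never verified.
        self.pending[email] = (digest, password_hash, now + TOKEN_TTL)
        return token

    def verify(self, email, token, now=None):
        """Create the account only if the token matches and has not expired."""
        now = time.time() if now is None else now
        email = email.strip().lower()
        entry = self.pending.get(email)
        if entry is None:
            return False
        digest, password_hash, expires = entry
        supplied = hashlib.sha256(token.encode()).hexdigest()
        if now > expires or not hmac.compare_digest(digest, supplied):
            return False
        del self.pending[email]
        self.accounts[email] = {"password_hash": password_hash, "verified_at": now}
        return True
```

Only the hash of the token is stored, so a leaked pending table does not yield usable verification links, and the password that ends up on the account is the one from the signup whose link was actually clicked.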