Why would you do email verification for people who sign up?

20 Jan 2012 - 11:52am
4 years ago
9 replies
9363 reads

We're having a debate about this.

You could do email verification so that there's something of an audit trail back to a person, but since anyone can set up a new hotmail or gmail at the drop of a hat, does that count for much?

You can do it so that you know it's a working email address, for data quality, although you could just delete non-verified accounts after a period of time.

You can do it so that if the customer doesn't receive the request to verify, they might realise that they had made a mistake in typing in their email, although they are going to find out one or another eventually.

Any offers?

Nick Gassman
UX http://ba.com


20 Jan 2012 - 1:42pm

Whose needs are you more concerned about? Your account database or the user being locked out of his account?

20 Jan 2012 - 2:02pm
Mitchell Joe

For your second concern, I think it's more about engagement and retention than bad data quality. If someone mistypes their email address during sign up and the welcome email never arrives, they might just forget about you. But if they're told that they have to check their email and then click on a link to verify that it's a working/correct email address, then they're more likely to go to their email and look for that welcome/verification email; if they mistyped and it's not there, then they're likely to notice at that point--more likely to notice than if you just accept a mistyped email address and send a welcome email that they never receive. In this second case they have no reason to go check their email. They might just think they signed up correctly and you are being slow to send them a welcome email when actually you've already sent it but they never received it because they mistyped.


20 Jan 2012 - 4:09pm

It's more to do with security, IMO.

Your email account is personal and to a certain extent represents you.  No one wants someone else to use their email address to sign up for an account on their behalf.  By requiring verification, accounts are only associated with an email address if the owner of the email address in question allows it.

21 Jan 2012 - 4:19pm
Jochen Wolters

Along the same lines of what lukus said, requiring users to expressly confirm signing up to a site also makes sure that they won't receive unsolicited emails, etc., due to someone else signing up "for them".

22 Jan 2012 - 10:52am

Hi Nick, 

It's been a while!

So...  an email activation step is bad from a usability perspective (annoying extra step) but it verifies that the user does indeed own that email account. Among the other benefits as described above, this prevents your email server from getting a negative spam score. 

I'm told that various big webmail providers run honeypot email addresses that they leave "lying around" the web. If they find a service starts sending regular emails to that address, they will give that service a negative spam score (since the most likely reason you'd have that email address would be because you'd scraped it or bought a dodgy list). If a user mistakenly or maliciously enters a honeypot email address, you would avoid this risk by using an email activation step. 

Another benefit is that it keeps your list clean. So if a bot floods your email newsletter form with thousands of crappy email addresses, you get to lock them all out. (Also see http://kb.mailchimp.com/article/how-does-confirmed-optin-or-double-optin-work )

Some time ago, I worked on a platform that did not require an email activation step. We found this gave a big uplift to the email subscription rate, and to conversions coming from email clickthroughs. The benefits seemed to outweigh the risks so they decided to keep an eye on it and manually clean up the list on a regular basis. 

Hope that helps!



22 Jan 2012 - 11:13am
Your questions actually lead me to wonder what the whole point is as well because there are ways around every security issue in email. Like you said, anyone can set up an email address at any time.


Verifying email addresses seems to be a waste of time because in the end how do we really know who are are dealing with to control the sustainability and if they actually own that email.

22 Jan 2012 - 1:40pm
Christopher Grant

Hey, Nick.

By forcing users to confirm they are the owner of the email address, you are adding giving the email address the power to verify identity. This makes resetting passwords, sending important legal 
However, for this to work, you need to verify that the person who created the account has access to the email address they've used to sign-up. If you don't do this, you'll never be sure about who is really reading those emails. You also leave the door open to abuse.
As to how to do verification, this is a pretty straightforward pattern. Send an email (plain-text) with a link. Clicking verifies. Done.
Until the email is verified, show a message to users and restrict some of their permissions on the site (like publishing comments or having a public profile. This will protect the site from scripts designed to sign up phantom users and will give users a nice, subtle push to verify their accounts.
Hope this helps,

Christopher Grant 
Barcelona Design Lead :: Tuenti


23 Jan 2012 - 6:28am

Thanks all for your coments, very  useful. 

Ajalota, I'm concerned about the database and the user, but I don't get what point you're making.

Mitch, your comment that verification helps the user to not forget about you makes some sense, but Harry's experience that not having it increases sign-up argues that it can be more of a barrier.

Nick Gassman
UX http://ba.com

23 Jan 2012 - 1:05pm

Nick, you might find this commentary interesting, re' the contention that not requiring confirmation "increases signup" :

Syndicate content Get the feed