Ask HN: Why don't email verifications ever let me DENY the verification?

2 points by NikolaNovak ↗ HN
I have a name that's apparently common in Europe. Every couple of weeks I get an email asking me to verify/confirm my email address.

They never ever seem to have a button that says "DENY VERIFICATION " or "Nope, that's not me"

Small shops I never heard of and big, international, well known businesses - they never have a "Do not approve / register / verify" button.

(Today I just got half a dozen emails from PayPal - apparently somebody is using my email address to register. Based on subsequent emails, even though this email was never verified, they continue to do their business and register. PayPal won't let me deny usage of my email, submit a ticket, or contact support for help without logging in, which obviously I cannot and do not want to do - I'm not to the one who got registered!).

So what is the point in email verification emails, if there's no way to deny it / indicate "Nope that's not me, don't do it"?

6 comments

[ 2.8 ms ] story [ 27.2 ms ] thread
The role of email verification is as a simple check for whether the email entered is controlled by the user entering it. A non-reponse by the owner of the email implies denial. So it's denial by default, and that only changes if specific action is taken (i.e. clicking on the confirmation link).

I suspect the reason for not having an explicit 'deny' button is based on cost-benefit analysis. The benefits might be limited to 1. Improved user satisfaction, and 2. Minimise the risk that a user might accidentally click the confirmation link. But I suspect these aren't enough to outweigh the extra (arguably unnecessary) effort of implementing it.

That works in principle.

It does not seem to work in practice. I get a huge amount of daily email from various registered accounts with "unverified email". I assume somewhere on an ignored dashboard user sees a "unverified email" note, but it certainly does not, on average, stop the business from continued use of unverified email - and again, I've experienced this for small and large businesses alike.

> The role of email verification is as a simple check for whether the email entered is controlled by the user entering it. A non-reponse by the owner of the email implies denial

It doesn't, though, because services often have a limited pending verification state, and no negative exit from that state. If it actually implied denial, then at some time in the pending state without confirmation, it would enter a failure state (which would probably curtail most access until a new email was provided.) Even then, it would be desirable to allow the actual mail account owner to trigger a fast-denial rather than relying on a implied denial by timeout.

Facebook has "That's not me" after a failed login. I think denying then triggers the original person/IP to be banned for a while.
Right, that's after a failed login for an existing account in steady state, when you get an email "Somebody tried to login, is that you?". Google etc do similar things.

I don't know if they have that on the initial signup and email verification though.

Marking the email as spam will report it to the company via a feedback loop mechanism and you should stop seeing emails within a day or two. Companies that have this set up correctly will take a spam complaint of a verification email as a deactivation of the account.