Ask HN: Devs, can we please verify Gmail email addresses when users sign up?
Please also add logic to remove the dot from the email address when matching against your DB.
Gmail does not honor the dot in the name portion of the email address. Both of these point to someuser@gmail.com: some.user s.omeuser someu.ser ..etc.
https://support.google.com/mail/answer/7436150?hl=en
This means that when a user signs up, you really need to match against the dotless name and not what they supplied verbatim.
Some background on why I am posting this:
I recently had to send a regular _physical postal letter_ to someone halfway across the country to tell them to stop using my email address when signing up (I've gotten their address from past order receipts). I've also had to contact organizations directly when trying to delete accounts because they also lock the account behind a phone number text verification or some other pseudo 2FA. This user is a constant thorn in my side, especially when I automatically get signed up to loads of marketing emails.
As an example: This idiot decided to sign up to Shop.com using their App. I was able to log in to the account, but I cannot remove it, nor change any settings because it sends a text to the user as a "security" measure. I guess it works, but this is a HUGE problem when they didn't verify the email as the user to begin with. I have just now contacted them to hopefully rectify this situation.
Anyway, I hope everyone understands just how frustrating this can be when you have someone who is technologically inept decides to use your email address when they don't have their own, and you do not verify the email address.
6 comments
[ 5.0 ms ] story [ 46.9 ms ] threadThis is the wrong approach. It's not like this isn't a solved problem.
1. Ask for email.
2. Send confirmation email with a one-time link
3. Do nothing but show a "not yet confirmed, resend?" message until confirmation link has been followed.
Checking would short-circuit this, and simply not allow a signup at all.
The user can either access the email because they used an address they "own" or they can't.
It also solves a whole bunch of other issues all at once (typos, unsolicited signups, etc).
I've been in the unfortunate position of receiving very confidential financial documents, which I could have done a lot of damage with.
Most times I have sent a friendly "this is not the person you think it is" type reply, but with automated systems, this is impossible.