Should I verify an email address when a user registers on my website?

Question

I have a membership site in beta right now... At the moment, when a user registers, it marks the account as unverified and sends them an email with a link to verify their account.

The real reason for doing this is to make sure they entered their valid email address correctly.

So I was contemplating on removing the verification step to make it faster and easier to sign up. Just have it create an account that they can log into straight away.

The site uses PayPal for payment processing, so no sensitive data stored locally. It also only asks for a username, email address, and password when they register. So, really the most sensitive piece of info is the email address.

If I decide to do this, what sorts of problems could I be facing? Obviously, spam is one - but I'm developing ways to deal with that. Anything else?

Would you strongly recommend against this, and why? If it matters, I'm building it on the ASP.NET MVC platform.

Thanks in advance!

Answer 1

I'd say that the workflow of sign up, get e-mail, click on link in e-mail is now fairly ubiquitous and wouldn't put off the majority of users. I wouldn't go as far as saying that in general users expect this and would distrust a site that didn't do this, but it is getting that way.

It gives an added sense of security to users who now know that you're discouraging spammers in the first place rather than just dealing with them after the fact.

See also backslash17's answer about ensuring that the owner of the e-mail address is the one doing the signing up.

Answer 2

The idea behind verifying email addresses is to reduce the number of fake accounts being registered for spam. Most websites use this method already, so you certainly won't be out-of-step if you do it.

You could always make it an option and if you find that there are a lot of spam accounts being registered, you could re-enable the feature.

The other option would be to add reCAPTCHA as human verification rather than email verification.

Answer 3

One of the problems of removing the address verification is that the user can be registered by anyone, and you are not going to have any validation method about not only the e-mail but the user's intention to be registered in your site.

Answer 4

I always suggest verifying e-mail addresses to reduce fake accounts/spam.

If you were to use Drupal they make this really easy. You can manually approve users if you'd like...plus it sends an e-mail to the address they've used to continue with the authorization process.

After seeing so many people try to spam message boards - I highly recommend verifying and using a CAPTCHA

Answer 5

Even if you find other ways to deal with spam, there is another important consideration.

If you let user's enter any old e-mail address, they could be entering someone else's email address. Any email you send to your users will become unsolicited spam to someone who is not a member of your site.

If you are ever going to make use of your customers' email addresses, you have some responsibility to making sure they are correct.

Enjoy,

Robert C. Cartaino

Answer 6

It's certainly nice to know that the email address entered is valid. But, is it important for the core function of the site? Are you likely to need to contact the user again? If the email is only an ancillary attribute of the user, it's OK to have it "fudgeable". Another thing to consider - how often are people going to be visiting your site? If it's infrequently, and they've fudged the email address, offering a "forgot password" option becomes difficult :-)

If you don't force verification, I'd suggest doing something like CodeProject. If you haven't verified your email address in a while, they put a nice yellow banner informing you that your email address might be out of date. It's unobtrusive and effective. I'd also suggest sending a "Welcome to widgets inc" email with an invitation to click on the link and verify the email addy. That way anybody who signs up as billyg@microsoft will be out of luck :-)

I was going to include a link to an awesome .net rocks show about email verification and bringing servers to their knees and spam and lots of good goodness, but I can't find it! I think it was Ayende or Oren or one of those smart guys. Anybody remember the episode?

Answer 7

Other than spam, the main issue I can see is if someone forgets their password AND happened to give an invalid e-mail address. If you can come up with another solution to this (and have the spam under control), then I don't see offhand any other drawbacks to the instant sign-up.