Ask HN: Devs, can we please verify Gmail email addresses when users sign up?

2 points by Severian 1 year ago | 6 comments
Basically, I am asking my fellow developers who allow users to use a "guest checkout" or when signing up to a site or service to please, please verify the email address used when it points to gmail.com with an email, supplying a link that is basically "This not you?" to remove it.

Please also add logic to remove the dot from the email address when matching against your DB.

Gmail does not honor the dot in the name portion of the email address. Both of these point to someuser@gmail.com: some.user, s.omeuser, someu.ser, etc.

https://support.google.com/mail/answer/7436150?hl=en

This means that when a user signs up, you really need to match against the dotless name and not what they supplied verbatim.

Some background on why I am posting this:

I recently had to send a regular _physical postal letter_ to someone halfway across the country to tell them to stop using my email address when signing up (I've gotten their address from past order receipts). I've also had to contact organizations directly when trying to delete accounts because they also lock the account behind a phone number text verification or some other pseudo 2FA. This user is a constant thorn in my side, especially when I automatically get signed up to loads of marketing emails.

As an example: This idiot decided to sign up to Shop.com using their App. I was able to log in to the account, but I cannot remove it, nor change any settings because it sends a text to the user as a "security" measure. I guess it works, but this is a HUGE problem when they didn't verify the email as the user to begin with. I have just now contacted them to hopefully rectify this situation.

Anyway, I hope everyone understands just how frustrating this can be when someone who is technologically inept decides to use your email address when they don't have their own, and you do not verify the email address.

  • stephenr 1 year ago
    > Please also add logic to remove the dot from the email address when matching against your DB.

    This is the wrong approach. It's not like this isn't a solved problem.

    1. Ask for email.

    2. Send confirmation email with a one-time link

    3. Do nothing but show a "not yet confirmed, resend?" message until confirmation link has been followed.

    • Severian 1 year ago
      I have to disagree. For most other email providers this would work; however, with Gmail this is a unique issue. Since Gmail doesn't consider a dot, then by all accounts it shouldn't be considered on the application/site side as well.

      Checking would short-circuit this, and simply not allow a signup at all.

      • stephenr 1 year ago
        If the app/site requires a user to click a verification link before using an email address, how the mail provider handles the local part is irrelevant.

        The user can either access the email because they used an address they "own" or they can't.

        It also solves a whole bunch of other issues all at once (typos, unsolicited signups, etc).
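
The two positions in this sub-thread combined into one signup check, as an added example that is not code from any commenter or site: addresses are matched on a dotless key for gmail.com, and the account stays unusable until a one-time link token is confirmed. The `Signups` class, its in-memory dict and `TOKEN_TTL` are hypothetical stand-ins for a real accounts table and mailer.

```python
import hashlib
import hmac
import secrets
import time

TOKEN_TTL = 24 * 3600  # assumed lifetime of a confirmation link, in seconds


def match_key(address):
    """Key for duplicate matching. Only the gmail.com dot rule from the
    thread is applied; other providers' local parts are left as typed."""
    local, sep, domain = address.strip().rpartition("@")
    if not sep or not local or not domain:
        raise ValueError("not an email address")
    domain = domain.lower()
    if domain == "gmail.com":
        local = local.lower().replace(".", "")
    return f"{local}@{domain}"


class Signups:
    """In-memory stand-in for the accounts table (hypothetical schema)."""

    def __init__(self):
        self.rows = {}  # match_key -> pending/confirmed state

    def request(self, address, now=None):
        """Steps 1-2: store a pending row, return the token to put in the link."""
        now = time.time() if now is None else now
        key = match_key(address)
        if self.rows.get(key, {}).get("confirmed"):
            return None  # a confirmed account already owns this mailbox
        token = secrets.token_urlsafe(32)
        digest = hashlib.sha256(token.encode()).hexdigest()  # never store the raw token
        self.rows[key] = {"confirmed": False, "hash": digest, "expires": now + TOKEN_TTL}
        return token

    def confirm(self, address, token, now=None):
        """Step 3: nothing is usable until this returns True."""
        now = time.time() if now is None else now
        row = self.rows.get(match_key(address))
        if not row or row["confirmed"] or now > row["expires"]:
            return False
        given = hashlib.sha256(token.encode()).hexdigest()
        if not hmac.compare_digest(given, row["hash"]):
            return False
        row["confirmed"], row["hash"] = True, ""  # link is single use
        return True

    def usable(self, address):
        return bool(self.rows.get(match_key(address), {}).get("confirmed"))
```

Calling `request` again for a still-pending address replaces the stored hash, which is the "resend?" case: the older link stops working.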

    • orionblastar 1 year ago
      This happens to me. I have a common real name so my gmail is used by all sorts of people. I am married and get signed up to dating sites that don't verify email. It is embarrassing.
      • Severian 1 year ago
        I can see how this would be.

        I've been in the unfortunate position of receiving very confidential financial documents, which I could have done a lot of damage with.

        Most times I have sent a friendly "this is not the person you think it is" type reply, but with automated systems, this is impossible.

        • Kon-Peki 1 year ago
          Even if you get that cleaned up, Google will still advertise to you as if you were interested in dating sites.