
Ask HN: Verify email by user emailing me? - dougk16
Most websites send a secret link to a user's email to verify they own the email address. But this has three main issues: (1) it often requires users to complete a CAPTCHA to prevent automated registration bots, (2) emails often go to spam, and (3) users can mistype their email address.

What if users _sent_ a secret code to a service instead of receiving one? I was told by my inbound email processing service that if DKIM is valid and/or SPF passes then I can trust that the email address wasn't spoofed. Can anyone verify that? Are there any other gotchas from a security perspective?

I understand the UX would be a little unexpected and may drive people off. My question focuses on whether there are any security pitfalls compared to the traditional method of sending users a secret link.

Thank you!
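
An added example, not part of the original post or thread: a `dkim=pass` or `spf=pass` result authenticates a domain (the DKIM `d=` signer, the SMTP envelope sender) rather than the `From` address, so this check accepts a verification mail only when that domain equals the `From` domain and the result was stamped by your own receiver. The authserv-id `mx.inbound.example`, the function names and the sample messages are assumptions constructed for illustration.

```python
import hmac
import re
from email import message_from_string
from email.utils import getaddresses

TRUSTED_AUTHSERV = "mx.inbound.example"  # assumption: authserv-id your own receiver stamps

def _domain(addr):
    return addr.rsplit("@", 1)[-1].lower().rstrip(".")

def auth_results(msg):
    """Collect (result, properties) per method from headers written by our receiver."""
    out = {}
    for raw in msg.get_all("Authentication-Results", []):
        parts = [p.strip() for p in re.sub(r"\([^)]*\)", "", raw).split(";")]
        if not parts[0] or parts[0].split()[0].lower() != TRUSTED_AUTHSERV:
            continue  # stamped by someone else (possibly the sender): ignore
        for part in parts[1:]:
            m = re.match(r"(\w+)=(\w+)(.*)", part, re.S)
            if m:
                props = dict(re.findall(r"([\w.]+)=(\S+)", m.group(3)))
                out.setdefault(m.group(1).lower(), []).append((m.group(2).lower(), props))
    return out

def verify_inbound(raw_message, claimed_address, expected_code):
    """True only if the mail proves control of claimed_address and carries the code."""
    msg = message_from_string(raw_message)
    senders = getaddresses(msg.get_all("From", []))
    if (len(senders) != 1 or not claimed_address
            or senders[0][1].lower() != claimed_address.lower()):
        return False  # missing, ambiguous or different From address
    from_dom = _domain(senders[0][1])
    res = auth_results(msg)
    # Strict alignment: the authenticated domain must equal the From domain.
    dkim_ok = any(r == "pass" and p.get("header.d", "").lower() == from_dom
                  for r, p in res.get("dkim", []))
    spf_ok = any(r == "pass" and _domain(p.get("smtp.mailfrom", "")) == from_dom
                 for r, p in res.get("spf", []))
    subject = str(msg.get("Subject", "")).strip().encode("utf-8", "replace")
    return (dkim_ok or spf_ok) and hmac.compare_digest(subject, expected_code.encode())

# Constructed sample messages (not real traffic).
_BODY = "From: Alice <alice@example.org>\nTo: proof@example.com\nSubject: SecretCode\n\n"
ALIGNED = ("Authentication-Results: mx.inbound.example; dkim=pass header.d=example.org;"
           " spf=pass smtp.mailfrom=alice@example.org\n" + _BODY)
UNALIGNED = ("Authentication-Results: mx.inbound.example; dkim=pass header.d=other.test;"
             " spf=pass smtp.mailfrom=bounce@other.test\n" + _BODY)
FOREIGN = "Authentication-Results: mx.elsewhere.test; dkim=pass header.d=example.org\n" + _BODY
```

Strict (exact-match) alignment is used here for brevity; DMARC's relaxed mode compares organizational domains and needs the Public Suffix List.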
======
smt88
Security is similar either way. The main difference is UX.

This certainly will alienate more users than you'd lose due to spam filters or
typos.

~~~
dougk16
Thanks for the response. :)

My guess is that more users will be alienated simply because it's, well,
alien. They're not used to it. I've never heard of a service doing this. But
if you think about it, it's not that onerous. After a user submits their email
address I have a page with <a
href="mailto:proof@example.com?subject=SecretCode">Click Here To Prove You Own
This Address</a> which hopefully will work on a good percentage of people's
machines and smart phones. I don't know how many people have mail clients
installed.

If they don't have a mail client, I'll still have a nicely rendered example
email so they know they just have to put the secret code in the subject line
and click send.

This is of course harder than clicking a link, but then again people are used
to _receiving_ secret codes and having to copy/paste them into the website.

And again there are CAPTCHAs to consider when sending people emails, which are
hard to solve and give up privacy and effectively lock you into Google. For
some small services I've set up over the years I also have had _a lot_ of
people complaining about not receiving emails despite using very reputable
services like Postmark and Sendgrid. It's hard to say percentages though.

I agree I'll lose more users, but I think it's more a matter of people not
being used to it than it being a technically inferior solution from a UX
perspective. Anyway thanks again!

------
tarun_anand
Yes from a security perspective this is OK but not from a usability
perspective.

~~~
dougk16
Thank you. :) See reply to smt88 if interested in a counter.

