Hacker News new | past | comments | ask | show | jobs | submit login

One workaround might be to request that the user send an initial email to your servers from their address before attempting the authentication. You'd want to validate that the email arrived and is valid according to SPF/DKIM/DMARC. You might consider allowing only messages that are positively authenticated by one of those technologies (not e.g. vacuously valid for lack of SPF records). Admittedly this will require a more complex user interaction, but it will avoid the abuse problem you're describing. You could make sending this email easy by supplying an appropriately filled out mailto: link; it should be enough to click it and send. You'd then follow this up with your current authentication step.

I've been thinking about this space for a while (e.g. https://news.ycombinator.com/item?id=12411204 ) and would be happy to chat or brainstorm.

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact