After hitting “publish” on my previous blog post, I had kinda hoped not to have to explain why the lazy-ass “just send a confirmation mail” option is not a proper method for validating an email address, but apparently a lot of people hold a different opinion there. So here are my counterarguments:
- Typos happen. If you don’t bother catching them early, then you make the user wait for a confirmation email that will never arrive. The user is not aware of the problem and something else might come up in the meantime. Chances are that s/he won’t return to your form to fix the error.
- Typos happen. If you don’t bother catching them early, then unconfirmed email addresses will pile up in your database.
- You've got a slight problem when your (web) server somehow makes it onto an anti-spam blacklist. Not being able to send your newsletter is already bad; not being able to accept new subscriptions is worse. Why would your server get blacklisted? Well, maybe because you have this open form on it that validates by sending confirmation requests, and some joker thinks it's funny to subscribe firstname.lastname@example.org over and over again.
- True, local validation doesn’t tell you if an address exists, but validation by confirmation request doesn’t (necessarily) either. For all you know, the user could have just given you a throw-away address (local validation and checking against a blacklist catches this).
- Think past newsletter subscriptions! Sending confirmation mails is not really an option if you need to clean up a database (of email addresses “validated” by a hack job regex). It is also not an option in data entry jobs (think: a clerk manually typing in dozens of records at a time, or your phone scanning in a vCard). Then there is also the most obvious example: the setup dialog of your email client (try sending a confirmation mail there)!
The job of a confirmation mail is to verify the user’s identity; it is not your first (and only) line of defense against the user submitting junk!
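
To make the points above concrete, here is an added sketch (not code from this post or the previous one) of a gate that runs before any confirmation mail leaves the server: a structural check, a throw-away-domain blacklist, a typo suggestion, and a per-address throttle against the repeated-subscription joker. The function names, domain lists and throttle limits are assumptions constructed for illustration.

```python
import difflib
import time

# Constructed sample data; a real deployment would load maintained lists.
KNOWN_DOMAINS = ["gmail.com", "yahoo.com", "outlook.com", "example.org"]
DISPOSABLE_DOMAINS = {"throwaway.example", "tempmail.example"}
MAX_REQUESTS, WINDOW_SECONDS = 3, 3600  # assumed throttle policy
_sent = {}  # address -> timestamps of confirmation mails already sent


def check_syntax(address):
    """Conservative structural check (accepts only a subset of valid addresses)."""
    local, at, domain = address.rpartition("@")
    if not at or not local or len(local) > 64 or len(address) > 254:
        return False
    if local.startswith(".") or local.endswith(".") or ".." in local:
        return False
    if any(c.isspace() or c in '()<>[]:;@\\,"' for c in local):
        return False
    labels = domain.split(".")
    if len(labels) < 2:
        return False
    return all(
        0 < len(l) <= 63 and l[0] != "-" and l[-1] != "-"
        and all((c.isascii() and c.isalnum()) or c == "-" for c in l)
        for l in labels
    )


def pre_send_gate(address, now=None):
    """Return (verdict, detail); only the 'send' verdict may trigger a mail."""
    now = time.time() if now is None else now
    address = address.strip()
    if not check_syntax(address):
        return ("reject", "malformed address")
    local, _, domain = address.rpartition("@")
    domain = domain.lower()
    if domain in DISPOSABLE_DOMAINS:
        return ("reject", "disposable domain")
    if domain not in KNOWN_DOMAINS:
        near = difflib.get_close_matches(domain, KNOWN_DOMAINS, n=1, cutoff=0.85)
        if near:  # likely typo: ask the user, do not silently rewrite
            return ("suggest", local + "@" + near[0])
    key = local + "@" + domain
    recent = [t for t in _sent.get(key, []) if now - t < WINDOW_SECONDS]
    if len(recent) >= MAX_REQUESTS:
        return ("throttle", "too many confirmation requests")
    _sent[key] = recent + [now]
    return ("send", key)
```

The "suggest" verdict is meant to be shown to the user while the form is still open, which is exactly the point at which a typo is cheap to fix.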