Best Practices for Email Verification, Balancing Growth and Security

(Justin Gordon) #1

I noticed, first hand, that Nextdoor does not do email verification.

On the Nextdoor about us page:

Every neighbor has to verify their address.

But why not verify emails? Does that slow down growth too much?

I’ve also noticed that also did not verify email addresses.

For sites that pride themselves on security, this seems improper. However, I’m quite sure that Nextdoor debated this issue heavily.

@andrewchen Have you come across this sort of debate?

I also posted this to Quora.


Hey Justin, it’s best practice to validate an email address, for multiple reasons.

  1. Authenticity; did the person who owns that email actually sign up for your service? So a malicious user couldn’t sign other people up.

  2. Email Deliverability; if someone enters a bad (or not their own) email address, and you send email to it (either a welcome series, automatically add them to a newsletter, or even product updates), this will negatively impact your deliverability. So a validation, “Confirm your account”, or whatever email actually serves to ensure you’re emailing real people.

  3. Improves activated users; If someone is willing to click on your “Welcome” email and confirm their account, it shows a much higher investment (on their side) than someone who wouldn’t. Thus you can qualify “verified” users as being somewhat more engaged.

Regarding growth, it’s very common for a Welcome email, post account creation/signup, to contain a verify link specific to each user. You don’t have to word it as “confirm your email”, it can be “Welcome to XYZ, so excited to have you on board”, with a specific CTA to activate their account. As well, you can provide a “non verified” user experience that lets someone get a feel for your product w/o verifying their account email. Kinda like taking your product for a test drive.

Hope that’s helpful.

(Justin Gordon) #3

@mch I totally agree with you. However, it’s clear that Nextdoor chose not to do this in the fear it would slow down growth, especially among the non-tech savvy. Based on my experiences consulting, I think this non-best-practice is extremely common with consumer apps. It would be great to know what sort of data and thoughts went into Nextdoor’s decision “not to follow best practices”.

(Tarik Kurspahic) #4

Hi guys.

We’ve looked at this issue thoroughly at given that we deal with sensitive data. We wound up verifying emails, but with a few caveats:

  1. If the user signs up from the main page (without context) we will ask them to verify their email address as it uniquely identifies them in the system and allows others to securely share data with them - we can’t let you claim someone else’s inbox…

  2. If the user signs up as a result of someone sharing something with them or an invite, then we have some context and the sign up link itself is a confirmation link so we can hide that part of the sign up process.

This roughly 2x-ed our conversions for users in bucket #2,
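
The two sign-up paths described in this post, sketched as an added example (not code from the poster or their company): an invite link carries a signed token bound to the invited address, so it doubles as confirmation only when the sign-up uses that same address. The token format and the names `SECRET`, `make_token`, `read_token` and `sign_up` are assumptions made for illustration.

```python
import base64, hashlib, hmac, json, time

SECRET = b"constructed-demo-key"   # assumption: placeholder for a server-side secret
MAX_AGE = 7 * 24 * 3600            # assumption: invite links expire after 7 days

def _b64(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def make_token(email, purpose, now=None):
    """Sign the address, the token's purpose and its issue time with HMAC-SHA256."""
    claims = {"email": email.lower(), "purpose": purpose,
              "iat": int(now or time.time())}
    payload = json.dumps(claims, sort_keys=True).encode()
    sig = hmac.new(SECRET, payload, hashlib.sha256).digest()
    return _b64(payload) + "." + _b64(sig)

def read_token(token, now=None):
    """Return the claims if the signature and age check out, else None."""
    try:
        p64, s64 = token.split(".")
        payload, sig = _unb64(p64), _unb64(s64)
    except ValueError:             # wrong shape or bad base64
        return None
    expected = hmac.new(SECRET, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        return None
    claims = json.loads(payload)   # parsed only after the signature is verified
    if (now or time.time()) - claims["iat"] > MAX_AGE:
        return None
    return claims

def sign_up(email, token=None, now=None):
    """Bucket 2: a valid invite for this exact address counts as confirmation.
    Bucket 1 (no token, or a token for another address): verify as usual."""
    claims = read_token(token, now) if token else None
    if claims and claims["purpose"] == "invite" and claims["email"] == email.lower():
        return "verified"
    return "pending_verification"
```

Binding the token to the invited address is what keeps the shortcut from letting someone claim a different inbox: an invite forwarded to another person, or used with a changed address, falls back to the normal confirmation email.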

(Stephen Willis) #5

This is basically automatic sign-up and verification which I think helps propel growth because it speeds up the on-boarding process. One could debate the issue of privacy, but as long as terms are specified and there is an opt-out for the user (ex. email unsubscribe or sms “stop”) then it is ok. The key in the on-boarding process is to verify the account in the invitation.

This is what I decided to do with my online greeting company.

  1. Sender sends greeting to receiver. Basically, sender is signing receiver up while sending greeting.
  2. In email, if not member, CTA when clicked signs user up for free trial, verifies user (finish on-boarding) and then takes user to greeting message. If member, then same email with same CTA with different link that takes member to greeting.
  3. During transition from prospect to customer, receiver is sent a few emails to upgrade during trial.

To me, the automatic on-boarding process is simpler and easier on user than having invitation email, sign-up email, and verification email. You can kill three birds with one stone, hence only one email template for invited user…

Please let me know if this process has any hidden cracks or if it has worked for others. I am not a complete expert at product design and UX design, but common sense is the simpler the better.

(Justin Gordon) #6

What makes Nextdoor’s behavior really troubling is that I could not figure out how to unsubscribe. When I clicked on the unsubscribe button, I get to my Nextdoor account with a different email. I want to be subscribed on that one. So it seems I’d have to log out and reset the other Justin Gordon’s password in order to turn email notification off.

(Justin Gordon) #7

A new article on this topic was published a few days ago on Medium:

How to make email confirmation a little easier for your users

When users sign up for your product you probably want them to confirm their email address. It’s an easy way to verify their identity in the future in case they lock themselves out of their account and it makes sure you have permission to send emails to that address.

For your users it can be a bit of a hassle though, if all they want to do is sign up and start using your service. Here’s what we do at BetaList to make it a little easier:

(Andrew Chen) #8