How should I handle the problem of people entering others' e-mail addresses without annoying them with "verification" e-mails?

Question

I have forms on my in-development website which require the person to enter an e-mail address.

I don't want to have to send them a "verification" e-mail with a URL containing a code, or instructions such as "please reply to this e-mail to verify that you sent it". This is extremely likely to cause problems such as them not receiving it, or not seeing it, or forgetting about it, or don't want to click on URLs for whatever reason. I know that it's "best practice" according to numerous online guides for e-mail, but in reality, it's a major chore for everyone involved.

And having a text such as:

If you wish, you can click this link to verify that you sent this: blablabla

feels pointless since most will not bother unless they have to.

If somebody enters a nasty message into the form and states their enemy's e-mail address, my system will therefore assume that the person owning that e-mail address submitted the form, and perhaps I will add him to my "blackhole list" without considering that it may not be them. And then, when they later actually want to use the service, they can't, because I added them to my list of e-mail addresses to silently ignore, because some entirely different person "framed" them.

Maybe this doesn't happen often in practice, but I've had it happen to me personally, so I know that it does happen, at least sometimes. I've received angry e-mails from people replying to me after somebody wrote something mean and used my e-mail address.

Answer 1

At its root, this is a problem about verifying ownership of an email address, and as far as I know there are only two ways to practically verify ownership of an email address:

1. Send a verification email, as you mentioned.

2. Complete an authentication flow with the email provider, OAuth-style.

Option 2 works great if your user has an email provider that supports 3rd-party auth, such as Gmail/Google. But the only solution guaranteed compatible with most email providers is 1.

In essence, the answer to your question:

How should I handle the problem of people entering others' e-mail addresses without annoying them with “verification” e-mails?

Is that it is impossible in such a way that is fully compatible across all email providers. There is no practical way to verify that someone owns a specific email address besides sending a verification email.

Answer 2

There is not much you can do to avoid verification mails (in case you actually need to store and verify mails at all, of course): if you display it to users or sent mails to that address, you better make sure the owner has consented.

Besides verifying the email, it also somewhat is used to verify idendity (when more intrusive methods like Government eID, postal challenge, video proof or SMS are not acceptable).

Like mentioned in other answers (and For a particular nerdy audience) you can use OIC/OAUTH or similar social login providers - login with Facebook, GitHub, Google, Live.com, or Apple ID... This has the advantage that it usually also gives you a verified email address.

However, if you need to stick to the ubiquitous email, when you verify them, at least make sure to minimize the annoyance and compliance risks:

• rate limit the mails by receiver and web client ip
• optionally lower the chances for automated submissions with captchas (maybe coupled to „this ip range tried more than one access per hour“)
• make sure to make the verification mails short and unobtrusive, especially refrain from any advertising or passing along user controlled text (there are some google form invitations which sent you the survey title as spam)
• make sure the verification emails correctly identify your business (reason: besides the general courtesy to identify your business it is also a good idea to not send messages which allow „annoyed“ receivers to sue you on the grounds of formalities like missing business identification and tax number) and have a contact information for a human responder (so they can ask you if harassed via your service)
• make it clear that it is safe to ignored the challenge, but also provide a opt-out link so people can block their Email from beeing challenged (for 6 month or so)
• deny link in the email is actually safer than accepting a „deny me“ form on your web site since only the (annoyed) recipient can use it
• this is also EU GDPR relevant, so make sure to log all transactions around opt-in for proofing due diligence (and make sure to expire those records and not keep the ip addresses indefinite)
• you might want to maintain a deny list for high profile addresses and domains like whitehouse.gov (but this is a losing battle)

BTW some of those points are especially relevant for markets like Germany and EU where lots of legal battles happening around spam, unsolicited mails, data protection and business formalities. You did not specify which area you target, but in a global village it is not a bad idea to target the strictest regulatory framework.