1. 40
  1.  

  2. 25

    You cannot imagine the number of times where I have successfully signed up for a website with an email address that looks like me@example.email. Yes, .email is a completely valid domain name, and yes, I own one (don’t ask why). I use the site just fine. Then, the site decides to reset my password due to a data breach (don’t fault them for that), but then my email is marked as “invalid” by the forgotten password form.

    When I have a valid account on their site with that email.

    If you can’t tell, I’m bitter.

    1. 12

      I have had this happen with plus addressing (user+sitename@example.com) as well. Account creation works, but then some other component (login, password reset, etc) just refuses to accept it.
      That always makes me super happy /s.

    2. 14

      Here’s an alternative that I never see:

      Stop demanding my email address.

      Most of the time, I don’t want emails from you. I especially don’t want emails from services I no longer use–I don’t care that your privacy policy was updated, or that you rolled out some new feature, or anything! Make the email field optional, I’ll enter it in if I truly want to hear from you.

      1. 7

        Password reset schemes become a lot harder without a confirmed email address though. Of course, you could take a phone number instead, which I seem to recall was common in Hong Kong when I lived there.

        1. 4

          I want to give you my phone number far, far less than I want to give you my email address. It’s trivial to create throwaway email addresses, easy to filter, easy to block, and emails don’t actively interrupt me; none of those are true of phone numbers/calls.

          1. 3

            Phone numbers are more frequently recycled too, I’d imagine. I just shared my experience: I didn’t advocate for it :-)

          2. 2

            Were it not for the necessity of ensuring that users have a way back into their account when they lose their password, and the fact that text messages cost money to send while email is basically free, I’d get rid of the email input.

            I also use email addresses as a login name whenever it’d be silly to make people come up with a username unique on that site (i.e. whenever there’s no public URLs or containing user names or form fields where other users have to enter them).

            1. 1

              You don’t have to make it mandatory though, you could make it an optional field, and if they don’t have one and they lose their password, then though luck. People always make these “problems” out as way more complicated than they really are.

              1. 5

                It is true that you could do that, but for any significant service (say, one that has your credit card information on file), saying “tough luck” is an unacceptably terrible user experience from the perspective of most product owners.

                1. 1

                  Then they could provide actual forms of identification to support in the form of passports or national IDs that could be verified.

                  1. 1

                    People always make these “problems” out as way more complicated than they really are.

                    Is what you are proposing - ID document verification - not enormously more complicated than simply asking for an email address?

                    1. 1

                      The point is that if you don’t actually need my email there is no reason to ask for it when there are alternative ways to prove your identity for the very few times I’d ever need to reset my password, and if I thought that I might not remember the password due to not using the site often, I’d put in a damned email (which you better not reject based on your broken validation schemes).

                      And especially when it comes to things that have my credit card info I’d really rather they required some actually mostly secure form of verification when resetting my password, like ID checking, rather than using email, which… yeah.

          3. 4

            Or maybe don’t require me to validate it? I enter an address, you don’t email it.

            1. 4

              Often times the validate step is to prevent spam accounts.

            2. 3

              Yeah, I’ve never required an email address in my applications so I could spam people. it’s so they have a way to get back into their account if they forget their password.

            3. 8

              This article made my day. It was very enjoyable to read and I love the writing style!

              The points given are true. The best way really is just sending a confirmation mail.

              1. 7

                Why can’t you just accept arbitrary string for email and then validate it by having the user click on the link sent?

                1. 6

                  That’s what the article actually advocates:

                  The 100% correct way

                  Send your users an activation email. (That’s a bold full-stop for effect.)

                2. 7

                  I’d just like to point out that <input type="email" /> lets you effectively outsource any client-side validation work to the browser itself. It is very well supported, and makes things nicer for mobile users by bringing up an email-specific keyboard with a prominent @ key.