Background
Until now, Discourse has shipped with e-mail normalization off. As a result, users can create multiple accounts backed by the same mailbox through plus addressing (sub-addressing), which most mail providers deliver to the base address. For example, a user with an account tied to bob@discourse.org is able to create another account tied to bob+again@discourse.org.
Discourse comes with the normalize_emails site setting, which can be flipped to either allow or disallow this. When turned on, it considers both e-mails above to be the same for the purposes of unique account validation, and Bob won't be able to create the second account.
Why are we changing it?
We have seen a big increase in spam sign-ups lately, with some sites receiving hundreds or even thousands of sign-ups from a single e-mail through the use of plus addressing. Needless to say, this is a rather nasty surprise when it does happen.
On the flip side, the reasons for allowing plus address sign-ups are mostly for facilitating staff testing, i.e. setting up test users without having to register new e-mails.
After considering this, we think it’s a much healthier default to have e-mail normalization enabled, and let admins disable it if and when it’s needed.
What about SSO?
Since users have less control over the exact e-mail being used when signing in via single sign-on (either DiscourseConnect or OAuth), this setting is ignored for those authentication methods.
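To make the behaviour concrete, here is an added example (not Discourse's own code, which lives in its User and UserEmail models and may differ in detail) that covers both the normalization step described under Background and the SSO exception above. The method names, the sample accounts and the sample sign-up batch are all constructed for this illustration; the optional strip_dots flag is an assumption about dot-insensitive providers such as Gmail and is not something the post describes.

```ruby
# Added example, not Discourse's own implementation.
# Collapse plus-addressed variants onto one canonical form:
#   bob+again@discourse.org -> bob@discourse.org
# The whole address is lower-cased as well, since the uniqueness check is
# case-insensitive. strip_dots is an ASSUMPTION not taken from the post: some
# providers (e.g. Gmail) ignore dots in the local part, so "b.o.b" == "bob".
def normalize_email(email, strip_dots: false)
  return nil if email.nil? || email.strip.empty?
  email = email.strip.downcase
  local, domain = email.split("@", 2)
  return email if domain.nil? || domain.empty? # not a full address; leave it alone
  local = local.split("+", 2).first             # drop the "+tag" part
  local = local.delete(".") if strip_dots
  "#{local}@#{domain}"
end

# Constructed stand-in for the users table.
EXISTING_ACCOUNTS = [
  "bob@discourse.org",
  "alice@example.com",
].freeze

# May `candidate` register, given the existing accounts?
# normalize_emails: the site setting from the post.
# sso: true when the user arrives via DiscourseConnect or OAuth; the post says
# the setting is ignored there, so only an exact (case-insensitive) match blocks.
def signup_allowed?(candidate, existing = EXISTING_ACCOUNTS, normalize_emails: true, sso: false)
  apply_normalization = normalize_emails && !sso
  key = ->(e) { apply_normalization ? normalize_email(e) : e.strip.downcase }
  taken = existing.map(&key)
  !taken.include?(key.call(candidate))
end

# Group a batch of sign-up addresses by canonical form. A single mailbox
# showing up with many plus-tagged variants is the spam pattern the post
# describes, and this is how an admin would spot it in a sign-up export.
def signups_per_canonical(emails)
  emails.each_with_object(Hash.new(0)) { |e, counts| counts[normalize_email(e)] += 1 }
end

# Constructed sample sign-up batch.
SAMPLE_SIGNUPS = %w[
  bob@discourse.org bob+1@discourse.org bob+2@discourse.org Bob+spam@Discourse.org
  alice@example.com
].freeze

if $PROGRAM_NAME == __FILE__
  puts signup_allowed?("bob+again@discourse.org", normalize_emails: false) # true: old default
  puts signup_allowed?("bob+again@discourse.org", normalize_emails: true)  # false: new default
  puts signup_allowed?("bob+again@discourse.org", sso: true)               # true: SSO ignores it
  p signups_per_canonical(SAMPLE_SIGNUPS)
end
```

The two things worth noticing: with normalize_emails on, the plus-tagged address is rejected only because its canonical form already exists, and the SSO path deliberately skips that step, so an identity provider that hands Discourse a plus-tagged e-mail will still get a separate account.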
But I liked/wanted this turned off
If you actively changed this setting in the past, we won’t do anything to it. It will remain set to whatever you configured.
Even if you didn't, don't fret. The setting is still there. Just head over to /admin/site_settings and turn it right back off.