Sending email to activate account?


(Erick Guan) #1

Email providers may fail to send an email. A confirmation email may get lost on the way. In some conditions, polling a mailbox may be much more reliable than sending an email.

Can we have an option to let the user send an email to Discourse if polling is enabled? Say:

If you still encounter a problem, send an email to ‘poll+{key}@discourse.org’ to activate your account. You may have to wait for several minutes for activation.

The setting generates a token for incoming activation of email and should be set to invalid after activation.

When the user sends an email to that address, Discourse can confirm the validity of the email.

There are a bunch more instructions for reading, thus:

  • setting is off by default
  • have to set polling

(Jeff Atwood) #2

I can’t say I’ve seen any other website do this? Feels mighty weird to me.

One thing that has been suggested which I do want to add, is the ability to change the email address at this stage if you typed it in wrong or just used the wrong email account.


(Erick Guan) #3

No. You can’t find a fairly good example of this. It’s just a thought to provide another way to help the activation process. Subscription to some mailing lists has a similar process. But it is not aligned with account registration/activation.

It’s an edge case but might be a way to mitigate email being rejected by email services. In this scenario, Gmail filters the spam but does not reject email. But a few email services reject the emails if you send email over a certain limit (the limit is credential). Those services don’t care whether the mail comes from MailGun, etc.

For instance, mail.qq.com rejects emails from an IP if it sends email over a limit per hour/day. Unfortunately, they do have 300m+ users. FYI, companies that want to make sure their email arrived will build an email server on their own and ask Tencent to whitelist this server.

Basically, this way is not elegant at all and it’s not Discourse’s fault. Anyway, I will put this thought here. Even if it’s not a core feature, it can be a plugin.

This feature request is irrelevant to changing the email address, though. The key matches exactly the same email provided. If this feature is going to be implemented, when a user changes the email address at that stage, a new key will be assigned to confirm the new email.


(Michael Downey) #4

Similar behavior is seen in old-school LISTSERV implementations. i.e., “Reply to this email or click this link to confirm your subscription.”


(Dean Taylor) #5

I can understand replying to an email as a method of confirming because:

  1. You have received the email which includes some unique element.
  2. The reply will reply to a unique email address for that user / or include a “key” in the email headers / message.

To just accept an email without any “key” (currently a unique URL) generated by the server does not confirm email address ownership.

Emails are still very easily forged!

The outlined method by OP is not one I would back.


(Michael Downey) #6

Actually OP does specifically mention using a reply key in the recipient address. 🙂

The OP approach would only be authoritative if those instructions arrived by email.


(Kane York) #7

Yes, but that just proves:

  • you saw the registration page
  • you can send as that email address (aka basically everyone)

but it does not prove

  • you can receive at that email address
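
A toy model of the point made in posts #5 to #7, added here as an example and not part of the thread or of Discourse's code. It compares a key shown on the registration page with a key that only reaches the claimed inbox; the class, method names, and the `forum.example` and `mail.example` addresses are all hypothetical.

```ruby
require "securerandom"

# Toy model of the two activation flows debated in the thread.
# All names and addresses are hypothetical; this is not Discourse code.
class ActivationModel
  KEY_RE = /\Apoll\+(\h{32})@forum\.example\z/
  attr_reader :mailboxes

  def initialize
    @pending   = {}                             # key => address claimed at signup
    @activated = {}                             # address => true
    @mailboxes = Hash.new { |h, k| h[k] = [] }  # what each real inbox received
  end

  # channel :page  -> key is shown on the registration page (the proposal)
  # channel :email -> key is delivered only to the claimed inbox
  # Returns what the person filling in the form gets to see.
  def register(address, channel:)
    key = SecureRandom.hex(16)
    @pending[key] = address
    return key if channel == :page
    @mailboxes[address] << key
    nil
  end

  # Inbound poll handler. `from` is a header chosen by the sender, so
  # matching it against the claimed address adds no assurance by itself.
  def inbound(from:, to:)
    key = to[KEY_RE, 1]
    return false unless key && @pending[key] == from
    @pending.delete(key)                        # single use
    @activated[from] = true
  end
end

def demo
  addr = "owner@mail.example"                   # constructed sample address
  page = ActivationModel.new
  shown = page.register(addr, channel: :page)   # registrant sees the key
  mail = ActivationModel.new
  mail.register(addr, channel: :email)          # registrant sees nothing
  guess = "poll+#{SecureRandom.hex(16)}@forum.example"
  {
    page_key_without_inbox: page.inbound(from: addr, to: "poll+#{shown}@forum.example"),
    inbox_received_nothing: page.mailboxes[addr].empty?,
    guessed_key: mail.inbound(from: addr, to: guess),
    key_read_from_inbox: mail.inbound(from: addr, to: "poll+#{mail.mailboxes[addr].last}@forum.example")
  }
end
```

In the `:page` flow the account activates although the claimed inbox never received anything, which is the gap the replies describe; in the `:email` flow activation requires the key that was delivered to that inbox.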

(Erick Guan) #8

Thanks for the replies! I also found this:

Basically, only receiving an email can prove the authenticity.

This topic can be closed 🙂


(Erlend Sogge Heggen) #9