HACKER Q&A
📣 dougk16

Verify email by user emailing me?


Most websites send a secret link to a user's email to verify they own the email address. But this has three main issues: (1) it often requires users to complete a CAPTCHA to prevent automated registration bots, (2) emails often go to spam, and (3) users can mistype their email address.

What if users sent a secret code to a service instead of receiving one? I was told by my inbound email processing service that if DKIM is valid and/or SPF passes then I can trust that the email address wasn't spoofed. Can anyone verify that? Are there any other gotchas from a security perspective?

I understand the UX would be a little unexpected and may drive people off. My question focuses on whether there are any security pitfalls compared to the traditional method of sending users a secret link.

Thank you!
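The check described in the question, as an added example that is not part of the question or either answer: a standard-library Python routine that reads the inbound service's Authentication-Results header (RFC 8601) and accepts the claimed From: address only when a passing DKIM or SPF result is aligned with it, that is, the DKIM `header.d` domain or the SPF-authenticated `smtp.mailfrom` domain matches the From: domain, the same identifier alignment DMARC requires. "DKIM valid" or "SPF pass" on its own does not bind the From: header: DKIM vouches for whichever domain signed, and SPF evaluates the envelope sender, so a mail sent through any correctly configured third-party domain can pass both while carrying an unrelated From: address. The header must also have been added by your own MX, identified by its authserv-id (`mx.verifier.example` here is a placeholder), because a sender can include a fabricated Authentication-Results header of their own. All domains, addresses, selectors and the secret code below are constructed.

```python
import hmac
import re
from email import message_from_bytes, policy
from email.utils import parseaddr


def _sample(auth_results):
    """Build a constructed inbound message carrying the given Authentication-Results value."""
    return (b"Authentication-Results: " + auth_results + b"\n"
            b"From: Alice <alice@example.org>\n"
            b"To: verify@verifier.example\n"
            b"Subject: verification\n"
            b"Content-Type: text/plain; charset=utf-8\n\n"
            b"My code is K7Q2M9XZ\n")


# Our MX authenticated example.org itself: DKIM d= and SPF MAIL FROM align with From:.
SAMPLE_ALIGNED = _sample(
    b"mx.verifier.example;\n"
    b"\tdkim=pass (2048-bit key) header.d=example.org header.s=sel1 header.b=AbCd12;\n"
    b"\tspf=pass smtp.mailfrom=alice@example.org")

# Same From:, but DKIM and SPF vouch only for a third-party sending domain.
SAMPLE_UNALIGNED = _sample(
    b"mx.verifier.example;\n"
    b"\tdkim=pass header.d=bulk-sender.example header.s=k1 header.b=EfGh34;\n"
    b"\tspf=pass smtp.mailfrom=bounce@bulk-sender.example")

# Aligned on paper, but the header was not written by our MX (foreign authserv-id).
SAMPLE_FOREIGN_AR = _sample(
    b"mx.elsewhere.example;\n"
    b"\tdkim=pass header.d=example.org header.s=sel1 header.b=AbCd12")

_COMMENT = re.compile(r"\([^)]*\)")  # RFC 8601 allows (comments) between tokens


def parse_auth_results(value):
    """Split an Authentication-Results value into
    (authserv-id, [(method, result, {ptype.property: value}), ...])."""
    parts = [p.strip() for p in _COMMENT.sub("", value).split(";") if p.strip()]
    if not parts:
        return "", []
    authserv_id = parts[0].split()[0].lower()
    results = []
    for part in parts[1:]:
        tokens = part.split()
        method, sep, result = tokens[0].partition("=")
        if not sep:
            continue
        props = {}
        for tok in tokens[1:]:
            key, sep, val = tok.partition("=")
            if sep:
                props[key.lower()] = val
        results.append((method.lower(), result.lower(), props))
    return authserv_id, results


def _aligned(from_domain, auth_domain):
    """DMARC-style identifier alignment: exact match, or one domain is a subdomain
    of the other (relaxed alignment approximated without the public suffix list,
    which a production check should consult)."""
    auth_domain = auth_domain.lower()
    if not from_domain or not auth_domain:
        return False
    return (from_domain == auth_domain
            or from_domain.endswith("." + auth_domain)
            or auth_domain.endswith("." + from_domain))


def authenticated_from(msg, our_authserv_id):
    """Return the From: address only if our own MX recorded a passing DKIM or SPF
    result whose authenticated domain aligns with the From: domain."""
    from_addr = parseaddr(msg.get("From", ""))[1].lower()
    from_domain = from_addr.rpartition("@")[2]
    for header in msg.get_all("Authentication-Results", []):
        authserv_id, results = parse_auth_results(str(header))
        if authserv_id != our_authserv_id.lower():
            continue  # not ours; the sender may have supplied it
        for method, result, props in results:
            if result != "pass":
                continue
            if method == "dkim" and _aligned(from_domain, props.get("header.d", "")):
                return from_addr
            if method == "spf":
                mailfrom_domain = props.get("smtp.mailfrom", "").rpartition("@")[2]
                if _aligned(from_domain, mailfrom_domain):
                    return from_addr
    return None


def verify_email_claim(raw_message, our_authserv_id, expected_code):
    """Return the verified address, or None if the mail is unauthenticated,
    unaligned, or does not carry the expected 8-character secret code."""
    msg = message_from_bytes(raw_message, policy=policy.default)
    from_addr = authenticated_from(msg, our_authserv_id)
    if from_addr is None:
        return None
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body is not None else ""
    match = re.search(r"\b([A-Z0-9]{8})\b", text)
    if match is None or not hmac.compare_digest(match.group(1), expected_code):
        return None
    return from_addr
```

Only `SAMPLE_ALIGNED` yields `alice@example.org`; the other two are rejected even though every individual DKIM and SPF result in them says `pass`. The secret code is compared with `hmac.compare_digest` rather than `==`, and the code should be single-use and tied to the pending account so that an authenticated but unrelated address cannot claim it.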


  👤 smt88 Accepted Answer ✓
Security is similar either way. The main difference is UX.

This certainly will alienate more users than you'd lose due to spam filters or typos.


👤 tarun_anand
Yes from a security perspective this is OK but not from a usability perspective.