HACKER Q&A
📣 popcalc

Reverse Email Verification


Where instead of you receiving an email with a verification code during the signup flow, YOU are expected to send an email TO the site? Would this not circumvent the ever-present issue of email deliverability and ending up in spam? Of course, it will probably hurt conversions and you'd have to drop non-SPF domains, but with a mailto: href you could make it a bit smoother?

I'd be curious to know where the issues arise with such a theoretical solution. Has anyone encountered this in the wild?


  👤 LeonM Accepted Answer ✓
It's because anyone can send email from any email address.

SPF, DKIM and DMARC prevent impersonation on the domain level, but not the account level. Basically, if you can send using you@domain.com, you can also send as someone_else@domain.com.

Now, of course your sending SMTP service _should_ prevent this by means of authentication, but the receiver can't rely on this.
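
Below is an added illustration of the point in this answer, written for this thread and not taken from any poster or product. It models the receiving side of the proposed "reverse" flow: the site issues a per-signup token (assumed to be placed in the mailto: subject), the inbound mail lands in a verification mailbox whose MTA stamps an Authentication-Results header (RFC 8601), and the site checks token, From address and DMARC alignment. The mailbox names, token format and the three sample messages are constructed for the example.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample messages (not from the thread). All three arrive at the
# site's verification mailbox after its MTA has added an Authentication-Results
# header. In the second one the sender authenticated to the example.com relay
# as alice but wrote bob in From; SPF, DKIM and DMARC still pass because they
# only vouch for the domain.
LEGIT_MAIL = """\
Authentication-Results: mx.site.example; spf=pass smtp.mailfrom=bob@example.com; dkim=pass header.d=example.com; dmarc=pass header.from=example.com
From: Bob <bob@example.com>
To: verify@site.example
Subject: [verify tok-7f3a]

"""

SPOOFED_LOCALPART_MAIL = """\
Authentication-Results: mx.site.example; spf=pass smtp.mailfrom=alice@example.com; dkim=pass header.d=example.com; dmarc=pass header.from=example.com
From: Bob <bob@example.com>
To: verify@site.example
Subject: [verify tok-7f3a]

"""

FORGED_DOMAIN_MAIL = """\
Authentication-Results: mx.site.example; spf=fail smtp.mailfrom=bob@example.com; dkim=none; dmarc=fail header.from=example.com
From: Bob <bob@example.com>
To: verify@site.example
Subject: [verify tok-7f3a]

"""

# Constructed: signups waiting for an inbound mail, keyed by the token the
# site put into the mailto: subject. Hypothetical token scheme.
PENDING = {"tok-7f3a": "bob@example.com"}
TOKEN_RE = re.compile(r"\[verify (tok-[0-9a-f]+)\]")


def parse_auth_results(header: str) -> dict:
    """Parse an Authentication-Results value into {method: (result, props)}."""
    parts = [p.strip() for p in header.split(";")]
    results = {}
    for part in parts[1:]:  # parts[0] is the authserv-id (the stamping MTA)
        if not part:
            continue
        tokens = part.split()
        method, _, result = tokens[0].partition("=")
        props = dict(tok.partition("=")[::2] for tok in tokens[1:] if "=" in tok)
        results[method.lower()] = (result.lower(), props)
    return results


def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower()


def authenticated_domain(raw: str):
    """Return the domain that DMARC actually vouches for, or None.

    A DMARC pass means the From domain is aligned with an SPF- or
    DKIM-authenticated identifier. That is domain-level evidence only;
    nothing in the header vouches for the local part before the '@'.
    """
    msg = message_from_string(raw)
    results = parse_auth_results(msg.get("Authentication-Results", ""))
    dmarc = results.get("dmarc")
    if not dmarc or dmarc[0] != "pass":
        return None
    from_domain = domain_of(parseaddr(msg.get("From", ""))[1])
    if dmarc[1].get("header.from", "").lower() != from_domain:
        return None
    return from_domain


def evaluate(raw: str, pending: dict = PENDING) -> dict:
    """Decide what the receiving site may conclude from one inbound mail."""
    msg = message_from_string(raw)
    claimed = parseaddr(msg.get("From", ""))[1].lower()
    m = TOKEN_RE.search(msg.get("Subject", ""))
    token = m.group(1) if m else None
    verdict = {"claimed": claimed, "token": token,
               "authenticated_domain": authenticated_domain(raw)}
    if token not in pending:
        verdict["status"] = "unknown-token"
    elif claimed != pending[token]:
        verdict["status"] = "from-mismatch"
    elif verdict["authenticated_domain"] != domain_of(claimed):
        verdict["status"] = "domain-unauthenticated"
    else:
        # The strongest honest statement: "someone at this domain who holds
        # this token". The local part remains the sender's own claim.
        verdict["status"] = "domain-verified"
    return verdict


if __name__ == "__main__":
    for name, mail in [("legit", LEGIT_MAIL),
                       ("spoofed local part", SPOOFED_LOCALPART_MAIL),
                       ("forged domain", FORGED_DOMAIN_MAIL)]:
        print(name, "->", evaluate(mail)["status"])
```

The forged-domain message is rejected, which is what SPF, DKIM and DMARC buy you. The spoofed-local-part message gets exactly the same verdict as the legitimate one: the receiver can establish that mail came from example.com's infrastructure, but whether the person behind it is bob or alice depends entirely on that domain's own sender-authentication policy, which the receiver cannot see or rely on. Comparing smtp.mailfrom with From would not close the gap either, since the envelope sender is also chosen by whoever is using the relay.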


👤 amadeuspagel
Some old mailing lists work that way.

👤 tetris11
Isn't email like regular post? I (a potential misuser) could scrub the "From" address of an email, impersonate you, and verify that I have set up an account in your name.