{
"$type": "site.standard.document",
"bskyPostRef": {
"cid": "bafyreiaqkox2iu7ezwf5zdsxhpz7bs3zswhztcateigwdcw3oe7ocldgha",
"uri": "at://did:plc:anldby4lwneunjl777bq6ih7/app.bsky.feed.post/3mfgdyna52c52"
},
"coverImage": {
"$type": "blob",
"ref": {
"$link": "bafkreiejfawmcmhdq3pyiaoireybewnkrhxnwxxa6vappuquagr5npazle"
},
"mimeType": "image/png",
"size": 1084766
},
"description": "[In Depth #38] You can't trust an email address you haven't verified, so why are you storing them in your database? ",
"path": "/in-depth-email-verification-isnt-as-simple-as-you-think/",
"publishedAt": "2026-02-22T04:57:12.000Z",
"site": "https://securinglaravel.com",
"tags": [
"**MFA**",
"_rely on checking for`@company.com`_",
"As per the docs",
"Subscribe now"
],
"textContent": "A friend of mine sent through the following:\n\n> I was examining an app we've been maintaining for a bajillion years, and noticing that our process for allowing someone to update their email address was perhaps lacking, security-wise. Yes, we were reissuing a verification email and resetting their verification status, but it occurred to me, what if they typed their email address wrong? Did we just overwrite their current email with a bogus email? And when I started thinking through a solution it got less straightforward - do I store the pending email address as a separate field? Or embed it in the verification link somehow? Do I need to send an email to the original email address as well, as an extra security measure? Should I have the user confirm their password when they are updating their email address?\n\nThis poses a bunch of great questions, so we'll work through each and see how they fit into the bigger picture of email verification.\n\nHowever, before we do that, there are two questions we need to answer:\n\n## Do We Need to Verify Email Addresses?\n\nIt depends on what your app does, and the sort of data it processes.\n\nIf your app doesn't process any sensitive or personal data, and the email address is basically just a username - used for the purposes of authentication ~~and account recovery~~, then there isn't much need to verify email addresses. You don't need to care about it being a legitimate email if you don't send users ~~important~~ emails, and if a user loses their password, they can just create a new account.\n\nHowever, you should verify email addresses any time you care about:\n\n 1. **Account recovery** - _if a user typos their email, they can't recover their account._\n 2. **Contacting your users** - _you can't email them if you don't have their real email._\n 3. **Identifying users** - _legal and compliance often requires you to know your users, and to do that, you need legitimate email addresses._\n 4. **Reducing spam and abuse** - _you don't want spam/abuse victims being signed up to your app without their knowledge._\n 5. **Delivery Reputation** - _your email sending reputation could be damaged if you're sending emails to fake or non-user addresses._\n 6. **Multi-Factor Authentication (MFA)** - _email OTPs are a simple and useful MFA option for non-technical folks._\n 7. **Security Alerts** - _you need a way to notify users of suspicious activity on their account._\n 8. **Prevent Impersonation / Privilege Escalation** - _many apps rely on checking for `@company.com` in the user's email address to unlock admin features; without verification this can be trivial to exploit. Even with manual account verification, a staff member who sees the account email could be tricked into thinking it's a staff account._\n\nGranted, a bunch of these could be considered the user's ~~fault~~ responsibility, and if they get their own email address wrong, then that's their problem. If this is the case for you and your app, then you might not _need_ email verification.\n\nHowever, if you're serious about your apps and looking after your users, then Email Verification is important. You cannot trust or safely use an email address until it has been verified by the user.\n\n## How Does Laravel Do It?\n\nOK, before we work through these questions, let's see what the default behaviour in Laravel is. To test this, I set up a fresh Laravel app (with `laravel new`) using the Livewire Starter Kit. This will give us basic user account scaffolding to test.\n\n### Laravel's Default\n\nDefault Laravel profile details\n\nIt shouldn't be a surprise that by default there is no email verification enabled.\n\nAs per the docs, enabling email verification is trivial: add the `Illuminate\\Contracts\\Auth\\MustVerifyEmail` interface to your `User` model, and the `verified` middleware to your routes.\n\nOnce it's enabled, you'll be presented with the verification challenge:\n\nLaravel email verification challenge\n\nChanging your email address immediately saves the new email and resets verification:\n\nUser profile with unverified message.\n\nThis is a fairly basic and standard approach, which is to be expected.\n\nHowever, this implementation leaves a bunch of our questions unanswered, and raises some concerns when you consider what happens if the user doesn't immediately complete the verification.\n\nIf we consider our list of reasons for having email verification, I have the following concerns immediately:\n\n### This post is for subscribers only",
"title": "In Depth: Email Verification Isn't as Simple as You Think",
"updatedAt": "2026-02-22T04:57:12.000Z"
}