If the majority of your signups come from Single Sign-On (SSO), usually seen on websites as sign-on with Google or Facebook, then this might not be an immediate priority for you. However, if your web application requires prospects to sign up and then verify their emails before experiencing your product, there is probably room to make that flow smoother and stress-free.
It has probably happened to you at some point (it has happened to me a few times). You sign up for a new account on a website and are prompted with a message like “an activation email has been sent to you.” Then you wait. Nothing. You refresh your inbox. Nothing. Ugh, not sure if that site is interesting anymore.
Thankfully, that doesn’t happen often. Email delivery services are much more advanced than in the past; they provide retry mechanisms and private IP addresses to minimize delivery issues. But why do we have to verify or activate our account in the first place? What can the engineering team do to allow good leads to skip the line?
Account verification and activation is a typical security best practice. Not to judge anyone by their email address, but would you feel comfortable allowing hackerU@xxx.com and other sketchy emails (see below some examples of signups we have received) to have access to your product without an email verification? What if it is not a person but a computer (bot) trying either to crawl your site or to send an irresponsible number of requests to your site with the sole purpose of bringing it down or slowing it down, so other users get frustrated with you?
So, how can we know or guess whether a signup is malicious or not? Well, the good news is that there are plenty of email verification services out there. They check the DNS servers for an email address without having to send an email to the user. If that email gets a green light, that’s likely a V.I.P lead; otherwise, if it is red-flagged, it is better to force them to follow the regular email activation flow.
We have been using NeverBounce, but below are two screenshots of Verify-Email illustrating how it can find a “good” email and a “bad” email. Each service has its strengths and weaknesses, and you will choose one depending on your requirements, whether that is fast response times, competitive pricing, or advanced analytics, for example.
Great, we have covered the first use case. If an email is deemed “bad”, that account has to be activated through that email; otherwise, no access is granted. Now, what if it’s a “good” email, but the person behind the signup wants to scam or harm people? Let’s pick a sensitive example. Let’s say someone signs up to Ashley Madison (an affairs website) with my email email@example.com and invites my boss to join that site, or even worse, sends a message to my wife or my kids, or asks me for money before doing that. Yep, that would be quite concerning. So, are we back to the start? It seems like we need email verification regardless, don’t we? Yes and no.
We already know how to mitigate the risk of malicious signups, so we just need to minimize any risks that scammers could bring. Eventually, we will need all accounts to be verified to provide access to all features. Still, unless your application’s main features are data-sensitive, such as sharing information, you can delay the email activation and restrict access to sensitive components. That’s what we call delayed email verification or V.I.P signup. The following is an example of what we did at ROSS.
Good leads have direct access to our app after signup. A banner is displayed right below the navigation menu informing the user that email verification is necessary. If a non-verified account attempts a restricted action, the user is prompted with a full-window popup notification, as follows:
In addition to making the signup process smoother, this feature also relieved the pressure and time sensitivity on on-call engineers, who had to be always attentive to any support ticket related to email verifications.
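A sketch of the delayed-verification gate described above, added here as an example and not ROSS's own code: a "good" verdict activates the account at once, any other verdict waits for the activation email, and unverified accounts are limited to an allow-list of actions. The verdict strings, action names, signing key and the HMAC-signed link token (which goes beyond what the article describes) are assumptions.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Assumptions: verdict strings, action names and the key are constructed for this sketch.
SECRET = b"demo-key-load-from-secret-store"
TOKEN_TTL = 24 * 3600
# Allow-list: an unverified account may do only these; any other action needs verification.
UNVERIFIED_ALLOWED = {"view_dashboard", "run_search", "resend_verification"}


@dataclass
class Account:
    email: str
    active: bool = False          # may sign in at all
    email_verified: bool = False  # has proven control of the mailbox


def sign_up(email: str, verdict: str) -> Account:
    """Only a 'good' verdict skips the line; 'bad', 'unknown' or errors fail closed."""
    return Account(email=email.strip().lower(), active=(verdict == "good"))


def make_token(account: Account, now: float) -> str:
    """Token for the verification link: expiry plus an HMAC bound to the address."""
    expires = str(int(now) + TOKEN_TTL)
    mac = hmac.new(SECRET, f"{account.email}|{expires}".encode(), hashlib.sha256)
    return f"{expires}.{mac.hexdigest()}"


def confirm_email(account: Account, token: str, now: float) -> bool:
    """Mark the account verified if the token is authentic and unexpired."""
    expires, _, sig = token.partition(".")
    mac = hmac.new(SECRET, f"{account.email}|{expires}".encode(), hashlib.sha256)
    if not hmac.compare_digest(mac.hexdigest().encode(), sig.encode()):
        return False
    if not expires.isdigit() or int(expires) < now:
        return False
    account.active = account.email_verified = True
    return True


def authorize(account: Account, action: str) -> str:
    """Return 'allow', 'prompt_verification' (the popup) or 'activation_required'."""
    if account.email_verified:
        return "allow"
    if not account.active:
        return "activation_required"
    return "allow" if action in UNVERIFIED_ALLOWED else "prompt_verification"
```

Because the gate is an allow-list, a feature added later is restricted for unverified accounts until someone deliberately opens it up.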
In terms of numbers, the percentage of unverified emails stayed pretty much the same, at around 10%, but we had a significant increase of 3.5% in trial-to-paid users. With V.I.P signups we could at least guarantee that all the money invested in acquisition channels would give good prospects a chance to try our fantastic product and not get blocked waiting for an activation email.
Another technique to guide leads through the funnel is email cadences. In our case, it did not turn out to have a good conversion for email verification (less than 1% of those who did not verify their email right after signing up would verify it after a second or third email reminder). But that’s a topic for another day.
I hope you enjoyed this article! Have a great day!