
I think validation should be done via sending an email to the email address on hand and then requiring the end user to click a link in the email to activate. For one, this validates that it's the actual user's account and then this also validates the address form without having to be pre-emptive at the start.


Yeah, it is kind of like authentication vs authorization when managing users. Just because a user is correctly logged in does not mean that they should have access to something in the system. Just because a valid email is entered does not mean that the person entering it is the owner of said email. Though these two concerns are often conflated!


And this could be abused. I sign up to a popular service with someone else's email address. I could be a nuisance and block them from signing up as themselves, even if it is temporary.


And all the companies ignoring that are really annoying me. I have a very common name and my email used to be firstname.lastname@gmail.com (not my primary anymore but I still forward the mail). Now the personal email I get is okay, I actually ask where the guy they sent the mail to is coming from. But newsletters without verification? Give me a break. I do report all of those as spam.


Unless that's actually necessary (for example, in PayPal's case), that's a major conversion obstacle for very little gain.
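The click-to-activate flow discussed in this thread, written so that an unconfirmed signup reserves nothing and so cannot block the real owner of an address. This is an added example, not code from any commenter; the class name, the 24-hour link lifetime and the case-insensitive address comparison are assumptions.

```python
import hashlib
import secrets

TOKEN_TTL = 24 * 3600  # assumed lifetime of a confirmation link, in seconds


class SignupVerifier:
    """Double opt-in: an address counts only after its emailed link is clicked."""

    def __init__(self):
        self.pending = {}      # sha256(token) -> (email, expiry timestamp)
        self.verified = set()  # addresses whose owner clicked the link

    @staticmethod
    def _digest(token):
        # Only the hash is stored, so a leaked table does not yield usable links.
        return hashlib.sha256(token.encode()).hexdigest()

    def start_signup(self, email, now):
        """Return the token to embed in the emailed link, or None if taken."""
        email = email.strip().lower()  # assumption: compare case-insensitively
        if email in self.verified:
            return None
        # An unverified signup reserves nothing, so several may be pending.
        token = secrets.token_urlsafe(32)
        self.pending[self._digest(token)] = (email, now + TOKEN_TTL)
        return token

    def confirm(self, token, now):
        """Consume a token; return the verified address or None."""
        entry = self.pending.pop(self._digest(token), None)  # single use
        if entry is None:
            return None
        email, expiry = entry
        if now > expiry or email in self.verified:
            return None
        self.verified.add(email)
        # Drop every other pending signup for this address, e.g. a squatter's.
        self.pending = {d: e for d, e in self.pending.items() if e[0] != email}
        return email
```

Newsletters and other outbound mail would be sent only to addresses in `verified`, which is the check the unverified-newsletter complaint above is asking for.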



