I apparently have an email address that people either mistype often or put in thinking it is funny/bogus. I'm for this idea of sending an activation email to verify it, but not just a simple activation email; it needs to have a few features in it.<p>First, it needs to not contain any personal information, because why would you send personal info to an address that's not verified? Next, verification should be more than clicking the link or typing a code. I should have to click the link or enter the code on the browser that I've already logged in with. There are major sites that don't do this, and I've been able to verify, then reset the password to someone's account. Basic security thought process needs to go into this chain of events to verify an email that can reset passwords. Finally, there needs to be a link to indicate that it's a wrong email. There are spam places that use this to capture emails, but when big names don't offer this feature it boggles the mind.
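An added example, not part of the comment above, of the session-bound check it asks for: the activation token is an HMAC over the account, the address and the session that requested verification, so opening the link in any other browser fails. The names `issue_token`, `verify_token`, `SERVER_KEY` and `TOKEN_TTL` are hypothetical, and the one-hour lifetime is an assumption.

```python
import hashlib
import hmac
import secrets
import time

SERVER_KEY = secrets.token_bytes(32)  # assumption: per-deployment secret key
TOKEN_TTL = 3600                      # assumption: link is valid for one hour


def _mac(account_id, email, session_id, expires):
    # Length-prefix every field so ("ab", "c") and ("a", "bc") cannot collide.
    parts = (account_id, email.lower(), session_id, str(expires))
    msg = b"".join(
        len(p.encode()).to_bytes(4, "big") + p.encode() for p in parts
    )
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def issue_token(account_id, email, session_id, now=None):
    """Build the value placed in the activation link; it holds no personal data."""
    issued = now if now is not None else time.time()
    expires = int(issued) + TOKEN_TTL
    return f"{expires}.{_mac(account_id, email, session_id, expires)}"


def verify_token(token, account_id, email, session_id, now=None):
    """Accept the link only inside the logged-in session that requested it."""
    if session_id is None:  # link opened without a login: never verify
        return False
    try:
        expires_s, mac = token.split(".", 1)
        expires = int(expires_s)
    except ValueError:
        return False
    if (now if now is not None else time.time()) > expires:
        return False
    expected = _mac(account_id, email, session_id, expires)
    # Constant-time comparison; bytes avoid a TypeError on non-ASCII input.
    return hmac.compare_digest(mac.encode(), expected.encode())
```
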
As I understand it, the goal of validating e-mail syntactically is a defense against various attacks based on injection of malicious data/code. One wants to restrict what might be entered by a user, to forbid something like "hello@example.com; sh -c sudo rm -rf /* &;". Or maybe strings which interfere with SMTP to send spam mail from the site's address.<p>Such validation has to occur at some point before the SMTP commands have been written into the SMTP socket. If the underlying code that sends an email is safe against invalid email addresses, then there is not much reason to validate the address before passing it to the underlying code, but this safety can be reached only by validating the address in the underlying code.