by rajvosa07 3008 days ago
You shouldn't do this UNTIL you need to.

You NEED to before allowing any operations that rely on this information being accurate. Let's say you are allowing users to chat with each other, or share information. In that case it is super helpful to verify the initiating user's email as proof of identity, so I can't just enter your email and phish someone...

2 comments

I would agree with this assessment, but also add confirmation before you were ever to dispatch any email sent to the address.

I work for an ISP/services company and we require confirmation for everything.

Personally though, I abhor companies that allow account creation without confirmation. I have a Gmail address that is my id, minus the first r in it. Over the years, I've received oil change notifications from people's cars, trip/hotel/dinner reservations with click-through ability to alter without supplying anything, rental agreements, billing, dating profiles, etc. that I have total control over because people are idiots. There has to be some kind of railing in place to keep lemmings from leaping off the precipice.

How do you handle duplicate, non-verified emails? Would you create two non-verified records?

If the first user created the record, but the second one legitimately owns it, then the second user will not be able to use their email address - that doesn't seem right to me.
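
One possible design for the situation discussed in this thread, as an added example that is not from any commenter: several unverified records may claim the same address, only the record that proves control of the mailbox becomes its owner, and actions that reach other people are gated on that proof. The `Registry` class, its method names, the HMAC token scheme and the sample address are all assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

SERVER_KEY = secrets.token_bytes(32)  # constructed per-process key for this demo


class Registry:
    """Accounts may claim an email unverified; only a verified claim owns it."""

    def __init__(self):
        self.accounts = {}  # account_id -> {"email": str, "verified": bool}
        self.owner = {}     # email -> account_id of the verified owner

    def _token(self, account_id, email):
        # Token is bound to both the account and the address it claims.
        msg = f"{account_id}:{email}".encode()
        return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()

    def sign_up(self, account_id, email):
        email = email.strip().lower()  # assumed normalization for the demo
        if email in self.owner:
            raise ValueError("email already verified by another account")
        self.accounts[account_id] = {"email": email, "verified": False}
        # Returned here for the demo; in practice it is mailed to `email` only.
        return self._token(account_id, email)

    def verify(self, account_id, token):
        acct = self.accounts.get(account_id)
        if acct is None or acct["email"] in self.owner:
            return False
        expected = self._token(account_id, acct["email"])
        if not hmac.compare_digest(expected, token):
            return False
        acct["verified"] = True
        self.owner[acct["email"]] = account_id
        # Drop competing unverified claims so they cannot squat on the address.
        for other, a in list(self.accounts.items()):
            if other != account_id and a["email"] == acct["email"]:
                del self.accounts[other]
        return True

    def may_contact_others(self, account_id):
        """Gate chat, sharing and outbound mail on a verified address."""
        acct = self.accounts.get(account_id)
        return bool(acct and acct["verified"])
```
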