
Email validation tool to check someone works at an organisation

@Berryessa370

Posted in: #EmailAddress #Validation

I am setting up a tool that allows users to claim a company profile and am wondering if there is an automated way to validate that the email they enter actually belongs to the organisation.

E.g., if a user signs up to claim the 'XYZ Corp' profile as user@xyzcorp.com, I want to check that XYZ Corp's email handle really is xyzcorp.com, not xyz.net or xyz-corporate.com.


3 Comments


@Si4351233

What will you do if someone does work for a company that wants to claim their company page and uses Gmail, Yahoo, AOL, or some other email address not on their company domain? What if their corporate domain is different than the company domain? yahoo-inc.com or variations are not uncommon. Or if the parent company has an entirely different name than the company they want to claim?

Like most other sites, you just need to allow for people to re-claim listings. Unless you mail postcards to a company address you verified, there's no foolproof way of avoiding people registering others' companies.

Building an email validation check to match a company name/domain is going to drop your conversion rates significantly.

You're thinking way too complex for your application, and there are probably much more important features that your developers can be spending time on. Let people register and send a verification link in the email. On all business listings, have a link to re-claim the listing or a link saying "Is this your company" linking to a FAQ on how to re-claim a listing that truly does belong to that person.


@Ogunnowo487

If CA-signed SSL certificates worked the way they were originally intended to then it would be possible to just verify that the email domain has a CA-signed certificate issued to the company name you're verifying a link to.

When you get a CA-signed SSL certificate, the annual fee you pay is theoretically to cover the cost of the CA verifying your identity, thus a CA-signed certificate guarantees to visitors that you are who you (and the CA-issued certificate) say you are. The CA is supposed to recheck each year to make sure the certificate info is still valid.

However, the chain of trust has long since been broken, and it's now possible for criminals to get SSL certificates with false info, allowing them to impersonate another organization. It's just cheaper and more lucrative for CAs to issue signed certificates to anyone who applies without verifying their identity. Likewise, it's cheaper and more lucrative for a CA to issue certificates to other CAs without verifying that CA's verification practices.

Not all CAs are necessarily this bad, but there's been very little accountability in the certificate chain for a very long time. And all it takes is for one rogue CA to enter the system to break the entire chain of trust.

So now we have to purchase EV certificates to do what the original CA-signed certificates were supposed to do. But very few organizations purchase EV certificates, so you won't get much help there.

So your only options are to either:


trust regular CA-signed SSL certificates (and perhaps prune the root CAs down to only the small number whose certificate chains haven't been compromised by shady intermediate CAs) and manually verify the rest;
or you could purchase/subscribe to a business database from a company like Dun & Bradstreet or Jigsaw (now owned by Salesforce) or another credit check or datamining company;
or, possibly, use a public government database of registered businesses if email or website information is listed; though this option is unlikely to work in the near future.


Or you could just use the bank/credit network's verification system by requiring a small payment from the company account.


@Ravi8258870

I can't see any easy or standard way to handle this; here are some suggestions:


keep within your application an up-to-date table in your database that will store the link between company and e-mail format
send a link to the user so that he will confirm his subscription (or whatever) so that you ensure (at least partially) that the e-mail is correct
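
A sketch of the two suggestions in the reply above (a company-to-domain table plus a confirmation link), as an added example that is not part of the original thread. The table contents, the free-mail list, the function names, the `send_link`/`manual_review` outcomes and the HMAC-signed link token are all assumptions made for illustration.

```python
import hashlib
import hmac
import time

# Constructed sample data: the company -> e-mail domain table suggested above.
COMPANY_DOMAINS = {"XYZ Corp": {"xyzcorp.com"}}
FREE_MAIL = {"gmail.com", "yahoo.com", "aol.com"}  # webmail cannot prove employment
SECRET = b"replace-with-a-random-server-side-key"  # placeholder, not a real key


def classify_claim(company, email):
    """Return 'send_link' or 'manual_review' (hypothetical outcome names)."""
    local, sep, domain = email.strip().rpartition("@")
    domain = domain.lower().rstrip(".")
    if not sep or not local or not domain:
        return "manual_review"
    if domain in FREE_MAIL:
        return "manual_review"
    # Exact match only: suffix or substring tests would accept
    # look-alikes such as xyz-corporate.com or xyzcorp.com.example.
    if domain in COMPANY_DOMAINS.get(company, set()):
        return "send_link"
    return "manual_review"


def make_token(company, email, now=None, ttl=3600):
    """Build the value embedded in the confirmation link: expiry plus HMAC."""
    expires = int(now if now is not None else time.time()) + ttl
    msg = f"{company}|{email.lower()}|{expires}".encode()
    return f"{expires}.{hmac.new(SECRET, msg, hashlib.sha256).hexdigest()}"


def check_token(company, email, token, now=None):
    """Accept the link only if it is unexpired and bound to this claim."""
    expires_s, _, sig = token.partition(".")
    try:
        expires = int(expires_s)
    except ValueError:
        return False
    msg = f"{company}|{email.lower()}|{expires}".encode()
    good = hmac.new(SECRET, msg, hashlib.sha256).hexdigest()
    fresh = expires >= (now if now is not None else time.time())
    return fresh and hmac.compare_digest(sig.encode(), good.encode())
```

A domain match only shows that the address is on the expected domain; the claim is confirmed when the emailed link comes back with a token that `check_token` accepts.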
