How to prevent the same normalized email from signing up multiple times

Right now with email+password, it is possible to sign up multiple times using different variations of the same functional email address.

For example, you can create one user with, and another one with, and both emails will reference the same actual functional email address,

This opens up for a whole variety of exploits and phishing attacks.
So my question is, how can we prevent multiple signups with the same normalized email address?

Hi @leif.ross

I would be interested in hearing your exploits/attacks you have.

You can use a pre-registration action or hook to normalize and look up the email, disallowing it if it exists.


It becomes a problem when connected to other services that normalize the mail, for example services that handle invitations to share resources by specifying the email address of the share target. Then suddenly both, or wrong account gets access to the resource.