Currently, Confluence allows you to disable signups entirely, have completely unrestricted signups (from any domain), or specify a list of email domains that are allowed to sign up - in which case an email with a token is sent to the user to verify they own the email address.

As an open source project, we need to have unrestricted public signups to Confluence (and JIRA) - we want people to get involved, and we can't know what email domains they are going to use (it could be a personal email address, or one associated with their employment).

These unrestricted sign ups are also completely unverified - as a result, and even with the (poor) captcha implementation in place, we are getting hit by automated signups to our public Confluence (and JIRA), and getting spam content and comments getting added to the sites.

If the email addresses were verified to be real by sending an email with a verification token before login was allowed, then this would greatly assist in reducing spam.

I would like to see the existing email account verification that is present when restricting to a domain to be available as an option for the "unrestricted signups" - so that people can register using any email domain, but they can not affect the content until they verify their email address.

This should apply to possible signups through JIRA as well as Confluence.