Guest checkout makes your discount codes worthless
No account, no protection
Shopify's "limit to one use per customer" works by checking the customer account. If the email on the account has used the code before, the code is rejected.
Guest checkout has no account.
There's nothing to check against. A customer enters any email address, the discount gets applied, and Shopify has no record connecting this checkout to any previous one. The "one per customer" setting is irrelevant.
This isn't a bug. It's just how it works. And it's been this way for years. There are Shopify community threads going back to 2018 asking about this exact problem with no native solution.
You can't just turn off guest checkout
The obvious fix is to require accounts. But that comes with a real cost.
Guest checkout exists because it converts better. Forcing account creation adds friction. For some stores, requiring an account before purchase drops conversion rates by 20-30%. That's a lot of revenue to give up just to protect a discount code.
Most merchants accept guest checkout as a necessary part of doing business. The question is how to protect your offers without removing it.
How easy is the abuse?
Extremely. Here's the flow:
- Customer visits your store, adds a product, enters your welcome code at checkout
- Checks out as a guest with [email protected]. Code works. Order placed.
- Next day, same customer, same browser. Adds same product.
- Enters [email protected] at guest checkout. Code works again.
- Repeat with [email protected], [email protected], a throwaway email.
Shopify confirmed in their own documentation that they do not use IP address validation for discount limits. A customer can use different email addresses from the exact same device and Shopify treats each one as a separate customer.
The real cost
Say your welcome offer is 15% off, and your average order is $80. That's $12 per abusive redemption.
If 10 people do this twice a month, that's $240 in unnecessary discounts. Some of those people will do it five or six times. Across a year, it adds up to thousands.
And you never see it happening because each checkout looks like a legitimate new customer.
What actually stops guest checkout abuse
Since there's no account to check, you need other signals to identify repeat buyers. The 5-signal detection chain approach works like this:
Email normalization catches the Gmail tricks. [email protected] resolves to [email protected] before anything else runs.
Phone numbers are hard to fake. The shipping phone on a guest checkout gets compared against phones on previous orders.
Addresses get fuzzy-matched. Same street, different apartment format? Still a match.
IP addresses track how many different emails have checked out from the same network.
Device fingerprints identify the same browser across sessions. New email, same laptop. Caught.
All of this runs at checkout, before the order is placed. If a match is found, the discount is blocked. The customer can still buy at full price.
Start with email, add signals as needed
If you're not sure how much guest checkout abuse your store has, start with email normalization. It's the simplest signal and catches the most abuse.
OfferGuard's free Watchdog plan runs email normalization on up to 50 checkouts per month. Enough to see the pattern. The Sentinel plan at $29/month turns on all five signals for full guest checkout protection.
The abuse is already happening. The question is whether you can see it.
More posts
Same customer, multiple emails, same discount
A single customer can use your discount code five times with five Gmail variations. Shopify counts each one as a new person.
How to prevent discount code abuse on Shopify
Your welcome discount is probably being used more than once. Here's how it happens and what you can do about it.