Same customer, multiple emails, same discount

The trick that costs you money every day

Here's something that probably happened on your store this week. A customer used your 15% welcome discount. Then they came back, typed [email protected] instead of [email protected], and the discount worked again.

Gmail ignores dots. Both addresses go to the same inbox. Shopify has no idea.

This is the single most common form of discount abuse on Shopify. It's easy, it's fast, and your customers figured it out a long time ago.

How many emails can one person have?

More than you'd think. A single Gmail account generates hundreds of valid variations:

• [email protected]
• [email protected]
• [email protected]
• [email protected]
• [email protected]
• [email protected]
• [email protected]

Every one of those delivers to the same inbox. Every one of those looks like a different customer to Shopify.

Then there are throwaway email services. Tempmail, Guerrillamail, Mailinator. No signup, works for a few minutes, discount redeemed, email gone. Over 3,000 of these services exist.

Why Shopify doesn't catch this

Shopify's "limit one use per customer" checks the email address on the customer account. That's it.

If someone checks out as a guest, there's no account. If someone creates a new account with a different email, it's a new customer. Shopify doesn't normalize emails. It doesn't strip dots. It doesn't remove plus aliases.

[email protected] and [email protected] are two completely different people in Shopify's eyes. Same inbox, same person, two discounts.

What email normalization does

Email normalization is the process of reducing an email address to its canonical form before comparing it against your order history.

For Gmail addresses, that means:

• Remove all dots from the local part (j.o.h.n becomes john)
• Remove everything after a plus sign (john+deal becomes john)
• Resolve domain aliases (googlemail.com becomes gmail.com)
• Lowercase everything

After normalization, [email protected], [email protected], and [email protected] all resolve to the same address: [email protected].

Now you can check whether that person has used your discount before. And get an honest answer.

Email alone isn't enough

Normalization catches Gmail tricks, but it doesn't catch someone who uses a completely different email provider. [email protected] and [email protected] could be the same person, but email normalization can't tell.

That's where other signals help.

Phone numbers are hard to fake. Most people have one, maybe two real phone numbers. If the phone on a new checkout matches a phone on a previous order, that's a strong signal.

Shipping addresses are even harder to change. People move, but not between orders placed a week apart. Fuzzy matching catches "123 Main Street Apt 4B" and "123 Main St #4B" as the same place. More on how that works on our features page.

IP addresses and device fingerprints round it out. Different email, same laptop? That's probably the same person.

What this looks like in practice

A customer checks out with [email protected] using your welcome discount.

With email normalization running at checkout:

1. The email gets normalized to [email protected]
2. That normalized email gets checked against previous orders
3. Order #1009 was placed by [email protected] two weeks ago
4. Checkout is blocked. Customer sees a message that the offer is for new customers only.

The customer can still buy at full price. They just can't use the discount again.

Getting started

If you want to see how much of this is happening on your store, OfferGuard's free Watchdog plan includes email normalization. It runs at checkout and shows you exactly which checks flagged each attempt in your Shopify admin.

The Sentinel plan at $29/month adds phone, address, IP, and device detection for stores that need the full picture. Pricing details here.

Most stores are surprised by what they find. The abuse is there. You just can't see it until you normalize the emails.