How email normalization catches repeat buyers on Shopify
The Same Inbox, a Thousand Different Emails
Gmail is the most popular email provider in the world. It's also the easiest to exploit when a Shopify store tries to limit a product to one purchase per customer.
Here's why: Gmail has two features that, when combined, give a single user access to thousands of email addresses that all deliver to the same inbox. To Gmail, they are all the same person. To your Shopify store, each one is a brand new customer.
Understanding these two features — and how email normalization neutralizes them — is the first step to protecting your new-customer-only products.
The Dot Trick
Gmail ignores periods in the local part of an email address. The "local part" is everything before the @ symbol.
That means these addresses all deliver to the same inbox:
For a six-letter username, there are dozens of possible dot combinations. For longer usernames, the number climbs into the hundreds or thousands. Every single variation looks like a unique email address to Shopify's order system.
When a customer places their first order with [email protected] and comes back a week later with [email protected] to buy the same intro-priced product, Shopify sees two different customers. The "limit one per customer" check passes. The product is sold at the introductory price again.
The customer didn't need to create a new email account. They didn't need a temporary email service. They used their own inbox with one extra period.
The Plus Alias Trick
Gmail also supports plus addressing. Anything between a "+" character and the "@" symbol is ignored during delivery.
These all go to the same inbox:
The text after the plus sign can be anything. There is no limit to how many aliases a single Gmail user can create, and none of them require any setup — they work instantly.
Combined with the dot trick, a single Gmail address generates a practically unlimited number of variations. [email protected], [email protected], and [email protected] all reach the same inbox, but Shopify records them as three separate customers.
The Domain Alias Trick
There's a third variation that fewer people know about: Gmail is also accessible through the domain googlemail.com. This is a legacy domain from Gmail's launch in certain countries, and it still works.
These are the same account. Gmail delivers mail to both domains interchangeably. But to any system doing exact string matching — including Shopify — they are different email addresses from different providers.
How Shopify Handles Email Comparison
Shopify's built-in "limit one per customer" performs an exact string match on the email address. If the string is identical character-for-character to a previous redemption, the limit is enforced. If even one character differs — an added dot, a plus alias, a different domain — the check passes.
This is not a bug. Shopify is doing what most email systems do: treating the email address as an opaque string identifier. The problem is that Gmail has made certain transformations of that string semantically equivalent, and Shopify has no built-in awareness of those equivalences.
The result is a gap between what the email provider considers "the same person" and what your store considers "the same person." Email normalization closes that gap.
What Email Normalization Does
Email normalization applies a set of deterministic transformations to an email address before comparing it against your order history. For Gmail addresses specifically, the transformations are:
Strip all dots from the local part. j.o.h.n.s.m.i.t.h becomes johnsmith. Every dot variation collapses to the same string.
Remove everything after the plus sign. johnsmith+deal becomes johnsmith. Every plus alias collapses to the base address.
Resolve domain aliases. googlemail.com becomes gmail.com. Both domains map to the same canonical domain.
After these transformations, [email protected] normalizes to [email protected]. So does [email protected]. So does every other variation. They all resolve to a single canonical form.
When OfferGuard evaluates a checkout, it normalizes the email the customer entered and compares it against the normalized emails from all previous orders containing the protected product. If there is a match, the checkout is blocked. The customer cannot complete the purchase.
This happens server-side, through Shopify's checkout extensibility APIs. There is no pop-up to dismiss and no client-side script to disable. The block is enforced on infrastructure the customer does not control.
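The three Gmail transformations and the order-history comparison described above, as an added example (not OfferGuard's or Shopify's code). The function names, the case folding, and the sample addresses are assumptions made for illustration; non-Gmail domains are deliberately left untouched because other providers may treat dots and plus signs as significant.

```javascript
// Added illustration: not OfferGuard's or Shopify's code.
const GMAIL_DOMAINS = new Set(["gmail.com", "googlemail.com"]);

// Return the canonical comparison key for an address, or null if unparseable.
function normalizeEmail(raw) {
  if (typeof raw !== "string") return null;
  // Assumption: case is folded before comparison (Gmail ignores case).
  const email = raw.trim().toLowerCase();
  const at = email.lastIndexOf("@");
  if (at <= 0 || at === email.length - 1) return null; // no local part or no domain
  let local = email.slice(0, at);
  const domain = email.slice(at + 1);

  // Other providers may treat dots and "+" as significant, so leave them alone.
  if (!GMAIL_DOMAINS.has(domain)) return `${local}@${domain}`;

  const plus = local.indexOf("+");
  if (plus !== -1) local = local.slice(0, plus); // drop the plus alias
  local = local.replace(/\./g, "");              // strip every dot
  if (local === "") return null;                 // e.g. "+x@gmail.com"
  return `${local}@gmail.com`;                   // googlemail.com -> gmail.com
}

// True when the checkout email matches any prior order after normalization.
function isRepeatBuyer(checkoutEmail, priorOrderEmails) {
  const key = normalizeEmail(checkoutEmail);
  if (key === null) return false; // unparseable input: leave to other checks
  const seen = new Set(priorOrderEmails.map(normalizeEmail));
  return seen.has(key);
}

// Constructed sample order history for the protected product.
const priorOrders = ["johnsmith@gmail.com", "first.last@example.com"];
console.log(isRepeatBuyer("j.o.h.n.s.m.i.t.h+deal@googlemail.com", priorOrders)); // true
console.log(isRepeatBuyer("firstlast@example.com", priorOrders));                 // false
```

In a real store the normalized key would be computed once per order and stored, so the checkout comparison is a single indexed lookup rather than a rescan of order history.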
Why This Catches the Majority of Casual Abuse
Most customers who exploit new-customer-only products are not sophisticated. They're not using VPNs, burner phones, or disposable email services. They're using the simplest trick available to them: adding a dot or a plus alias to their existing Gmail address.
They do this because it works. They've learned — through experience or through deal-hunting forums — that adding a period to their email is enough to appear as a new customer. And on most Shopify stores, they're right.
Email normalization removes this entire category of bypass. It requires no action from the customer, no additional checkout friction for legitimate buyers, and no manual review from you. It is a silent, automatic check that resolves the most common form of email manipulation before anything else needs to fire.
In OfferGuard's detection data, email normalization alone catches the largest share of repeat purchase attempts. It is the highest-confidence, lowest-false-positive signal in the detection chain, because the logic is mathematically precise — two normalized emails either match or they don't.
When Email Normalization Isn't Enough
Email normalization is the first layer, not the only layer. It has clear limits.
Completely different email providers. If a customer uses [email protected] for their first order and [email protected] for their second, email normalization has no way to connect them. These are genuinely different email accounts. No string transformation can prove they belong to the same person.
Disposable email services. A customer who uses a temporary email from a disposable email provider gets a fresh, unique email address each time. Normalization only works when the underlying address is the same — disposable emails are different addresses entirely.
Shared family emails. If one household member legitimately purchases a product and another family member wants the same intro offer, they will use different email addresses because they are, in fact, different people. Email normalization cannot and should not catch this case.
This is why OfferGuard doesn't rely on email normalization alone. It layers four additional signals on top: IP address matching, device fingerprinting, shipping address comparison, and phone number matching. When the email signal misses — because the customer used a truly different email — the device fingerprint or the shared IP address or the identical shipping address often catches what the email missed.
Each signal covers a different blind spot. Email normalization catches the casual tricks. Device fingerprinting catches incognito and cookie clearing. IP matching catches different accounts from the same network. Address matching catches different identities shipping to the same location.
Together, they close the gaps that any single signal leaves open.
Start With the Most Common Exploit
If you're evaluating how to protect new-customer-only products on your Shopify store, email normalization is where the analysis should begin. It addresses the most common bypass method, it produces zero false positives when implemented correctly, and it works transparently with no impact on the customer experience.
OfferGuard includes email normalization as part of its five-signal detection chain, along with device fingerprinting, IP matching, address comparison, and phone number matching. You can see the pricing and start a free trial to watch it work on your own checkout data.