Do you force your new users to verify their email addresses?
6 points by keiretsu on May 31, 2007 | 6 comments



Hehe, we've just had a big "fight" (discussion, but for an outsider our discussions often look like we're having a fight ;)) about it. We decided not to do so: most people (or at least, the people we're marketing to) will probably fill in their real address anyway. And if they don't, they're smart enough to use a "dump"-address.


A great solution is to give them an incentive to give you their real email address, like you're going to send them an important report or something else that is of high value so the visitors have no problem giving up their email address.


Another one is to tell the user the email is used in order to send lost passwords.


Pros: You are able to send email updates to users.

Cons: Duplicate users. Misdemeanor: Imagine if someone uses the White House or FBI email addresses. Then he keeps on clicking on "Retrieve password" and you would start spamming the White House and FBI.


Well, this is an argument for requiring verification if you plan to use email for password resets. Alternatively, you can allow only a small number of password reset attempts per email address per day/hour/whatever. One thing that you shouldn't do is reset someone's password immediately when you send out the reset email. Instead, reset it only when they arrive back at the reset page, else you're opening a DoS attack for anyone whose email address is known.
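
An added example, not part of the comment above or of any poster's code: a minimal in-memory sketch of the two safeguards that comment describes, a per-address cap on reset requests and a password that changes only when a valid token comes back. The class name, the limits and the `example.test` address are assumptions chosen for illustration.

```python
import hashlib
import secrets

MAX_REQUESTS = 3          # assumed cap on reset mails per address per window
WINDOW_SECONDS = 3600     # assumed window: one hour
TOKEN_TTL_SECONDS = 900   # assumed token lifetime: 15 minutes


def hash_password(password):
    salt = secrets.token_bytes(16)
    return salt + hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 600_000)


class ResetService:
    def __init__(self, passwords):
        self.passwords = passwords  # email -> password hash (constructed sample store)
        self.requests = {}          # email -> timestamps of recent reset requests
        self.tokens = {}            # sha256(token) -> (email, expiry time)

    def request_reset(self, email, now):
        """Return a token to e-mail, or None when no mail should be sent."""
        recent = [t for t in self.requests.get(email, []) if now - t < WINDOW_SECONDS]
        if len(recent) >= MAX_REQUESTS:
            self.requests[email] = recent
            return None             # rate limited: this address gets no more mail
        recent.append(now)
        self.requests[email] = recent
        if email not in self.passwords:
            return None             # unknown address: nothing to reset
        token = secrets.token_urlsafe(32)
        digest = hashlib.sha256(token.encode()).hexdigest()
        self.tokens[digest] = (email, now + TOKEN_TTL_SECONDS)
        return token                # the stored password is untouched at this point

    def complete_reset(self, token, new_password, now):
        """Change the password only when a valid, unexpired token is presented."""
        digest = hashlib.sha256(token.encode()).hexdigest()
        entry = self.tokens.pop(digest, None)   # tokens are single use
        if entry is None or now > entry[1]:
            return False
        email = entry[0]
        self.passwords[email] = hash_password(new_password)
        # Drop any other outstanding tokens for the same account.
        self.tokens = {d: e for d, e in self.tokens.items() if e[0] != email}
        return True
```

Only the token's hash is stored, so a leaked token table cannot be replayed against the reset page.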


The current trend is not requiring email to sign up. Anyone, including bots, can verify an email address so email is not a reliable qualifier anyway.



