Some suggestions for registration confirmation emails
As a practical matter, I think that a registration confirmation email should have at least three characteristics:
- it should always be initiated by that user; there should be none of the invite-your-friends features that are beloved by marketers.
- it should not have any user-entered text whatsoever. Any user-entered text will be exploited by spammers, and you don't have any need for it anyways.
- it should be devoid of marketing material in general. No 'thank you and welcome to <X>, the best place in the world for <Y>' or the like. Imagine that you are the most paranoid anti-spam person in the world getting this email, and try to make it so that it is not even possibly marketing anything. You can put all of that stuff in the email that they get after they confirm their address.
Hopefully it goes without saying that you should rate-limit the number of registration confirmations that you'll send to any one email address. Since people's anti-spam systems do eat email, I think that you should allow a couple of repeats more or less immediately but then start backing off. Do tell the user about it, because if you've done your job well most of the people running into the rate limit should be real users having email problems.
(More sophisticated systems are possible and probably friendlier. For example, you might notice when messages bounce and allow faster retries for that.)
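One way to implement the per-address rate limit and the bounce-aware retry described above, as an added sketch that is not from the original post. The thresholds, the in-memory store and the names `ConfirmationLimiter`, `try_send` and `note_bounce` are all assumptions; the returned wait time is what you would show to the user.

```python
import time
from dataclasses import dataclass

# All three values are assumptions chosen for illustration.
FREE_SENDS = 3             # first send plus a couple of immediate repeats
BASE_DELAY = 60.0          # first enforced wait, in seconds
MAX_DELAY = 24 * 3600.0    # cap on the backoff

@dataclass
class _State:
    sends: int = 0
    last_sent: float = 0.0
    bounced: bool = False

class ConfirmationLimiter:
    def __init__(self, clock=time.monotonic):
        self._clock = clock
        self._by_addr = {}     # in-memory only; a real service would persist this

    @staticmethod
    def _key(address):
        # Case-fold and trim so trivial variations share one budget.
        return address.strip().lower()

    def _wait_needed(self, st):
        if st.sends < FREE_SENDS:
            return 0.0
        # Double the wait for every send past the free allowance.
        delay = min(BASE_DELAY * 2 ** (st.sends - FREE_SENDS), MAX_DELAY)
        if st.bounced:
            delay = min(delay, BASE_DELAY)   # known delivery failure: retry sooner
        return delay

    def try_send(self, address):
        """Return (allowed, retry_after_seconds); record the send if allowed."""
        st = self._by_addr.setdefault(self._key(address), _State())
        now = self._clock()
        remaining = st.last_sent + self._wait_needed(st) - now
        if remaining > 0:
            return False, remaining          # tell the user how long to wait
        st.sends += 1
        st.last_sent = now
        st.bounced = False
        return True, 0.0

    def note_bounce(self, address):
        """Call when the last confirmation to this address bounced."""
        st = self._by_addr.get(self._key(address))
        if st:
            st.bounced = True
```
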
Per AutosendExcludeAddresses, putting the IP address that submitted the request into the confirmation email does nothing to make people feel better about you, and may even make you look more spammy. The real cure is to take steps to block abuse to start with.