Arbab Khan · order-limits · 8 min read
Email, phone, or address: which customer identifier works best for purchase limits?
Every method for identifying repeat customers has trade-offs. Email is easy to duplicate. Phone numbers are harder to fake but not impossible. Addresses can be varied in dozens of ways. Here is what Shopify merchants need to know in 2026.
You set up a purchase limit of one per customer. A reseller creates five email addresses and buys five units. Your limit worked exactly as designed, and you still lost.
This is the fundamental challenge with customer purchase limits: you need to identify who a customer actually is, not just what email address they used at checkout.
Shopify gives you three main ways to identify customers: email, phone number, and physical address. Each has strengths and weaknesses that affect how well your limits actually work.
How Shopify identifies customers
Shopify’s customer system is built around email as the primary identifier. Orders are permanently tied to email addresses and cannot be moved between customer accounts. Phone numbers are secondary and optional.
This means when a customer places an order, Shopify looks them up by email first. If they use a different email, Shopify sees them as a different customer, even if everything else matches.
For purchase limits, this creates a simple problem: anyone who wants to bypass your limit just needs another email address.
June 2026 update: Shopify now defaults to email-only contact for non-Plus merchants, with phone number visible but optional. If you use guest checkout with purchase limits, phone numbers may not be collected unless you explicitly require them. See our follow-up on the checkout field changes.
Email: easy to get, easy to bypass
Email is the weakest identifier for preventing repeat purchases. Here’s why.
Gmail plus addressing. Add a + sign and any text to a Gmail address (john+shop1@gmail.com, john+shop2@gmail.com). All variations deliver to the same inbox. One study found that 46,000 Gmail addresses collected from a single service reduced to just 291 unique base accounts after normalization.
Gmail dot variations. Gmail ignores dots in usernames. john.doe@gmail.com, jo.hn.doe@gmail.com, and johndoe@gmail.com are all the same account.
Disposable email services. Services provide temporary emails that self-destruct. Detection databases track over 3,000 disposable providers with 124,000+ known temporary domains, but new services emerge constantly.
Multiple accounts. Anyone can create a new Gmail, Outlook, or Yahoo account in minutes.
Research shows that nearly 19% of signups at some platforms use disposable email addresses. For limited drops, that number is likely higher.
What you can do about email
If you must use email as your identifier:
- Normalize before comparing. Strip plus tags (john+alias@gmail.com becomes john@gmail.com) and, for Gmail addresses, remove dots from the username.
- Block disposable domains. Email validation APIs claim 99.5% accuracy at detecting temporary email services.
- Require account creation. Logged-in customers are easier to track than guest checkouts, though it adds friction.
But even with all these measures, email remains easy to bypass for anyone willing to create multiple accounts.
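The normalization step above, as an added example (not code from the original article or from DC Order Limits). The order shape `{ email, qty }`, the function names, and the two `.example` blocklist domains are assumptions made for illustration; the plus tag is stripped for every provider, as the bullet describes, and dots are removed only for Gmail.

```javascript
// Added example: canonical e-mail key for purchase-limit lookups.
const GMAIL_DOMAINS = new Set(["gmail.com", "googlemail.com"]);
// Constructed placeholder blocklist; production lists come from a maintained feed.
const DISPOSABLE_DOMAINS = new Set(["tempmail.example", "throwaway.example"]);

// Returns the canonical address, or null if the input is not usable.
function normalizeEmail(raw) {
  const email = String(raw).trim().toLowerCase();
  const at = email.lastIndexOf("@");
  if (at < 1 || at === email.length - 1) return null;
  let local = email.slice(0, at);
  let domain = email.slice(at + 1);
  // Plus tag: everything from the first "+" is an alias suffix.
  const plus = local.indexOf("+");
  if (plus !== -1) local = local.slice(0, plus);
  // Gmail ignores dots in the username; googlemail.com is the same mailbox.
  if (GMAIL_DOMAINS.has(domain)) {
    local = local.replace(/\./g, "");
    domain = "gmail.com";
  }
  return local === "" ? null : `${local}@${domain}`;
}

// Decide whether a new order fits under a lifetime per-customer limit.
// priorOrders: [{ email, qty }] as stored at checkout (hypothetical shape).
function checkLimit(priorOrders, email, requestedQty, limit) {
  const key = normalizeEmail(email);
  if (key === null) return { allowed: false, reason: "invalid_email" };
  if (DISPOSABLE_DOMAINS.has(key.slice(key.lastIndexOf("@") + 1))) {
    return { allowed: false, reason: "disposable_domain" };
  }
  const bought = priorOrders
    .filter((o) => normalizeEmail(o.email) === key)
    .reduce((sum, o) => sum + o.qty, 0);
  const allowed = bought + requestedQty <= limit;
  return { allowed, reason: allowed ? "ok" : "limit_reached", key, bought };
}

// Constructed sample history: three spellings of one Gmail inbox.
const SAMPLE_EMAIL_ORDERS = [
  { email: "john.doe@gmail.com", qty: 1 },
  { email: "JohnDoe+shop1@gmail.com", qty: 1 },
  { email: "jane@outlook.com", qty: 1 },
];
console.log(checkLimit(SAMPLE_EMAIL_ORDERS, "jo.hn.doe+shop2@googlemail.com", 1, 2));
```

Normalizing stored addresses on every lookup, as here, keeps old orders comparable even if they were saved before normalization was introduced.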
Phone number: harder to fake, but not impossible
Phone numbers are more reliable than email for one simple reason: they’re harder to get multiples of. But “harder” doesn’t mean “impossible.”
VoIP and virtual numbers. Google Voice provides free virtual numbers and accounts for 60% of all scams reported to the Identity Theft Resource Center. Services like Bandwidth, TextNow, and various apps provide virtual numbers for pennies per SMS received.
Burner apps. Apps like Hushed and Burner provide temporary numbers. Some accept cryptocurrency payments for extra anonymity.
Dual SIM and eSIM. Modern phones support multiple phone numbers. iPhone 11 and later support multiple eSIMs, allowing users to activate virtual numbers via QR code.
Temporary SMS services. Websites provide shared public phone numbers to receive verification codes for free.
What you can do about phone
Phone validation APIs can detect:
- VoIP numbers, including non-fixed VoIP
- Google Voice numbers specifically (flagged in 50% of fraud complaints)
- Line type classification showing whether a number is mobile, landline, or virtual
For high-value products, requiring a non-VoIP mobile number significantly raises the bar for repeat purchasers. Most casual limit-bypassers won’t go through the effort of obtaining multiple legitimate phone numbers.
The trade-off: requiring phone verification adds friction at checkout and may not be worth it for lower-value products.
Address: the middle ground
Physical addresses are interesting because they have to be real if someone wants to receive a package. You can’t ship to a fake address. This makes address-based limits potentially useful, but address manipulation is its own art form.
Common variation techniques:
- Unit designators: Apartment, Apt, APT, Unit, Ste, Suite, #
- Directional and street-suffix variations: West/W, North/N, Street/St
- Character insertion: “123 Main Street” becomes “123 Mainn Street” or “123 Main Streeet”
- Adding fake units: “123 Main St Unit B” at a single-family home
A Southeast Asian fraud ring was estimated to target $3.3 billion in products in a single month using address manipulation, placing more than one fraudulent order per minute at a major retailer.
What you can do about address
Address standardization is essential:
- Parse addresses into components (street number, street name, city, state, ZIP, unit)
- Convert to uppercase
- Replace abbreviations with standards (“Street” to “ST”, “Apartment” to “APT”)
- Standardize directionals (“West” to “W”)
- Validate against postal databases (for US addresses, with USPS CASS-certified software)
After standardization, “123 Main Street, Apartment 4B” and “123 main st apt 4b” become the same address.
The limitation: different units in the same building are legitimately different addresses. You can’t assume everyone at 123 Main Street is the same customer, because they might genuinely be different households. For apartment buildings and multi-unit properties, address-based limits have significant false positive risk.
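The standardization steps and the unit caveat above, as an added example (not code from the original article or from DC Order Limits). It handles the street line only, uses a small constructed abbreviation table, and collapses every unit designator to a single `UNIT` marker, which is a choice made for this example; postal-database validation is an external service and is not shown.

```javascript
// Added example: build a comparison key from a street line.
const SUFFIXES = new Map([
  ["STREET", "ST"], ["AVENUE", "AVE"], ["ROAD", "RD"],
  ["DRIVE", "DR"], ["BOULEVARD", "BLVD"], ["LANE", "LN"],
]);
const DIRECTIONALS = new Map([
  ["NORTH", "N"], ["SOUTH", "S"], ["EAST", "E"], ["WEST", "W"],
]);
// Every unit designator collapses to one marker so "Apt 4B", "Unit 4B"
// and "#4B" compare equal (a choice made for this example).
const UNIT_WORDS = new Set(["APARTMENT", "APT", "UNIT", "SUITE", "STE", "#"]);

function standardizeAddress(raw) {
  const tokens = String(raw)
    .toUpperCase()
    .replace(/#/g, " # ")   // split "#4B" into designator and value
    .replace(/[.,]/g, " ")  // punctuation carries no identity
    .split(/\s+/)
    .filter(Boolean);
  const street = [];
  let unit = "";
  for (let i = 0; i < tokens.length; i++) {
    const t = tokens[i];
    if (UNIT_WORDS.has(t)) {
      unit = tokens[i + 1] || ""; // the token after the designator
      i++;
    } else {
      street.push(SUFFIXES.get(t) || DIRECTIONALS.get(t) || t);
    }
  }
  const building = street.join(" ");
  return { building, unit, key: unit ? `${building} UNIT ${unit}` : building };
}

// Count orders per standardized key; only exact key matches count as the
// same address, so neighbours in one building stay separate customers.
function ordersPerAddress(orders) {
  const counts = new Map();
  for (const o of orders) {
    const { key } = standardizeAddress(o.address);
    counts.set(key, (counts.get(key) || 0) + 1);
  }
  return counts;
}
```

Misspellings such as "Mainn" pass through this normalizer unchanged; catching them is the job of the postal-database validation step.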
What about location-based identification?
You might wonder about using latitude/longitude coordinates to identify customers. In practice, this doesn’t work well.
Geocoding services return approximate locations, typically at the building or street level. Different units in the same apartment building have the same coordinates. Different houses on the same street may have very similar coordinates.
Using location data, you’d either block everyone in an apartment building (many false positives) or set the threshold so wide that it’s easy to bypass by using a neighbor’s address.
IP address and device fingerprinting have similar problems. VPNs and proxies defeat IP-based detection. Shared household devices create false positives when family members shop from the same tablet.
These methods work better as supplementary signals for fraud detection than as primary customer identifiers.
What actually works: layering multiple signals
No single identifier is sufficient. Effective purchase limits combine multiple methods:
For standard purchase limits:
- Email (normalized) as the primary identifier
- Require login to track purchase history across sessions
- Accept that determined buyers can bypass limits with new accounts
For high-value limited drops:
- Phone number verification (non-VoIP required)
- Device fingerprinting as a secondary signal
- Shipping address clustering to detect variations
- Lower limits per customer to minimize damage from bypasses
For maximum protection (Shopify Plus):
- Bot protection during drop events
- Checkout validation functions
- Virtual waiting rooms with randomized queues
- Post-purchase review for suspicious patterns
Research from fraud prevention providers suggests that layering “email + phone + shipping address clustering + device fingerprinting” and applying machine learning to identify patterns catches up to 95% of repeat purchasers.
But catching the remaining 5% requires increasingly aggressive measures that affect legitimate customers.
The merchant’s dilemma
Every verification step you add reduces bypass attempts but also reduces conversions. Mobile checkout already has an 85% cart abandonment rate. Adding friction makes it worse.
The question isn’t “how do I stop all repeat purchases?” It’s “how much friction is acceptable for this product at this price point?”
Strict verification makes sense when:
- Products have high resale value (sneakers, collectibles, limited editions)
- Distributor contracts require fair allocation
- Your brand reputation depends on fans getting products, not resellers
Looser verification makes sense when:
- Products have moderate value
- Occasional bypasses don’t materially affect your business
- Conversion rate matters more than perfect enforcement
Most merchants land somewhere in the middle: strict enough to stop casual abuse, loose enough to not annoy legitimate customers.
Practical recommendations for 2026
1. Accept that perfect enforcement is impossible. Design promotions that remain profitable even when some customers find workarounds.
2. Normalize email addresses. Strip Gmail plus tags and dots before storing. Block known disposable email domains.
3. Consider phone verification for high-value limits. VoIP detection is good enough to catch most fake numbers. The friction cost is worth it for products that attract resellers.
4. Use address standardization. Run addresses through USPS validation before comparing. This catches the obvious variations without complex fraud detection infrastructure.
5. Require login for limited products. Guest checkout is convenient but impossible to track. Logged-in customers at least provide a consistent identifier across orders.
6. Set your limits low enough to matter. If someone bypasses your limit with two accounts instead of one, did you lose that much? A limit of 1 or 2 per customer still distributes inventory more fairly than no limit at all.
7. Use post-purchase detection. It’s often easier to identify and cancel suspicious orders after the fact than to prevent them at checkout. Watch for patterns: multiple orders to the same address, sequential email addresses, rapid account creation.
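A post-purchase review pass for two of the patterns named in item 7, sequential email addresses and rapid account creation, as an added example (not code from the original article or from DC Order Limits). The order fields `id`, `email` and `accountCreatedAt`, the thresholds, and the sample records are all constructed for illustration.

```javascript
// Added example: flag clusters of look-alike accounts for manual review.
// Constructed sample orders (not real data).
const SAMPLE_REVIEW_ORDERS = [
  { id: 2001, email: "jsmith01@example.com", accountCreatedAt: "2026-03-01T10:00:05Z" },
  { id: 2002, email: "jsmith02@example.com", accountCreatedAt: "2026-03-01T10:01:40Z" },
  { id: 2003, email: "jsmith03@example.com", accountCreatedAt: "2026-03-01T10:03:10Z" },
  { id: 2004, email: "maria@example.com", accountCreatedAt: "2025-11-20T08:15:00Z" },
  { id: 2005, email: "lee7@example.com", accountCreatedAt: "2024-06-02T14:00:00Z" },
  { id: 2006, email: "lee8@example.com", accountCreatedAt: "2026-02-11T09:30:00Z" },
];

// "jsmith01@example.com" and "jsmith02@example.com" share the stem
// "jsmith@example.com": trailing digits on the username are dropped.
function emailStem(email) {
  const lower = String(email).trim().toLowerCase();
  const at = lower.lastIndexOf("@");
  const local = lower.slice(0, at);
  // Keep an all-digit username intact rather than reducing it to nothing.
  const stripped = local.replace(/\d+$/, "") || local;
  return `${stripped}@${lower.slice(at + 1)}`;
}

// Returns one entry per stem shared by at least minSize orders, noting
// whether all of the accounts were created within windowMs of each other.
function findSuspiciousClusters(orders, { minSize = 3, windowMs = 10 * 60 * 1000 } = {}) {
  const byStem = new Map();
  for (const o of orders) {
    const stem = emailStem(o.email);
    if (!byStem.has(stem)) byStem.set(stem, []);
    byStem.get(stem).push(o);
  }
  const flagged = [];
  for (const [stem, group] of byStem) {
    if (group.length < minSize) continue;
    const times = group.map((o) => Date.parse(o.accountCreatedAt)).sort((x, y) => x - y);
    const rapidCreation = times[times.length - 1] - times[0] <= windowMs;
    flagged.push({ stem, orderIds: group.map((o) => o.id), rapidCreation });
  }
  return flagged;
}

console.log(findSuspiciousClusters(SAMPLE_REVIEW_ORDERS));
```

The output is a review queue, not a cancellation list: two unrelated customers can share a username stem, so a person should look at each flagged cluster before any order is cancelled.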
What DC Order Limits does
DC Order Limits tracks customer purchase history by customer account, enforcing lifetime limits across all orders. For guest checkouts, limits are enforced at email entry.
We normalize email addresses and can require login for limited products. Combined with Shopify Flow, you can automatically tag customers after purchase, reset limits on schedules, and flag suspicious patterns for manual review.
Perfect enforcement isn’t possible with any tool. But tracking actual purchase history across orders, rather than just limiting the current cart, stops the casual bypasses that account for most limit violations.
For merchants running limited drops or protecting against reseller abuse, that’s usually enough.
Learn more about customer purchase limits or install DC Order Limits to start tracking purchase history across orders.


