Re: that last boost, my answer would’ve been “verify” too. If their email gets compromised, you potentially keep the bad actor out of your system, and also limit the splash damage.
Then you’ve got the problem of password recovery via email, so ideally you’d verify with a memorable word or recovery code instead…