diff --git a/package.json b/package.json
index 7ef490d..49239dd 100644
--- a/package.json
+++ b/package.json
@@ -25,6 +25,7 @@
 "mariasql": "^0.2.6",
 "moment": "^2.22.2",
 "morgan": "^1.9.0",
+ "nodemailer": "^4.6.8",
 "qs": "^6.5.2",
 "sequelize": "^4.28.6",
 "sequelize-mysql": "^1.7.0",
diff --git a/server/db/users.js b/server/db/users.js
index 342970f..1683ccc 100644
--- a/server/db/users.js
+++ b/server/db/users.js
@@ -45,6 +45,27 @@ function init() {
 }, {
 timestamps: false
 });
+
+ const Authentication = db.sequelize.define('authentication', {
+ key: {
+ type: Sequelize.STRING,
+ primaryKey: true,
+ allowNull: false
+ },
+ issued: Sequelize.DATE,
+ type: {
+ type: Sequelize.ENUM,
+ values: [ 'account-setup', 'password-reset' ]
+ },
+ userId: {
+ type: Sequelize.INTEGER,
+ allowNull: false,
+ references: {
+ model: User,
+ key: 'id',
+ }
+ }
+ })
 return db.sequelize.sync({ force: false }).then(function () {
diff --git a/server/routes/users.js b/server/routes/users.js
index f95579d..30b561e 100755
--- a/server/routes/users.js
+++ b/server/routes/users.js
@@ -3,12 +3,18 @@ const express = require("express"),
 config = require("config"),
 LdapAuth = require("ldapauth-fork"),
- crypto = require("crypto");
+ crypto = require("crypto"),
+ createTransport = require("nodemailer").createTransport;
 const router = express.Router();
 let userDB;
+let mail = createTransport({
+ host: config.get("smtp.host"),
+ pool: true,
+ port: config.has("smtp.port") ? config.get("smtp.port") : 25
+});
 let ldap;
 if (config.has("ldap.url")) {
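Review bot: `key` in the new `authentication` model is the secret that will be handed out for `account-setup`/`password-reset`, and it is persisted as a plaintext STRING primary key; storing only a digest of the token (computed by whoever issues it, e.g. a sha256 of the value) and comparing digests on lookup would keep a dump of the `authentications` table from yielding usable setup/reset links. `issued` is recorded but no expiry is expressed anywhere in the hunk, so a comment on the model such as `// verifiers must reject tokens older than MAX_TOKEN_AGE (value to be decided)` would pin the contract consumers are expected to enforce. Minor: the `define(...)` call lacks the terminating semicolon the `User` definition above uses (`});`), and `Authentication` is assigned but not referenced within the hunk. `init()` continues outside the hunk.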
@@ -63,6 +69,11 @@ router.post("/create", function(req, res) {
 return res.status(400).send("Email address already used.");
 }
+ let re = /^(([^<>()\[\]\\.,;:\s@"]+(\.[^<>()\[\]\\.,;:\s@"]+)*)|(".+"))@((\[[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}])|(([a-zA-Z\-0-9]+\.)+[a-zA-Z]{2,}))$/;
+ if (!re.exec(mail)) {
+ return res.status(400).send("Invalid email address.");
+ } + + return userDB.sequelize.query("INSERT INTO users " +
 "(uid,displayName,password,mail,memberSince,authenticated,notes) " +
 "VALUES(:username,:name,:password,:mail,CURRENT_TIMESTAMP,0,:notes)", {
@@ -73,7 +84,16 @@ router.post("/create", function(req, res) {
 mail: mail,
 notes: who
 }
- }).then(function(results) {
+ }).spread(function(results, metadata) {
+ return userDB.sequelize.query("INSERT INTO authentications " +
+ "(userId,issued,key,type) VALUES " +
+ "(:userId,CURRENT_TIMESTAMP,:key,'account-setup')", {
+ replacements: {
+ key: "magic cookie",
+ userId: metadata.lastID
+ }
+ }).then(function() {
+ });
 /*
 req.session.user = {
 name: name,
@@ -82,6 +102,7 @@ router.post("/create", function(req, res) {
 };
 return res.status(200).send(req.session.user);
 */
+ }).then(function() {
 req.session.user = {};
 return res.status(401).send("Account has not been authenticated.");
 });
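Review bot: `re.exec(mail)` operates on the handler's `mail`, which is the address string (the `mail: mail` replacement below confirms it), so the module-level `let mail = createTransport(...)` added at the top of this file is shadowed inside `/create` and cannot be reached by that name from here; renaming the transport, e.g. `const mailer = createTransport({`, removes the collision before any send code is written against it. The format check also runs after the "Email address already used." lookup, so a malformed address still costs a database query; moving the check ahead of that lookup rejects earlier and cheaper. Style: `const re` and `if (!re.test(mail))` express the intent better than `let` plus `exec` when only a boolean is needed. The enclosing `router.post("/create", ...)` callback starts before the hunk.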
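Review bot: `key: "magic cookie"` stores a fixed value as the account-setup token; because `key` is the primary key of `authentications` (see the `server/db/users.js` hunk in this diff), the second account ever created will fail this insert with a duplicate-key error, and a constant token is known to anyone who has read the source. Generate it per request, e.g. `key: crypto.randomBytes(32).toString("hex")` (`crypto` is already required at the top of this file), and prefer persisting only a digest of it. `metadata.lastID` looks like the sqlite3 driver's field name; with the mariasql/MySQL dependencies listed in package.json the inserted id is usually exposed as `insertId` — verify against the driver in use, since an `undefined` `userId` would trip the model's `allowNull: false`. The trailing `.then(function() { });` is a no-op and can be dropped.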
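Review bot: The promise chain closed by `});` at the end of this hunk has no `.catch` within view; unless one follows outside the hunk, a rejected insert in the `.spread` callback above leaves the request without any response and surfaces only as an unhandled rejection. Appending `.catch(function(err) { console.error(err); return res.status(500).send("Could not create account."); })` after the final `.then` — logging server-side rather than echoing the error to the client — closes that gap. The handler also now replies 401 only after the setup token has been stored, yet nothing in this diff delivers it (the nodemailer transport created at the top of the file is unused), so if delivery is planned for a later change, a `// TODO: deliver the account-setup token via the SMTP transport` at this `.then` would record the gap. The `router.post` callback ends outside the hunk.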