diff --git a/resources/static/dialog/controllers/dialog.js b/resources/static/dialog/controllers/dialog.js
index 1a3372d72a40f43d41d7b643c642e5a263948856..8e5b8f1cd22e84a05175a9b7b1393c7c69e4a45f 100644
--- a/resources/static/dialog/controllers/dialog.js
+++ b/resources/static/dialog/controllers/dialog.js
@@ -167,6 +167,24 @@ BrowserID.Modules.Dialog = (function() {
           params.tosURL = fixupURL(origin_url, paramsFromRP.termsOfService);
           params.privacyURL = fixupURL(origin_url, paramsFromRP.privacyPolicy);
         }
+
+        if (hash.indexOf("#CREATE_EMAIL=") === 0) {
+          var email = hash.replace(/#CREATE_EMAIL=/, "");
+          if (!bid.verifyEmail(email))
+            throw "invalid #CREATE_EMAIL= (" + email + ")";
+          params.type = "primary";
+          params.email = email;
+          params.add = false;
+        }
+        else if (hash.indexOf("#ADD_EMAIL=") === 0) {
+          var email = hash.replace(/#ADD_EMAIL=/, "");
+          if (!bid.verifyEmail(email))
+            throw "invalid #ADD_EMAIL= (" + email + ")";
+          params.type = "primary";
+          params.email = email;
+          params.add = true;
+        }
+
       } catch(e) {
         // note: renderError accepts HTML and cheerfully injects it into a
         // frame with a powerful origin. So convert 'e' first.
@@ -184,19 +202,6 @@ BrowserID.Modules.Dialog = (function() {
       // XXX Perhaps put this into the state machine.
       self.bind(win, "unload", onWindowUnload);
 
-      if(hash.indexOf("#CREATE_EMAIL=") === 0) {
-        var email = hash.replace(/#CREATE_EMAIL=/, "");
-        params.type = "primary";
-        params.email = email;
-        params.add = false;
-      }
-      else if(hash.indexOf("#ADD_EMAIL=") === 0) {
-        var email = hash.replace(/#ADD_EMAIL=/, "");
-        params.type = "primary";
-        params.email = email;
-        params.add = true;
-      }
-
       self.publish("start", params);
     }