diff --git a/browserid/lib/db_mysql.js b/browserid/lib/db_mysql.js
index 6eb73c77caf45eb2ab55af420b6a5a49b7a3f294..c86e72897351d6e0a6634c71db5d4dd6e14ae03e 100644
--- a/browserid/lib/db_mysql.js
+++ b/browserid/lib/db_mysql.js
@@ -213,12 +213,30 @@ exports.gotVerificationSecret = function(secret, cb) {
         var o = rows[0];
 
         function addEmailAndPubkey(userID) {
+          // issue #170 - delete any old records with the same
+          // email address.  this is necessary because
+          // gotVerificationSecret is invoked both for 
+          // forgotten password flows and for new user signups.
+          // We could add an `ON DUPLICATE KEY` clause, however
+          // We actually want to invalidate all old public keys.
+          //
+          // XXX: periodic database cleanup should remove old expired
+          // keys, but this is moot once we move to certs as the
+          // server won't know about old keys 
           client.query(
-            "INSERT INTO email(user, address) VALUES(?, ?)",
-            [ userID, o.email ],
+            "DELETE FROM email WHERE address = ?",
+            [ o.email ],
             function(err, info) {
               if (err) { logUnexpectedError(err); cb(err); return; }
-              addKeyToEmailRecord(info.insertId, o.pubkey, cb);
+              else {
+                client.query(
+                  "INSERT INTO email(user, address) VALUES(?, ?)",
+                  [ userID, o.email ],
+                  function(err, info) {
+                    if (err) { logUnexpectedError(err); cb(err); return; }
+                    addKeyToEmailRecord(info.insertId, o.pubkey, cb);
+                  });
+              }
             });
         }
 
diff --git a/browserid/tests/forgotten-email-test.js b/browserid/tests/forgotten-email-test.js
index 94279f3f4a975fe54cd323a58984e0b37f8fb52e..1e8d9e14727ddb204fca5fee58c29f65dc489144 100755
--- a/browserid/tests/forgotten-email-test.js
+++ b/browserid/tests/forgotten-email-test.js
@@ -75,6 +75,7 @@ suite.addBatch({
     },
     "account created": function(r, err) {
       assert.equal(r.code, 200);
+      assert.strictEqual(true, JSON.parse(r.body));
     }
   }
 });
@@ -120,6 +121,7 @@ suite.addBatch({
     },
     "account created": function(r, err) {
       assert.equal(r.code, 200);
+      assert.strictEqual(true, JSON.parse(r.body));
     }
   }
 });
@@ -187,6 +189,7 @@ suite.addBatch({
     },
     "account created": function(r, err) {
       assert.equal(r.code, 200);
+      assert.strictEqual(true, JSON.parse(r.body));
     }
   }
 });
diff --git a/browserid/tests/lib/start-stop.js b/browserid/tests/lib/start-stop.js
index 636c042a4c8efb27542813eeb1b26691ea6dfcf8..f9e69b8a53d1c2021ff42fb2e01da6ee62c92311 100644
--- a/browserid/tests/lib/start-stop.js
+++ b/browserid/tests/lib/start-stop.js
@@ -107,6 +107,17 @@ exports.addShutdownBatches = function(suite) {
     }
   });
 
+  // stop the database
+  suite.addBatch({
+    "stop the database": {
+      topic: function() {
+        require("../../lib/db.js").close(this.callback);
+      },
+      "stopped": function(x) {
+        assert.isUndefined(x);
+      }
+    }
+  });
 
   // clean up
   suite.addBatch({