Hmm... there's always /nickserv identify, but I have absolutely zero idea how that even works.
What if you made your own bot that listened for private messages from users, and verified them? So all I had to do was /yourbot julian hunter2?
Then your bot would probably communicate with a companion plugin on our end to verify users by username/password... There's a possibly MITM issue present if you don't use HTTPS though... less so if everything is on one machine and you're communicating via localhost connections...
But perhaps I should add a not in the sign up agreement that "by signing up you agree to receive emails from us" or something like that, to be safe.
If you're in the EU, this wouldn't constitute as opt-in. The EU states that a user must specifically click a button that states "I want to receive these emails". Unless it's regarding their account. So, if the daily digest included notifications, it would be fine, but if it was just new topics, I'm not so sure. It should be fine either way, as you've said.