Currently when the email is changed in the account management console or the admin console it is updated immediately. There should at least be an option on the realm to require the email to be verified first.
When the email is updated it should be added to a temporary attribute as unverified and an email sent to the user to verify. This should use required actions to drive the verification. When it is verified the email should be updated and the temporary email attribute should be removed.