verified_at date for UserEmail and UserPhone

[jace]

The UserEmail model should have a verified_at or active_at datetime field that records the last time a message sent to this address was opened (especially if it's an explicit probe to confirm the address).

Auto-verified emails from Google, GitHub etc logins will have this field set to null, while a manually verified email (conversion from EmailClaim) will have it equal to created_at.

This field will be critical for use cases like identifying employer-linked email addresses that may have since expired – and preventing account access backdoors from such instances (password reset, automatic account merger based on shared email).

[jace]

Related to #135.

[jace]

UserPhone also needs a verified_at column as users may have a business-assigned phone number that gets reassigned to someone else when they switch jobs.

[jace]

mxsniff introduced a probe feature in 0.3.1 that can be used to confirm an email address is valid, without actually sending it an email. This can be used in a periodic automated sweep. It is unclear if probing will work at scale though, as mail servers may detect and block unusual behaviour if it crosses a threshold, risking accidentally blocking some email addresses.