You could follow the same flow usually used for password recovery.
Since you cannot send a “send confirmation mail” to a dynamic mail id, Use OTP verification.
- Generate a OTP, save it in database.
- Send a mail to the new email id entered in an input field by user.
- Have them enter the said OTP correctly in the next field which would imply that the mail id is not only correct, it is owned by them.
- Give them an additional notice that this will permanently change their email id (Just for UX) This also probes them to enter their existing password.
- Once they click confirm, run “update the user’s credentials”
Make sure to run the “generate otp” and “match OTP” at backend workflow for maximum security. Also have a field to expire otp and update that as expired after a certain time, or delete it from the system.