diff --git a/core/modules/user/config/install/user.mail.yml b/core/modules/user/config/install/user.mail.yml
index f8e41ce..cc5a728 100644
--- a/core/modules/user/config/install/user.mail.yml
+++ b/core/modules/user/config/install/user.mail.yml
@@ -4,6 +4,12 @@ cancel_confirm:
 password_reset:
   body: "[user:display-name],\n\nA request to reset the password for your account has been made at [site:name].\n\nYou may now log in by clicking this link or copying and pasting it into your browser:\n\n[user:one-time-login-url]\n\nThis link can only be used once to log in and will lead you to a page where you can set your password. It expires after one day and nothing will happen if it's not used.\n\n--  [site:name] team"
   subject: 'Replacement login information for [user:display-name] at [site:name]'
+mail_change_notification:
+  body: "[user:display-name],\n\nA request to change your e-mail address has been made at [site:name]. In order to complete the change you will need to follow the instructions sent to your new e-mail address within one day."
+  subject: 'E-mail change information for [user:display-name] at [site:name]'
+mail_change_verification:
+  body: "[user:display-name],\n\nA request to change your e-mail address has been made at [site:name]. You need to verify the change by clicking on the link below or copying and pasting it in your browser:\n\n[user:mail-change-login-url]\n\nThis is a one-time URL, so it can be used only once. It expires after one day. If not used, your e-mail address at [site:name] will not change."
+  subject: 'E-mail change information for [user:display-name] at [site:name]'
 register_admin_created:
   body: "[user:display-name],\n\nA site administrator at [site:name] has created an account for you. You may now log in by clicking this link or copying and pasting it into your browser:\n\n[user:one-time-login-url]\n\nThis link can only be used once to log in and will lead you to a page where you can set your password.\n\nAfter setting your password, you will be able to log in at [site:login-url] in the future using:\n\nusername: [user:name]\npassword: Your password\n\n--  [site:name] team"
   subject: 'An administrator created an account for you at [site:name]'
diff --git a/core/modules/user/config/install/user.settings.yml b/core/modules/user/config/install/user.settings.yml
index 8372ccd..44e0ccf 100644
--- a/core/modules/user/config/install/user.settings.yml
+++ b/core/modules/user/config/install/user.settings.yml
@@ -3,6 +3,8 @@ verify_mail: true
 notify:
   cancel_confirm: true
   password_reset: true
+  mail_change_notification: true
+  mail_change_verification: true
   status_activated: true
   status_blocked: false
   status_canceled: false
diff --git a/core/modules/user/config/schema/user.schema.yml b/core/modules/user/config/schema/user.schema.yml
index 627d8a6..d027c7b 100644
--- a/core/modules/user/config/schema/user.schema.yml
+++ b/core/modules/user/config/schema/user.schema.yml
@@ -20,6 +20,12 @@ user.settings:
         password_reset:
           type: boolean
           label: 'Notify user when password reset'
+        mail_change_notification:
+          type: boolean
+          label: 'Notify user when email changes'
+        mail_change_verification:
+          type: boolean
+          label: 'Require email verification when a user changes their email address'
         status_activated:
           type: boolean
           label: 'Notify user when account is activated'
@@ -61,6 +67,12 @@ user.mail:
   password_reset:
     type: mail
     label: 'Password recovery'
+  mail_change_notification:
+    type: mail
+    label: 'Change mail notification'
+  mail_change_verification:
+    type: mail
+    label: 'Change mail verification'
   register_admin_created:
     type: mail
     label: 'Account created by administrator'
diff --git a/core/modules/user/src/AccountForm.php b/core/modules/user/src/AccountForm.php
index 8b0149e..bf05df4 100644
--- a/core/modules/user/src/AccountForm.php
+++ b/core/modules/user/src/AccountForm.php
@@ -386,13 +386,32 @@ protected function flagViolations(EntityConstraintViolationListInterface $violat
    * {@inheritdoc}
    */
   public function submitForm(array &$form, FormStateInterface $form_state) {
+    $account = $this->getEntity($form_state);
+    $new_email = $form_state->getValue('mail');
+
+    if(!$account->isNew() && $account->getEmail() !== $new_email && !\Drupal::currentUser()->hasPermission('administer users')) {
+      $old_email = $account->getEmail();
+
+      // Send a verification to the new email address.
+      $account->setEmail($new_email);
+      if(_user_mail_notify('mail_change_verification', $account, NULL)) {
+        // Send notification email to the old email address.
+        $account->setEmail($old_email);
+        _user_mail_notify('mail_change_notification', $account);
+      }
+
+      // The user's email address will be updated after verification.
+      $form_state->setValue('mail', $old_email);
+
+      drupal_set_message($this->t('Your email address needs to be validated. Further instructions have been sent to your new email address.'), 'warning');
+    }
+
     parent::submitForm($form, $form_state);
 
-    $user = $this->getEntity($form_state);
     // If there's a session set to the users id, remove the password reset tag
     // since a new password was saved.
-    if (isset($_SESSION['pass_reset_'. $user->id()])) {
-      unset($_SESSION['pass_reset_'. $user->id()]);
+    if (isset($_SESSION['pass_reset_'. $account->id()])) {
+      unset($_SESSION['pass_reset_'. $account->id()]);
     }
   }
 }
diff --git a/core/modules/user/src/AccountSettingsForm.php b/core/modules/user/src/AccountSettingsForm.php
index b76897d..c20a020 100644
--- a/core/modules/user/src/AccountSettingsForm.php
+++ b/core/modules/user/src/AccountSettingsForm.php
@@ -201,7 +201,7 @@ public function buildForm(array $form, FormStateInterface $form_state) {
     );
     // These email tokens are shared for all settings, so just define
     // the list once to help ensure they stay in sync.
-    $email_token_help = $this->t('Available variables are: [site:name], [site:url], [user:display-name], [user:account-name], [user:mail], [site:login-url], [site:url-brief], [user:edit-url], [user:one-time-login-url], [user:cancel-url].');
+    $email_token_help = $this->t('Available variables are: [site:name], [site:url], [user:display-name], [user:account-name], [user:mail], [site:login-url], [site:url-brief], [user:edit-url], [user:one-time-login-url], [user:mail-change-login-url], [user:cancel-url].');
 
     $form['email_admin_created'] = array(
       '#type' => 'details',
@@ -303,6 +303,50 @@ public function buildForm(array $form, FormStateInterface $form_state) {
       '#rows' => 12,
     );
 
+    $form['email_email_change_notification'] = array(
+      '#type' => 'details',
+      '#title' => t('Email change notification'),
+      '#collapsible' => TRUE,
+      '#collapsed' => TRUE,
+      '#description' => t("Edit the email messages sent to users' old email address when the email address is changed.") . ' ' . $email_token_help,
+      '#group' => 'email',
+      '#weight' => 11,
+    );
+    $form['email_email_change_notification']['user_email_change_notification_subject'] = array(
+      '#type' => 'textfield',
+      '#title' => t('Subject'),
+      '#default_value' => $mail_config->get('mail_change_notification.subject'),
+      '#maxlength' => 180,
+    );
+    $form['email_email_change_notification']['user_email_change_notification_body'] = array(
+      '#type' => 'textarea',
+      '#title' => t('Body'),
+      '#default_value' => $mail_config->get('mail_change_notification.body'),
+      '#rows' => 12,
+    );
+
+    $form['email_email_change_verification'] = array(
+      '#type' => 'details',
+      '#title' => t('Email change verification'),
+      '#collapsible' => TRUE,
+      '#collapsed' => TRUE,
+      '#description' => t("Edit the email messages sent to users' new email address when the email address is changed.") . ' ' . $email_token_help,
+      '#group' => 'email',
+      '#weight' => 13,
+    );
+    $form['email_email_change_verification']['user_email_change_verification_subject'] = array(
+      '#type' => 'textfield',
+      '#title' => t('Subject'),
+      '#default_value' => $mail_config->get('mail_change_verification.subject'),
+      '#maxlength' => 180,
+    );
+    $form['email_email_change_verification']['user_email_change_verification_body'] = array(
+      '#type' => 'textarea',
+      '#title' => t('Body'),
+      '#default_value' => $mail_config->get('mail_change_verification.body'),
+      '#rows' => 12,
+    );
+
     $form['email_activated'] = array(
       '#type' => 'details',
       '#title' => $this->t('Account activation'),
@@ -445,6 +489,10 @@ public function submitForm(array &$form, FormStateInterface $form_state) {
       ->set('cancel_confirm.subject', $form_state->getValue('user_mail_cancel_confirm_subject'))
       ->set('password_reset.body', $form_state->getValue('user_mail_password_reset_body'))
       ->set('password_reset.subject', $form_state->getValue('user_mail_password_reset_subject'))
+      ->set('mail_change_notification.subject', $form_state->getValue('user_email_change_notification_subject'))
+      ->set('mail_change_notification.body', $form_state->getValue('user_email_change_notification_body'))
+      ->set('mail_change_verification.subject', $form_state->getValue('user_email_change_verification_subject'))
+      ->set('mail_change_verification.body', $form_state->getValue('user_email_change_verification_body'))
       ->set('register_admin_created.body', $form_state->getValue('user_mail_register_admin_created_body'))
       ->set('register_admin_created.subject', $form_state->getValue('user_mail_register_admin_created_subject'))
       ->set('register_no_approval_required.body', $form_state->getValue('user_mail_register_no_approval_required_body'))
diff --git a/core/modules/user/src/Controller/UserController.php b/core/modules/user/src/Controller/UserController.php
index 772884b..018cfb5 100644
--- a/core/modules/user/src/Controller/UserController.php
+++ b/core/modules/user/src/Controller/UserController.php
@@ -139,6 +139,58 @@ public function resetPass($uid, $timestamp, $hash) {
   }
 
   /**
+   * Returns the user change email page.
+   *
+   * @param int $uid
+   *   UID of user requesting reset.
+   * @param int $timestamp
+   *   The current timestamp.
+   * @param string new_email
+   *   The user's new email address.
+   * @param string $hash
+   *   Login link hash.
+   *
+   * @return array|\Symfony\Component\HttpFoundation\RedirectResponse
+   *   The form structure or a redirect response.
+   *
+   * @throws \Symfony\Component\HttpKernel\Exception\AccessDeniedHttpException
+   *   If the timestamp passed is in the future.
+   */
+  public function changeEmail($uid, $timestamp, $new_email, $hash) {
+    $user = \Drupal::currentUser();
+    $account = $this->userStorage->load($uid);
+
+    // We need to set the new email here to validate the hash correctly, which is
+    // created using the new mail adress. We only save the account if the hash matches.
+    $account->setEmail($new_email);
+
+    $timeout = 24 * 60 * 60;
+    $current = $_SERVER['REQUEST_TIME'];
+
+    if ($timestamp < $current) {
+      if($current - $timestamp > $timeout) {
+        drupal_set_message(t('You have tried to use a one-time email address change link for %account that has expired -- your change of email address was not completed. Please visit your account edit page if you wish to attempt the change again.', array('%account' => $account->name)), 'error');
+      }
+      else if ($user->id() && $user->id() != $account->id()) {
+        drupal_set_message(t('You are currently logged in as %user, and are attempting to confirm an email address change for %account, which is not allowed. Please log in as %account and initiate a new change of email request.', array('%user' => $user->name, '%account' => $account->name)), 'error');
+      }
+      else if ($hash != user_pass_rehash($account, $timestamp)) {
+        drupal_set_message(t('There was a problem validating the used link. Please visit your account edit page and retry changing your email address.'), 'error');
+      }
+      else if ($timestamp > $account->getLastLoginTime() && $timestamp < $current) {
+        $account->save();
+        drupal_set_message(t('Your email address has been changed to %mail.', array('%mail' => $new_email)));
+      }
+    }
+    else {
+      // Deny access if the timestamp passed is in the future.
+      throw new AccessDeniedHttpException();
+    }
+
+    return $this->redirect('user.page');
+  }
+
+  /**
    * Redirects users to their profile page.
    *
    * This controller assumes that it is only invoked for authenticated users.
diff --git a/core/modules/user/src/Tests/UserEditedOwnAccountTest.php b/core/modules/user/src/Tests/UserEditedOwnAccountTest.php
index 017ca85..b7fb095 100644
--- a/core/modules/user/src/Tests/UserEditedOwnAccountTest.php
+++ b/core/modules/user/src/Tests/UserEditedOwnAccountTest.php
@@ -10,7 +10,7 @@
 use Drupal\simpletest\WebTestBase;
 
 /**
- * Tests user edited own account can still log in.
+ * Tests the user edit form for the current user.
  *
  * @group user
  */
@@ -23,6 +23,9 @@ class UserEditedOwnAccountTest extends WebTestBase {
    */
   public static $modules = array('user_form_test');
 
+  /**
+   * Tests user edited own account can still log in.
+   */
   function testUserEditedOwnAccount() {
     // Change account setting 'Who can register accounts?' to Administrators
     // only.
@@ -34,7 +37,8 @@ function testUserEditedOwnAccount() {
 
     // Change own username.
     $edit = array();
-    $edit['name'] = $this->randomMachineName();
+    $name = $this->randomMachineName();
+    $edit['name'] = $name;
     $this->drupalPostForm('user/' . $account->id() . '/edit', $edit, t('Save'));
 
     // Log out.
@@ -43,5 +47,20 @@ function testUserEditedOwnAccount() {
     // Set the new name on the user account and attempt to log back in.
     $account->name = $edit['name'];
     $this->drupalLogin($account);
+
+    // Set a new email address for the user account.
+    $new_email = $this->randomMachineName() . '@example.com';
+    $edit = array(
+      'current_pass' => $account->pass_raw,
+      'mail' => $new_email,
+    );
+    $this->drupalPostForm('user/' . $account->id() . '/edit', $edit, t('Save'));
+
+    $site_name = $this->config('system.site')->get('name');
+    $user_mail = $this->drupalGetMails(array(
+      'to' => $new_email,
+      'subject' => "E-mail change information for $name at $site_name",
+    ));
+    $this->assertTrue(count($user_mail), 'A verification email was sent to the user.');
   }
 }
diff --git a/core/modules/user/src/Tests/UserTokenReplaceTest.php b/core/modules/user/src/Tests/UserTokenReplaceTest.php
index b7877d8..c35677a 100644
--- a/core/modules/user/src/Tests/UserTokenReplaceTest.php
+++ b/core/modules/user/src/Tests/UserTokenReplaceTest.php
@@ -134,6 +134,7 @@ function testUserTokenReplacement() {
     // Generate login and cancel link.
     $tests = array();
     $tests['[user:one-time-login-url]'] = user_pass_reset_url($account);
+    $tests['[user:mail-change-login-url]'] = user_change_mail_url($account);
     $tests['[user:cancel-url]'] = user_cancel_url($account);
 
     // Generate tokens with interface language.
diff --git a/core/modules/user/user.install b/core/modules/user/user.install
index 91a908e..0c59cb7 100644
--- a/core/modules/user/user.install
+++ b/core/modules/user/user.install
@@ -85,3 +85,16 @@ function user_install() {
     ))
     ->save();
 }
+
+
+/**
+ * Update config for change mail notifications.
+ */
+function user_update_8002() {
+  $mail_config = \Drupal::service('config.factory')->getEditable('user.mail');
+  $mail_config->set('mail_change_notification.body',"[user:display-name],\n\nA request to change your e-mail address has been made at [site:name]. In order to complete the change you will need to follow the instructions sent to your new e-mail address within one day.");
+  $mail_config->set('mail_change_notification.subject','E-mail change information for [user:display-name] at [site:name]');
+  $mail_config->set('mail_change_verification.body',"[user:display-name],\n\nA request to change your e-mail address has been made at [site:name]. You need to verify the change by clicking on the link below or copying and pasting it in your browser:\n\n[user:mail-change-login-url]\n\nThis is a one-time URL, so it can be used only once. It expires after one day. If not used, your e-mail address at [site:name] will not change.");
+  $mail_config->set('mail_change_verification.subject','E-mail change information for [user:display-name] at [site:name]');
+  $mail_config->save();
+}
diff --git a/core/modules/user/user.module b/core/modules/user/user.module
index 3d76074..0246d24 100644
--- a/core/modules/user/user.module
+++ b/core/modules/user/user.module
@@ -593,6 +593,32 @@ function user_pass_reset_url($account, $options = array()) {
 }
 
 /**
+ * Generates a unique URL for a one time email change confirmation.
+ *
+ * @param object $account
+ *   An object containing the user account.
+ * @param array $options
+ *   (optional) A keyed array of settings. Supported options are:
+ *   - langcode: A language code to be used when generating locale-sensitive
+ *    URLs. If langcode is NULL the users preferred language is used.
+ *
+ * @return
+ *   A unique URL that provides a one-time email change confirmation for the
+ *   user.
+ */
+function user_change_mail_url($account, $options = array()) {
+  $timestamp = $_SERVER['REQUEST_TIME'];
+  $langcode = isset($options['langcode']) ? $options['langcode'] : $account->getPreferredLangcode();
+  $url_options = array('absolute' => TRUE, 'language' => \Drupal::languageManager()->getLanguage($langcode));
+  return \Drupal::url('user.change_email', [
+    'uid' => $account->id(),
+    'timestamp' => $timestamp,
+    'new_email' => $account->getEmail(),
+    'hash' => user_pass_rehash($account, $timestamp),
+  ], $url_options);
+}
+
+/**
  * Generates a URL to confirm an account cancellation request.
  *
  * @param \Drupal\user\UserInterface $account
@@ -940,6 +966,7 @@ function user_mail($key, &$message, $params) {
  *   properties:
  *   - login: The UNIX timestamp of the user's last login.
  *   - pass: The hashed account login password.
+ *   - email: The user's email address.
  * @param array $options
  *   A keyed array of settings and flags to control the token replacement
  *   process. See \Drupal\Core\Utility\Token::replace().
@@ -947,6 +974,7 @@ function user_mail($key, &$message, $params) {
 function user_mail_tokens(&$replacements, $data, $options) {
   if (isset($data['user'])) {
     $replacements['[user:one-time-login-url]'] = user_pass_reset_url($data['user'], $options);
+    $replacements['[user:mail-change-login-url]'] = user_change_mail_url($data['user'], $options);
     $replacements['[user:cancel-url]'] = user_cancel_url($data['user'], $options);
   }
 }
@@ -1176,6 +1204,8 @@ function user_role_revoke_permissions($rid, array $permissions = array()) {
  *   - 'register_pending_approval': Welcome message, user pending admin
  *     approval.
  *   - 'password_reset': Password recovery request.
+ *   - 'mail_change_notification': Email change notification.
+ *   - 'mail_change_verification': Email change verification.
  *   - 'status_activated': Account activated.
  *   - 'status_blocked': Account blocked.
  *   - 'cancel_confirm': Account cancellation request.
diff --git a/core/modules/user/user.routing.yml b/core/modules/user/user.routing.yml
index 6eea7ec..2886adf 100644
--- a/core/modules/user/user.routing.yml
+++ b/core/modules/user/user.routing.yml
@@ -150,3 +150,14 @@ user.reset:
   options:
     _maintenance_access: TRUE
     no_cache: TRUE
+
+user.change_email:
+  path: 'user/change-mail/{uid}/{timestamp}/{new_email}/{hash}'
+  defaults:
+    _controller: '\Drupal\user\Controller\UserController::changeEmail'
+    _title: 'Change email address'
+  requirements:
+    _access: 'TRUE'
+  options:
+    _maintenance_access: TRUE
+    no_cache: TRUE