Sign using an unfunded BTC address, maybe something like 1BitMax... Or better yet, generate a PGP key and sign the message using that. Don't email it to the user; instead, provide it to them in a text file once their deposit address is shown. Delete it after the user confirms they have downloaded it from the server. That way, users could just choose not to download it, and state that they did, to avoid getting the signed message if they wish to not have the file touch any of their devices. Those who worry about being scammed can download it and delete it securely after they receive coins.
Don't Trust. Verify.
No money lost this way, and if someone were to hack into your server, they'd be able to see transaction info anyway.