• ono
    link
    fedilink
    English
    28
    edit-2
    11 months ago

    By the way, please don’t write regex to try to validate email addresses. Seriously.

    Amen.

    There are libraries for that; some of them are even good.

    Spoiler alert: Few of them are good, and those few are so simple that you might as well not use a library.

    The only way to correctly validate an email address is to send a message to it, and verify that it arrived.

    • @[email protected]
      link
      fedilink
      3211 months ago

      You can use a regex to do basic validation. That regex is .+@.+. Anything beyond that is a waste of time.

        • @[email protected]
          link
          fedilink
          1011 months ago

          Which ones? In RFC 5322 every address contains an addr-spec at some point, which in turn must include an @. RFC 6854 does not seem to change this. Or did I misread something?

            • @[email protected]
              link
              fedilink
              5
              edit-2
              11 months ago

              And it’s matched by .+@.+ as it contains an @.

              Remember, we’re taking about regular expressions here so .+ means “a sequence of one or more arbitrary characters”. It does not imply that an actual dot is present.

              (And I overlooked the edit. Oops.)

      • @hansl
        link
        -411 months ago

        There are also cases where you want to have a disallow list of known bad email providers. That’s also part of the parsing and validating.

        • @[email protected]
          link
          fedilink
          2411 months ago

          It’s a valid need, but a domain blacklist isn’t part of email parsing and if you conflate the two inside your program then you’re mixing concerns.

          Why is the domain blacklist even in your program? It should be a user configurable file or a list of domains in the database.

          • @hansl
            link
            111 months ago

            We were discussing validation, not parsing. There’s no parsing in an email. You might give it a type once it passes validation, but an email is just a string with an @ in it (and likely some . because you want at least 1 TLD but even that I’m not sure).

          • Black616Angel
            link
            fedilink
            111 months ago

            You are right in that it isn’t (or shouldn’t be) part of the parsing, but the program has to check the blacklist even if it’s in a database.

        • anti-idpol action
          link
          fedilink
          9
          edit-2
          11 months ago

          fuck any website that requires an account to just READ it’s stupid content and at the same time blocks guerrillamail/10minutemail (looking at you, Glassdoor,I don’t want to get fucking spam just so that I can check approximate salary in a company)

          • @hansl
            link
            311 months ago

            Sounds like your gripe is with people requiring accounts for reading public content, and not with preventing usage of automated email creation and trying to limit bots on your website.

        • ono
          link
          fedilink
          English
          1
          edit-2
          11 months ago

          disallow list of known bad email providers.

          Imagine giving someone your phone number, and having them say you have to get a different one because they don’t like some of the digits in it.

          I have seen this nonsense more times than I care to remember. Please don’t build systems this way.

          If you’re trying to do bot detection or the like, use a different approach. Blacklisting email addresses based on domain or any other pattern does a poor job of it and creates an awful user experience.

          (And if it prevents people from using spam-fighting tools like forwarding services, then it’s directly user-hostile, and makes the world a worse place.)

    • @fubo
      link
      9
      edit-2
      11 months ago

      The only way to correctly validate an email address is to send a message to it, and verify that it arrived.

      If you’re accepting email addresses as user input (e.g. from a web form), it might be nice to check that what’s to the right of the rightmost @ sign is a domain name with an MX or A record. That way, if a user enters a typo’d address, you have some chance of telling them that instead of handing an email to user#example.net or user@gmailc.om to your MTA.

      But the validity of the local-part (left of the rightmost @) is up to the receiving server.

      • ono
        link
        fedilink
        English
        11
        edit-2
        11 months ago

        Checking MX in your application means you needlessly fail on transient outages, like when a DNS server is rebooting or a net link hiccups. When it happens, the error flag your app puts on the user’s email address is likely to confuse or frustrate them, will definitely waste their time, and may drive them away and/or generate support calls.

        Also, MX records are not required. Edit to clarify: So checking MX in your application means you fail 100% of the time on some perfectly valid email domains. Good luck to the users and support staff who have to troubleshoot that, because there’s nothing wrong with the email address or domain; the problem is your application doing something it should not.

        Better to just hand the verification message off to your mail server, which knows how to handle these things. You can flag the address if your outgoing mail server refuses to accept it.

        • @fubo
          link
          511 months ago

          If DNS is transiently down, the most common mail domains are still in local resolver cache. And if you’re parsing live user requests, that means the IP network itself is not in transient failure at the moment. So it takes a pretty narrow kind of failure to trigger a problem… And the outcome is the app tells the user to recheck their email address, they do, and they retry and it works.

          If DNS is having a worse problem, it’s probably down for your mail server too, which means an email would at least sit in the outbound mail spool for a bit until DNS comes back. Meanwhile the user is wondering where their confirmation email is, because people expect email delivery in seconds these days.

          So yeah … yay, tradeoffs!

          (Confirmation emails are still important for closed-loop opt-in, to make sure the user isn’t signing someone else up for your marketing department’s spam, though.)