DEV Community

Cover image for There's only one way to validate an email address
Jerod Santo
Jerod Santo

Posted on • Originally published at changelog.com

There's only one way to validate an email address

The only thing that you can reliably do to validate an email address is to send it an email. YOU SEND IT AN EMAIL! That's the only way you can do it. I know what you're thinking,

"I have the best regular expression for this!"

No, you do not. You think you do, but you don't. Your regular expression is invalid; it's not good enough. You know the old adage:

"A developer, when faced with a problem, thought 'I know. I'll use regular expressions.' Now he has two problems."

That's what you have - you have two problems. I've known this for years, and yet I was still convinced recently to add a regular expression-based email validation server-side;

(First of all, never trust a client, right? You can do it all you want there, but it can bypass all your checks. It's gotta be server-side.)

I put a regular expression-based email validation and I thought "This one's pretty good."

In fact -- man, I don't know what came over me; I was actually even talked into copy-pasting one off of a gist! 😭

It looked pretty good, and it covered most of the bases, and sure enough, last week I got an email from a prospective user saying

"Hey, I'm trying to sign up for Changelog Weekly, but it says my email address isn't valid, and it obviously is valid, because I'm emailing you with it right now..."

And I thought, "I'm an idiot. Why did I put a regular expression-based email validation on my system?"

So don't do that. I know you can find one on Stack Overflow... I'll tell you right now, it's not good enough. Email addresses are SO complicated. There's so many valid things...

If you're going to do it -- and I'll admit that I kept it in there, but I just check that there's some stuff, and then an @, and then some stuff.

~r/^\S+@\S+\.\S+$/
Enter fullscreen mode Exit fullscreen mode

That's pretty much what you're gonna be able to do... And that's just to basically make sure that you don't get some junk into your database... πŸ™…β€β™€οΈ

But still, all you've gotta do is send them an email, and if they click on it, well that's a valid email address. If they don't click on it, then who cares...? That's a hard-learned lesson!

If you want to validate an email address, send it an email. Problem solved.

Until bots start clicking on emails. Then we're gonna have a whole new issue... But so far I don't think there are bots that will

  1. create a fake email address
  2. sign up for your thing, and then
  3. access that email address and click on the link

When we get there, then we'll have to come up with something else. But until then, just send it an email.


What you've just read is an excerpt from JS Party #39. I fixed up the formatting a bit for readability, but these (almost) exact words were spoken by me during the Pro Tips segment of that episode. In addition to tips like this one, we also discuss news & trends, interview awesome guests, teach each other things like we're 5, and have lots of fun doing it. You should totally come party with us live on Thursdays or subscribe to the produced version! Take a listen and let us know what you think. πŸ’š

play pause JS Party

Top comments (30)

Collapse
 
eriksk profile image
Erik Skoglund

Just a bit :D

Collapse
 
ri5hirajp profile image
Rishiraj Purohit

I totally agree with the problems in regex and how sending an email is best way to validate an email. To add to the bot scenario in the ending I've faced situation where after I click the link in email I was faced with a recaptcha which seems good unless bots learn to solve those too

Collapse
 
ferricoxide profile image
Thomas H Jones II

…recaptcha which seems good unless bots learn to solve those too

2017

Collapse
 
nickjj profile image
Nick Janetakis

In fact -- man, I don't know what came over me; I was actually even talked into copy-pasting one off of a gist!

As soon as I read this, I knew I was in trouble haha. I remember that conversation. Good thing you've had it fixed for almost a year now!

Collapse
 
timkor profile image
Timkor • Edited

Interesting article. However, what do you actually propose that a valid email address is:

  • An emailadress that works? Then this check is great.
  • Detecting it's not a bot? I don't really see this working. Especially not on long term.
  • Detecting it's not fraud/scam? Does not work. Scammers can steal credentials of their victims or what happens more often, just let the victims confirm their email.

If it's just about checking if a user did not mistyped his of her email. You're best off using a well tested browser implementation or just keeping the input loosely validated. The last thing you want is loosing conversion by someone that can not enter a valid email. At the end, it's the users responsibility to enter their correct emailadress.

If you really want to be sure and do not want to depend on a browser implementation or a strict validation process. You could even ask their email twice. Then the chance that the user mistyped will be very, very low.

Collapse
 
jerodsanto profile image
Jerod Santo

what do you actually propose that a valid email address is

To me, valid means it's an email address in control of a human who entered it in earnest. You could layer on bot defense (via recaptcha, etc) either on the email form itself or on the confirmation page linked to in the email. But in my opinion, that's a separate concern.

You're best off using a well tested browser implementation or just keeping the input loosely validated.

I'm all for using <input type=email> and letting browsers do their thing. But that's more for UX than it is for me as the site owner.

Collapse
 
ferricoxide profile image
Thomas H Jones II

If you really want to be sure and do not want to depend on a browser implementation or a strict validation process. You could even ask their email twice. Then the chance that the user mistyped will be very, very low.

Though, if you do that, you probably want to disable the ability to paste from cut-buffer into the form. Otherwise, most people will just copy-paystah and you can end up with the wrong string twice.

Remember: there's people out there constantly trying to build a better idiot.

Collapse
 
itr13 profile image
Mikael Klages • Edited

Would a regex catch either of the last two cases?

Collapse
 
timkor profile image
Timkor

No, pretty impossible using regex. There are tools like Siftscience though.

Collapse
 
ferricoxide profile image
Thomas H Jones II

Used to be, you could validate an email address by connecting to the SMTP server listed in the address's MX record, and then do a VRFY. But, also thanks to spammers, you can almost never do that any more.

Collapse
 
jerodsanto profile image
Jerod Santo

The good ole' days! πŸ‘΄

Collapse
 
matthewbdaly profile image
Matthew Daly

I agree that you shouldn't use a regex, but PHP in particular has the filter_var() function, which is a far better option. There are a few edge cases that are validated incorrectly, but it's generally fairly reliable.

However, sending an activation email is probably prudent in most cases since just because an email address is valid doesn't mean it actually exists.

Collapse
 
ferricoxide profile image
Thomas H Jones II

However, sending an activation email is probably prudent in most cases since just because an email address is valid doesn't mean it actually exists.

Or is owned by the person submitting the address… :p

Collapse
 
jerodsanto profile image
Jerod Santo

πŸ’―

Collapse
 
phlash profile image
Phil Ashby

Yep. There are similar challenges with telephone numbers too ("surely not!" I hear you cry... uh-huh: en.wikipedia.org/wiki/National_con...), and usually our clients want to confirm it's not made up, thus, we adopt similar solutions, such as sending an SMS message, or making an actual call.

Collapse
 
ferricoxide profile image
Thomas H Jones II • Edited

Thus the recent FCC warnings about dialing back unknown "local" numbers. Thus, "be careful about calling back".

A couple weeks ago, I received a call that, on my cell, very obviously came from the 20 country-code. However, on my VOIP line's handset - and its simplified display - the number simply appeared as a ten-digit 202NNNNNNN (the 202 area-code is local to me) number.

Collapse
 
jackharner profile image
Jack Harner πŸš€

What are people's thoughts on the registration flow where the user puts in an email first, has to click the verification link, then sets username/password/finish signing up?

Any pros/cons over getting the profile info and then verifying the account?

Collapse
 
jerodsanto profile image
Jerod Santo

That's pretty much what we do on changelog.com except we don't bother with a password.

There is a way you can join and give us all your info up front, but most people just give us their email and we go from there. Once they click the confirm link they are directed to their profile where they can fill out the rest of the info if they like.

Works pretty well, in my experience.

Collapse
 
jerodsanto profile image
Jerod Santo

Yeah... I'm not gonna touch that with a 10 foot pole πŸ˜‰

Collapse
 
scottishross profile image
Ross Henderson • Edited

When I validate an email I simply regex for alphanumeric, @ and a . following the @. As you say, it's impossible to truly validate an email address without sending an email, but it's worth making sure it's a potentially valid email address.

Edit: In fact I think my regex actually works like: [capture-group-1}@[capture-group-2].[capture-group-3]