Question: How do you validate an email address?
Answer: It depends.
The absolute answer is that you have to send mail to that address and request that the user take some action to indicate that they received the email. That might be as simple as replying to your email or logging into a webpage by providing a code included in the email that you sent. This is the only way you can really validate an email address.
But maybe you'd like to do some pre-checking before you go to all that trouble. It's easy enough to write a regular expression that matches email addresses as defined in RFC822 - and you should definitely look at that before you decide that you know what a valid address looks like! But that's just syntactically correct - it doesn't mean that the domain exists, or that it has a mailserver if it does exist, or that the user at that address actually exists. Still, regex checking can eliminate a lot of the worst crap people will type into a web form.
See How to Find or Validate an Email Address for more thoughts on using regexes to validate addresses.
The next step is therefore to check that the domain part has an MX record or records. If "dig whateverxyz.com mx" doesn't give back something like
whateverxyz.com. 7200 IN MX 10 inbound.registeredsite.com.
then it's pretty obvious that "firstname.lastname@example.org" isn't a valid address.
If it is valid, you could try asking the server if it will accept mail for that user. That used to be a lot easier than it is now: all you had to do was connect and issue a "VRFY jack". Almost nobody lets you do that today because it was an easy way for spammers to check addresses - they would just try every name they could think of and send junk to the addresses that existed.
But you still can ask by using "rcpt to:". See How do I test an SMTP server for details; you look up the MX for the domain, connect to that and issue a "Helo yourdomain.org", a "Mail from: email@example.com" command and then a "rcpt to: firstname.lastname@example.org". If you get a positive response (a 250 rather than a 55? or anything else), that SHOULD be a valid address. Maybe :-)
See SMTP reply codes for server responses.
However, there are any number of reasons that a server might give you back a 250 for a completely bogus user. Many servers today are configured to do exactly that to avoid giving spammers information about users. So they accept anything and then may or may not send back a bounce message later. More and more are configured to be totally silent - you'll just never know the address was bad.
(Most Kerio mail servers are configured that way.)
Even if that were not true, the server may be configured to forward unknown users to some other server - again, you won't know anything unless that server chooses to tell you. That brings us back to what I said at the top: the only absolute test is to send email that requests the recipient take some verifiable action.
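The pre-checks described above (syntax, MX lookup with dig, then a "rcpt to:" probe) chained together in Python, as an added example that is not code from the original article. The function names, verdict strings and the loose regex are assumptions made for illustration; a 250 is reported as "accepted-unverified" because, as explained above, a server may accept any recipient.

```python
import re
import smtplib
import subprocess

# Loose syntax pre-check (an assumption, far short of the full RFC 822 grammar).
SYNTAX = re.compile(r"^[^@\s]+@((?:[A-Za-z0-9-]+\.)+[A-Za-z]{2,})$")
# Matches a full dig answer line or the "+short" form: "<pref> <host>."
MX_LINE = re.compile(r"^(?:\S+\s+\d+\s+IN\s+MX\s+)?(\d+)\s+(\S+?)\.?$")

def parse_dig_mx(output):
    """Return MX hosts from dig output, lowest preference first."""
    found = []
    for line in output.splitlines():
        m = MX_LINE.match(line.strip())
        if m and m.group(2) != ".":      # "0 ." is a null MX (RFC 7505)
            found.append((int(m.group(1)), m.group(2)))
    return [host for _, host in sorted(found)]

def dig_mx(domain):
    """Run dig for the domain's MX records and parse the answer."""
    out = subprocess.run(["dig", "+short", domain, "mx"],
                         capture_output=True, text=True, timeout=15)
    return parse_dig_mx(out.stdout)

def rcpt_code(mx_host, sender, rcpt, helo="yourdomain.org"):
    """HELO, MAIL FROM, RCPT TO against one MX; return the RCPT reply code."""
    with smtplib.SMTP(mx_host, 25, timeout=15) as s:
        s.helo(helo)
        if s.mail(sender)[0] != 250:
            raise smtplib.SMTPException("MAIL FROM refused; recipient not tested")
        return s.rcpt(rcpt)[0]

def precheck(addr, sender, resolve=dig_mx, probe=rcpt_code):
    """Classify addr; no outcome here ever means 'confirmed deliverable'."""
    m = SYNTAX.match(addr)
    if not m:
        return "bad-syntax"
    hosts = resolve(m.group(1))
    if not hosts:
        return "no-mx"
    try:
        code = probe(hosts[0], sender, addr)
    except (OSError, smtplib.SMTPException):
        return "unknown"                 # could not complete the dialog
    if code in (250, 251):
        return "accepted-unverified"     # server may accept every recipient
    if 500 <= code < 600:
        return "rejected"
    return "unknown"                     # 4xx: greylisting, temporary failure
```

Only "bad-syntax", "no-mx" and "rejected" are grounds to refuse an address at the form; every other verdict still needs the confirmation email.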
© 2011-07-08 Anthony Lawrence