Validating E-Mail Adresses

If you're client side address validation is more than "contains an @", you're most likely wrong.

Released: 23. Jul 2023
Share this on: Twitter

The Problem

I have a ".dev" domain (as you might have seen in the address bad of your browser). Sadly this often gets rejected by inputs with custom validation code as an invalid Mail address. In this post I will first show how not to validate addresses and then what to actually do.

What not to do

The items below are all things I've seen recommended for checking addresses and I'll write why they're wrong.
This is an incomplete list, so if your check isn't on here, it doesn't mean it's right!

Contains a dot in the domain

This is not right, because you can technically send a mail to a TLD (like a@com) and also IPv6 addresses (like postmaster@[IPv6:2001:0db8:85a3:0000:0000:8a2e:0370:7334]).

TLD is two to X characters long

If you're not using 63 as X (the longest allowed TLD), you're doing it wrong. The longest currently defined TLD is XN--VERMGENSBERATUNG-PWB, which is 24 characters long.

Only allow alphanumeric values in name or domains (plus dots)

You can use the comment syntax to apply tags to incoming mails like a(comment)@(comment2) This is totally valid and you shouldn't deny this!

Disallow spaces and other special characters

"this.(),:;<>[]is\"a very@unusual mail!address" is a valid address and so is

What to do

Every singly consideration you do should IMO allow for all valid addresses. If you're unsure about your validation, don't enforce it. There's nothing wrong with just asking the user "are you sure" and accepting the response.

If you want to actually do it right, just check that the address contains an "@" symbol and then send a verification mail.