

Stop Validating Email Addresses With Your Complex Regexes - cyen
http://davidcelis.com/blog/2012/09/06/stop-validating-email-addresses-with-regex

======
jyap
There's got to be a bug because this was on the front page 6 days ago:
<http://news.ycombinator.com/item?id=4486108>

Well the link in the previous post had a trailing slash.

~~~
crisnoble
So to sum up the comments on the previous submission:

1) Someone did make a fully compliant Regex
<https://github.com/larb/email_address_validator>

2) Lots of people (including the author
<http://news.ycombinator.com/item?id=4486264>) think that you should at least
validate that the '@' is somewhere to avoid username / email mixups

3) If your regex fails for foo+tag@something.com lots of people get pissed. I
learned you can use that for inbox sorting since foo+tag@something.com goes to
foo@something.com.

4) There are other schools of thought that promote validation and telling the
user something is wrong like mailcheck.js
(<https://github.com/Kicksend/mailcheck>), but these should not stop users
from submitting forms.

Did I miss anything?

~~~
ars
Yes.

5) Do some basic validation. If it fails, ask the user: Are you sure this
email address is correct? If they say yes, then allow it anyway.

This lets you catch all the typos, without annoying people with more
complicated email addresses.

------
ry0ohki
One suggestion I would add: Let them in right now, and confirm later. Sites
that require you to wait for an email, click a validation link etc... have a
higher barrier to entry. Sometimes email is slow, sometimes it ends up in
spam, etc...

Just let the users in at first to poke around before forcing them to validate
their email. After a day or two (or maybe to access certain features) remind
them they need to confirm that email they got if they haven't already. Yes,
some people may try your product and you won't have their real email address,
the the ROI on spamming these people later is probably not worth the initial
friction.

------
jere
If you've been developing login systems for any length of time, this should be
fairly obvious.

Be careful about taking that "it’ll get bounced" attitude too far though. The
last time I did so I forgot to trim the email addresses and didn't lowercase
them. Failing to trim will probably result in the email going through, but
then might cause problems later on when you try to match their login ID to
what they enter the next time.

A similar issue arises for case. Email addresses are _supposed_ to be case
sensitive but providers don't seem to take advantage of it in practice. Again,
the case a user types varies from time to time (I assumed nobody used upper
case... it seems silly). And if you switch to case insensitive login IDs down
the line, you may have to deal with duplicate accounts (same email but
different case).

~~~
Steuard
Regarding upper case: I've taken to typing the first part of my work email
address as "JensenS". My wife and I work at the same place, and when I wrote
it as "jensens" there were honestly people who assumed that address was a
plural and went to both of us.

~~~
jere
>when I wrote it as "jensens" there were honestly people who assumed that
address was a plural and went to both of us.

 _facepalm_

------
ericd
Following this advice creates a lot of "I never got my activation email" and
"Why won't it let me log in" support emails that are a big pain to deal with.
It's pretty important to nip that in the bud, hence immediate email address
validation.

------
leeoniya
we've been doing full mx lookups and smtp RCPT TO: queries for some time.

beware: yahoo's smtp servers always say addresses are valid...making
validation quite pointless.

------
egiva
I couldn't help thinking while reading this that my main concern with
registration systems isn't the complicated Regex as much, but rather the
really annoying registry bots that sign up phantom accounts. I'm not a huge
Captcha fan, but without something (Recaptcha, ghosted fields, etc) you'll get
SPAMMED with tons of fake accounts - and they have valid emails, AND the bots
click on the links in the confirmation email automatically. It's really sad.

~~~
crisnoble
Well now some bots can read captchas too:
<http://userscripts.org/scripts/show/56989>

------
TomatoTomato
What about just checking if a MX record exists?

~~~
kingatomic
That verifies the domain, but not the actual mailbox.

One possibility would be to lookup the MX, then connect to the remote MTA and
ask it directly if the mailbox is valid. But that seems a bit like over-
engineering.

~~~
ars
It's also possible that the email server is down at the moment, but will come
back up later.

------
tete
HTML 5 input fields support it now (if you want to do it for the user input).

------
madprops
I just check if there's a @

~~~
crisnoble
Which the authors conceded is good idea most of the time on the old submission
<http://news.ycombinator.com/item?id=4486264>

