Email addresses are a great example of boring infrastructure hiding decades of edge cases
gerdesj 8 hours ago [-]
Email is just like physical mail and thankfully just as endearingly human (sometimes).
Once upon a time (1970/80s) I lived on and off in a mystic land called West Germany. Our postal addresses ended with incantations such as BFPO 40.
Around 1985ish my granny sent a Christmas card to us. I should note that she was at this time nearly seventy and sadly suffering from Parkinson's. She addressed the card, in rather crabbed but legible handwriting, to:
Graham and Heath
BFPO 40
My mum's name is abbreviated - her daughter. At that time Rheindahlen (nr Moenchengladbach) had a pretty large contingent of Brits in it - it was HQ (BAOR).
The card arrived well before Chrimbo and it took about a week judging by the post mark, which was pretty normal in those days. She shoved it into a post box in Ipplepen, nr Newton Abbot, Devon and it found its way to an obscure address in another country. I seem to recall she also forgot the stamp but it still got through.
I'm sure mail like that becomes a point of honour to deliver and HM PO and BFPO did the job admirably.
That attitude is how email MTAs are generally designed to work. They cling on to the good old days and sadly the world is a bit shit. Case sensitivity ... lol!
cjs_ac 20 minutes ago [-]
Bill Bryson claimed to have received a letter addressed to ‘Bill Bryson, Writer, Yorkshire’.
I have some cousins who live in a small town in Australia where the houses have neither names nor numbers. You just address the envelope to ‘<name>, <street>, <town>’, and it’s the postie’s responsibility to know where everyone lives. (‘Postie’ is the official job title in Australia Post because it’s gender-neutral.)
KurSix 6 minutes ago [-]
I love these examples because they show that addressing has never really been as formal as we like to pretend
8n4vidtmkvmk 7 hours ago [-]
New rule: when emailing someone, you need to include their name. If you do that, the email delivery gods will correct typos in your email address.
KurSix 8 minutes ago [-]
[dead]
Freak_NL 56 minutes ago [-]
This is all old hat, unfortunately, and also a thing which will be gotten wrong by developers for years to come. Just shouting 'give me a regex for validating email addresses' will make an LLM like ChatGPT happily output bullshit suggesting some overlong regex which is flawed precisely as outlined by the linked article, even though no one is arguing for those long unmaintainable regexes once they've seen the light.
Ah well.
Where there is still room for improvement is in how email addresses are often made a little bit anonymous by a lot of websites. Did you ever see something like 'j*h@gmail.com'? Oh wow, that neatly leaves out John Smith's full name! Like showing only the last four numbers of an IBAN or credit card.
Except for us edge cases with a personal domain, where I then get 'm*l@myfullname.nl'. So stop that. Store it next to the bit of knowledge about validating email addresses — the bits of knowledge you use to correct junior developers and senior idiots.
KurSix 4 minutes ago [-]
This is a nice sibling problem to validation. In both cases, the bug is assuming an email address has a predictable human structure
This is one of my favorite articles on validating emails using RegEx, I fondly remember reading it over 15 years ago. It's stuck with me ever since.
julian_t 1 hours ago [-]
"Email addresses always have a 'normal' TLD"
I registered a ".consulting" domain for my little company when they became available, and it has proved highly problematic ever since. Strangely (or perhaps not) it seems to be the larger players that have the most problems. I would at least have expected ISPs and comms companies to keep up with this (looking at you, Three)
KurSix 3 minutes ago [-]
The annoying bit is that owning a domain should make email feel more stable and professional
dijit 1 hours ago [-]
I once worked for a company that had a .company gTLD but not the .com
It was also a bloody nuisance. Spam filters were one thing but there were so many validation forms that failed.
Every reasonable variation of the company name as a .com/.net/.org was taken, including <companyname>company.com
Ugh, what a nightmare.
Domain holders are the landed gentry of tomorrow if we keep this up.
merelysounds 51 minutes ago [-]
> Every reasonable variation of the company name as a .com/.net/.org was taken, including <companyname>company.com
Even then it seems better to come up with a different prefix, or suffix (or both!), just to stay with ‘.com’.
Of course hindsight is 20/20 and I did the same, my personal homepage used to have a ‘.xyz’ address.
thih9 58 minutes ago [-]
Another anecdote, I no longer use my ‘.email’ email address for the same reason.
frereubu 1 hours ago [-]
We have a UK client in the healthcare industry who registered the domain clientname.healthcare, and they rapidly found that the NHS imposed regexes which rejected name@clientname.healthcare emails.
Aside from regexes though, I also think the new TLDs confuse quite a lot of people. name@clientname.healthcare just doesn't click as an email address as quickly as name@clientname.com, and I'm in tech so I'm sure it's much more confusing for people outside that space.
In fact, that reminds me that we built a site for another client for use inside an exhibition space which was spacename.house and against our advice they put that - without www or https:// - on exhibition panels for use on mobile phones. I am absolutely convinced that most people didn't realise it was a web address.
farfatched 8 hours ago [-]
> It’s likely that more people out there are being filtered by badly-implemented form validation than there are being filtered by their own need of hand-holding.
I wish this was asserted with evidence. The author might suggest this because they have unrealistic views of some users.
> In the year of our lord 2026, you can reasonably expect your users to know how to type their own email address - or even better, auto-input from their OS, browser, keyboard app, or password manager.
This really depends on who your users are.
I have multiple family members who have healthy memory, but can't accurately remember their email address every time: the localpart, the domain, the syntax, everything.
Sending an email verification isn't sufficient, because if the user has typo'd ".com", they might never receive that email, and the user might never be back, or then have to escalate to support.
Meanwhile, if a site is opinionated on TLDs, they might prevent those users facing issues.
I'm sure there are many sites where users have a large variety of odd email addresses, but also there are sites that cater to mostly non-technical users within 1-2 locales, and so may find the friendliest UX is having opinionated validation.
wolrah 7 hours ago [-]
That's why the article says "verify, not validate". Send an email, have a process for them to confirm they received it.
If the user gets the email and completes the validation, the email is valid. If they fucked up, they don't get the email and the account never gets created.
No one ever gets prevented from creating an account with a legitimate email address, as opposed to "opinionated validation" where that absolutely will happen. Speaking from years of experience having a .info domain which isn't even all that odd, and at one point using gmail-style + addresses regularly. "Opinionated validation" has forced me to use my .com domain without a plus dozens of times.
I know part of this is intentional, those who know they plan to sell your email addresses don't want you to use the plus addresses, but that doesn't make the advice to not filter addresses any less correct.
layer8 1 hours ago [-]
While I’m opposed to opinionated validation as well, you seem to be missing the issue it tries to solve, which is the user mistyping their email address, not receiving the verification email, and either thinking everything is fine, or thinking that the process is borked, and in any case not proceeding and not becoming your customer. The goal of opinionated validation is to inform the user about an incorrect email address immediately when they are entering it, so they can correct it right away.
rmunn 8 hours ago [-]
> I have multiple family members who have healthy memory, but can't accurately remember their email address every time: the localpart, the domain, the syntax, everything.
I got Gmail early enough that I have (my first name) dot (my last name) at gmail dot com. About twenty years ago, I started getting strange emails. At first I thought they were spam, because they were addressed to me by name but I had never joined those sites. Eventually I figured out that they were addressed to (my first name) (my last name) at gmail dot com. Which Gmail treats as the same address as the one with a dot in between.
Since I had never ever given out a version of my email address without a dot in the middle, I eventually figured out that these emails were meant for someone else who shared the same first and last name as me. But since I don't think Gmail would allow one person to register john.example@gmail.com and then later allow someone else to register johnexample@gmail.com, my name doppelganger must have registered firstnamelastname@yahoo.com, and then forgot the domain and given out firstnamelastname@gmail.com when asked for an email address. And probably never noticed that they weren't receiving emails like "Dear customer, thank you for purchasing (product). Would you like to try (other product)?", so they never realized that they were giving out the wrong email address.
Semaphor 5 hours ago [-]
I also have first.last@gmail.com (which I don’t use anymore, and just keep around), I get all kinds of private mails. Contracts, invoices, confidential material, private photos.
And of course, also automated signup mails, newsletters (which I make sure to block and report as spam, unsubscribing is a feature for newsletters that are opt-in), transactional mails etc.
People really suck at knowing what their e-mail is. The private mails are down to 1/month, the others to ~3/week, but it used to be much higher for both categories.
Oh and of course there is some kind of weird scam going on where spammers on German classifieds (Kleinanzeigen) send an e-mail to firstlast@gmail.com for whatever public first and last name of the lister is, and ask if the product is still available. No link, nothing. And all sent via gmail which has by an overwhelming majority become the biggest sender of spam for me. I guess they are trying to get someone to reply and then do some manual scam or something.
jcranmer 8 hours ago [-]
Randall estimates in the alt-text of https://xkcd.com/1279/ that there's about ¾ of a million people who just use somebody else's email on gmail without realizing it's not their email address.
trumpdong 8 hours ago [-]
There's something you can do in between - you can check the domain has an MX record.
TZubiri 2 hours ago [-]
> I have multiple family members who have healthy memory, but can't accurately remember their email address every time: the localpart, the domain, the syntax, everything.
But you can't do anything about that except asking them to validate their address with an email.
If you can catch 50% of user errors with some complex regex, but the other 50% such errors are uncaught, is that of any benefit during software design? No, because you still have to solve that problem, probably with email validation by code. You have reduced your workload by 0%, you just split it into 2 parts (unnecessarily).
SeanLuke 6 hours ago [-]
These are waaay too complicated. Web developers can't even handle the easy stuff. My email address is of the form sean@foo.bar.baz, and email address validators on websites reject my address about 30% of the time because it has two periods.
christophilus 5 hours ago [-]
Honestly, I just validate that it has an @ and then let it through. The actual sender (mailgun, or whatever) can do the dirty work for me.
Joker_vD 3 hours ago [-]
.{1,100}@.{1,100}
I'd probably also have a red warning line under the input field for something really fishy and also most common typos (like "gmail.con") but other than that, I'd let it through.
JuustoKakku 3 hours ago [-]
I've had sites correct me with an email address ending in ".fi" with "are you sure you don't mean ".fr"?
jamesfinlayson 2 hours ago [-]
Just had to update this this week - a previous dev had used 2,4 and someone came through complaining with a six character domain suffix. Apparently 24 or so is the current limit for a real domain suffix.
davchana 5 hours ago [-]
Discover bank, refuses to accept name@sub.example.in, but happily accepted name@example.us
riddley 7 hours ago [-]
I have a gmail address that at least three other people think is their address. I constantly get emails for the dumb stuff they sign up for. NONE of them ever have an "I didn't request this" link. I mean, I get it. That won't make them money, but oh man is it annoying.
hnfong 2 hours ago [-]
The weirdest time was when I got on a girl sorority email list. Told them they got the wrong email a couple times, gave up, and just added a mail filter...
JimTheMan 7 hours ago [-]
I get scammers using my email to sign up for websites, but they very obviously cannot login to my account. I often wonder what is in it for them. I'm sure someone on HN can tell me!
vintermann 28 minutes ago [-]
Commission schemes, possibly. Sign up with their code and they get something out of it. So they submit 10000 harvested addresses, and hope some small % of them think it's something they signed up for and complete the registration process.
You'd think big companies would know better than enlisting spammers to spam on their behalf, but I'm pretty sure Netflix had a scheme like this a few years ago. "Grow at any costs" sites like streaming or social media are probably happy with a tiny bit of plausible deniability for their spamming.
AndroTux 1 hours ago [-]
I assume they just need a valid email address to put in and hope they can use the service without email verification.
rimliu 2 hours ago [-]
I feel your pain. My gmail address is just my first name, and oh boy, don't half of the people sharing the same first name also think they share my email.
zephen 3 hours ago [-]
I have exactly the same problem.
> I mean, I get it.
I don't.
Seriously, that's a huge fricking red flag. Obviously, most of those companies I would never do business with anyway, but this puts it over the line for all the others.
If they don't understand the first thing about validating their putative customers' emails by, you know, sending an email saying "is this really you?" then they've completely proven their technical incompetence.
The worst one is robinhood. I have two different email addresses that different people have used to sign up for robinhood accounts (back when they were giving anybody an account).
Occasionally, I tweak them about sending me shit.
"Sure! Just send us a copy of your photo ID to prove you're not that person."
Nah, bro, you've proven you're clueless, and there's no way I'm sending PIA to clueless people.
dvh 43 minutes ago [-]
It's not lies. And it's not about me either. If I collect email address, it will be used somewhere, someday, in god knows what app. If I'm the one collecting the email, I will make it as restrictive as possible so that it doesn't cause issues down the line. If it's too different than John.Doe_123@example.com, it's best to reject it.
For robust systems the goal was never to allow user type any technically valid email. It is to allow only emails that will not cause issues in the future.
smelendez 4 hours ago [-]
Another one is that you can tell “professional” from “personal” email addresses or that every address even cleanly fits into just one category.
A lot of small business owners use gmail or a longstanding ISP account. A lot of people have personal email addresses you can’t easily distinguish from professional ones, between college alumni addresses, personal domains, and obscure ISP and email providers that aren’t in your database.
p0w3n3d 2 hours ago [-]
You really did -- in your domain name, didn't you?
amiga386 9 hours ago [-]
Add the lie "emails are delivered instantly, so the user can click a link I email them within 1 minute"
And the lie "users always read emails on the same device they're logging into a website with"
And the lie "users can always view HTML email so no need to send a plaintext equivalent, especially if I have a long complex URL I want them to click"
And the lie "Clickable links sent in email are more secure than passwords so I'll stop supporting passwords and instead rely on email delivery of a link for all logins. Whoever clicks that link first is definitely the user who wanted to log in"
trumpdong 8 hours ago [-]
If you try to create a Discord account with Firefox Klar as your default browser, on Android, immediately upon signing up you'll be banned. I have to assume this is because it clears cookies and thinks you're a bot farm.
wodenokoto 9 hours ago [-]
If you have a password reset form, you probably already have a log-in with email with extra steps functionality.
technion 7 hours ago [-]
Claude, for my non Gmail domain, expects me to click a magic link on every device I wish to use it. Its wild that a product like that cannot take a password, or a passkey.
Terr_ 7 hours ago [-]
> And the lie "users always read emails on the same device they're logging into a website with"
Or the same browser, or the same browser-profile. For example, on my phone I have external links (from other apps) opening in incognito mode by default.
nosioptar 8 hours ago [-]
When I had protonmail, I often wouldn't get emails for hours, sometimes a day.
Most other providers I've used range from instant to a few minutes.
butvacuum 7 hours ago [-]
I don't think it's about security. It's about fobbing off password resets on somebody else.
CPLX 9 hours ago [-]
> Clickable links sent in email are more secure than passwords so I'll stop supporting passwords and instead rely on email delivery of a link for all logins
God, I fucking hate that.
I have a fucking password manager, I have various machines and things open. Just let me fucking log in.
If anyone is reading this who is in charge of the internet please stop doing this.
roygbiv2 8 hours ago [-]
I seem to spend half my life logging into things, confirming 2fa, confirming biometric data. Then when I go back to the first thing it's timed out and I have to sign in again.
paradox460 1 hours ago [-]
I'll heap email and sms based otp into that
I have many ways to generate totp codes. All of them are vastly more convenient than sending me an email or sms
anon7000 8 hours ago [-]
So agreed. It’s fucking crazy. Password manager is so much easier and more secure. If you do this dumb email or SMS OTP flow, at LEAST support passkeys for my password manager!
It’s wild that they’re like “it’s more secure to not have a password” and then choose two unencrypted delivery mechanisms for the very short OTP.
Sure, people who reuse passwords are not secure. And fair, I guess it’s a tragedy of the commons. But at least continue supporting it and make it dead simple for password managers if you actually care about security
8n4vidtmkvmk 7 hours ago [-]
I thought the same for a long time but now i don't know. If your computer is compromised, they can exfiltrate your password, but with a hardware key they can't, so i think that's legitimately more secure than password+otp. It still needs a pin though to protect against device theft.
I bring this up because there's been a ton of compromised developer packages recently and windows itself is being attacked so even if you're pretty good about protecting yourself, you still might get screwed.
nvme0n1p1 7 hours ago [-]
If your computer is compromised, the attacker can just as easily read your email.
OTP can be used with a password.
denkmoon 9 hours ago [-]
The people in charge of the internet are "cybersecurity" "professionals" who can't even follow NIST guidance.
technion 6 hours ago [-]
A lot of those same people seemed perfectly capable of insisting on 60 day password rotation back when they could use nist guidance as an authority to appeal to (for about five years after the recommendation changed too).
Kaliboy 8 hours ago [-]
It is with much hesitation that I write this, because I just implemented such a flow.
My reasoning was this: my customers keep forgetting their password and somehow that becomes a trigger to contact me. No passwords, no problem.
I tried convincing them to use password managers but that was pointless.
But I see the pain and frustration so I will add passwords. And I quite liked the passkey idea, have to see how that works. Not that my customers would ever use it, but I would. It literally never occurred to me.
denkmoon 7 hours ago [-]
To be clear, no shade on actual devs faced with actual problems. My ire is reserved exclusively for the "we must do this because it is on the checklist, no I don't understand what a subnet is" people.
butvacuum 7 hours ago [-]
Good to see my take verified. But, where does the buck stop? What if your phone relies on email, but your email needs your phone.
readthenotes1 8 hours ago [-]
The "change your password every 6 months" guidance?
trumpdong 8 hours ago [-]
That was revoked some years ago.
denkmoon 7 hours ago [-]
Specifically the revocation of such guidance. If the field gave even the slightest deference to empiricism we wouldn't be changing our password every 180 days, but here we are.
Terr_ 7 hours ago [-]
There's a landlord/apartment portal where the whole login process has changed to be:
1. Enter username (e.g. an email)
2. Choose from either email or SMS on file
3. Enter the code you got somehow through the respective unencrypted channel
Given that this same site is involved with bank-account details for payment, I am concerned...
BobbyTables2 4 hours ago [-]
It’s really rich when banking/finance apps are fully happy doing 2FA to the phone when using its own browser…
Yeah — lose the phone and it’s pretty much game over.
adamzwasserman 2 days ago [-]
I enjoyed the deep dive. A lot of sensible advice, and enjoyed the deep dive. A lot of articles do not get a lot of that as right as this article does.
I would like to point out that the "suggested" validation pattern, ^[^@]+@[^@\s]+$, can filter out valid addresses. "user@something"@example.com is a valid address, and excluding @'s in the user part rejects it.
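To make the point above concrete, here is an added example (not code from the thread or the linked article) that runs addresses mentioned in this discussion through three checks. `SUGGESTED` is the pattern quoted in the comment; `OPINIONATED` is a constructed stand-in for the restrictive validators commenters complain about, and `split_last_at` is a hypothetical helper that splits on the final `@`.

```python
import re

# Pattern quoted in the comment above.
SUGGESTED = re.compile(r"^[^@]+@[^@\s]+$")

# Constructed stand-in for an "opinionated" validator: narrow local-part
# alphabet and a 2-4 letter TLD. Not taken from any real site.
OPINIONATED = re.compile(r"^[A-Za-z0-9._-]+@(?:[A-Za-z0-9-]+\.)+[A-Za-z]{2,4}$")


def split_last_at(addr):
    """Split on the LAST '@' (a domain never contains one).

    Returns (local, domain), or None when either side is empty or the
    domain contains whitespace. Passing this check only means the address
    is worth sending a verification mail to.
    """
    local, sep, domain = addr.rpartition("@")
    if not sep or not local or not domain:
        return None
    if any(ch.isspace() for ch in domain):
        return None
    return local, domain


# Sample inputs: shapes taken from the thread, with constructed values
# for the plus address and the IPv4 address literal.
SAMPLES = [
    "sean@foo.bar.baz",
    "name@sub.example.in",
    "name@clientname.healthcare",
    "first.last+shop@example.info",
    '"user@something"@example.com',
    "test@[192.0.2.1]",
    "no-at-sign.example",
    "trailing@",
]


def compare(addresses=SAMPLES):
    """Return {address: {check_name: accepted?}} for the three checks."""
    result = {}
    for addr in addresses:
        result[addr] = {
            "opinionated": bool(OPINIONATED.match(addr)),
            "suggested": bool(SUGGESTED.match(addr)),
            "last_at": split_last_at(addr) is not None,
        }
    return result


if __name__ == "__main__":
    for addr, row in compare().items():
        flags = "  ".join(f"{k}={'ok' if v else 'REJECT'}" for k, v in row.items())
        print(f"{addr:32} {flags}")
```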
zenoprax 1 hours ago [-]
> "user@something"@example.com is a valid address
I appreciate your commitment to correctness but like [XKCD 1172](https://xkcd.com/1172/) ... the user is clearly in the wrong at this point.
sohex 8 hours ago [-]
IIRC in terms of clients mutt (&co) will actually handle “@” in the local part correctly.
> But the real reason I do that is just because I just like to sit in anger whenever this breaks the user experience because of programming errors or inconsistencies.
Genuinely delighted by the fact that I’m not alone in that.
atoav 2 hours ago [-]
I think most of these issues are easy to resolve by being more permissive and supporting what the technical standard allows for.
The Big Problem™ however is case sensitivity in the local-part, because there multiple incompatible things collide:
1. Users are not universally aware of case (in)sensitivity in one direction or the other
2. Existing systems may or may not interpret case at all
My preferred solution would be to adjust the standard to ignore case in the local part by forcing it to lowercase. That aligns with most of the systems and mental model of technically proficient users anyways. It makes much more sense from an UX standpoint since the goal is to be unambiguous.
If we were to enforce the opposite: case sensitivity in the local part this would have multiple downsides:
1. It is inconsistent with itself by making the local part case sensitive but the host part not, that is harder to explain
2. You have to train users to be precise about case on entry. As someone who worked in IT-support, this is a very bad idea. This includes second-order issues like phishing attacks by sibling emails where just the case differs
3. If your service stores email addresses it will need to know whether that specific Mailserver/client/etc treats the email as case-sensitive or not
In my eyes email servers that allow case sensitive local-parts are functionally broken, even if they don't break any rules.
teo_zero 9 hours ago [-]
The plus sign is a pet peeve of mine, too. But I stopped keeping a list of bad sites when their number has become double digit!
croes 2 hours ago [-]
And even if you know that an email address is perfectly valid it still could be simply wrong because of a tpyo.
chrisandchris 7 hours ago [-]
> It turns out that allowing senders to omit dots is common but by no means universal!
I think this is mostly common with Gmail-heavy countries and does not apply to Europe? At least I do not know of anyone that thinks so.
atoav 2 hours ago [-]
One thing I have learned about verification is:
Don't just put a link into your mail that directly verifies an email when visited. At least put some button or code input field there.
Why? There are mail clients that will automatically open links for users and if that link is now invalid the user is confused about being able to click them.
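The advice in the comment above, sketched as an added example (not from the thread or from any product named in it): the emailed link only renders a confirmation page, and only the button's POST consumes the token. The handler names, the in-memory store and the 24-hour lifetime are assumptions; the long lifetime reflects the delivery delays other commenters describe.

```python
import hashlib
import secrets
import time

TTL_SECONDS = 24 * 3600   # assumption: mail can sit in a queue for hours

_pending = {}             # sha256(token) -> {"email", "expires"}; stand-in for a DB table
verified_emails = set()


def _key(token):
    # Store only a hash, so a leaked table does not yield usable links.
    return hashlib.sha256(token.encode()).hexdigest()


def issue_token(email, now=None):
    """Create the secret that goes into the emailed link."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    _pending[_key(token)] = {"email": email, "expires": now + TTL_SECONDS}
    return token


def _live_record(token, now):
    rec = _pending.get(_key(token))
    if rec is None or now > rec["expires"]:
        return None
    return rec


def handle_get(token, now=None):
    """Target of the emailed link. Changes no state, so a mail client or
    scanner that opens the link automatically cannot burn the token."""
    now = time.time() if now is None else now
    return "confirm_page" if _live_record(token, now) else "expired_page"


def handle_post(token, now=None):
    """Target of the confirm button. Single use: the token is deleted."""
    now = time.time() if now is None else now
    rec = _live_record(token, now)
    if rec is None:
        return "rejected"
    del _pending[_key(token)]
    verified_emails.add(rec["email"])
    return "verified"


if __name__ == "__main__":
    t = issue_token("user@example.org", now=0)       # constructed address
    print(handle_get(t, now=30))                     # mail client prefetch
    print(handle_get(t, now=6 * 3600))               # user opens it hours later
    print(handle_post(t, now=6 * 3600 + 5))          # user presses the button
    print(handle_post(t, now=6 * 3600 + 9))          # replay of the same token
```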
davidw 4 hours ago [-]
[Old man voice] Back in my day these kinds of articles loved pointing out that, well, the email address could be a UUCP address and that's a whole different parsing situation.
Of course, even then in the mid 90ies, UUCP was not something one really encountered outside of "so you think you're going to parse an email address with regexp?!" articles.
Soooo, let's just send a validation email and if they confirm the code, then it's a valid email?
Functionally there's no false positives or false negatives
AndroTux 1 hours ago [-]
There's a lot of false negatives because emails get stuck for hours, get blocked by the spam filter or fail to be delivered for whatever reasons.
jeffbee 9 hours ago [-]
This article says that Gmail can't handle address literals. I personally wrote the IPv6 address literal support for Gmail, so this annoys me. I just tested it and it shortened "[IPv6:2001:etc:etc::192.etc.etc]" down to "@2001" then generated an extremely terse mail delivery subsystem notification that I've never seen before. Which is why you should never just rewrite software without understanding why all the test cases are in the test suite!
thwarted 7 hours ago [-]
> "[IPv6:2001:etc:etc::192.etc.etc]"
I'm trusting this is a throwaway example and that you used a real IPv6 address literal in this test, without the "IPv6" and with only colons and no dots (unless you mean to use v4 mapped address with dots)? Because this IPv6 literal is so malformed that I'm hardly expecting it to do something sane and changing that to "@2001" is nasal-demons quality undefined behavior. I tried with this exact literal and it let me send it but then there was a tiny red pop-up at the top of the gmail interface that said "could not be delivered, check your network connection" (which is odd; the same kind of pop-up that appears in gray when you legitimately are not connected to the internet) and it ended up in my drafts with the To: field empty.
I just tried to send a message to a "test@[" my current IPv6 address "]", and gmail told me
Error
The address "test@[«redacted»]" in the "To" field was not recognized.
Please make sure that all addresses are properly formed.
This address doesn't have an MDA listening on it, but it didn't accept it enough to give me a non-delivery notification, it didn't even let me send it. gmail did accept an IPv4 address literal in brackets, although it hasn't given me back a non-delivery notification. What it stuffed into my Sent folder for this message has the square brackets stripped and the IPv4 address appears right after the @.
jeffbee 6 hours ago [-]
All address literals other than IPv4 must be prefixed by a tag, such as "IPv6:". The form that I gave is a syntactically valid v6v4 address literal.
Interesting, TIL. That makes the conversion to @2001 even stranger.
farfatched 8 hours ago [-]
Could they have consciously chosen to remove that functionality?
E.g. to simplify code, or if they wanted all mails to have a domain (if, for example, they wanted to integrate with reputation systems that were domain oriented)?
jeffbee 8 hours ago [-]
Based on the incredibly basic bounce message, I suspect the problem is that the frontend eats the address before it even gets to delivery.
To your question, yes any product decision is possible, but enterprise/government people are surprisingly demanding about this stuff working because they have extremely weird requirements for routing mail to and through legacy systems. So I bet this still works at the mailer level and is broken in the UI.
jcranmer 8 hours ago [-]
I chuck IP address literals (both IPv4 and IPv6) on the list of things that you should care about for email if you're writing an MTA or an MUA but should otherwise generally not care about supporting if you're using email for something else (e.g., as a UID for login).
jiveturkey 8 hours ago [-]
> TL;DR: Don't overthink it, just send a verification email.
pretty bad advice, if taken only as written, without adding more flavor on top.
the major email providers will penalize you if you generate too many undeliverable emails. thus, if you just send a verification email without any pre-validation, it's pretty easy to get into a DoS situation where current/valid users don't get important email sent to them, or that email is significantly delayed, plus incur huge operating cost to resolve the problem.
some form of rate limiting is needed, plus IMHO it's better to use a verifier service or your own heuristic or ML model to test for email validity including valid but fake/spammy/disposable addresses.
sorry, but we are way past the point of being able to have nice things, esp. when we're talking about email.
the "lies" part of the content is great. people do assume all those wrong things. however the TLDR is just wrong, and potentially harmful.
teo_zero 3 hours ago [-]
> the major email providers will penalize you if you generate too many undeliverable emails.
I suspect the rate at which new users may try to create new accounts and type a wrong email address is too low to be noticed by reputation metrics.
AndroTux 1 hours ago [-]
there's bad actors that use bots to sign up to websites using bogus data.
teo_zero 59 minutes ago [-]
Wait! Are you saying that you process new registration attempts without any rate limit, captcha, etc? Because the moment to filter out (or limit) bad actors is before they submit an email address, not through it.
trumpdong 8 hours ago [-]
I think the only way to deal with that right now is to hire a company whose job is to deal with it. They'll random-check your outgoing emails are indeed what you say they are, and they maintain a reputation with the big providers for checking it properly.
What pre-validation could you do that would possibly be useful?
jiveturkey 7 hours ago [-]
entropy check, for one
ashley95 8 hours ago [-]
This is cute and all. But for anyone coming here for real-world advice: just use a regex, normalize to lowercase, and surface any errors to users so they know if their email got rejected. This will avoid 99.9% of issues and work for 100% of real human users. This is what everyone else does, and if you have a user with an esoteric email, they will still be able to furnish another one that passes this validation.
pif 8 hours ago [-]
Display a warning and propose to edit instead of blocking the operation: your customers will be happier!