Please, kill all email validators

This post is essentially a transcription of this talk by Stavros Korokithakis.

Email validators are nonsense. You cannot validate an email address.

Let’s play a game: here is a list of email addresses; try to work out whether each one is valid. The answers are at the end of the post.

  1. hi@stavros.io
  2. stavros.@stavros.io
  3. stavros..k@stavros.io
  4. !#$%&’*(-/=?@stavros.io
  5. f*ck@stavros.io
  6. #&%!^/&@stavros.io
  7. h(a)i@stavros.io
  8. (sta)vros@stavros.io
  9. stavros@stavros.io(io)
  10. em@il@stavros.io
  11. “<\”@\”.!#%$@stavros.io
  12. <\”@\\”.!#%$@stavros.io
  13. “hi@you”@stavros.io
  14. “hi you”@stavros.io
  15. ” “@stavros.io
  16. hi”@”you@stavros.io
  17. “<\”@\\”.!;#%$@stavros.io
  18. hi\ there@stavros.io
  19. cow@[dead::beef]
  20. stavros@io
  21. 1@23456789
  22. 1@[23456789]

Just take a look at the monstrous regexes you can find nearly everywhere:

^[_A-Za-z0-9-]+(\\.[_A-Za-z0-9-]+)*@[A-Za-z0-9]+(-[A-Za-z0-9]+)*(\\.[A-Za-z0-9]+(-[A-Za-z0-9]+)*)*(\\.[A-Za-z]{2,})$

(?:[a-z0-9!#$%&'*+/=?^_`{|}~-]+(?:\.[a-z0-9!#$%&'*+/=?^_`{|}~-]+)*|"(?:[\x01-\x08\x0b\x0c\x0e-\x1f\x21\x23-\x5b\x5d-\x7f]|\\[\x01-\x09\x0b\x0c\x0e-\x7f])*")@(?:(?:[a-z0-9](?:[a-z0-9-]*[a-z0-9])?\.)+[a-z0-9](?:[a-z0-9-]*[a-z0-9])?|\[(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?|[a-z0-9-]*[a-z0-9]:(?:[\x01-\x08\x0b\x0c\x0e-\x1f\x21-\x5a\x53-\x7f]|\\[\x01-\x09\x0b\x0c\x0e-\x7f])+)\])

You can find many more just by typing “regex email” into your favorite search engine.

So how do I know if an email address is valid, you ask?

That is actually quite simple:

  1. Check that the address has at least one “@”
  2. Optional: check that the domain has at least one MX record
  3. Just send the email!
  4. If the email is not valid, the end user will simply not receive it.

You can see one example of this logic here:
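
A separate sketch of the same four steps, added here and not the example linked above or code from the talk. The names `check_address`, `register` and `dnspython_mx` are hypothetical, `send` stands for whatever mailer the application already uses, and the MX lookup assumes the third-party dnspython package is installed.

```python
def dnspython_mx(domain):
    """Optional step 2 via dnspython (third-party; assumed installed).
    Returns MX host names, [] if the domain has none, None if the lookup failed."""
    import dns.exception
    import dns.resolver
    try:
        return [str(r.exchange) for r in dns.resolver.resolve(domain, "MX")]
    except (dns.resolver.NXDOMAIN, dns.resolver.NoAnswer):
        return []
    except dns.exception.DNSException:
        return None  # timeout or resolver trouble: do not blame the user


def check_address(address, mx_lookup=None):
    """Return (ok, reason); ok means 'go ahead and send the mail'."""
    _local, at, domain = address.rpartition("@")  # the last "@" starts the domain
    if not at:
        return False, "no @"  # step 1
    if not domain:
        return False, "empty domain"  # added here: nothing to look up or deliver to
    if mx_lookup is None or domain.startswith("["):
        # Step 2 is optional, and [..] is an address literal with no MX to query.
        return True, "mx check skipped"
    hosts = mx_lookup(domain)
    if hosts is None:
        return True, "mx lookup inconclusive"
    if not hosts:
        return False, "no MX record"
    return True, "mx found"


def register(address, send, mx_lookup=None):
    """Steps 3 and 4: send the mail and let delivery decide."""
    ok, reason = check_address(address, mx_lookup)
    if ok:
        send(address)
    return ok, reason


if __name__ == "__main__":
    fake_mx = {"stavros.io": ["mx.stavros.io."]}  # constructed DNS data for the demo
    outbox = []
    for addr in ["hi@stavros.io", "em@il@stavros.io", "cow@[dead::beef]",
                 "stavros.io", "hi@no-mx.invalid"]:
        print(addr, register(addr, outbox.append, lambda d: fake_mx.get(d, [])))
```

Because almost any string passes these checks, hand the address to the mail library as a recipient argument and never splice it into headers, shell commands or queries. Pass `dnspython_mx` as `mx_lookup` to enable step 2 against real DNS.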