JavaScript email address validation part 2

A few people have responded to yesterday's post about validating email addresses in JavaScript, pointing out that it's very, very wrong. For starters, Skud points out that .info addresses won't work. Howie points out that .mobi and, further, .museum are valid domains.

Stephen Thorne was most scathing, and makes very good points.

For a start, ' is valid in email addresses, but not at the beginning or the end, O'Brian@example.com. That's just a simple real-world case and ignores the perfectly valid myname@[59.167.98.48], email addresses with doublequotes and spaces, the myriad ways of escaping, etc. RFC821 has a full grammar for email addresses.

The best possible way to validate an email address is to ask the MX for that domain if you can deliver mail there. Can't be done in JavaScript without Ajax of course, but it's probably the best way. You do the "HELO/MAIL FROM: <>/RCPT TO: $username" handshake with the MX, and if it doesn't reject you, you know it's at least partway valid.

Otherwise, your best bet is to check that it contains an @ and is more than 4 characters. Anything in between will reject valid email addresses.

I suppose what this results in is that you want 1 or more characters left of the @, then three or more characters to the right, with at least one period. The right-hand side you can constrain a bit more, since the acceptable characters for domains are easily defined.

And yes, myname@[59.167.98.48] is a valid SMTP addressee, but I'm not sure I'd call it an email address in the modern sense any more than I'd expect bang paths.
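A sketch of the rule outlined above, run over the addresses mentioned in this post. It is an added example, not the regex promised below: the names `looksLikeEmail` and `classify` and the sample addresses other than the two quoted in the post are constructed, and reading "acceptable characters for domains" as letter-digit-hyphen hostname labels is an assumption.

```javascript
// Added example: permissive left-hand side, constrained right-hand side.
// Assumption: a domain is dot-separated labels of letters, digits and
// hyphens, 1-63 characters each, with no hyphen at either end of a label.
const LABEL = /^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$/i;

function looksLikeEmail(input) {
  if (typeof input !== "string") return false;
  // Split on the LAST @, so a quoted local part that contains @ stays whole.
  const at = input.lastIndexOf("@");
  if (at < 1) return false;                 // 1 or more characters left of the @
  const domain = input.slice(at + 1);
  if (domain.length < 3) return false;      // three or more characters on the right
  const labels = domain.split(".");
  if (labels.length < 2) return false;      // at least one period
  // No fixed TLD list or length limit: .info, .mobi and .museum all pass.
  return labels.every((label) => LABEL.test(label));
}

// Constructed sample input (only the first two come from the post itself).
const SAMPLES = [
  "O'Brian@example.com",        // apostrophe in the local part
  "myname@[59.167.98.48]",      // address literal: deliberately not accepted
  "skud@example.info",
  "curator@example.museum",
  '"a@b"@example.com',          // quoted local part containing @
  "a@b.c",                      // shortest right-hand side that passes
  "@example.com",               // nothing left of the @
  "user@localhost",             // no period
  "user@example..com",          // empty label
  "user@-example.com",          // label starts with a hyphen
];

// Returns { address: true|false } for each input address.
function classify(addresses) {
  const result = {};
  for (const address of addresses) result[address] = looksLikeEmail(address);
  return result;
}

console.log(classify(SAMPLES));
```

Passing this check only means the address is plausibly shaped; whether mail can be delivered there is still a question for the MX.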

I'll work up a regex implementing what I outlined above shortly, though I've got a higher-priority project for today so it'll probably be tomorrow. Thanks for the feedback!

PS: RFC2821 supersedes 821.

PPS: Both Skud and Stephen wanted a way to comment on my blog. I don't have the time nor energy to spend 45 minutes de-spamming my blog, which is why I put a "contact me" link on it, which points to my mail form.

Be sure to see this followup.
