  1. #1
    Join Date
    Jul 2005
    Posts
    55

    Validating email addresses

    So I want to have high confidence that an email address being entered is a valid one.

    So as part of that, I am checking that the domain portion of the address has a valid MX record (PHP):

    Code:
    if(checkdnsrr($domain,"MX"))
    But my question is, what happens if an SMTP server does not find an MX record for an address it is trying to send to? Does it just fail and return an error? Does it fall back to an A record if one is available? Can a CNAME be used for sending email to another domain?

    In short, is checking for only an MX record going to filter potentially valid email addresses?

  2. #2
    Join Date
    Jul 2008
    Location
    Minneapolis, MN
    Posts
    276
    If I recall, per the RFCs, CNAMEs cannot be used.

    Some SMTP servers will fall back to an A record, and some will fail with "undeliverable". There is no good reason that a valid domain will not have an MX record, so if one is missing, then they either have a major configuration issue, or they are sketchy to begin with.

  3. #3
    Join Date
    Jul 2005
    Posts
    55
    Thank you very much for your input Krishopper. And you make an extremely valid point about domains without an MX record being in the pile of undesirables anyway.

    Awesome, thank you.

  4. #4
    I've never seen an email validation check the MX record. Good method; make sure you also regex the string as well with preg_match.

  5. #5
    Join Date
    Jul 2005
    Posts
    55
    Yep, I am also using this very handy PHP function which validates an email address string against the current RFC and Errata:

    Code:
    filter_var($email, FILTER_VALIDATE_EMAIL)
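
Added example, not code from any poster in this thread: a domain check that follows the mail-routing rules of RFC 5321 section 5.1 and RFC 7505, so a domain with no MX but an address record still counts as routable, while a null MX does not. The `mailRoute` function, the `$lookup` resolver hook and the `.example` zone data are assumptions constructed for the illustration.

```php
<?php
// Added example (not from the thread). $lookup is a hypothetical resolver hook:
// it takes (host, type) and returns rows shaped like dns_get_record() output.
function mailRoute(string $email, callable $lookup): array
{
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return ['ok' => false, 'why' => 'syntax'];
    }
    $domain = substr(strrchr($email, '@'), 1);

    $mx = $lookup($domain, 'MX');
    if ($mx) {
        // RFC 7505 "null MX": a single MX pointing at "." means no mail is accepted.
        if (count($mx) === 1 && in_array($mx[0]['target'], ['', '.'], true)) {
            return ['ok' => false, 'why' => 'null-mx'];
        }
        usort($mx, fn($a, $b) => $a['pri'] <=> $b['pri']);   // lowest preference first
        return ['ok' => true, 'why' => 'mx', 'hosts' => array_column($mx, 'target')];
    }
    // RFC 5321 section 5.1: with no MX, the domain itself is treated as an
    // implicit MX if it has an address record.
    if ($lookup($domain, 'A') || $lookup($domain, 'AAAA')) {
        return ['ok' => true, 'why' => 'implicit-mx', 'hosts' => [$domain]];
    }
    return ['ok' => false, 'why' => 'no-route'];
}

// Constructed zone data so the example runs offline.
$zone = [
    'mx-only.example' => ['MX' => [['pri' => 20, 'target' => 'b.mx-only.example'],
                                   ['pri' => 10, 'target' => 'a.mx-only.example']]],
    'a-only.example'  => ['A'  => [['ip' => '192.0.2.10']]],
    'no-mail.example' => ['MX' => [['pri' => 0, 'target' => '']],
                          'A'  => [['ip' => '192.0.2.20']]],
];
$fake = fn(string $host, string $type): array => $zone[$host][$type] ?? [];

$samples = ['u@mx-only.example', 'u@a-only.example', 'u@no-mail.example',
            'u@nx.example', 'not-an-address'];
foreach ($samples as $e) {
    $r = mailRoute($e, $fake);
    printf("%-20s %-9s %s\n", $e, $r['ok'] ? 'routable' : 'reject', $r['why']);
}

// Live lookups: pass a wrapper around PHP's dns_get_record() instead of $fake.
// $live = fn($h, $t) => dns_get_record($h, constant("DNS_$t")) ?: [];
```

A "routable" result only says the domain can receive mail; it says nothing about whether the mailbox exists.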

  6. #6
    The reasonable approach is to use regex validation and then send an activation link to that email address. Once the user clicks the link, the account is activated and the email marked as valid.

  7. #7
    Quote Originally Posted by InspiRunner View Post
    The reasonable approach is to use regex validation and then send an activation link to that email address. Once the user clicks the link, the account is activated and the email marked as valid.
    Google "Email Regex PHP Script"
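
Added example, not code from any poster in this thread: one way to build the activation link suggested in post #6, as a stateless token that carries the address and an expiry and is protected by an HMAC. The secret, the 24-hour lifetime, the function names and the `site.example` URL are assumptions made for the illustration.

```php
<?php
// Added example (not from the thread). SECRET, TTL and the URL are assumptions;
// load the real key from configuration, never from source code.
const SECRET = 'constructed-demo-key-change-me';
const TTL = 86400;   // link lifetime in seconds

function b64url(string $raw): string
{
    return rtrim(strtr(base64_encode($raw), '+/', '-_'), '=');
}

function makeActivationToken(string $email, int $now): string
{
    $payload = b64url(json_encode(['e' => $email, 'x' => $now + TTL]));
    $mac = b64url(hash_hmac('sha256', $payload, SECRET, true));
    return "$payload.$mac";
}

// Returns the confirmed address, or null if the token is forged, altered or expired.
function checkActivationToken(string $token, int $now): ?string
{
    $parts = explode('.', $token);
    if (count($parts) !== 2) {
        return null;
    }
    [$payload, $mac] = $parts;
    $expected = b64url(hash_hmac('sha256', $payload, SECRET, true));
    if (!hash_equals($expected, $mac)) {   // constant-time comparison
        return null;
    }
    // Only decode the payload after the MAC has been verified.
    $data = json_decode(base64_decode(strtr($payload, '-_', '+/')), true);
    if (!is_array($data) || !isset($data['e'], $data['x']) || $now > $data['x']) {
        return null;
    }
    return $data['e'];
}

$t0 = 1700000000;   // constructed timestamp
$token = makeActivationToken('user@site.example', $t0);
echo "https://site.example/activate?t=$token\n";

$cases = ['valid' => [$token, $t0 + 60], 'expired' => [$token, $t0 + TTL + 1],
          'tampered' => [$token . 'A', $t0 + 60]];
foreach ($cases as $label => [$tok, $when]) {
    printf("%-9s %s\n", $label, checkActivationToken($tok, $when) ?? 'rejected');
}
```

The token is not single-use on its own: record the address as confirmed when the first valid click arrives and treat later clicks as no-ops.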

  8. #8
    Join Date
    Jan 2004
    Posts
    593
    Smart process to see if the domain allows email. The downside I see is that you still can't confirm the email address just by checking for MX records. The only true determination is to send a test message and see if the user exists.

  9. #9
    Join Date
    Mar 2007
    Location
    UK
    Posts
    89
    You can check whether the mailbox exists without actually sending an email...

    e.g. open a socket connection on port 25 to the server retrieved from the MX handler
    HELO <your domain>
    MAIL FROM:<[email protected]>
    RCPT TO:<target email address>

    If you get a 550 error, then the mailbox doesn't exist.

    I just tested this using telnet to gmail's primary MX (testing the email address "[email protected]"):
    Code:
    220 mx.google.com ESMTP 18si14555474wet.122
    HELO bob.com
    250 mx.google.com at your service
    MAIL FROM:<[email protected]>
    250 2.1.0 OK 18si14555474wet.122
    RCPT TO:<[email protected]>
    550-5.1.1 The email account that you tried to reach does not exist. Please try
    550-5.1.1 double-checking the recipient's email address for typos or
    550-5.1.1 unnecessary spaces. Learn more at
    550 5.1.1 http://mail.google.com/support/bin/answer.py?answer=6596 18si14555474wet.122
    You can then drop the connection without sending an actual email.


    Cheers,

    Simon

  10. #10
    Join Date
    Mar 2007
    Location
    UK
    Posts
    89
    Incidentally, the more external checking you perform, the slower this process will be.
    If you find that all of these checks are making your website unacceptably slow, you could get them to enter their email address as one of the first steps in your process and flag it for testing in the db. A separate daemon process can then do the checking in the background and you can highlight the problem to them in the final stage of your signup process etc.

    (I'm assuming that this is a sign up process)


    Cheers,

    Simon

  11. #11
    Quote Originally Posted by isurus View Post
    You can check whether the mailbox exists without actually sending an email...
    Not strictly true. This depends how the server is configured. Many do not respond this way to prevent brute force/dictionary attacks on the server.

  12. #12
    Join Date
    Mar 2007
    Location
    UK
    Posts
    89
    Many do not respond this way to prevent brute force/dictionary attacks on the server
    I haven't come across that before, although it seems logical. That said, from a quick skim of RFC 821 it seems that getting rid of the 550 responses would render those servers non-RFC compliant. Doesn't it cause problems?

    Have you got any idea how common this practice is?

  13. #13
    RFC 821 is almost 30 years old. Compliance against a 30 year old document isn't something I would be concerned about personally. RFC 2505 details some anti-spam recommendations if you're interested and is... a little more up to date

    Does it cause problems? Not at all. The outcome is still the same; the message isn't delivered. The upside is it prevents people from attempting to brute force addresses to send spam to.

  14. #14
    Join Date
    Jan 2004
    Posts
    593
    Quote Originally Posted by JulesR View Post
    RFC 821 is almost 30 years old. Compliance against a 30 year old document isn't something I would be concerned about personally. RFC 2505 details some anti-spam recommendations if you're interested and is... a little more up to date

    Does it cause problems? Not at all. The outcome is still the same; the message isn't delivered. The upside is it prevents people from attempting to brute force addresses to send spam to.
    Yep. Allowing telnet to see if an address exists is a scary thing. Spammers would have a field day and brute force attacks would be an hourly issue for every webhost.
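
Added example, not code from any poster in this thread: a parser for SMTP replies, including the multi-line form seen in post #9, with a classifier that reflects the caveat raised in posts #11 to #14 that an accepted RCPT does not prove the mailbox exists. The function names are assumptions; the sample lines are the server lines of the transcript in post #9, embedded so the example runs offline.

```php
<?php
// Added example (not from the thread): parse SMTP replies, including the
// multi-line form ("550-" continues, "550 " ends), and classify an RCPT result.
function parseReplies(array $lines): array
{
    $replies = [];
    $text = [];
    foreach ($lines as $line) {
        if (!preg_match('/^(\d{3})([ -])(.*)$/', rtrim($line, "\r\n"), $m)) {
            continue;   // client command or noise, not a server reply
        }
        $text[] = $m[3];
        if ($m[2] === ' ') {   // a space after the code ends the reply
            $replies[] = ['code' => (int) $m[1], 'text' => implode(' ', $text)];
            $text = [];
        }
    }
    return $replies;
}

function classifyRcpt(int $code): string
{
    if ($code >= 500) {
        return 'rejected: recipient refused (unknown mailbox or policy)';
    }
    if ($code >= 400) {
        return 'unknown: temporary failure, retry later';
    }
    if ($code >= 200 && $code < 300) {
        // Servers that hide invalid users accept every RCPT, so this is not proof.
        return 'unknown: accepted, mailbox may or may not exist';
    }
    return 'unknown: unexpected reply';
}

// Sample input: server lines from the transcript in post #9.
$session = [
    "220 mx.google.com ESMTP 18si14555474wet.122",
    "HELO bob.com",
    "250 mx.google.com at your service",
    "250 2.1.0 OK 18si14555474wet.122",
    "550-5.1.1 The email account that you tried to reach does not exist. Please try",
    "550-5.1.1 double-checking the recipient's email address for typos or",
    "550-5.1.1 unnecessary spaces. Learn more at",
    "550 5.1.1 http://mail.google.com/support/bin/answer.py?answer=6596 18si14555474wet.122",
];
$replies = parseReplies($session);
$rcpt = end($replies);   // the RCPT TO reply is the last one in this session
printf("%d replies; RCPT %d => %s\n", count($replies), $rcpt['code'], classifyRcpt($rcpt['code']));
```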
