How To Validate An Email Address: Don’t Bother
Every so often I run into developers trying to validate email addresses, either with super-simple and permissive regular expressions, semi-complex regular expressions, or with library routines. Any typical user registration form is usually going to have something along these lines.
Unless you are writing actual email software, this is a waste of time. And if you are writing an MTA, I might argue that is probably a bad idea, too - but that’s not the point.
First and foremost, what problem are you actually trying to solve by validating a user’s address? The two that come to mind are typos and abuse.
Typos that result in an RFC-invalid email address are quite unlikely. Email address formats are extremely diverse and permissive. Much more likely is that a typo will result in a functionally invalid address: one that just doesn’t end up in the user’s inbox.
On the abuse side of things, I am hard-pressed to come up with a reason why an attacker would specifically want to get your system to accept an RFC-invalid email address when an RFC-valid one won’t suffice. If you are doing all the right things with user input to protect against XSS, SQL injection, etc., it doesn’t matter. Much more plausible is an attacker who is using a fake, stolen, or throw-away address that is perfectly “valid.”
So for both problems, RFC-oriented validation is difficult to do right and wins you essentially nothing. Even if you just plug in a library routine to do the validation for you, I’d question the value you think you’re getting with it.
At the end of the day, the only way to validate an email address (in the only sense of “validation” that matters) is to send a confirmation email. So next time you think about the tricky task of RFC-oriented email address validation, just drop it. Move on to more important problems.
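A sketch of the confirmation step, added here as an example and not code from the original post: the address is accepted exactly as typed, bound into an HMAC-signed, expiring token, and only counts as validated when that token comes back. The key handling, the 24-hour lifetime, the function names and the `app.example` URL are assumptions for illustration.

```python
import base64
import hashlib
import hmac
import secrets
import time

# Assumption: in a deployment this key comes from secret storage so that
# tokens survive restarts; here it is generated per process.
SECRET_KEY = secrets.token_bytes(32)
TOKEN_TTL = 24 * 3600  # seconds a confirmation link stays usable (assumed)

def b64e(raw):
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")

def b64d(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign(payload):
    return hmac.new(SECRET_KEY, payload, hashlib.sha256).digest()

def issue_token(user_id, email, now=None):
    """Bind user id, expiry and the address exactly as typed into one token."""
    expires = int((time.time() if now is None else now) + TOKEN_TTL)
    # The address goes last: local parts may legally contain "|".
    payload = f"{user_id}|{expires}|{email}".encode()
    return b64e(payload) + "." + b64e(sign(payload))

def verify_token(token, now=None):
    """Return (user_id, email) for a genuine, unexpired token, else None."""
    try:
        payload_part, sig_part = token.split(".")
        payload, sig = b64d(payload_part), b64d(sig_part)
    except ValueError:  # wrong shape or bad base64
        return None
    if not hmac.compare_digest(sig, sign(payload)):
        return None
    user_id, expires, email = payload.decode().split("|", 2)
    if (time.time() if now is None else now) > int(expires):
        return None
    return int(user_id), email

def confirmation_link(token):
    # Hypothetical URL; the mail carrying it is sent by whatever mailer you use.
    return "https://app.example/confirm?t=" + token
```

Mark the address as confirmed only when `verify_token` returns the same user id and address that are on the account, so a link issued for an old address cannot confirm a newer one.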