How do we validate email addresses correctly? And why don’t we just validate by sending an email?
Turns out, there are security considerations to take into account. In this video, Alex presents the main parts of email address validation, the reasoning for each of them, and a few tips on how to think and implement them properly.
This video is based on a few resources:
- RFC 5322 https://datatracker.ietf.org/doc/html/rfc5322
- Falsehoods about emails https://github.com/kdeldycke/awesome-falsehood#emails
- I Knew How To Validate An Email Address Until I Read The RFC
https://haacked.com/archive/2007/08/21/i-knew-how-to-validate-an-email-address-until-i.aspx/ - Perl email validation regexp http://www.ex-parrot.com/~pdw/Mail-RFC822-Address.html
- Examples of verification emails https://newoldstamp.com/blog/the-best-verification-email-templates-with-tips-to-create-yourself/
- OWASP validation Regexp repository https://owasp.org/www-community/OWASP_Validation_Regex_Repository
- Example of email injection https://www.invicti.com/learn/email-injection/
- Wikipedia article about email addresses https://www.wikiwand.com/en/Email_address
- Twitter conversation on the topic https://twitter.com/alexboly/status/1656630828435222529
- SMTP Injection example https://www.geeksforgeeks.org/smtp-injection/