Front-end dev: email domains other than Gmail and Hotmail exist?!1! 😱 And email regex, what the hell is that? 😵

Good way to sort the services that has a bunch of issues. Chances are their DB might end up on haveibeenpwned because they didn't setup a firewall or whatever.

@irene Not if it follows specs.

@Alice racism! Oof!

@Alice I too, was so happy when starting to use my own email.. Just to find out nobody likes .dk either :(

@Alice That is stupid! *sigh*...

@Kandelborg you know that the specs allow unicode, multiple "@" and IPs? dont forget the "." at the end. ".+@.+" is the only case i know that handles all positive cases.

@stop I do actually. I'm embarrassed by the current state of my project.. But I've actually spent a lot of time making(copying, editing) regexps, reading RFC mailing lists and have come with a (so far only) JS(TS) RegExp that accepts almost every valid email and ignores the invalid ones.

Its extremely complicated and its so long since I've touched it that I don't remember if I ever found a perfect email RegExp.

https://github.com/MathiasKandelbor...

@Kandelborg looking through that code, I'm happy i was going to integrate it in my starter-kit after a clean up. It was my first TS project and I tried tons of different things while not having a clue what I were doing 😅

@stop hmm, so 👀😏🍆👣💦😌@1.2.3.4 would also be a valid email address? 🤔

I wonder how many sites would break on that 😛

I wouldn’t register to a website that stupid

@Condor yes

@Condor and dont forget punycode for domains. with that you can break server, clients, filter, ...

@Condor 👀😏🍆👣💦😌

Look me in the eye,
I said while smiling.
And I showed my eggplant.
She did the foot job.
We got sweat and wet.
I was very happy.

// Don't mind me, just practicing my emoji translation skill.

@iKameo I have bought 2 xyz domains in 2019. Have total 3 now. It's super cheap. $0.9 or something for a year at my seller. 🕺

If the forms don't recognize my domains, screw them 👀

@iKameo no $8 I think.

@irene The regex used by many backend frameworks is "good enough" for most purposes:

^[a-zA-Z0-9.!#$%&\'*+\/=?^_`{|}~-]+@[a-zA-Z0-9](?:[a-zA-Z0-9-]{0,61}[a-zA-Z0-9])?(?:\.[a-zA-Z0-9](?:[a-zA-Z0-9-]{0,61}[a-zA-Z0-9])?)+$

It allows some invalid stuff, but meh.

Best validation is still to just send a mail with an activation link.

@bittersweet You should have copied the one from my repo, it's basically a modified version of that one which doesn't take as many invalid addresses 😝

@irene The one in Symfony/Laravel. Django separately validates parts using different validators.

My point is, email regex is VERY useful as a tool to guide users in the right direction... But I would opt for fairly loose validation, even just "^.+\@.+\..+$"

That way, your users at least see something red when they accidentally fill in their password or zipcode in the email field.

True validation should happen in two ways: First DNS-check the MX record to validate a mailserver exists to handle any sent mail. Temporarily store the email in your database if MX checks out. Then send an email with a token-link. Store the token link in your DB. When the link in the email is clicked, delete the token in your DB, and store the email as validated. Go through the same routine when a user updates their email.

Preferably this is done by normalizing the email out of the "users" table, so you can keep using an existing address while waiting for provisional addresses to be validated.

@bittersweet Thanks for the comprehensive explanation. I'm going to put this nugget with my other nuggets. I can soon make a basket!

@irene

So, email regex is perfectly valid as a UX tool, but obviously not as a security or data integrity tool.

Even if you had a super-perfect regex you couldn't trust it... smelly@giant-purple-dildos-in-your-butt.com is a valid address FORMAT, but there is no valid email SERVER on that domain.

And even with a valid email format on a registered domain with a working email server... I would still want you to prove you actually own that email address.

@bittersweet also, somebody should buy that domain and use it as email.. Just to prove you wrong haha

@Kandelborg @irene

I should make something like "🙃@[IPv6:2001:db8::1]" my official email address though.

Might be trying to check the availability of your domain in the background... That domain isn't reachable, and that's been a validation method of mine before...

@xewl My domain has 2 mail servers connected to it, with a HA of about 1.5 years straight which I'm actually quite proud of :) so availability shouldn't have been an issue.

@bittersweet Exactly! Front-end should be only basic integrity checks when it comes to emails, for the sole purpose of ensuring that the user typed their email address right. Security-wise, confirmation mails all the way!

I meant :80 tho' - I'm just guessing, wrongly if this is Front-end validation. Can you find why it actually validates like this, in code?

I always use this one and never had problems with it, but I am not sure if it is really correct:

/[a-z0-9!#$%&'*+/=?^_`{|}~-]+(?:\.[a-z0-9!#$%&'*+/=?^_`{|}~-]+)*@(?:[a-z0-9](?:[a-z0-9-]*[a-z0-9])?\.)+[a-z0-9](?:[a-z0-9-]*[a-z0-9])?/

Oh yeah? I found a field at work the other day that asked for "full name"

So I put in "Mr. Smith"

Please enter a valid name...

Wow, regex on a name field...

和夫 wouldn't work either

Naughty dev.

This is why real time email verification services exist, that perform smtp calls to see if the server and email address exists. It's up to you if you want to make a fuss about it to the user, or just store the response in your db and decide what to do with it later.

Account activation emails are your validation. Please stop trying to validate it with regexes that are always wrong...

I’m with @irene, validating an email address with regex will just cause more problems than it solves.

Ask yourself what problem it even solves in the first place. Well it might catch a user who accidentally entered their own email wrong, but only if the part they messed up on somehow made the email invalid (what is the likelihood of that?). That’s it.

It doesn’t actually verify the email belongs to the right person—that’s usually the next step. And if you’re doing that anyway it only makes the regex all the more pointless.

In the end all it’s actually likely to do is prevent someone with an unusual (but perfectly valid) email from using your app.