158

I'm writing a very simple mock-up to demonstrate some HTML5 form-validation. However, I noticed the email validation doesn't check for a dot in the address, nor does it check for characters following said dot.

In other words, "john@doe" is considered valid, when it's clearly not a valid email address; "doe" isn't a domain.

This is how I'm coding my email field:

<input type="email" required />

Is that not enough?

Check this fiddle to see what I mean.

Note: I know how to accomplish this via a RegEx pattern instead. I'm just wondering how someone could get away with using the email type instead.

unor
WEFX
  • 2
    @Katana314 - heh, yup. Most (well-configured) mailservers will reject messages being sent to addresses that don't match an expected domain, so generally speaking there isn't an issue with `localhost` addresses. – admdrew Dec 13 '13 at 18:43
  • 4
    possible duplicate of [How does HTML5 input type email works without top level domain name](http://stackoverflow.com/questions/14373433/how-does-html5-input-type-email-works-without-top-level-domain-name) – Léo Lam Apr 20 '14 at 16:56

9 Answers

174

You can theoretically have an address without a "." in.

Since technically things such as:

user@com
user@localserver
user@[IPv6:2001:db8::1]

Are all valid emails.

So the standard HTML5 validation allows for all valid E-mails, including the uncommon ones.

For some easy to read explanations (Instead of reading through the standards): http://en.wikipedia.org/wiki/Email_address#Examples

DBS
  • 2
    Agreed, this one answers the 'why', not the 'solution'. I was also curious about the why. Now I know not to "fix". – Eleanor Zimmermann Aug 23 '16 at 20:35
  • 1
    An example of the first type is the domain `uz`, which directly points to an IP as of Oct 2018. If you do an `nslookup uz`, it points to `91.212.89.8`, so it should be possible to have email on this domain as well. – pulsejet Oct 07 '18 at 18:40
  • 2
    Dotless domains are permitted, so emails are too. Please read this article, which explains the dotless domain case: https://www.bleepingcomputer.com/news/technology/dotless-domains-home-to-the-internet-s-shortest-urls/ – Arkowsky Jan 20 '23 at 12:28
114

Because a@b is a valid email address (e.g. localhost is a valid domain). See http://en.wikipedia.org/wiki/Email_address#Examples

Also, keep in mind that you should always do the input validation on the server. The client-side validation should be only for giving feedback to the user and not be relied on, since it can be easily bypassed.

Ali Alavi
  • 13
    Thanks. I just don't see how any company could benefit from this out-of-box email validation. Facebook wouldn't let someone sign-up w/ an a@b address. Thanks for the info though. (I didn't downvote your answer) – WEFX Dec 13 '13 at 18:58
  • 11
    In case of websites like Facebook with public access it is of no use. But think of internal websites. You might want to write to joe@support. But I also think that it is of minimum use. Nevertheless, the web browsers are to implement based on standards (i.e. RFCs), not based on the most common cases. – Ali Alavi Dec 17 '13 at 16:26
  • 14
    I wonder when the last time someone actually sent an email to localhost! – Matthew Lock May 19 '17 at 03:14
  • 4
    As a sidenote one of the shortest working email addresses ( https://recordsetter.com/world-record/shortest-email-address/4327 ) is `au@ua` – Kyborek Oct 16 '18 at 07:09
  • 2
    `a@b` is a valid address according to RFC822, but that's not the end of the story. [ICANN banned so-called "dotless" domains](https://www.icann.org/news/announcement-2013-08-30-en) back in 2013, so whether they are syntactically valid is irrelevant. – Synchro Oct 01 '20 at 18:11
  • ICANN banned dotless domain email addresses for new gTLDs only in 2013. Existing ones are unaffected by the ruling and these dotless email addresses still work - so actually it is quite relevant as to whether they are valid or not – Martin Nov 19 '21 at 11:11
  • Dots or no dots aside, email addresses cannot start or end with dots no matter what, right? – trndjc Feb 23 '22 at 21:33
  • 1
    @liquidLFGUKRAINE If unquoted, yes. If quoted, no. For example, `.john.smith@email.com` is invalid and `".john.smith"@email.com` is valid. See https://en.wikipedia.org/wiki/Email_address#Local-part – Ali Alavi Mar 01 '22 at 23:20
  • John.@email.com is invalid according to RFC but html input type="email" does allow it – Ole K Apr 05 '22 at 20:01
  • https://www.bleepingcomputer.com/news/technology/dotless-domains-home-to-the-internet-s-shortest-urls/ – Arkowsky Jan 20 '23 at 12:18
34

Try adding this to the input

pattern="[a-z0-9._%+\-]+@[a-z0-9.\-]+\.[a-z]{2,63}$"

Fiddle

APAD1
  • 63
    -1. Firstly, you haven't even tried to explain what this permits or restricts, nor why somebody would want those rules. Secondly, it is far more restrictive than the standards permit (I won't pretend to have read and grokked the standards, but see, for example, http://en.wikipedia.org/wiki/Email_address#Internationalization or the many email validation questions on Stack Overflow for examples of weird email addresses). Why do it? If somebody is entering something unusual as their email, just accept it - chances are they know better than you. – Mark Amery Feb 08 '15 at 19:19
  • 9
    Actually, I'd say that the "chances are" that they are making a mistake. It /may/ be that they have a very unusual email address, but I'd say the majority of times you'd simply be getting a correct email address in place of an incorrect one if you were to stop it passing validation and prompt the user to check. – Geoff Kendall Feb 24 '16 at 16:57
  • 3
    This should have a ^, denoting it should start matching from the beginning of the string and also accept upper case: `^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]+$` – Kohjah Breese Dec 06 '18 at 14:18
17

This MDN page shows the regex browsers should use to validate the email:

https://developer.mozilla.org/en-US/docs/Web/HTML/Element/input/email#Validation

You can slightly change this regex to require at least one dot in the domain name: change the star * at the end of the regex to a plus +. Then use that regex as the pattern attribute:

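<form>
  <!-- "/", "{", "|", "}" and "-" are backslash-escaped inside [...] so the
       pattern also compiles under the RegExp "v" flag that current browsers
       use for the pattern attribute -->
  <input
    type="email"
    pattern="^[a-zA-Z0-9.!#$%&'*+\/=?^_`\{\|\}~\-]+@[a-zA-Z0-9](?:[a-zA-Z0-9\-]{0,61}[a-zA-Z0-9])?(?:\.[a-zA-Z0-9](?:[a-zA-Z0-9\-]{0,61}[a-zA-Z0-9])?)+$"
    title="Valid e-mail address including top-level domain"
    required
  />
  <button type="submit">Test</button>
</form>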
gitaarik
  • 1
    This is not fully qualified validation. E.g. ".test@test.com" and "test.@test.com" are invalid according to RFC – Ole K May 17 '22 at 13:03
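Added example, not part of any answer on this page: a server-side re-check in JavaScript that follows the advice in the earlier answer to repeat validation on the server, using this answer's expression with the final `*` changed to `+`. The function names, reason strings and the 254-character limit are assumptions made for the example.

```javascript
// Added example: server-side re-check of an address submitted by a form.
// HTML_EMAIL is the answer's expression with its original "*"; STRICT_EMAIL
// is the same expression with "+", which requires a dot in the domain.
const LOCAL = "[a-zA-Z0-9.!#$%&'*+/=?^_`{|}~-]+";
const LABEL = "[a-zA-Z0-9](?:[a-zA-Z0-9-]{0,61}[a-zA-Z0-9])?";
const HTML_EMAIL = new RegExp(`^${LOCAL}@${LABEL}(?:\\.${LABEL})*$`);
const STRICT_EMAIL = new RegExp(`^${LOCAL}@${LABEL}(?:\\.${LABEL})+$`);
const MAX_LEN = 254; // assumption: length policy chosen for this example

function checkEmail(input, { requireDot = true } = {}) {
  if (typeof input !== "string") return { ok: false, reason: "not-a-string" };
  if (input.length > MAX_LEN) return { ok: false, reason: "too-long" };
  // The request may not come from a browser at all, so nothing the form
  // would have enforced is assumed; control characters are refused outright.
  if (/[\x00-\x1f\x7f]/.test(input)) return { ok: false, reason: "control-char" };
  if (!HTML_EMAIL.test(input)) return { ok: false, reason: "syntax" };
  if (requireDot && !STRICT_EMAIL.test(input)) {
    return { ok: false, reason: "dotless-domain" };
  }
  return { ok: true, reason: null };
}

// Constructed sample input, built from addresses quoted on this page.
const SAMPLES = [
  "john@doe",                // passes type="email", fails the "+" variant
  "john@doe.com",
  ".test@test.com",          // accepted: the local-part class allows any dots
  "John.@email.com",         // accepted for the same reason
  "user@[IPv6:2001:db8::1]", // rejected: "[" is not allowed in a label
  "john@doe.com\n",          // rejected before any regex runs
];

function report(samples = SAMPLES) {
  return samples.map((input) => ({ input, ...checkEmail(input) }));
}

console.table(report());
```

The two dotted local parts pass both expressions, which is the gap the comment above points out; closing it needs a stricter local-part rule than either regex contains.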
15

The RFC 822, chapter 6, gives the specification of an address in augmented Backus-Naur Form (BNF):

addr-spec   =  local-part "@" domain
local-part  =  word *("." word)
domain      =  sub-domain *("." sub-domain)

Using this specification a@b is a valid address.

UPDATE

To answer the comment of Trejkaz, I add the following definitions. We see that SPACE is allowed, but only in a quoted string.

word          =  atom / quoted-string
atom          =  1*<any CHAR except specials, SPACE and CTLs>
quoted-string = <"> *(qtext/quoted-pair) <">
SPACE         =  <ASCII SP, space>
CTL           =  <any ASCII control character and DEL> 
qtext         =  <any CHAR excepting <">, "\" & CR, and including linear-white-space>
quoted-pair   =  "\" CHAR  
Ortomala Lokni
  • 1
    OTOH, RFC 822 also permits me to put spaces in the local-part, which Chrome at least doesn't appear to be permitting, so I'm not sure they use the RFC as a reference. (Even though they should be!) – Hakanai Jul 04 '16 at 04:19
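Added example, not part of the answer: the quoted grammar transcribed into a JavaScript matcher, so the cases raised in the comments on this page (quoted local parts, leading or trailing dots, spaces) can be checked directly. It goes slightly beyond the quoted rules by taking `sub-domain` from RFC 822 itself; `parseAddrSpec`, `classify` and the sample list are hypothetical names.

```javascript
// Added example: the RFC 822 addr-spec rules quoted above as one RegExp.
// Assumptions: no comments or folding white space between tokens, and
// sub-domain = atom / domain-literal as RFC 822 defines it (not quoted above).
const src = (re) => re.source;
// atom: one or more CHARs (ASCII) except specials, SPACE and CTLs
const atom = src(/[^\x00-\x20\x7f-\uffff()<>@,;:\\".\[\]]+/);
// quoted-string: qtext (no ", \ or CR) or quoted-pair (\ followed by any CHAR)
const quotedString = src(/"(?:[^"\\\r\x80-\uffff]|\\[\x00-\x7f])*"/);
// domain-literal: "[" *(dtext / quoted-pair) "]"
const domainLiteral = src(/\[(?:[^\[\]\\\r\x80-\uffff]|\\[\x00-\x7f])*\]/);
const word = `(?:${atom}|${quotedString})`;
const subDomain = `(?:${atom}|${domainLiteral})`;
const dotted = (unit) => `${unit}(?:\\.${unit})*`; // unit *("." unit)
const ADDR_SPEC = new RegExp(`^(${dotted(word)})@(${dotted(subDomain)})$`);

function parseAddrSpec(s) {
  const m = typeof s === "string" ? ADDR_SPEC.exec(s) : null;
  return m ? { localPart: m[1], domain: m[2] } : null;
}

// Constructed sample input, built from addresses discussed on this page.
const RFC822_SAMPLES = [
  "a@b",                       // dotless domain: one sub-domain is enough
  '"john smith"@example.com',  // SPACE is allowed inside a quoted-string
  "john smith@example.com",    // ...but not inside an atom
  ".john.smith@email.com",     // empty word before the first dot
  '".john.smith"@email.com',   // the same text, quoted
  "John.@email.com",           // empty word after the last dot
  "user@[IPv6:2001:db8::1]",   // domain-literal
];

function classify(samples = RFC822_SAMPLES) {
  return samples.map((s) => [s, parseAddrSpec(s) !== null]);
}

console.log(classify());
```

A match only says the string fits the grammar: a quoted-string may legally contain spaces and control characters other than CR, so the value still needs its own handling before it is placed in a mail header or a log line.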
3

You can customize the pattern of the email field:

<style>
  input:valid {
    border-color: green;
  }

  input:invalid {
    border-color: red;
  }
</style>

Email:
<input type="email" required value="a@b.c" /><br>

Non-dots Email:
<input type="email" required pattern="[^.]+@[^.]+" value="a@b.c" />
Dorian
3

Here is how you can do it with html5 using regex pattern. You can also include a custom message to display.

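<form>
  <!-- the trailing "-" in each [...] is escaped so the pattern also compiles under the RegExp "v" flag that current browsers use for the pattern attribute -->
  <input type="email" value="paul@test" required pattern="[a-z0-9._%+\-]+@[a-z0-9.\-]+\.[a-z]{2,63}$" title="Hey, you are missing domain part in the email !!!"/>
  <button type="submit">Click Me</button>
</form>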
Hari Das
2

Hostnames without a TLD appear to be valid.

I say "appear" because there is this 2013 ICANN prohibition on dotless domains . . .

At its meeting on 13 August 2013, the ICANN Board New gTLD Program Committee (NGPC) adopted a resolution affirming that "dotless domain names" are prohibited.

. . . but judging from real world experience, it appears to have never been enforced.

Regardless, the PHP function FILTER_VALIDATE_EMAIL doesn't allow for dotless domain names.

So here's a simple back-end validation set-up that covers both your email and required fields:

if (empty($required_field) OR empty($another_required_field) OR
    !filter_var($email_field, FILTER_VALIDATE_EMAIL)) {
    // error handling here
    exit;
}

While the "malformed" email may get past the browser, it won't get past the server.



Michael Benjamin
-4

This pattern always works for me.

Text must be in lowercase pattern="[a-z0-9._%+\-]+@[a-z0-9.\-]+\.[a-z]{2,}$" but I think it covers more or less most emails.

TSlegaitis