54

I know that gmail lets a user insert as many periods as he/she wants in an email address before the @ sign. Gmail also lets users append the email address like this: userName+anyStringHere@gmail.com. All those "different" email addresses are essentially the same address. (Link to google blog describing these "features")

I want to prevent users from creating multiple accounts with what is essentially the same email address. I decided to store email addresses in my database with those periods and anything following and including a + sign stripped, but now I am wondering: Is it a standard to ignore periods in front of the @ sign that email providers are mostly following?

DudeOnRock

5 Answers

38

Over the last few days, I encountered the same problem. After researching on the web and checking a few things, I found that:

  • DOTS MATTER IN: Microsoft Outlook, Yahoo Mail, Apple iCloud ID
  • DOTS DON’T MATTER IN: Gmail, Facebook ID
  • DOTS STRICTLY PROHIBITED: Twitter

Source: An article on Slate

I came to the conclusion that a majority of users use services offered by Microsoft, Google, or Yahoo. So I can have an application-specific regex like this.

var eml_exp = /^[-a-z0-9~!$%^&*_=+}{'?]+(\.[-a-z0-9~!$%^&*_=+}{'?]+)*@gmail\.com$/i;
var email = "email@addrss";
if (eml_exp.test(email)) {
  // If it's a gmail address, remove periods from the local part and anything
  // after the `+` sign, then compare the result against your existing user table;
  // if it is unique/unused, let the user register.
  var parts = email.split("@");
  var canonical = parts[0].split("+")[0].replace(/\./g, "") + "@" + parts[1].toLowerCase();
  // look up `canonical` in the user table here
}

You can also read the manuals of other known services and implement accordingly.

"Don't forget to open source your work :p"

Update

According to this SO question, Adding + text before the @ in an email, you may block use of the + sign, and the whole problem of yours and mine will get solved.

Ravinder Payal
    **Please don't do this**, I personally use the `+` feature of gmail to tag emails sent from third-parties and detect which one is dishonest and sells (or just "loses") their customer emails, or just spams them themselves. I don't see any good reason to restrict the kind of email address your customer can and can't use on your services. – Emile Bergeron Jul 14 '16 at 18:36
  • Why can't the user enter his/her original email address? What you are describing is an old, smarter way of bundling emails from different types of senders in different bags, but this is now automatically done by top email service providers; see Inbox by Google. – Ravinder Payal Jul 14 '16 at 21:40
  • 3
    You shouldn't have to tell your user how to use their email. It's their choice. And by prohibiting these email addresses, you're only inconveniencing the honest people while failing to solve the real problem. – Emile Bergeron Jul 15 '16 at 13:14
  • Try to add a + sign on Facebook or any other major players; they will just deny you the use of these. – Ravinder Payal Jul 15 '16 at 13:30
  • And you would be wrong, since Facebook and most major websites accept these. – Emile Bergeron Jul 15 '16 at 13:38
  • Maybe you are right, but when I tried, I failed to use it. – Ravinder Payal Jul 15 '16 at 13:45
  • 7
    @EmileBergeron If the developer is smart enough to exclude the +DoITrustThisSite, then they're smart enough to parse it out of the email and sell the address off anyways. – claudekennilol Sep 15 '16 at 15:35
  • 3
    @claudekennilol you're overestimating the intelligence and the effort that people who sell emails are ready to make. – Emile Bergeron Sep 15 '16 at 15:42
  • 1
    Hey both of you, listen: we, the same developers, develop products, and if we succeed in building a big user database we then try to monetize it in every possible way... So it's absurd to talk about the capacity of data (or email, in this case) sellers. – Ravinder Payal Sep 15 '16 at 16:17
  • @cesoid just doing the check would be fine (to prevent multiple accounts), but what most devs end up doing is to just prevent `+`-using emails from registering at all. – Emile Bergeron Jul 25 '21 at 15:45
37

This is really specific to gmail, but this applies to google apps for domain as well, so you would only be able to do it for @gmail.com.

I wouldn't do this; it is only going to alienate your honest users and not prevent anyone determined to create multiple accounts.

Pascal Belloncle
  • Yeah right, as you can also create any number of gmail accounts. – Ravinder Payal Jul 14 '16 at 18:28
  • 2
    Actually if the site has "one account per person" policy, then saving canonical email addresses in the database makes a lot of sense. – Karolis Dec 23 '17 at 18:16
  • 5
    You could store the gmail address as entered and still disallow signing up with one that's a variant of another that already exists in your database. If someone wants to be identified with a gmail address with a dot or a "plus" segment for a legitimate reason they should be able to. – regularmike Jan 08 '18 at 22:29
  • Is this still the case for "apps for domain"? Doesn't seem that way when I just added a period to the middle of the first part of an email address. – Jared Sohn Feb 09 '19 at 00:51
  • Like @regularmike, I would suggest preventing people from signing up with an address that sends to the same account, but allow them to choose (and change) which variation you send mail to. I don't think you should base a decision on whether someone *can* prevent a *determined* person. Every solution is imperfect; the question is *how it affects* them, e.g., does it slow them down, and does it reduce the number of people who misuse your site. A gmail address makes thousands of variations immediately available. Creating one new account with gmail, for example, takes at least a few minutes. – cesoid Jul 25 '21 at 14:07
3

"I want to prevent users from creating multiple accounts"

Maybe, like the others here say, that is not a good reason to ignore periods.

However a good reason can be to prevent users from accidentally creating different accounts. Let's say, a web app has recently been installed, and not yet configured to work with Gmail OpenAuth. So people type their addresses manually, to sign up with local email + password accounts.

Later, the web app configures OpenAuth and a Sign in with Gmail button. Now people with a gmail address, click that button to sign in. And ... in some cases, people accidentally manually typed their addresses with no dots, or with dots, or different dots, when they typed by hand (well, keyboard) previously.

Now, the app thinks the addresses are different, and auto-creates a new account for the user. S/he then wonders: "Where is all my old stuff? That I created before with this account? I logged in with the same email address!"

Real life example of this happening: https://meta.discourse.org/t/discourse-creates-new-users-if-dots-are-present-absent-in-google-email-address-when-logging-in-using-google/66151

I would think that for non-technical people, ignoring dots in Gmail addresses is the user friendly approach.

To let technical people create many accounts using the same Gmail addr (for testing purposes), you can choose to consider whatever+with-tags@gmail a different address. — Everyone happy :- ) (Astroturfing & spam filters can take into account that bob@gmail.com and bob+with-a-tag@gmail.com is the same person.)

KajMagnus
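The approach the thread converges on (Ravinder Payal's answer, the regularmike and cesoid comments under Pascal Belloncle's answer, and KajMagnus's answer) is: apply Gmail's rules only to domains you know Google serves, derive a canonical key, store the address exactly as the user typed it, and reject a second account whose key already exists. Whether a `+tag` collides with the bare address is the one policy choice the answers disagree on, so it is a switch here. This is an added example, not code from the question or from any answer. It assumes googlemail.com is an alias of gmail.com, and uses an in-memory Map as a hypothetical stand-in for a user table with a unique index on the canonical column.

```javascript
// Added example: provider-aware canonicalisation for duplicate-account checks.
// Not code from the original post. The Gmail rules below are those stated in the
// thread (dots in the local part are ignored, "+tag" delivers to the same inbox);
// every other domain is left literal, because RFC 2821 reserves local-part
// semantics to the host named in the domain part.

// Domains Google serves with Gmail rules. googlemail.com is an assumption
// (Google's documented alias of gmail.com) and is not mentioned on the page.
const GMAIL_DOMAINS = new Set(["gmail.com", "googlemail.com"]);

// options.stripPlusTag: true  -> bob+x@gmail.com and bob@gmail.com share one key
//                       false -> they may be separate accounts (KajMagnus's variant)
function canonicalize(email, options = { stripPlusTag: true }) {
  const at = email.lastIndexOf("@");
  if (at <= 0 || at === email.length - 1) {
    throw new Error(`not a mailbox address: ${email}`);
  }
  let local = email.slice(0, at);
  const domain = email.slice(at + 1).toLowerCase(); // domain names are case-insensitive

  if (GMAIL_DOMAINS.has(domain)) {
    local = local.toLowerCase();          // Gmail local parts are case-insensitive
    if (options.stripPlusTag) {
      local = local.split("+")[0];        // drop "+anything"
    }
    local = local.replace(/\./g, "");     // dots never matter in a Gmail local part
    return `${local}@gmail.com`;          // fold the alias domain into one key
  }
  // Unknown provider: keep the local part byte-for-byte, as the RFC requires.
  return `${local}@${domain}`;
}

// Stores the address exactly as entered (so mail still goes to the variant the
// user chose) but refuses a second account whose canonical key already exists.
// Hypothetical in-memory store standing in for a DB table with a UNIQUE index
// on the canonical column.
class UserRegistry {
  constructor(options) {
    this.options = options;
    this.byCanonical = new Map(); // canonical key -> address as entered
  }

  register(emailAsEntered) {
    const key = canonicalize(emailAsEntered, this.options);
    if (this.byCanonical.has(key)) {
      return { ok: false, reason: `duplicate of ${this.byCanonical.get(key)}` };
    }
    this.byCanonical.set(key, emailAsEntered);
    return { ok: true, canonical: key };
  }
}

// Usage (constructed sample input):
const registry = new UserRegistry({ stripPlusTag: true });
registry.register("bob@gmail.com");                 // ok
registry.register("B.o.b+shop@GMAIL.com");          // rejected: same Gmail inbox
registry.register("b.o.b@example.com");             // ok: unknown domain, kept literal
```

Switching `stripPlusTag` to `false` gives the behaviour KajMagnus suggests: `bob+test@gmail.com` registers as a separate account, while `B.OB@gmail.com` is still caught as a dot variant of `bob@gmail.com`. A real deployment would back `byCanonical` with a unique database constraint so two concurrent sign-ups cannot race past the in-memory check.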
0

I failed to add the SMTP servers user and password attributes.

Since I tested with an email address on that server, the server apparently didn't check the user and password.

user3594510
  • As it’s currently written, your answer is unclear. Please [edit] to add additional details that will help others understand how this addresses the question asked. You can find more information on how to write good answers [in the help center](/help/how-to-answer). – Community Oct 13 '22 at 05:09
0

This question is answered by the IETF RFCs for email (specifically RFC 2821)

2.3.10 Mailbox and Address

As used in this specification, an "address" is a character string that identifies a user to whom mail will be sent or a location into which mail will be deposited. The term "mailbox" refers to that depository. The two terms are typically used interchangeably unless the distinction between the location in which mail is placed (the mailbox) and a reference to it (the address) is important. An address normally consists of user and domain specifications. The standard mailbox naming convention is defined to be "local-part@domain": contemporary usage permits a much broader set of applications than simple "user names". Consequently, and due to a long history of problems when intermediate hosts have attempted to optimize transport by modifying them, the local-part MUST be interpreted and assigned semantics only by the host specified in the domain part of the address.

In order to prevent users creating multiple accounts in your system, your system must have sufficient knowledge to determine how the domain that owns the email address assigns semantics. In the absence of an SMTP command to obtain the canonical representation of an address from the domain, this is a difficult (probably intractable) problem. (Also see How can I extract the canonical email address given an address that includes BATV or other tags?)

Tibrogargan