1

How can I implement following logic?

  • User registers with an e-mail address

  • If the provided e-mail address is a valid email address, then the user account gets activated

  • or, if it is a fake email, then the user account is not activated

I doubt that I can catch the "Delivery failed" reply message, right? Anyhow, how would you suggest implementing the above logic?

PS. I will have to find a way no matter what, client wants it =)

simple
    possible duplicate of [How far should one take e-mail address validation?](http://stackoverflow.com/questions/3232/how-far-should-one-take-e-mail-address-validation) – Eric J. May 12 '10 at 15:54
  • 1
    If you search the site for Validate Email Address you will see this topic is already well covered. – Eric J. May 12 '10 at 15:55
  • http://www.ex-parrot.com/~pdw/Mail-RFC822-Address.html – BCS May 12 '10 at 15:59
  • You've gotten some good answers (send user a hard-to-guess token or clickable link, do not activate until some action is taken proving that the user received the email). I just wanted to mention that this approach is usually called "confirmed opt-in" or "closed loop confirmation", in case you want some good search terms to use. – Jim Lewis May 12 '10 at 16:47
  • @Eric J - thanks, though the link was pretty helpful – simple May 12 '10 at 17:05

6 Answers

10

You probably want to be sure not only that the e-mail address is valid, but also that it belongs to this particular user. The usual way to do this is to send an e-mail with a link. The user has to click the link to activate the account.

For example, the link could look like this:

http://example.com/activate?token=bc59fb46c9a0a25346889e5ab336f11c

where the token is a random string that you generated and stored in your database, linked to that account. The server-side code behind the activate page will then activate the account. If you don't get a hit for this token within, say, a week, you can clean up the account and the activation token.


Addition in reply to your comment...

An alternative way would be to initiate an SMTP connection, and try to begin sending an e-mail. This is similar to callback verification amongst mail servers. For example (< is what the mail server says, > is what your script might send):

< 220 example.com ESMTP Postfix
> EHLO foobar.com
< 250 OK
> MAIL FROM: noreply@foobar.com
< 250 OK
> RCPT TO: johndoe@example.com
< 550 Recipient address rejected: User unknown in local recipient table
> QUIT
< 221 Bye

There are several serious problems with this approach, which is why it is not used in practice. Most of these will result in incorrectly accepted messages, some will cause the check to fail entirely:

  • If your site is behind a firewall that prohibits outgoing connections on port 25 (SMTP) and 445 (SSMTP), you cannot even connect to the remote server.
  • This technique will not tell you if the address was mistyped, but resulted in another valid address. For example, at hotmail.com, pretty much any address you can imagine will be taken.
  • If the mail server is down or unreachable, account creation will fail.
  • If the mail server is configured to accept mail for invalid addresses, any address will be accepted.
  • If the mail server is not the final recipient, but just a relay host, any address will be accepted.
  • If you probe a mail server too often, it might blacklist you.
  • Your site can be abused by a malicious person or bot to hammer mail servers. (This is also the case when you send out a full verification e-mail. Use a captcha in both cases.)

See also the Postfix manual and a disputed section on Wikipedia. I hope this list is long enough to convince your client that there is no good solution to his problem, and that he should stop asking the impossible from you.

Thomas
    Which you need to do since otherwise a user could submit a real email address … which belonged to someone else. – Quentin May 12 '10 at 15:56
  • I was clarifying while you were typing that :) – Thomas May 12 '10 at 15:58
  • Yes, you are right, and as a matter of fact my client already has this kind of activation, but he wants to remove the hassle of clicking a link. What can I say, it is the client's will; I can't do anything about it. – simple May 12 '10 at 16:52
1

Why don't you implement a verification system? They create an account; send them an email with a verification number; they click the link in the email, and then you run through the database and activate that particular verification id.

Many websites use this technique, and it helps keep some kind of control.

Hope this helps

Jonjo
  • Well, my client already has verification as you described, but he wants to make things easier for the user. – simple May 12 '10 at 16:53
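The confirmed opt-in flow that Thomas and Jonjo describe (a random token stored against the account, activation when the link is hit, clean-up of unused tokens after about a week) as a worked example in Python. This is an added illustration, not code from either answer; the activation URL, the seven-day lifetime, the in-memory store standing in for the database table, and the choice to store only a hash of the token (so a leaked table cannot activate accounts) are assumptions of this example.

```python
import hashlib
import secrets
import time

# Assumed activation endpoint and token lifetime (the answer suggests about a week).
ACTIVATE_URL = "https://example.com/activate?token="
DAY = 24 * 3600
TOKEN_TTL_SECONDS = 7 * DAY


def _digest(token: str) -> str:
    """Store only a hash of the token; the plaintext goes into the e-mail alone."""
    return hashlib.sha256(token.encode("ascii")).hexdigest()


class ActivationStore:
    """In-memory stand-in for the table that links activation tokens to accounts."""

    def __init__(self) -> None:
        self.pending = {}    # token digest -> (account_id, expires_at as epoch seconds)
        self.active = set()  # account ids that completed the loop

    def issue(self, account_id: str, now: int) -> str:
        # 16 random bytes -> 32 hex characters, the shape of the token in the answer's link
        token = secrets.token_hex(16)
        self.pending[_digest(token)] = (account_id, now + TOKEN_TTL_SECONDS)
        return token

    def link(self, token: str) -> str:
        return ACTIVATE_URL + token

    def activate(self, token: str, now: int) -> bool:
        """Handle a hit on the activate page: True only for an unexpired, unused token."""
        entry = self.pending.pop(_digest(token), None)
        if entry is None:
            return False          # unknown, already used, or purged
        account_id, expires_at = entry
        if now > expires_at:
            return False          # stale link; the user has to request a fresh one
        self.active.add(account_id)
        return True

    def purge_expired(self, now: int) -> int:
        """Periodic clean-up; returns how many pending activations were dropped."""
        stale = [d for d, (_, exp) in self.pending.items() if now > exp]
        for d in stale:
            del self.pending[d]
        return len(stale)


if __name__ == "__main__":
    store = ActivationStore()
    t0 = int(time.time())
    tok = store.issue("user-42", t0)
    print("mail this link:", store.link(tok))
    print("activated:", store.activate(tok, t0 + DAY))
```

Tokens are single use: `activate` removes the entry whether or not it succeeds, so a link cannot be replayed, and an expired one forces the user to request a new e-mail rather than silently activating late.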
1

You can also use the PHP function checkdnsrr($hostname). For example:

function emailDomainHasMx($hostname)
{
    // checkdnsrr() looks up MX records by default; the type is passed explicitly for clarity
    if (checkdnsrr($hostname, "MX"))
    {
        echo 'Email valid!';
        return true;
    }
    else
    {
        echo 'Email invalid!';
        return false;
    }
}

This will return true and echo "Email valid!" because comcast.net is a valid ISP. This function, at least, will prevent your users from entering "johndoe@foobar.com".

  • thanks, I was in fact stumbling on this, though I really want to check the "johndoe" part too. But to be honest I really doubt I can manage it with PHP =( – simple May 12 '10 at 16:56
0

Here is a service that will validate an email address, not sure if that was the intended route you were interested in. Service

Gabe
0

Look into Regular Expressions; they are a way that you can validate the email's format to ensure it's a valid email structure (i.e. contains an "@", has a top level domain, a domain, etc.).

That will just ensure the email is valid, but a fake email like fakeMan@FakeLand.com would still pass. To ensure that the email is real, you'd need to send an email through a mail server and check for bounce backs. That process could take a while, because you'd have to wait for the email server to respond with a bounce back, and it is hard to predict how long that will take. If you want your users to wait a couple of days, then that's fine.

The standard is to validate the email to make sure it's the right format, using Regular Expressions. Then what you do is send a verification key to the user's email. They need a valid email to then get the key, to complete the sign up process.

Of course, there are still users who use temporary emails to sign up for sites. It's an email that exists for 24 hours or so, enough to get them the verification key... There's no real way to get around users who do this, other than blacklisting all the services that do this (and there are lots.)

AlishahNovin
  • Regular expressions are not the right tool for validating an email address. http://stackoverflow.com/questions/1903356/email-validation-regular-expression/1903368#1903368 – Jacco May 12 '10 at 20:52
0

This is the true email syntax regular expression: http://ex-parrot.com/~pdw/Mail-RFC822-Address.html

You see, it is not a trivial job.

powtac
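The two layers the answers above discuss, a structural check of the address (the regular-expression answers and powtac's point that the full RFC 822 grammar is not trivial) followed by the domain-only mail-exchanger lookup from the checkdnsrr answer, as one added worked example in Python. This is not code from any of the answers. It deliberately implements a pragmatic subset of the syntax (unquoted local parts only, which is what real sign-up forms see) rather than the full RFC grammar, and the DNS lookup is replaced by a constructed in-memory MX table so it runs offline; a real deployment would pass a resolver-backed function as `has_mx`. The output labels and the `FAKE_MX` contents are assumptions of this example.

```python
import re

# Constructed MX table standing in for a real DNS lookup (what checkdnsrr($host, "MX") does).
# Assumption for the example: only these domains have mail exchangers.
FAKE_MX = {
    "comcast.net": ["mx1.comcast.net"],
    "example.com": ["mail.example.com"],
}


def fake_has_mx(domain: str) -> bool:
    """Offline replacement for an MX lookup; case-insensitive like DNS."""
    return bool(FAKE_MX.get(domain.lower()))


# Characters an unquoted local part may contain (RFC 5322 atext plus the dot separator).
LOCAL_CHARS = re.compile(r"^[A-Za-z0-9!#$%&'*+/=?^_`{|}~.-]+$")
# One DNS label: letters/digits, hyphens only inside, at most 63 characters.
LABEL = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")


def split_address(addr: str):
    """Return (local, domain) for a plain address, or None if its shape is wrong.

    Quoted local parts such as "john doe"@example.com are intentionally rejected;
    the full RFC 822 grammar is far larger than what a sign-up form needs to accept.
    """
    if addr.count("@") != 1 or len(addr) > 254:
        return None
    local, domain = addr.split("@")
    if not local or not domain or len(local) > 64:
        return None
    if (not LOCAL_CHARS.match(local) or local.startswith(".")
            or local.endswith(".") or ".." in local):
        return None
    labels = domain.split(".")
    if len(labels) < 2 or not all(LABEL.match(label) for label in labels):
        return None
    if not labels[-1].isalpha():  # top-level label must be alphabetic
        return None
    return local, domain


def classify(addr: str, has_mx=fake_has_mx) -> str:
    """Three outcomes a sign-up form can act on:
    'bad-syntax'     -> reject immediately, nothing to send to
    'no-mail-server' -> well-formed, but the domain cannot receive mail (fakeMan@FakeLand.com)
    'plausible'      -> well-formed and routable; the local part is still unverified,
                        so only a confirmation link proves the address is real.
    """
    parts = split_address(addr.strip())
    if parts is None:
        return "bad-syntax"
    _, domain = parts
    if not has_mx(domain):
        return "no-mail-server"
    return "plausible"


if __name__ == "__main__":
    for sample in ("johndoe@comcast.net", "fakeMan@FakeLand.com", "john..doe@example.com"):
        print(f"{sample:25} -> {classify(sample)}")
```

The point the example makes concrete: "fakeMan@FakeLand.com" survives every syntax check and only fails once the domain is looked up, while "johndoe@comcast.net" passes both checks and still tells you nothing about whether "johndoe" exists, which is exactly the gap the confirmation e-mail closes.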