8

I created a form in which you have to insert an email address.

I already have a validation method. But I need to make sure that the email actually exists.

Is it possible?

Gabor Lengyel
Shay Mishali
  • Yes, it is, see http://stackoverflow.com/questions/4776907/what-is-the-best-easy-way-to-validate-an-email-address-in-ruby/4776943#4776943 – paxdiablo Nov 17 '16 at 23:29
  • I agree with the answer which says that the only way to be sure that the email address is real, and belongs to the user submitting it, is to send a verification link to that email address and require the user to click on that link before they can continue. I use this on my site and get zero spam. However, I also get very few comments, so be aware that there is a strong disincentive to visitors to go through such a process of verification. – Bobulous Nov 17 '16 at 23:33

1 Answer

19

In the general case it is not possible without user interaction.

A few things you can do to validate an email address:

Regular expression

You can use a regex to validate the email address format. It does not guarantee that the address exists, but at least your user input will be well formed. Validating email addresses by a regular expression is not straightforward though; see here for difficulties. You can find guidelines here.

DNS lookup

Once the address is well-formed, you can check with a simple DNS query whether the domain name actually exists and has an associated MX record. If it does not, the email is obviously invalid. If it does, it can still be any valid domain, and there is no proof that there actually is a valid user of the name specified on that domain.

VRFY

If the domain exists, you can issue an SMTP VRFY command to the SMTP server read from the MX record of the domain. VRFY will tell you whether the user name (the part before @) is a valid email address on that server. The caveat is that some servers will not tell you the truth and deny all usernames or not implement the VRFY command as it is a security risk (in many cases, email accounts are valid usernames for the server, so this would allow username enumeration).

So if a VRFY command tells you the address is valid, there is a good chance that it really is. If it tells you it is not valid or VRFY is not implemented on the SMTP server, you basically gained no info. Because of this, you may not want to do this at all.

More info on this is here and here (among many others).

Sending a confirmation email

Ultimately, you should send a confirmation email with a one-time token to the given email address, and store that token in your database for future reference. If the user can click a link in the email sent (i.e. can send the token back), he proves that the email address is valid and it actually belongs to him.

Gabor Lengyel
  • Thank you very much! Best answer I could get. I will go with the last option, seems most comfortable. That is a very informative answer, thanks again! :) – Shay Mishali Nov 17 '16 at 23:49
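
An added example, not part of the original answer or comments, of the confirmation-email token flow described in the answer's last section. The class name ConfirmationStore, the 24-hour lifetime, the in-memory dict standing in for the database, and the choice to store only a SHA-256 hash of the token (so a leaked table cannot be used to confirm addresses) are assumptions of this example.

```python
import hashlib
import hmac
import secrets
import time

TOKEN_TTL_SECONDS = 24 * 3600  # assumed lifetime, not taken from the answer


class ConfirmationStore:
    """In-memory stand-in (hypothetical) for the database table."""

    def __init__(self, clock=time.time):
        self._pending = {}      # email -> (sha256 hex of token, expiry time)
        self._clock = clock
        self.confirmed = set()

    def issue(self, email):
        """Create a one-time token; only its hash is kept server-side."""
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        digest = hashlib.sha256(token.encode()).hexdigest()
        self._pending[email] = (digest, self._clock() + TOKEN_TTL_SECONDS)
        return token  # put this in the emailed link, nowhere else

    def confirm(self, email, token):
        """Return True once if the token matches and has not expired."""
        row = self._pending.get(email)
        if row is None:
            return False
        digest, expires = row
        presented = hashlib.sha256(token.encode()).hexdigest()
        if not hmac.compare_digest(digest, presented):  # constant-time
            return False
        del self._pending[email]  # single use, also drops expired rows
        if self._clock() > expires:
            return False
        self.confirmed.add(email)
        return True


if __name__ == "__main__":
    store = ConfirmationStore()
    t = store.issue("user@example.com")  # constructed sample address
    print("link: https://example.com/confirm?token=" + t)
    print("wrong token:", store.confirm("user@example.com", "guess"))
    print("right token:", store.confirm("user@example.com", t))
    print("replay:", store.confirm("user@example.com", t))
```

A wrong guess leaves the pending row in place, so a production version would also rate-limit confirmation attempts per address.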