Misguided developers incorrectly "validating" email addresses is the reason that one of my clients couldn't use one of the newer TLDs, ".place", and ended up scrapping it and trying to find something they wanted a lot less in the much more crowded .com space.
It's also why I far too often run into forms that won't let me use a "+" in the username part of my email address, which I use to track who's responsible for sending my email account off to third parties (e.g., "rob+paypal@....").
Some kinds of email validation are better than others. Using regular expressions and strictly adhering to the RFC is the one that developers are usually talking about when they say not to do it. filter_var(..., FILTER_VALIDATE_EMAIL) is sort of okay, although there are lots of edge cases that it doesn't handle correctly.
Genuinely curious: does the '+' trick work? I would imagine any infringing parties would have learned to remove the plus sign and all after it before selling the database of addresses by now...
Other than that: true, I hate incorrect validation. But I hate sloppy security practices even more.
Not as much as it used to. You're right, they've caught on to it. I need to stand up another mail server pretty soon, I want to try making it easy to generate random recipient aliases, so e.g. qti3XZ@mydomain.com is an alias for rob+someservice@mydomain.com and gdUTgp@mydomain.com is an alias for rob+otherservice@mydomain.com. That oughtta stump 'em for a while.
Sometimes not allowing a "+" is an anti-abuse feature. If you have a service tied to a customer providing a unique email address then you don't want them able to use a "+".
That seems like a strange place to verify that a user is only allowed to create one account. After all, they could just create a second email account on a free email provider and use that to sign up.
To get around that, the service provider would have to verify identity further down the line, making the email format restriction redundant.
I have been down this route and you also have to disable the use of free email accounts.
If the service value is not too high then even making people who want to abuse the service go through the process of registering a free email account works. Put a little bit of friction into the process and the script kiddies move onto an easier target.
It depends on the service. Some services are only aimed at businesses which have their own domain, but yes I agree this is a pretty drastic step to take.
The specific character depends on your MTA configuration. In Postfix this is the recipient_delimiter setting. I went with a "+" because that's the same character Gmail uses. Other mail services may not support this feature. Hope this helps!
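The two points the thread keeps circling, that over-strict validation rejects legitimate addresses like "rob+paypal@example.place" while some services reject "+" to enforce one-account-per-address, can both be handled without a restrictive regex. The following is an added example written for this discussion, not code from any commenter: a minimal syntactic check that accepts new TLDs and "+" tags, placed beside the kind of over-strict pattern being complained about, plus a separate canonicalization step that collapses the "+tag" (and, for Gmail specifically, dots in the local part) so duplicate-account checks can compare a canonical key instead of refusing the character. The sample addresses are constructed; the "+" delimiter and the lower-casing of the local part are assumptions, since as the last comment notes the delimiter depends on the mail provider.

```python
import re

# Constructed sample inputs for this example (not taken from the thread).
SAMPLE_ADDRESSES = [
    "rob+paypal@example.place",   # "+" tag and a newer TLD: must be accepted
    "rob@example.com",
    "Rob.Smith+news@Gmail.com",
    "no-at-sign",
    "two@@example.com",
    "user@localhost",             # no dot in domain: rejected by local policy
]

# The kind of over-strict pattern the thread complains about: it forbids "+"
# in the local part and only allows 2- or 3-letter TLDs, so ".place" fails.
OVERLY_STRICT = re.compile(r"^[A-Za-z0-9._]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,3}$")


def strict_is_valid(addr: str) -> bool:
    """Over-strict check, kept only to show what it wrongly rejects."""
    return OVERLY_STRICT.fullmatch(addr) is not None


def lenient_is_valid(addr: str) -> bool:
    """Minimal syntactic checks that do not reject legitimate addresses.

    Deliberate simplification: exactly one "@" (RFC 5321 allows more inside a
    quoted local part, which almost no real user has). Whether the mailbox
    exists is a separate question answered by sending a confirmation mail.
    """
    if not addr or any(c.isspace() for c in addr):
        return False
    if addr.count("@") != 1:
        return False
    local, domain = addr.split("@")
    if not local or len(local) > 64:          # RFC 5321 local-part limit
        return False
    if not domain or len(domain) > 253 or "." not in domain:
        return False
    labels = domain.split(".")
    # Every DNS label must be non-empty and not start or end with a hyphen.
    return all(label and not label.startswith("-") and not label.endswith("-")
               for label in labels)


def canonical_form(addr: str, delimiter: str = "+") -> str:
    """Canonical key for one-account-per-mailbox checks (assumed policy).

    Strips the sub-address tag after `delimiter`, lower-cases both halves
    (assumption: no provider in scope treats local parts case-sensitively)
    and, for Gmail only, removes dots, which Gmail ignores in the local part.
    Store this key alongside the address the user actually typed.
    """
    local, domain = addr.split("@", 1)
    domain = domain.lower()
    base = local.split(delimiter, 1)[0].lower()
    if domain in ("gmail.com", "googlemail.com"):
        base = base.replace(".", "")
        domain = "gmail.com"
    return f"{base}@{domain}"


def classify(addresses):
    """Return (address, strict_result, lenient_result, canonical_or_None)."""
    rows = []
    for addr in addresses:
        ok = lenient_is_valid(addr)
        rows.append((addr, strict_is_valid(addr), ok,
                     canonical_form(addr) if ok else None))
    return rows


if __name__ == "__main__":
    for addr, strict, lenient, canon in classify(SAMPLE_ADDRESSES):
        print(f"{addr:28} strict={strict!s:5} lenient={lenient!s:5} canonical={canon}")
```

Run as-is and the first sample shows the divergence: the strict pattern rejects "rob+paypal@example.place", the lenient check accepts it, and its canonical key equals that of any other "rob+something@example.place", which is what a duplicate-signup check actually needs. Canonicalization is a heuristic by design: a determined abuser can still register a second free mailbox, as the thread points out, so this buys friction rather than certainty.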