Question

There's a pub in my town whereby, if you sign up to their newsletter using their website and provide a "unique" email address, you get a free drink. On a whim, I decided to sign up a second time using myemail+one@gmail.com. It let me. I'm now sitting on a nice comfy pile of free drink vouchers.

This got me thinking about a system we have here, where the email address is considered the unique identifier. Checking the code, sure enough, if we were offering vouchers in our business, someone else would be sitting pretty.

The basic, stab-in-the-dark fix is to check for the "+" character and ignore everything after it (up to the @), and compare using that. But I am unsure if this was the intent for the + character. Would that work?

Secondly, are there any other caveats that would allow a user to sign up multiple times with a seemingly different email address, but which actually would always end up in the same mailbox?

This question is language-agnostic.


Solution

While using a plus sign as an e-mail address alias is a known feature of gmail, other mailers either do not allow it or use a minus sign instead. '+' is a legitimate character to be used as part of an email address according to the RFC.

The use of '.' is also a gray area. john.doe@gmail.com and johndoe@gmail.com both go to the same email address yet look different.

In order to validate the uniqueness of an email address you will have to prepare a rule base for your application, keep it up to date and still expect surprises...
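A per-domain rule base of the kind the answer describes, as an added example (not code from the question or answer). The gmail.com rules reflect the behaviour discussed above; the example.net entry, the googlemail.com alias handling and the function names are assumptions chosen for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class DomainRule:
    strip_subaddress: str = ""      # separator whose suffix the provider ignores ('+' or '-')
    ignore_dots: bool = False       # provider ignores '.' in the local part
    aliases: tuple = ()             # other domains delivering to the same mailboxes

# Constructed rule base for illustration. Only gmail.com/googlemail.com reflect the
# behaviour described in the question and answer; example.net stands in for a
# provider that uses '-' for subaddressing, as the answer mentions.
RULES = {
    "gmail.com": DomainRule(strip_subaddress="+", ignore_dots=True,
                            aliases=("googlemail.com",)),
    "example.net": DomainRule(strip_subaddress="-"),
}

def canonical_domain(domain: str) -> str:
    """Lowercase the domain and map alias domains onto the canonical one."""
    domain = domain.strip().lower()
    for canon, rule in RULES.items():
        if domain == canon or domain in rule.aliases:
            return canon
    return domain

def canonicalize(address: str) -> str:
    """Return a key equal for every spelling of one mailbox. Domains without a
    rule get only their domain lowercased: the RFC leaves local-part semantics
    (case, dots, tags) to the receiving host, so guessing could merge two users."""
    local, sep, domain = address.strip().rpartition("@")
    if not sep or not local or not domain:
        raise ValueError(f"not an e-mail address: {address!r}")
    domain = canonical_domain(domain)
    rule = RULES.get(domain)
    if rule is None:
        return f"{local}@{domain}"
    if rule.strip_subaddress:
        local = local.split(rule.strip_subaddress, 1)[0]
    if rule.ignore_dots:
        local = local.replace(".", "")
    if not local:
        raise ValueError(f"empty mailbox after normalisation: {address!r}")
    return f"{local.lower()}@{domain}"

def is_duplicate(new_address: str, known: set) -> bool:
    """Signup check: compare canonical keys, never the raw strings."""
    return canonicalize(new_address) in {canonicalize(k) for k in known}
```

Store the canonical key alongside the address as entered so the uniqueness constraint lives in the database, not only in application code.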

Licensed under: CC-BY-SA with attribution