Is it a good practise to validate email addresses using SMTP validation?

StackOverflow https://stackoverflow.com/questions/22616661

  •  20-06-2023
  •  | 
  •  

Question

Let's imagine that I have a site with some features that require email validation (eg. user registration). Of course I will validate emails using regex but once upon a time I saw SMTP validation in someone else's code. What good and bad sides has SMTP validation?

I can assume the following pros and cons:

Pros:

  • We can check out some email addresses for existence (not all SMTP servers allows this feature).

Cons:

  • Our site can be blocked.
  • Maybe we can use this to make webserver going down. Webserver will take domain part of email address and make request to it. We can create fake SMTP server that will receive request but will make great delay to response. Maybe if we force webserver to make dozens of such checks it will not be able to answer other clients.
  • Not all SMTP servers provide this capability.

Please be constructive.

Était-ce utile?

La solution

"SMTP Validation" I assume refers to the SMTP VRFY command, and in this day and age you would be a fool to trust in it. It's a great feature if you're a spammer because it allows you to enumerate email addresses for a given server.

No one in their right mind will expose this command to the internet and have it respond with anything other than 252 send some mail, i'll try my best, aka "I'm only going to validate email addresses during an actual mail transaction".

The only sane use of VRFY these days is as an internal interface between a spam filtering appliance and the mail server hiding behind it.

TL;DR Don't use "SMTP Validation", it will be horribly unreliable at best.

If you want to validate that a user has entered a valid email address, then send it an email with an activation link/code.

Autres conseils

In addition to Sammitch's answer, there are email validation services available via API that can provide SMTP validation - sometimes down to the mailbox level - for reasonable prices.

You can find these with a simple Google search, but I'm told LeadSpend and QAS (an Experian subsidiary) are among the best of the bunch.

Licencié sous: CC-BY-SA avec attribution
Non affilié à StackOverflow
scroll top