6/8/2026 at 2:24:57 PM
by theanonymousone
6/10/2026 at 9:58:31 AM
Maybe I'm taking this too lightly but honestly, if you're playing games with your email address and then don't get my verification mail, it's kind of a you problem. If your email address contains non-printable unicode characters or an IP address as the domain part, I don't really care enough to add support just for you. And surely everyone who does this has a "normal" email as a fallback anyways.by echoangle
6/10/2026 at 9:25:00 AM
> In that sense, it’s actually pretty surprising that so much of the world’s population wasn’t able to put their own name, in its native written form, in an email address until just 14 years ago.Maybe for some internal usages. but imagine someone from a country using different language and characters gives me a card with their email. It's now far less portable for me to use it. Those days, I surely could picture it and find the email most likely getting it right.
But email as means of international communication, like passport, should be readable as possible or it kills its purpose.
Even with ASCII emails I have, I already sometimes struggle to pass them over phone or other methods :)
by rock_artist
6/10/2026 at 9:39:04 AM
Agreed, (a subset of) ASCII as the lingua franca of identifies is very useful. Almost all languages managed pretty well with ASCII-encodings of their special characters even if some individuals choose to be offended.by account42
6/10/2026 at 7:59:00 AM
We have a UK client in the healthcare industry who registered the domain clientname.healthcare, and they rapidly found that the NHS imposed regexes which rejected name@clientname.healthcare emails.Aside from regexes though, I also think the new TLDs confuse quite a lot of people. name@clientname.healthcare just doesn't click as an email address as quickly as name@clientname.com, and I'm in tech so I'm sure it's much more confusing for people outside that space.
In fact, that reminds me that we built a site for another client for use inside an exhibition space which was spacename.house and against our advice they put that - without www or https:// - on exhibition panels for use on mobile phones. I am absolutely convinced that most people didn't realise it was a web address.
by frereubu
6/10/2026 at 12:38:42 AM
Email is just like physical mail and thankfully just as endearingly human (sometimes).Once upon a time (1970/80s) I lived on and off in a mystic land called West Germany. Our postal addresses ended with incantations such as BFPO 40.
Around 1985ish my granny send a Christmas card to us. I should note that she was at this time nearly seventy and sadly suffering from Parkinsons. She addressed the card, in rather crabbed but legible handwriting, to:
Graham and Heath BFPO 40
My mum's name is abbreviated - her daughter. At that time Rheindahlen (nr Moenchengladbach) had a pretty large contingent of Brits in it - it was HQ (BAOR).
The card arrived well before Chrimbo and it took about a week judging by the post mark, which was petty normal in those days. She shoved it into a post box in Ipplepen, nr Newton Abbot, Devon and it found its way to an obscure address in another country. I seem to recall she also forgot the stamp but it still got through.
I'm sure mail like that becomes a point of honour to deliver and HM PO and BFPO did the job admirably.
That attitude is how email MTAs are generally designed to work. They cling on to the good old days and sadly the world is a bit shit. Case sensitivity ... lol!
by gerdesj
6/10/2026 at 8:41:51 AM
Bill Bryson claimed to have received a letter addressed to ‘Bill Bryson, Writer, Yorkshire’.I have some cousins who live in a small town in Australia where the houses have neither names nor numbers. You just address the envelope to ‘<name>, <street>, <town>’, and it’s the postie’s responsibility to know where everyone lives. (‘Postie’ is the official job title in Australia Post because it’s gender-neutral.)
by cjs_ac
6/10/2026 at 8:55:16 AM
I love these examples because they show that addressing has never really been as formal as we like to pretendby KurSix
6/10/2026 at 1:35:30 AM
New rule: when emailing someone, you need to include their name. If you do that, the email delivery gods will correct typos in your email address.by 8n4vidtmkvmk
6/10/2026 at 8:53:12 AM
[dead]by KurSix
6/10/2026 at 8:05:26 AM
This all old hat, unfortunately, and also a thing which will be gotten wrong by developers for years to come. Just shouting 'give me a regex for validating email addresses' will make an LLM like ChatGPT happily output bullshit suggesting some overlong regex which is flawed precisely as outlined by the linked article, even though no one is arguing for those long unmaintainable regexes once they've seen the light.Ah well.
Where there is still room for improvement is in how email addresses are often made a little bit anonymous by a lot of websites. Did you ever see something like 'j*h@gmail.com'? Oh wow, that neatly leaves out John Smith's full name! Like showing only the last four numbers of an IBAN or credit card.
Except for us edge cases with a personal domain, where I then get 'm*l@myfullname.nl'. So stop that. Store it next to the bit of knowledge about validating email addresses — the bits of knowledge you use to correct junior developers and senior idiots.
by Freak_NL
6/10/2026 at 8:56:53 AM
This is a nice sibling problem to validation. In both cases, the bug is assuming an email address has a predictable human structureby KurSix
6/10/2026 at 9:32:36 AM
> It is relatively expensive to runCompared to sending a mail or to a customer not getting a mail they wanted?
> Try to keep it as non-restrictive as possible. Something like ^[^@]+@[^@\s]+$, which only makes sure your user has input “something@something”
Requiring a dot in the domain part is perfectly valid. It makes no sense to not validate that the address is in a format that you can actually send something to, which include a domain that you can look up and isn't specifically rejected by your MTA.
> This belief will probably be more commonly held in the English-speaking world, but I’m curious: If you’re not in the Anglosphere, do you still expect emails to require ASCII latin characters?
Yes, I do not trust Unicode with all its ambiguities and alternate forms to resolve to the same identifier on your and that I intended. ASCII-only email addresses are the norm everywhere I have seen.
by account42
6/10/2026 at 2:53:03 AM
https://fightingforalostcause.net/content/misc/2006/compare-...This is one of my favorite articles on validating emails using RegEx, I fondly remember reading it over 15 years ago. It's stuck with me ever since.
by mmh0000
6/10/2026 at 12:31:45 AM
> It’s likely that more people out there are being filtered by badly-implemented form validation than there are being filtered by their own need of hand-holding.I wish this was asserted with evidence. The author might suggest this because they have unrealistic views of some users.
> In the year of our lord 2026, you can reasonably expect your users to know how to type their own email address - or even better, auto-input from their OS, browser, keyboard app, or password manager.
This really depends on who your users are.
I have multiple family members who have healthy memory, but can't accurately remember their email address everytime: the localpart, the domain, the syntax, everything.
Sending an email verification isn't sufficient, because if the user has typo'd ".com", they might never receive that email, and the user might never be back, or then have to escalate to support.
Meanwhile, if a site is opinionated on TLDs, they might prevent those users facing issues.
I'm sure there are many sites were users have a large variety of odd email addresses, but also there are sites that cater to mostly non-technical users within 1-2 locales, and so may find the friendliest UX is having opinionated validation.
by farfatched
6/10/2026 at 2:02:10 AM
That's why the article says "verify, not validate". Send an email, have a process for them to confirm they received it.If the user gets the email and completes the validation, the email is valid. If they fucked up, they don't get the email and the account never gets created.
No one ever gets prevented from creating an account with a legitimate email address, as opposed to "opinionated validation" where that absolutely will happen. Speaking from years of experience having a .info domain which isn't even all that odd, and at one point using gmail-style + addresses regularly. "Opinionated validation" has forced me to use my .com domain without a plus dozens of times.
I know part of this is intentional, those who know they plan to sell your email addresses don't want you to use the plus addresses, but that doesn't make the advice to not filter addresses any less correct.
by wolrah
6/10/2026 at 7:37:15 AM
While I’m opposed to opinionated validation as well, you seem to be missing the issue it tries to solve, which is the user mistyping their email address, not receiving the verification email, and either thinking everything is fine, or thinking that the process is borked, and in any case not proceeding and not becoming your customer. The goal of opinionated validation is to inform the user about an incorrect email address immediately when they are entering it, so they can correct it right away.by layer8
6/10/2026 at 10:04:52 AM
You could do soft validation that provides protection for common mistakes while still allowing users to use domains you didn't expect."Did you mean layer8@gmail.com instead of layer8@gmailc0m [Y][N]".
by account42
6/10/2026 at 1:16:26 AM
> I have multiple family members who have healthy memory, but can't accurately remember their email address everytime: the localpart, the domain, the syntax, everything.I got Gmail early enough that I have (my first name) dot (my last name) at gmail dot com. About twenty years ago, I started getting strange emails. At first I thought they were spam, because they were addressed to me by name but I had never joined those sites. Eventually I figured out that they were addressed to (my first name) (my last name) at gmail dot com. Which Gmail treats as the same address as the one with a dot in between.
Since I had never ever given out a version of my email address without a dot in the middle, I eventually figured out that these emails were meant for someone else who shared the same first and last name as me. But since I don't think Gmail would allow one person to register john.example@gmail.com and then later allow someone else to register johnexample@gmail.com, my name doppelganger must have registered firstnamelastname@yahoo.com, and then forgot the domain and given out firstnamelastname@gmail.com when asked for an email address. And probably never noticed that they weren't receiving emails like "Dear customer, thank you for purchasing (product). Would you like to try (other product)?", so they never realized that they were giving out the wrong email address.
by rmunn
6/10/2026 at 4:24:18 AM
I also have first.last@gmail.com (which I don’t use anymore, and just keep around), I get all kinds of private mails. Contracts, invoices, confidential material, private photos.And of course, also automated signup mails, newsletters (which I make sure to block and report as spam, unsubscribing is a feature for newsletters that are opt-in), transactional mails etc.
People really suck at knowing what their e-mail is. The private mails are down to 1/month, the others to ~3/week, but it used to be much higher for both categories.
Oh and of course there is some kind of weird scam going on where spammers on German classifieds (Kleinanzeigen) send an e-mail to firstlast@gmail.com for whatever public first and last name of the lister is, and ask if the product is still available. No link, nothing. And all sent via gmail which has by an overwhelming majority become the biggest sender of spam for me. I guess they are trying to get someone to reply and then do some manual scam or something.
by Semaphor
6/10/2026 at 1:24:06 AM
Randall estimates in the alt-text of https://xkcd.com/1279/ that there's about ¾ of a million people who just use somebody else's email on gmail without realizing it's not their email address.by jcranmer
6/10/2026 at 12:50:27 AM
There's something you can do in between - you can check the domain has an MX record.by trumpdong
6/10/2026 at 10:08:21 AM
Yes, and the MX check is pretty simple to implement.But it is still lots more complicated than copying some imperfect email address regex, and for many sites, it's unlikely to even be worth spending much more effort than that.
Realistically, many sites can defacto choose to accept email addresses of few patterns. If a user's email address happens to be rejected, then they are either a non-technical user who quickly learns that they need a more commonly accepted email address, or a techie, who keeps a backup email address for these cases, and rightfully holds a grudge.
Most sites just aren't going to care enough to do anything more complex, for annoyed techies.
See also, IPv6 support.
And yes, I get annoyed if a site doesn't accept my domain-under-a-less-common-tld, or doesn't support IPv6. :)
by farfatched
6/10/2026 at 6:48:22 AM
>I have multiple family members who have healthy memory, but can't accurately remember their email address everytime: the localpart, the domain, the syntax, everything.But you can't do anything about that except asking them to validate their address with an email.
If you can catch 50% of user errors with some complex regex, but the other 50% such errors are uncaught, is that of any benefit during sofware design? No, because you still have to solve that problem, probably with email validation by code. You have reduced your workload by 0%, you just split it into 2 parts (unnecessarily).
by TZubiri
6/10/2026 at 9:53:48 AM
> If you can catch 50% of user errors with some complex regex, but the other 50% such errors are uncaught, is that of any benefit during sofware design? No, because you still have to solve that problem, probably with email validation by code. You have reduced your workload by 0%, you just split it into 2 parts (unnecessarily).In your example, the benefit is that users recover from the error 50% of the time at the time of registration, so it doesn't interrupt their workflow. Further, the fallback case (of contacting support, or enacting email validation, if a site chooses to implement) will see a dropoff in successful onboarding.
by farfatched
6/10/2026 at 8:50:07 AM
Email addresses are a great example of boring infrastructure hiding decades of edge casesby KurSix
6/10/2026 at 7:48:44 AM
"Email addresses always have a 'normal' TLD"I registered a ".consulting" domain for my little company when they became available, and it has proved highly problematic ever since. Strangely (or perhaps not) it seems to be the larger players that have the most problems. I would at lest have expected ISPs and comms companies to keep up with this (looking at you, Three)
by julian_t
6/10/2026 at 9:57:24 AM
While on the sending site you should accept any domain, it's IMO irresponsible to use nuTLDs for pretty much anything as they are privately owned and you have zero recourse when the owner decides to change the deal on you.by account42
6/10/2026 at 7:54:17 AM
I once worked for a company that had a .company gTLD but not the .comIt was also a bloody nuisance. Spam filters were one thing but there were so many validation forms that failed.
Every reasonable variation of the company name as a .com/.net/.org was taken, including <companyname>company.com
Ugh, what a nightmare.
Domain holders are the landed gentry of tomorrow if we keep this up.
by dijit
6/10/2026 at 9:58:47 AM
> Every reasonable variation of the company name as a .com/.net/.org was taken, including <companyname>company.comThat also means that customers WILL confuse your company with others in non-domain contexts so perhaps it's a good idea to choose a more unique company name.
by account42
6/10/2026 at 8:09:58 AM
> Every reasonable variation of the company name as a .com/.net/.org was taken, including <companyname>company.comEven then it seems better to come up with a different prefix, or suffix (or both!), just to stay with ‘.com’.
Of course hindsight is 20/20 and I did the same, my personal homepage used to have a ‘.xyz’ address.
by merelysounds
6/10/2026 at 8:03:19 AM
Another anecdote, I no longer use my ‘.email’ email address for the same reason.by thih9
6/10/2026 at 8:58:48 AM
The annoying bit is that owning a domain should make email feel more stable and professionalby KurSix
6/10/2026 at 2:56:35 AM
These are waaay too complicated. Web developers can't even handle the easy stuff. My email address is of the form sean@foo.bar.baz, and email address validators on websites reject my address about 30% of the time because it has two periods.by SeanLuke
6/10/2026 at 4:19:30 AM
Honestly, I just validate that it has an @ and then let it through. The actual sender (mailgun, or whatever) can do the dirty work for me.by christophilus
6/10/2026 at 5:59:56 AM
\.{1,100}@\.{1,100}
by Joker_vD
6/10/2026 at 6:22:57 AM
I've had sites correct me with an email address ending in ".fi" with "are you sure you don't mean ".fr"?by JuustoKakku
6/10/2026 at 9:42:20 AM
Realistically, the length of the domain part is likely ultimately constrained by how large a domain name can fit into a DNS/UDP query packet (alongside EDNS0).by JdeBP
6/10/2026 at 6:35:54 AM
Just had to update this this week - a previous dev had used 2,4 and someone came through complaining with a six character domain suffix. Apparently 24 or so is the current limit for a real domain suffix.by jamesfinlayson
6/10/2026 at 9:37:47 AM
Even that's not the true length limit of a label in the Domain Name System. (RFC 1034 § 3, for the curious.) So someone is likely going to be fixing that, years down the line. Then of course there's the fact, as called out earlier, that there can be more than 2 labels in a domain name.by JdeBP
6/10/2026 at 4:30:20 AM
Discover bank, refuses to accept name@sub.example.in, but happily accepted name@example.usby davchana
6/10/2026 at 2:03:09 AM
I have a gmail address that at least three other people think is their address. I constantly get emails for the dumb stuff they sign up for. NONE of them ever have an "I didn't request this" link. I mean, I get it. That won't make them money, but oh man is it annoying.by riddley
6/10/2026 at 9:11:16 AM
I have the same with my email address. There seriously exist people out there who think that if they start to give away everywhere an email address, this email address will become theirs. Then there are many service providers and institutions who don't verify an email but simply start sending stuff to it.by undebuggable
6/10/2026 at 6:49:08 AM
The weirdest time was when I got on a girl sorority email list. Told them they got the wrong email a couple times, gave up, and just added a mail filter...by hnfong
6/10/2026 at 2:12:26 AM
I get scammers using my email to sign up for websites, but they very obviously cannot login to my account. I often wonder what is in it for them. I'm sure someone on HN can tell me!by JimTheMan
6/10/2026 at 8:33:50 AM
Commission schemes, possibly. Sign up with their code and they get something out of it. So they submit 10000 harvested addresses, and hope some small % of them think it's something they signed up for and complete the registration process.You'd think big companies would know better than enlisting spammers to spam on their behalf, but I'm pretty sure Netflix had a scheme like this a few years ago. "Grow at any costs" sites like streaming or social media are probably happy with a tiny bit of plausible deniability for their spamming.
by vintermann
6/10/2026 at 7:45:41 AM
I assume they just need a valid email address to put in and hope they can use the service without email verification.by AndroTux
6/10/2026 at 6:58:39 AM
I feel your pain. My gmail address is just my first name, and oh boy, don't half of the people sharing the same first name also think they share my email.by rimliu
6/10/2026 at 6:12:39 AM
I have exactly the same problem.> I mean, I get it.
I don't.
Seriously, that's a huge fricking red flag. Obviously, most of those companies I would never do business with anyway, but this puts it over the line for all the others.
If they don't understand the first thing about validating their putative customers' emails by, you know, sending an email saying "is this really you?" then they've completely proven their technical incompetence.
The worst one is robinhood. I have two different email addresses that different people have used to sign up for robinhood accounts (back when they were giving anybody an account).
Occasionally, I tweak them about sending me shit.
"Sure! Just send us a copy of your photo ID to prove you're not that person."
Nah, bro, you've proven you're clueless, and there's no way I'm sending PIA to clueless people.
by zephen
6/10/2026 at 5:14:24 AM
Another one is that you can tell “professional” from “personal” email addresses or that every address even cleanly fits into just one category.A lot of small business owners use gmail or a longstanding ISP account. A lot of people have personal email addresses you can’t easily distinguish from professional ones, between college alumni addresses, personal domains, and obscure ISP and email providers that aren’t in your database.
by smelendez
6/9/2026 at 11:40:05 PM
Add the lie "emails are delivered instantly, so the user can click a link I email them within 1 minute"And the lie "users always read emails on the same device they're logging into a website with"
And the lie "users can always view HTML email so no need to send a plaintext equivalent, especially if I have a long complex URL I want them to click"
And the lie "Clickable links sent in email are more secure than passwords so I'll stop supporting passwords and instead rely on email delivery of a link for all logins. Whoever clicks that link first is definitely the user who wanted to log in"
by amiga386
6/10/2026 at 9:49:00 AM
I'm surprised that this has not triggered all of the reminiscences of sitting running mailq at intervals for hours to watch mail that hasn't even left the local sending machine yet.by JdeBP
6/10/2026 at 12:45:24 AM
If you try to create a Discord account with Firefox Klar as your default browser, on Android, immediately upon signing up you'll be banned. I have to assume this is because it clears cookies and thinks you're a bot farm.by trumpdong
6/10/2026 at 12:07:33 AM
If you have a password reset form, you probably already have a log-in with email with extra steps functionality.by wodenokoto
6/10/2026 at 2:22:09 AM
Claude, for my non Gmail domain, expects me to click a magic link on every device I wish to use it. Its wild that a product like that cannot take a password, or a passkey.by technion
6/10/2026 at 1:46:40 AM
> And the lie "users always read emails on the same device they're logging into a website with"Or the same browser, or the same browser-profile. For example, on my phone I have external links (from other apps) opening in incognito mode by default.
by Terr_
6/10/2026 at 12:47:46 AM
When I had protonmail, I often wouldn't get emails for hours, sometimes a day.Most other providers I've used range from instant to a few minutes.
by nosioptar
6/10/2026 at 1:49:18 AM
I don't think it's about security. It's about fobing off password resets on somebody else.by butvacuum
6/10/2026 at 12:17:03 AM
> Clickable links sent in email are more secure than passwords so I'll stop supporting passwords and instead rely on email delivery of a link for all loginsGod, I fucking hate that.
I have a fucking password manager, I have various machines and things open. Just let me fucking log in.
If anyone is reading this who is in charge of the internet please stop doing this.
by CPLX
6/10/2026 at 12:46:38 AM
I seem to spend half my life logging into thing's, confirming 2fa,confirming biometric data. Then when I go back to the first thing it's timed out and I have to sign in again.by roygbiv2
6/10/2026 at 1:04:16 AM
So agreed. It’s fucking crazy. Password manager is so much easier and more secure. If you do this dumb email or SMS OTP flow, at LEAST support passkeys for my password manager!It’s wild that they’re like “it’s more secure to not have a password” and then choose two unencrypted delivery mechanisms for the very short OTP.
Sure, people who reuse passwords are not secure. And fair, I guess it’s a tragedy of the commons. But at least continue supporting it and make it dead simple for password managers if you actually care bout security
by anon7000
6/10/2026 at 1:31:56 AM
I thought the same for a long time but now i don't know. If your computer is compromised, they can exfiltrate your password, but with a hardware key they can't, so i think that's legitimately more secure than password+otp. It still needs a pin though to protect against device theft. I bring this up because there's been a ton of compromised developer packages recently and windows itself is being attacked so even if you're pretty good about protecting yourself, you still might get screwed.by 8n4vidtmkvmk
6/10/2026 at 1:44:48 AM
If your computer is compromised, the attacker can just as easily read your email.OTP can be used with a password.
by nvme0n1p1
6/10/2026 at 7:53:51 AM
I'll heap email and sms based otp into thatI have many ways to generate totp codes. All of them are vastly more convenient than sending me an email or sms
by paradox460
6/10/2026 at 12:30:33 AM
The people in charge of the internet are "cybersecurity" "professionals" who can't even follow NIST guidance.by denkmoon
6/10/2026 at 1:25:45 AM
It is with much hesitation that I write this, because I just implemented such a flow.My reasoning was this: my customers keep forgetting their password and somehow that becomes a trigger to contact me. No passwords, no problem.
I tried convincing them to use password managers but that was pointless.
But I see the pain and frustration so I will add passwords. And I quite liked the passkey idea, have to see how that works. Not that my customers would ever use it, but I would. It literally never occured to me.
by Kaliboy
6/10/2026 at 1:38:12 AM
To be clear, no shade on actual devs faced with actual problems. My ire is reserved exclusively for the "we must do this because it is on the checklist, no I don't understand what a subnet is" people.by denkmoon
6/10/2026 at 1:52:26 AM
Good to see my take verified. But, where does the buck stop? What if your phone relies on email, but your email needs your phone.by butvacuum
6/10/2026 at 2:35:33 AM
A lot of those same people seemed perfectly capable of insisting on 60 day password rotation back when they could use nist guidance as an authority to appeal to (for about five years after the recommendation changed too).by technion
6/10/2026 at 12:44:18 AM
The "change your password every 6 months" guidance?by readthenotes1
6/10/2026 at 12:46:00 AM
That was revoked some years ago.by trumpdong
6/10/2026 at 1:36:03 AM
Specifically the revocation of such guidance. If the field gave even the slightest deference to empiricism we wouldn't be changing our password every 180 days, but here we are.by denkmoon
6/10/2026 at 1:48:18 AM
There's a landlord/apartment portal where the whole login process has changed to be:1. Enter username (e.g. an email)
2. Choose from either email or SMS on file
3. Enter the code you got somehow through the respective unencrypted channel
Given that this same site is involved with bank-account details for payment, I am concerned...
by Terr_
6/10/2026 at 4:33:58 AM
It’s really rich when banking/finance apps are fully happy doing 2FA to the phone when using its own browser…Yeah — loose the phone and it’s pretty much game over.
by BobbyTables2
6/10/2026 at 9:21:05 AM
I don't think it should be the sites' responsibility to guess whether the browser session is the have device will receive an SMS message... The fact that it is SMS is already bad anyway.Time-code apps or passkeys are a different story.
1. You should be able to make backups.
2. There's nothing to intercept in plaintext.
3. The all can (unlike SMS features) be locked down by default and require a second layer of unlocking, so that they usually aren't accessible to someone who grabs your phone out of your hand.
by Terr_
6/10/2026 at 7:08:13 AM
You really did -- in your domain name, didn't you?by p0w3n3d
6/10/2026 at 9:32:28 AM
I wonder if bot traffic is less if an emdash is included.by ramon156
6/10/2026 at 8:18:25 AM
It's not lies. And it's not about me either. If I collect email address, it will be used somewhere, someday, in god knows what app. If I'm the one collecting the email, I will make it as restrictive at possible so that it doesn't causes issues down the line. If it's too different than John.Doe_123@example.com, it's best to reject it.For robust systems the goal was never to allow user type any technically valid email. It is to allow only emails that will not cause issues in the future.
by dvh
6/10/2026 at 2:24:29 AM
I would like to point out that the "suggested" validation pattern, ^[^@]+@[^@\s]+$, can filter out valid addresses. "user@something"@example.com is a valid address, and excluding @'s in the user part rejects it.by miningtcup
6/10/2026 at 7:48:48 AM
> "user@something"@example.com is a valid addressI appreciate your commitment to correctness but like [XKCD 1172](https://xkcd.com/1172/) ... the user is clearly in the wrong at this point.
by zenoprax
6/8/2026 at 2:35:33 PM
I enjoyed the deep dice. A lot of sensible advice, and enjoyed the deep dive. A lot of articles do not get a lot of that as right as this article does.Anyone who also enjoyed it would probably get a kick out of my article on the same subject that goes into the regex (which has some valid use cases): https://hackernoon.com/on-the-practicality-of-regex-for-emai...
by adamzwasserman
6/10/2026 at 12:37:11 AM
IIIRC in terms of clients mutt (&co) will actually handle “@“ in the local part correctly.> But the real reason I do that is just because I just like to sit in anger whenever this breaks the user experience because of programming errors or inconsistencies.
Genuinely delighted by the fact that I’m not alone in that.
by sohex
6/10/2026 at 4:43:29 AM
[Old man voice] Back in my day these kinds of articles loved pointing out that, well, the email address could be a UUCP address and that's a whole different parsing situation.Of course, even then in the mid 90ies, UUCP was not something one really encountered outside of "so you think you're going to parse an email address with regexp?!" articles.
by davidw
6/10/2026 at 6:59:51 AM
One thing I have learned about verification is:Don't just put a link into your mail that directly verifies an email when visited. At least put some button or code input field there.
Why? There are mail clients that will automatically open links for users and if that link is now invalid the user is confused about being able to click them.
by atoav
6/10/2026 at 6:55:23 AM
I think most of these issues are easy to resolve by being more permissive and supporting what the technical standard allows for.The Big Problem™ however is case sensitivity in the local-part, because there multiple incompatible things collide:
1. Users are not universally aware of case (in)sensitivity in one direction or the other
2. Existing systems may or may not interpret case at all
My preferred solution would be to adjust the standard to ignore case in the local part by forcing it to lowercase. That aligns with most of the systems and mental model of technically proficient users anyways. It makes much more sense from an UX standpoint since the goal is to be imambiguous.
If we were to enforce the opposite: case sensitivity in the local part this would have multiple downsides:
1. It is inconsistent with itself by making the local part case sensitive but the host part not, that is harder to explain
2. You have to train users to be precise about case on entry. As someone who worked in IT-support, this is a very bad idea. This includes second-order issues like phishing attacks by silbling emails where just the case differs
3. If your service stores email addresses it will need to know whether that specific Mailserver/client/etc treats the email as case-sensitive or not
In my eyes email servers that allow case sensitive local-parts are functionally broken, even if they don't break any rules.
by atoav
6/10/2026 at 12:00:38 AM
The plus sign is a pet peeve of mine, too. But I stopped keeping a list of bad sites when their number has become double digit!by teo_zero
6/10/2026 at 2:28:50 AM
> It turns out that allowing senders to omit dots is common but by no means universal!I think this is mostly common with Gmail-heavy countries and does not apply to Europe? At least I do not know of anyone that thinks so.
by chrisandchris
6/10/2026 at 7:12:42 AM
And even if you know that an email address is perfectly valid it still could be simply wrong because of a tpyo.by croes
6/10/2026 at 6:44:14 AM
Soooo, let's just send a validation email and if they confirm the code, then it's a valid email?Functionally there's no false positives or false negatives
by TZubiri
6/10/2026 at 7:49:46 AM
There's a lot of false negatives because emails get stuck for hours, get blocked by the spam filter or fail to be delivered for whatever reasons.by AndroTux
6/10/2026 at 12:22:40 AM
This article says that Gmail can't handle address literals. I personally wrote the IPv6 address literal support for Gmail, so this annoys me. I just tested it and it shortened "[IPv6:2001:etc:etc::192.etc.etc]" down to "@2001" then generated an extremely terse mail delivery subsystem notification that I've never seen before. Which is why you should never just rewrite software without understanding why all the test cases are in the test suite!by jeffbee
6/10/2026 at 1:33:44 AM
> "[IPv6:2001:etc:etc::192.etc.etc]"I'm trusting this is a throwaway example and that you used a real IPv6 address literal in this test, without the "IPv6" and with only colons and no dots (unless you mean to use v4 mapped address with dots)? Because this IPv6 literal is so malformed that I'm hardly expecting it to do something sane and changing that to "@2001" is nasal-demons quality undefined behavior. I tried with this exact literal and it let me send it but then there was a tiny red pop-up at the top of the gmail interface that said "could not be delivered, check your network connection" (which is odd; the same kind of pop-up that appears in gray when you legitimately are not connected to the internet) and it ended up in my drafts with the To: field empty.
I just tried to send a message to a "test@[" my current IPv6 address "]", and gmail told me
Error
The address "test@[«redacted»]" in the "To" field was not recognized.
Please make sure that all addresses are properly formed.
by thwarted
6/10/2026 at 3:29:16 AM
All address literals other than IPv4 must be prefixed by a tag, such as "IPv6:". The form that I gave is a syntactically valid v6v4 address literal.by jeffbee
6/10/2026 at 6:08:27 AM
Interesting, TIL. That makes the conversion to @2001 even stranger.by thwarted
6/10/2026 at 12:34:26 AM
Could they have consciously chosen to remove that functionality?E.g. to simplify code, or if they wanted all mails to have a domain (if, for example, they wanted to integrate with reputation systems that were domain oriented)?
by farfatched
6/10/2026 at 12:39:36 AM
Based on the incredibly basic bounce message, I suspect the problem is that the frontend eats the address before it even gets to delivery.To your question, yes any product decision is possible, but enterprise/government people are surprisingly demanding about this stuff working because they have extremely weird requirements for routing mail to and through legacy systems. So I bet this still works at the mailer level and is broken in the UI.
by jeffbee
6/10/2026 at 9:24:12 AM
> but enterprise/government people are surprisingly demanding about this stuff working because they have extremely weird requirements for routing mail to and through legacy systems. So I bet this still works at the mailer level and is broken in the UIInteresting context, thanks.
by farfatched
6/10/2026 at 1:08:40 AM
I chuck IP address literals (both IPv4 and IPv6) on the list of things that you should care about for email if you're writing an MTA or an MUA but should otherwise generally not care about supporting if you're using email for something else (e.g., as a UID for login).by jcranmer
6/10/2026 at 12:47:04 AM
> TL;DR: Don't overthink it, just send a verification email.pretty bad advice, if taken only as written, without adding more flavor on top.
the major email providers will penalize you if you generate too many undeliverable emails. thus, if you just send a verification email without any pre-validation, it's pretty easy to get into a DoS situation where current/valid users don't get important email sent to them, or that email is significantly delayed, plus incur huge operating cost to resolve the problem.
some form of rate limiting is needed, plus IMHO it's better to use a verifier service or your own heuristic or ML model to test for email validity including valid but fake/spammy/disposable addresses.
sorry, but we are way past the point of being able to have nice things, esp. when we're talking about email.
the "lies" part of the content is great. people do assume all those wrong things. however the TLDR is just wrong, and potentially harmful.
by jiveturkey
6/10/2026 at 6:00:14 AM
> the major email providers will penalize you if you generate too many undeliverable emails.I suspect the rate at which new users may try to create new accounts and type a wrong email address is too low to be noticed by reputation metrics.
by teo_zero
6/10/2026 at 7:51:22 AM
there's bad actors that use bots to sign up to websites using bogus data.by AndroTux
6/10/2026 at 8:02:19 AM
Wait! Are you saying that you process new registration attempts without any rate limit, captcha, etc? Because the moment to filter out (or limit) bad actors is before they submit an email address, not through it.by teo_zero
6/10/2026 at 12:52:17 AM
I think the only way to deal with that right now is to hire a company whose job is to deal with it. They'll random-check your outgoing emails are indeed what you say they are, and they maintain a reputation with the big providers for checking it properly.What pre-validation could you do that would possibly be useful?
by trumpdong
6/10/2026 at 1:37:32 AM
entropy check, for oneby jiveturkey
6/10/2026 at 1:06:57 AM
This is cute and all. But for anyone coming here for real-world advice: just use a regex, normalize to lowercase, and surface any errors to users so they know if their email got rejected. This will avoid 99.9% of issues and work for 100% of real human users. This is what everyone else does, and if you have a user with an esoteric email, they will still be able to furnish another one that passes this validation.by ashley95
6/10/2026 at 1:24:06 AM
Display a warning and propose to edit instead of blocking the operation: your customers will be happier!by pif