This is a post for IPv6 geeks and people who care about email address validation. That’s probably not you, so I’m warning you that it gets a bit nerdy below. YHBW.

People keep saying the IPv4 address space is going to run out Real Soon Now but it’s still the protocol you are using right now to connect to the internet. It’s still working. When I was at school many years ago, I was told that oil would probably run out before the year 2000. People who believed this started investing in Alternative Energy such as solar power, wind power and, least successful of all, wave power. Most of the early investors lost their money, I guess.

The Alternative Energy of the internet is IPv6. This is the solution that people designed when they first thought the IPv4 address space was in danger of running out. It’s still a minority sport even though your Windows PC has it installed and running. It’s talking this language to nobody though. Even if you have a few computers at your house, the router you use to network them together is still only talking IPv4.

IPv6 is there and it’s real. One day we might start using it. Until then it remains a laboratory curiosity.

But it’s a valid part of an email address. So if you want to validate somebody’s email address in your registration form you shouldn’t go rejecting jon.postel@[IPv6:1234::cdef] just because it doesn’t match the usual first.last@domain.com format. It’s a valid address. Check out RFC 5321 if you don’t believe me.

OK, let’s assume you actually clicked that link and read the RFC (I won’t tell if you don’t).

Now tell me whether this is a valid address: jon.postel@[IPv6:1111:2222:3333:4444:5555::7777:8888]

The answer according to the bible of SMTP is no. I quote the comments to the definition of ipv6-comp: “The “::” represents at least 2 16-bit groups of zeros. No more than 6 groups in addition to the “::” may be present.”

But let’s look at the bible of IPv6, RFC 4291: “The use of “::” indicates one or more groups of 16 bits of zeros.”

So RFC 4291 appears to disagree with RFC 5321. Thanks, IETF. Which should we use as our authority when validating email addresses? Perhaps RFC 5321 is documenting a special case of IPv6 that only applies to SMTP transactions. Hmmm.

Fortunately just when we feel like banging John Klensin’s head against RFC 4291 or (frankly) anything solid, along come Seiichi Kawamura and Masanobu Kawashima to our rescue. The brand-new RFC 5952 gives us clear guidelines about the use of the double colon in IPv6 addresses:

The symbol “::” MUST NOT be used to shorten just one 16-bit 0 field.

Phew. We have clarity at last.

Or do we?

Remember Jon Postel’s Robustness Principle? “Be conservative in what you do, be liberal in what you accept from others”. How might we apply that here? RFC 5952 still accepts the authority of RFC 4291. It is a recommendation for how IPv6 addresses might be standardised when written as text. The robustness principle would suggest we should ensure our own addresses conform to RFC 5952, but we should accept any addresses that conform to RFC 4291.

My conclusion is this: my own validator is_email() will accept as valid any address that conforms to RFC 4291 (even though that is contradicted by RFC 5321). It will raise a warning if the double colon elides only one zero group.

As a final personal note, I would say that an address of the format ::1111:2222:3333:4444:5555:6666:7777 is nonsense. It’s valid according to RFC 4291 but it contains 8 colons. That’s just silly. I think it’s clear that the only sensible use of the double colon is to elide two or more zero groups and I certainly agree with RFC 5952 that that should be the standard.

Quick links: Source code | Email address validators head-to-head

Thanks to my correspondent Michael Rushton for bringing my attention to this issue.

I’ve had a lot of correspondence about is_email(), the free PHP email address validation software that I maintain. The principle topics of debate were the edge cases where an email address is technically valid but extremely unlikely in the real world.

Examples of this sort of address would be “”@example.com or benedictXIII@va – the first because it doesn’t contain any text to identify the mailbox and the second because it’s at a Top Level Domain.

Both these addresses could exist but neither is likely to. If a user entered one of these addresses into your registration page it is much more likely to be a typo than a real address.

So in the first versions of is_email() I made the decision to call these address invalid because they were unlikely. It was this decision that generated most of the correspondence.

My learned correspondents were right. The purpose of is_email() is to determine whether an address is valid or not. It should not be rejecting valid addresses – this is the most common fault of other ways of validating email addresses.

But I wanted to identify unlikely addresses without declaring them invalid. For this reason I added a Warning feature to is_email(). Without losing any backward compatibility, I have enabled it to return a diagnostic code that identifies either the fault (if it’s invalid) or the reason it’s unlikely to be a real address (despite being valid).

This has allowed me to make it a true validator – it follows the RFCs as precisely as I can make it – without losing real-world usefulness.

is_email() version 2.1 was released yesterday. Try it. Let me know if it works for you.

Quick links: Source code | Email address validators head-to-head

I was turning a blind eye to the part of RFC5322 that allows you to put comments within an email address. But Cal H brought it up in an email so I had to bite the bullet.

On reflection I think this was worthwhile. The most common error in email address validators is that they reject valid addresses. This really annoys people who like to put a ‘+’ in their address and find they can’t because registration form won’t allow it.

Why do they like putting a ‘+’ in their address? Well it effectively tags the incoming email for you automatically. Mail sent to first.last+hello@example.com will go to the first.last mailbox, tagged with ‘hello’. GMail will do this for you – try it.

So that’s why I think it’s worth allowing comments. The next GMail might be able to do the same thing or something even more useful with comments:

first.last(notify IM)@example.com

Version 1.6 of my validator now passes all 222 unit tests. So does Cal’s. I see no reason why you wouldn’t use one of these in your project: they are free and they work. Why reinvent the wheel?

RFC nerd notes

Comments can contain folding white space and can be nested. This is the final nail in the coffin for regular expressions that claim to validate email address. Show me a regex that says this is a valid address:

first(Welcome to
 the (“wonderful” (!)) world
 of email)@example.com

A thank-you also to Paul Gregg who allowed me to add his validator to the head-to-head (and added mine to his page). He also provided some more unit tests.

Quick links: Source code | Email address validators head-to-head

The amazingly helpful Cal Henderson has nearly caught up in the arms race that is email address validation. After our latest round of discussions we disagree about only one of the 161 test cases in the test suite. Cal’s validator successfully validates all the test cases except that one (and he may be right about it -we’ll see).

I’ve released version 1.3 of my validator and you can download it with the test cases from Google Code.

RFC nerd notes

I had a lesson from Cal on Folding White Space. Who knew that you could have an email address that was split over several lines? Please don’t run out and try this – it’s strictly for completeness.

Secondly, all those validators out there that use RFC2822 as their authority: those are yesterday’s validators. All the cool kids are validating using RFC5322. It’s the latest thing.

Quick links: Source code | Email address validators head-to-head

Do you think this is a valid email address?

“”@example.com

No, me neither. In one sense it clearly isn’t since there is no mailbox of that name at example.com’s mail host. Send mail to that address and you won’t find anybody reading it.

In another sense, however, it is a perfectly good email address. That is, if you believe the RFCs that define how email addresses should be constructed. Here’s the BNF from RFC5322 for example:

addr-spec       =       local-part "@" domain

local-part      =       dot-atom / quoted-string / obs-local-part

quoted-string   =       [CFWS]
                        DQUOTE *([FWS] qcontent) [FWS] DQUOTE
                        [CFWS]

Don’t worry if you can’t follow the BNF syntax – I couldn’t either until this week. Focus on the asterisk before ([FWS] qcontent). That asterisk means the contents of that bracket can occur zero or more times.

So tracing it through the specification:

1. An email address is a local-part followed by an @ sign followed by a domain
2. A local-part can be a quoted-string
3. A quoted-string is a pair of double quotes surrounding zero or more characters.

“”@example.com follows these rules perfectly. And yet common sense suggests this is a preposterous address. Where should the receiving host deliver it?

I have had some discussions about this with Cal Henderson and we are somewhat at a loss. Both of us have functions that validate email addresses and we cannot decide whether to follow the RFCs or common sense.

I could suggest the IETF add an erratum to their RFC but this format is also documented in RFC 5321 as well. No amount of published errata will correct the impression given by two published RFCs.

Perhaps we are wrong – can you think of a valid purpose for an email address of this format?

Quick links: Source code | Email address validators head-to-head

I had some very helpful input from Cal Henderson on interpreting RFC 2822. I’ve included his latest validator in my head-to-head comparison and updated the test suite to reflect the consensus from our discussion.

I’ve also updated my own routine so that it still passes all the tests, of which there are now 158. As always, the full analysis is on my website and the latest version of the source code will always be in Google Code.

I would really appreciate it if you find a valid address that fails my validator, or an invalid one that passes, if you would get in touch with me and let me know.

Here are the latest scores:

Dominic Sayers: 100% validated correctly
Simon Slick: 91%
Cal Henderson: 84%
Phil Haack: 80%
Dave Child: 79%

I know Cal is working on IPv6 validation so this may change soon.

RFC nerd notes

There are two principle changes in this version.

Firstly, I now accept Dave Child and Cal Henderson’s opinion that a backslash can escape anything in a quoted string local element. However, it must escape something – it can’t be at the end of the string.

Secondly, if the string is not quoted then the local element must be a vanilla atom. You can’t escape individual characters unless the element is surrounded by double quotes.

By “local element” I mean a single component of a dot-delimited local part.

I’ve extracted the raw specification of a valid email address in BNF (Backus-Naur form) from RFC 5322 and put it here: The BNF from RFC 5322 defining parts of a valid email address. If you try to follow this in the RFC you end up going backwards and forwards and getting confused – it’s much easier to understand in the way I’ve laid it out.

Quick links: Source code | Email address validators head-to-head

OK, after some correspondence with Dave Child and Cal Henderson I have now released version 1.0 of my PHP email address validator.

This version passes all 139 unit tests in the suite – tests I have collated from RFC 3696 and from articles by Dave Child, Doug Lovell and Phil Haack plus some of my own to test the IPv6 address format. The full analysis is on my website and the latest version of the source code will always be in Google Code.

I would really appreciate it if you find a valid address that fails my validator, or an invalid one that passes, if you would get in touch with me and let me know.

Here are the scores on the doors:

Dominic Sayers: 100% validated correctly
Simon Slick: 86%
Dave Child: 81%
Phil Haack: 79%
Cal Henderson: 71%

For the RFC nerds, this version now correctly validates the obsolete local form of word *(“.” word). In other words you can regard the local part of the address as a dot-delimited series of elements each of which can be separately quoted. This means that first.”last”@example.com is now recognised as a valid address.

Quick links: Source code | Email address validators head-to-head

I’ve discovered a number of other public-domain functions that attempt to validate the format of an email address. I tried to validate my 124 test cases against these functions with the results below:

Dominic Sayers: 100% correctly validated
Simon Slick: 88% 
Dave Child: 80%
Cal Henderson: 72%

Interestingly, all the other functions failed correctly to validate the example addresses given in RFC3696 (Section 3: Restrictions on email addresses).

I couldn’t include Doug Lovell’s function in my tests because the code is copyright All Rights Reserved by Linux Journal (ironically).

Some of the other functions also supply test cases; I’ve added these to my test suite. More analysis and commentary here: RFC-compliant email address validator.

In summary, I recommend you use my function if you want totally RFC-compliant address validation.

Quick links: Source code | Email address validators head-to-head