Verifying Email Addresses Is Impossible

sysadmin

Email - or really, the Simple Mail Transfer Protocol has shortcomings. SMTP is great because it is simple. RFC 821, the original specification, is only 68 pages long, short for a technical RFC. It is relatively easy to implement a minimal SMTP client or server.

One of the features that one might want out of their email library is the ability to verify that an address exists. Perhaps when a user signs up, we could detect that they made a mistake entering their email address with AJAX, alerting them to a problem before they submit the form. Or we could prune old email addresses from our mailing list automatically by periodically checking that the email addresses exist.

It turns out that RFC 821 actually has a VRFY command which allows the client to check if an address exists. However, because it could be used by spammers to prune their lists - and hence, make their activities harder to detect - RFC 2505 specifically suggests limiting VRFY to authenticated / trusted users. As such, no public mail server is going to allow an arbitrary client to use VRFY today, if they turn on VRFY support at all.

Some people have come up with clever ways of attempting to verify addresses in other ways. The most common proposed way of doing this is to start an SMTP transaction, and treat an error after sending the proposed recipient address as proof that the address does not exist. Al Iverson has laid out why this is a bad idea, though, which amounts to: it does not work (many servers have a ‘catchall’ address) and it will get your server on spam blacklists.

So, there is no way to verify an email address without sending a message, much less a good way to do so. The best you can do is ask your user to click a link in an email that you have sent them - but even this has a significant cost in that it inconveniences your user. The best solution is to design your application in such a way that no email address verification is required.

Get Notified of New Posts

* indicates required