Email Validation Algorithm — Flexible vs. Strict

Dexter Ramos
3 min read · Jul 29, 2023


As developers, we may encounter the problem of validating email addresses. This can happen while developing a feature, reviewing code, or even creating unit tests for an email validation method.

It’s easy to rush and copy-paste an email regex from the top answer on StackOverflow. It may work, and you might feel good about finishing quickly. However, doing it fast can lead to unexpected problems.

QA might pass it, but in the future a new developer might write unit tests and find that valid email addresses fail your validation method. You may not be there anymore, but think of the customers lost in the meantime: they tried to register, their regular email address was rejected, and they went away. The business lost money.

As developers, we should strive for quality code and be responsible. However, not every developer is given enough time to develop and test their code thoroughly, leading to unexpected behavior. This article aims to address this issue.

The main topic

If you dig deeper, you’ll find that there is no single answer to email validation. People have different approaches — some are strict, some are not. Not being strict means some invalid emails may be accepted. There have been discussions on this topic, such as this GitHub thread.

Is it good to reject invalid emails? It can be, because you catch typos early: the user may have forgotten the “@” or typed an invalid character, and a prompt lets them fix it before the form is submitted.

However, accepting emails your check considers invalid can also be good. What if the address you rejected is actually valid, because the provider really did issue it? Without being entirely sure, the app may have turned away countless potential customers.

Security Risks and Server Validation

It’s important to note that very flexible validation, or no validation at all, brings its own risks. A client-side check is only a convenience: anything sent from the browser can be altered, so your server must run its own validation before the address is stored or mailed to. At a minimum, cap the length. RFC 5321 limits an address to 254 characters (64 for the part before the “@”), and checking that cap before running any regex keeps oversized input out of your database and bounds the work the regex has to do.

Conclusion

A more flexible check, rather than a very strict one, works better for sign-up, sign-in, sending mail, and other interactions with existing addresses. Even if your app accepts an address that turns out to be invalid, you can send a verification link to it; the user clicks it and your server marks the address as verified. That round trip, not the regex, is the real proof that the address exists and belongs to the user.

However, if you are an email service provider, you probably need strict validation, since you are the one issuing the addresses.

If you do want a strict check, the HTML5 pattern below, as documented on MDN, is the one browsers apply to an input of type “email”:

/^[a-zA-Z0-9.!#$%&'*+/=?^_`{|}~-]+@[a-zA-Z0-9](?:[a-zA-Z0-9-]{0,61}[a-zA-Z0-9])?(?:\.[a-zA-Z0-9](?:[a-zA-Z0-9-]{0,61}[a-zA-Z0-9])?)*$/;

Port the pattern to the regex dialect used on iOS and Android as needed. Be aware of what it does and does not do: it accepts a domain with no dot at all (user@localhost), and it rejects rare but legal forms such as a quoted local part, which is exactly the strict-versus-flexible trade-off discussed above.
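To make the trade-off concrete, here is an added example (my own code, not from the original article or from MDN) that wraps the HTML5 regex above with the RFC 5321 length caps from the Security Risks section and places it beside a deliberately loose check of the kind the conclusion recommends. The sample addresses are constructed for illustration; the function names and the flexible policy are my own choices.

```javascript
// Added example: strict (HTML5 regex + length caps) versus flexible
// (length caps + minimal shape) email validation, side by side.

// The pattern the HTML spec uses for <input type="email">, as quoted on MDN.
const HTML5_EMAIL_RE =
  /^[a-zA-Z0-9.!#$%&'*+/=?^_`{|}~-]+@[a-zA-Z0-9](?:[a-zA-Z0-9-]{0,61}[a-zA-Z0-9])?(?:\.[a-zA-Z0-9](?:[a-zA-Z0-9-]{0,61}[a-zA-Z0-9])?)*$/;

// Limits from RFC 5321: 64 octets for the local part, 254 for the whole
// address (a 256-octet path minus the surrounding angle brackets).
const MAX_ADDRESS_LEN = 254;
const MAX_LOCAL_LEN = 64;

// Shared pre-checks: cheap, run before any regex so oversized input never
// reaches it. Returns the index of the last "@" or -1 if the input fails.
function splitPoint(addr) {
  if (typeof addr !== "string" || addr.length > MAX_ADDRESS_LEN) return -1;
  const at = addr.lastIndexOf("@");
  if (at < 1 || at > MAX_LOCAL_LEN) return -1; // empty or oversized local part
  return at;
}

// Strict policy: length caps, then the HTML5 pattern.
function isValidEmailStrict(addr) {
  if (splitPoint(addr) === -1) return false;
  return HTML5_EMAIL_RE.test(addr);
}

// Flexible policy (assumed, not from the article): length caps plus a
// non-empty local part and a domain with no whitespace or "@". Quoted local
// parts such as "john doe"@example.com pass; a verification link is
// expected to settle whether the address really works.
function isValidEmailFlexible(addr) {
  const at = splitPoint(addr);
  if (at === -1) return false;
  const domain = addr.slice(at + 1);
  return /^[^\s@]+$/.test(domain);
}

// Constructed sample input for comparing the two policies.
const SAMPLES = [
  "alice@example.com",
  "alice+newsletter@example.co.uk",
  "\"john doe\"@example.com",          // quoted local part: legal, HTML5 rejects it
  "alice@localhost",                   // no dot in the domain: HTML5 accepts it
  "alice@example..com",                // empty label: HTML5 rejects, flexible accepts
  "alice@-example.com",                // label may not start with "-"
  "alice@" + "b".repeat(64) + ".com",  // 64-char DNS label, over the 63 limit
  "a".repeat(65) + "@example.com",     // local part over 64 octets
  "a@" + "b".repeat(250) + ".com",     // 256 chars, over the 254 cap
  "alice@",                            // empty domain
];

function classify(addr) {
  return { addr, strict: isValidEmailStrict(addr), flexible: isValidEmailFlexible(addr) };
}

for (const s of SAMPLES) console.log(classify(s));
```

Run it with node and compare the two columns: the strict check rejects legal but unusual addresses, the flexible one lets through things that will bounce, and the length caps stop the oversized inputs before either regex runs. Whichever policy you pick on the client, the same function must run again on the server.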

I hope you enjoyed reading this article!
