Shay Mishali - 15 days ago
Java Question

How to check if email actually exists

I created a form in which you have to insert an email address.

I already have a validation method. But I need to make sure that the email actually exists.

Is it possible?

Answer

In the general case it is not possible without user interaction.

A few things you can do to validate an email address:

Regular expression

You can use a regex to validate the email address format. It does not guarantee that the address exists, but at least your user input will be well formed. Validating email addresses by a regular expression is not straightforward, though; see here for the difficulties. You can find guidelines here.

DNS lookup

Once the address is well-formed, you can check with a simple DNS query whether the domain name actually exists and has an associated MX record. If it does not, the email is obviously invalid. If it does, it can still be any valid domain, and there is no proof that there actually is a valid user of the name specified on that domain.

VRFY

If the domain exists, you can issue an SMTP VRFY command to the SMTP server read from the MX record of the domain. VRFY will tell you whether the user name (the part before @) is a valid email address on that server. The caveat is that some servers will not tell you the truth and deny all usernames, or will not implement the VRFY command at all, as it is a security risk (in many cases, email accounts are valid usernames for the server, so this would allow username enumeration).

So if a VRFY command tells you the address is valid, there is a good chance that it really is. If it tells you it is not valid or VRFY is not implemented on the SMTP server, you basically gained no info. Because of this, you may not want to do this at all.

More info on this is here and here (among many others).

Sending a confirmation email

Ultimately, you should send a confirmation email with a one-time token to the given email address, and store that token in your database for future reference. If the user can click a link in the email sent (i.e. can send the token back), he proves that the email address is valid and it actually belongs to him.
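The DNS step and the confirmation-token step of this answer, as an added Java example (not code from the answer or the asker). It assumes JDK 16+ (for `record`), the JDK's built-in JNDI DNS provider for the MX lookup, and an in-memory map standing in for the database table; the token is stored only as a SHA-256 hash and is consumed on first successful use.

```java
import javax.naming.NamingException;
import javax.naming.directory.*;
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.time.*;
import java.util.*;

public class EmailVerification {
    private static final SecureRandom RNG = new SecureRandom();
    private record Pending(byte[] tokenHash, Instant expires) {}
    private final Map<String, Pending> pending = new HashMap<>(); // stand-in for the DB table
    // DNS step: does the domain publish an MX record? Any lookup failure counts as "no MX".
    public static boolean hasMxRecord(String domain) {
        Hashtable<String, String> env = new Hashtable<>();
        env.put("java.naming.factory.initial", "com.sun.jndi.dns.DnsContextFactory");
        try {
            Attribute mx = new InitialDirContext(env).getAttributes(domain, new String[] {"MX"}).get("MX");
            return mx != null && mx.size() > 0;
        } catch (NamingException e) {
            return false;
        }
    }

    // Confirmation step: mint a 256-bit one-time token; store only its hash so a leaked table cannot be replayed.
    public String issueToken(String email) {
        byte[] raw = new byte[32];
        RNG.nextBytes(raw);
        String token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw); // goes into the email link
        pending.put(email, new Pending(sha256(token), Instant.now().plus(Duration.ofHours(24))));
        return token;
    }

    // Link clicked: expiry check, constant-time compare, delete on success (single use).
    public boolean confirm(String email, String token) {
        Pending p = pending.get(email);
        if (p == null) return false;
        if (Instant.now().isAfter(p.expires())) { pending.remove(email); return false; }
        if (!MessageDigest.isEqual(p.tokenHash(), sha256(token))) return false;
        pending.remove(email);
        return true;
    }

    private static byte[] sha256(String s) {
        try {
            return MessageDigest.getInstance("SHA-256").digest(s.getBytes(StandardCharsets.UTF_8));
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(e);
        }
    }
}
```

In production the `pending` map becomes a table keyed by address, and `confirm` is what the link handler calls with the address and the token from the URL.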
