views:

391

answers:

3

I noticed that most scripts for e-mail validation do not use DNS information to ensure the given domain actually exists.

What are the reasons why one might not use DNS checks?

Does it actually reduce the number of fake e-mails or make a form more usable?

Example snippet:

$host = explode('@', $email);
if(checkdnsrr($host[1].'.', 'MX') ) return true;
if(checkdnsrr($host[1].'.', 'A') ) return true;
if(checkdnsrr($host[1].'.', 'CNAME') ) return true;
+3  A: 

It might be slow to do so. If you do DNS validation in a form, it would be wise to use AJAX in some way to start validating before the form is submitted.

Other than that, your check would fail on addresses with literal IP addresses, but personally I wouldn't want to accept those on my web form anyway. I don't care if they're RFC822 compliant ;)

Thorarin
+2  A: 

It makes DOS attacks on your mail server really easy to pull off.

Spencer Ruport
Good point. If some spammer keeps submitting the form, my server will have too much to handle.
Alex L
Caching the results might go some way in alleviating that pressure
rojoca
Not really. If they're spammers they won't be using the same domain name twice.
Spencer Ruport
+3  A: 

Most sites, especially ones that retain login information, send confirmation emails after you sign up. This not only confirms the email address is valid but also confirms that the email address belongs to the submitter. Having a DNS lookup would be redundant unless you wanted to tip off the user that they misspelled their email address.

And if I wanted to put in a fake email address, [email protected] (AAA, the auto club) and [email protected] (from RFC 2606) would both pass. I don't think a DNS lookup would catch as many fake addresses as you think.

pjabbott
+1. The email spec is complicated. The best way to validate an email address is to send an email to it.
Frank Farmer