I'm wondering how far people should take the validation of e-mail address. My field is primarily web-development, but this applies anywhere.
I've seen a few approaches:
- simply checking if there is an "@" present, which is dead simply but of course not that reliable.
- a more complex regex test for standard e-mail formats
- a full regex against RFC 2822 - the problem with this is that often an e-mail address might be valid but it is probably not what the user meant
- DNS validation
- SMTP validation
As many people might know (but many don't), e-mail addresses can have a lot of strange variation that most people don't usually consider (see RFC 2822 3.4.1), but you have to think about the goals of your validation: are you simply trying to ensure that an e-mail address can be sent to an address, or that it is what the user probably meant to put in (which is unlikely in a lot of the more obscure cases of otherwise 'valid' addresses).
An option I've considered is simply giving a warning with a more esoteric address but still allowing the request to go through, but this does add more complexity to a form and most users are likely to be confused.
While DNS validation / SMTP validation seem like no-brainers, I foresee problems where the DNS server/SMTP server is temporarily down and a user is unable to register somewhere, or the user's SMTP server doesn't support the required features.
How might some experienced developers out here handle this? Are there any other approaches than the ones I've listed?
Edit: I completely forgot the most obvious of all, sending a confirmation e-mail! Thanks to answerers for pointing that one out. Yes, this one is pretty foolproof, but it does require extra hassle on the part of everyone involved. The user has to fetch some e-mail, and the developer needs to remember user data before they're even confirmed as valid.