Best method for validating email addresses?
August 14, 2023 2:10 PM

What is your favored method to use in validating email addresses? MailTester isn't as reliable as it once was.
posted by John Borrowman to Computers & Internet (7 answers total) 2 users marked this as a favorite
 
When I had to build tools for this for a big production site, we investigated it pretty intensely. There's really no foolproof way to verify that an email is "valid" in the sense that emails sent to it will not bounce, except by sending an email and seeing if it bounces. The strategy that works for 99% of cases is:

1. does it have a domain after an `@` symbol (note this isn't actually required, but nobody uses the old school kinds of emails that wouldn't require it). Getting deeper than that becomes super complicated since there is a huge range of valid emails, esp with unicode.
2. Is there an MX record for that domain that points to an SMTP server.

If those two check out, it's usually deliverable. There is no reliable way to confirm that the part of the email that comes before the `@` was entered correctly.

You can get a little fancier if you want to pay for it with SendGrid's email validation API.
posted by dis_integration at 2:34 PM on August 14, 2023 [7 favorites]
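
The two checks dis_integration lists, as an added example that is not part of the original thread. `precheck`, `sample_lookup` and the `SAMPLE_ZONE` data are hypothetical names and constructed records standing in for a real DNS resolver; the handling of a "null MX" record and of Unicode domains goes slightly beyond what the answer spells out.

```python
from typing import Callable, Dict, List, Tuple

MXRecords = List[Tuple[int, str]]  # (preference, mail exchanger host)

# Constructed stand-in for DNS so the example runs offline. In production,
# pass a function that performs a real MX query instead.
SAMPLE_ZONE: Dict[str, MXRecords] = {
    "example.com": [(10, "mx1.example.com."), (20, "mx2.example.com.")],
    "nomail.example": [(0, ".")],  # "null MX" (RFC 7505): domain accepts no mail
    "xn--bcher-kva.example": [(10, "mail.xn--bcher-kva.example.")],
}


def sample_lookup(domain: str) -> MXRecords:
    return SAMPLE_ZONE.get(domain, [])


def precheck(address: str, lookup: Callable[[str], MXRecords] = sample_lookup) -> str:
    """Return 'no-domain', 'bad-domain', 'no-mx' or 'plausible'."""
    # Step 1: something before and after the last "@". The local part is
    # deliberately not inspected any further.
    local, at, domain = address.strip().rpartition("@")
    if not (local and at and domain):
        return "no-domain"
    # Unicode domains are looked up in their ASCII (IDNA) form.
    try:
        ascii_domain = domain.encode("idna").decode("ascii").lower().rstrip(".")
    except UnicodeError:
        return "bad-domain"
    # Step 2: at least one MX record that names a real host.
    usable = [host for _pref, host in lookup(ascii_domain) if host != "."]
    return "plausible" if usable else "no-mx"
```

A result of "plausible" only means mail can be attempted; it says nothing about whether the local part exists or belongs to the person who typed it.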


I have used Viza, and it seems to work well.
posted by Ferrari328 at 2:35 PM on August 14, 2023


You might check out GoodForms, run by some fine folks I know who care about responsible use of email.
posted by hanov3r at 2:43 PM on August 14, 2023


I run the email infrastructure at a very big company. My users receive a couple of billion messages annually. What dis_integration says is true. I'll go further and say that a lack of a bounce doesn't prove that the recipient received the message. To that end you actually need the recipient to do something like click a link or enter a code into a web site.

Not to freak you out but even successfully sending messages to aaa@bbb.com is not proof that your future messages to aaa@bbb.com will be received. Most companies' anti-spam/malware/phishing/harassment software is very content sensitive and is very machine-learning based.
posted by mmascolino at 6:07 PM on August 14, 2023 [1 favorite]


Btw, as an owner of a firstname@gmail.com email address, please also consider the very frequent scenario where the person entering the email enters the wrong email, which happens to be a valid email address but belongs to someone else.
posted by gakiko at 7:06 AM on August 15, 2023 [1 favorite]


You don't specify what you mean by "validating" an email address. This could mean a couple of things:
  • Confirming that the address conforms to the RFC 822 spec.
  • Confirming that the address corresponds to a "live" inbox at a live domain that somebody will actually receive.
These are two different things. Likely whatever language you're using has some library or whatever to check the first thing, so I assume you mean the second thing.

The problem is that this is difficult, and there is not a really good general way to test it. Even if you have a completely legitimate reason to want to do this, spammers also want to do this, so most domains block the sorts of requests that can be used to determine whether an address is real.

If you're collecting email addresses directly from users, then you should force them to confirm the address by having them click a link that you send to their email address. If you're just cold-contacting people based on buying mailing lists or whatever else... maybe just don't do that?
posted by number9dream at 6:31 AM on August 16, 2023 [1 favorite]


(I run Buttondown which has to do a whole lot of email address validation.)

Agreed in broad strokes with what dis_integration and number9dream are saying. I think the key question is 'what is valid?' — even as you expand past the trivial regex checks / MX record checks and into the more complicated stuff that third-party vendors might do, you still run into the genre of problem which is "this is a real and valid email address but does not belong to the individual submitting it." This is where double opt-in (that's the magic string to search for) comes in — sending folks an email to their address to _confirm_ that they wanted to actually subscribe.

My personal super-prescriptive advice would be: choose only one of two things:

1. If this is a trivial level of validation (e.g. you just want to confirm that an email address looks roughly safe before sending an opt-in email or adding to a database), use a basic regex + denylist for common typos (gamil.com, yaho.com, that sort of thing)
2. If you need to have a significant level of confidence that the email corresponds with an address who wants to receive your missives, use double-opt-in.
posted by jmduke at 7:40 AM on August 16, 2023
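
The confirmation-link step that mmascolino, number9dream and jmduke describe (double opt-in), as an added example that is not part of the original thread and is not Buttondown's code. The function names, the in-memory `status` table, the 24-hour lifetime and the demo key are all assumptions made for illustration.

```python
import base64
import hashlib
import hmac
import time
from typing import Dict, Optional

SECRET = b"constructed-demo-key"  # placeholder; use a random key from a secret store
TTL_SECONDS = 24 * 3600           # assumed lifetime of a confirmation link
status: Dict[str, str] = {}       # address -> "pending" | "confirmed" (stand-in for a DB)


def _sign(issued: int, email: str) -> bytes:
    # The MAC covers both the issue time and the address, so a token cannot
    # be replayed for a different address or have its timestamp altered.
    mac = hmac.new(SECRET, f"{issued}:{email}".encode(), hashlib.sha256).digest()
    return base64.urlsafe_b64encode(mac).rstrip(b"=")


def subscribe(email: str, now: Optional[float] = None) -> str:
    """Record the address as pending and return the token to e-mail to it."""
    issued = int(time.time() if now is None else now)
    status.setdefault(email, "pending")
    return f"{issued}.{_sign(issued, email).decode()}"


def confirm(email: str, token: str, now: Optional[float] = None) -> bool:
    """Mark the address confirmed only if the token is genuine and unexpired."""
    now = time.time() if now is None else now
    issued_s, _, sig = token.partition(".")
    if not (issued_s.isascii() and issued_s.isdigit()):
        return False
    issued = int(issued_s)
    if not 0 <= now - issued <= TTL_SECONDS:
        return False
    # Constant-time comparison avoids leaking how much of the MAC matched.
    if not hmac.compare_digest(_sign(issued, email), sig.encode()):
        return False
    if email not in status:
        return False
    status[email] = "confirmed"
    return True
```

Until `confirm` succeeds the address stays "pending" and should receive nothing beyond the confirmation message itself, which covers the case of a valid address typed in by someone who does not own it.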

