ColdFusion Email Validation, IsValid(), And CFMail Errors

Posted September 12, 2006 at 2:36 PM

Tags: ColdFusion

Who here hasn't had to validate an email address format at some point? Heck, I do that in practically every application that I build. And why do I do it? The truth is, I don't really care if people mess up entering their own email address. I mean sure, I validate that. But really, my main concern is NOT having the ColdFusion page request crap out. If you attempt to send a CFMail tag with a bad email address format, it will throw an error.

Sometimes, my email validation is not perfect and I end up not allowing some emails that are actually valid. This got me thinking - what is a valid email address? Or rather, what does ColdFusion think a valid email address is? There are two ways to look at this:

1. What will pass an IsValid() method call?
2. What will let a CFMail tag execute successfully?

To test this, I set up an array of emails and then tried sending emails out. In the example below, you will notice that I use ".ben" in the email extension a lot. That is because I don't actually want to send emails to valid addresses. I just want to test to see if they send action works (yes, I did get several hundred undeliverable emails).

 Launch code in new window » Download code as text file »

The results are kind of surprising. I was a bit shocked how many emails actually can get sent through CFMail with completely horrible email addresses. Here are the results (I have modified the table for display):

As you can see, only THREE emails crashed the ColdFusion CFMail tag. It has hardly any issues. The salmon rows are the rows where IsValid() and CFMail disagree as to what is a valid email address. Very interesting indeed. Honestly, I think my email validation can be MUCH MUCH more simple (if only caring about the CFMail tag crashing). But I guess, I can start to use IsValid(). But, and I am no expert on email address formatting, but IsValid() seems very relaxed about some of the stuff above.

Download Code Snippet ZIP File

Post Comment  |  Ask Ben  |  Permalink  |  Other Searches  |  Print Page

• Add To Del.icio.us
• Add To Digg
• Add to Spurl.net
• Add to Wists
• Add to Simpy
• Add to Newsvine
• Add to BlinkList
• Add to Furl
• Add to reddit
• Add to FARK
• Add to BlogMarks
• Add to Yahoo! My Web
• Add to smarking
• Add to Ma.gnolia
• Add to Segnalo

Reader Comments

This one is a good one for Damon Cooper for enhancement to Scorpio. You can contact him or I can file an enhancement if you'd like. Great work by the way.

Sami,

I just emailed Damon. But I am a little fish and I never hear back from anyone. Feel free to get in contact with him if you think it will help things along.

Thanks!

Perhaps more information will help.

The IsValid() function uses the following regular expression to determine if the email is valid:
^[a-zA-Z0-9-'\+~]+(\.[a-zA-Z0-9-'\+~]+)*@([a-zA-Z_0-9-]+\.)+[a-zA-Z]{2,7}$

The CFMail tag uses the Sun Java class javax.mail.internet.InternetAddress parse() function. Since the implementation uses JavaMail, this is how we generate the InternetAddress objects that we pass in for the addresses (to, from, cc, etc).

The "strict" attribute is turned on. The JavaDoc says of this:

"Parse the given sequence of addresses into InternetAddress objects. If strict is false, simple email addresses separated by spaces are also allowed. If strict is true, many (but not all) of the RFC822 syntax rules are enforced. In particular, even if strict is true, addresses composed of simple names (with no "@domain" part) are allowed. Such "illegal" addresses are not uncommon in real messages.

Non-strict parsing is typically used when parsing a list of mail addresses entered by a human. Strict parsing is typically used when parsing address headers in mail messages"

See the JavaDoc at http://java.sun.com/products/javamail/javadocs/javax/mail/internet/InternetAddress.html

Hope that clears it up for you.

i've done some work w/javamail & what tom says is true (of course). even strict parsing passes a lot of addresses some folks would consider "bad", though by the same definition so does the RFC.

i guess complain to sun: http://java.sun.com/products/javamail/index.jsp better yet, if you get on the javamail list you can complain directly to bill shannon.

Hey guys, I really appreciate the information. I am not familiar at all with the javax classes. I see that I can create them using CreateObject(). That is kind of cool.

But please, I don't want to be misunderstood. I wasn't attacking email validation. I DON'T want to complain to anyone. It's not important to me that some emails get through that maybe are not the best. As I said, I don't want the page to crash and from what I can see, I can relax a bit of my email validation. That was really my main point.

But again, thanks for all the feedback.

This is great information. Thanks for posting this, Ben and Tom.

However, it confirms my fears about using ColdFusion's email address validation (through isValid() or cfparam), since the regex Tom posted is a little crazy, IMO (despite my acceptance that an email validation regex should not follow RFC 822 to the letter). For example, it allows underscores in the hostname (which technically makes it an invalid domain name), and yet there's no support for internationalized domain names (or usernames). And what's with the seemingly arbitrary seven-character top-level domain cap, when the longest official TLDs (.museum and .travel) are six characters? Is it trying to support reserved TLDs like .example and .invalid? If so, what about .localhost, which is eight characters? There are a number of other issues I could point out as well.

In any case, that regex (and any others which control validation provided by isValid/cfparam) should be in the LiveDocs.

Ahh, email validation is not actually correct for many of those entries - http://haacked.com/archive/2007/08/21/i-knew-how-to-validate-an-email-address-until-i.aspx

I recently got a support request for an email that looks like

name&name@domain.com

On research, the "&" actually appears to be valid, although it is though to be not valid.

This is causing some problems.

@Stephen,

I just recently heard of a big problem that was caused by the & characters. It was something bit, like New York Times email addresses or something. Can't remember where I heard it.

Just tried running this:

#IsValid( "email", "name&name@domain.com" )#

... and it returns NOT valid.

One of my e-mail addresses has the domain with format @xx.xxxxxx.com, yet it seems like you might exclude that as an invalid e-mail address (either that or you were checking to see if the system would trip over a perfectly valid e-mail address, I'm not clear what your expected result was). My point is, although validation will help reduce human error and keep out some spam, being too stringent may block out a perfectly valid e-mail. Please exercise caution!

@Ryan,

I am not sure what you are saying. From my testing above, that format of email address IS valid. Notice that the address:

julie@cool.beans.ben

... passed both IsValid() and a successful CFMail execution. Sub-domains clearly work in ColdFusion.

Am I confused about what you are saying?

What is the trick to using cfmail to send an email to an address with a single quote in it?

ie micky.o'flannigan@somedomain.com

@Steve,

Can you even use single quotes in an email address? I am not sure that is even valid.

@Ben Nadel, yes, it's valid according to RFC 2822--the special characters allowed as part of an email address's username are _!#$%&'*+/=?`{|}~^.-. At my last job I ran into single quotes in email addresses a lot. It's unfortunate that a lot of naïve validation (including CF's isValid, etc.) disallows it.

@Steven,

Really?!? Emails can use all of those characters? Bananas!

why cc in cfmail not function if more than 1 cc at the same time, could someone help me?

@She,

It should work as long as the are comma-separated.

I unfortunately discovered the cfmail crashing when I switched from OpenBlueDragon to CF8. Apparently BD doesn't validate the email address. Someone entered an email of http://blah@somewhere.com. This was old code (CF 5) and obviously my validation was faulty. Probably a good thing it crashed and forced me to do a better job.

@Don,

Did this throw a CF error? Or did it just go in the undeliverable folder?

It threw a cf error. Since it was run as a scheduled task I didn't find it until I trolled logs after a couple of subscribers said they weren't getting their email.

@Don,

Ah, gotcha. So, what would have happened with OBD? It must have errored out at some point?

It is entirely possible that the event did not occur in BD as the errant subscriber may not have been present so my assumption that BD didn't fail may be false.
The "phantom processes" disappeared after a day or two.
To avoid any future occurences I have made all tasks run once and then have the task delete the task and regenerate it to start it at the appropriate time. The drawback to that is that if the site is down at the time the task is supposed to run the new task won't be created. I have solved that with a cron job which runs every 30 mins that uses curl to run a cfm that checks for missing tasks and recreates them.

Post Comment  |  Ask Ben

Post A Comment

Please review the following issues:

Author Name:
Author Email:
Author Website:
Comment:	Formatting: <strong>bold</strong> <em>italic<em>
	Remember my information
	Subscribe to entry *
	Send me a copy of this comment (as part of the comment thread)

 

* If you subscribe, any new posts to this thread will be sent to your email address.