Ben Nadel
On User Experience (UX) Design, JavaScript, ColdFusion, Node.js, Life, and Love.
I am the chief technical officer at InVision App, Inc - a prototyping and collaboration platform for designers, built by designers. I also rock out in JavaScript and ColdFusion 24x7.
Meanwhile on Twitter
Loading latest tweet...
Ben Nadel at Scotch On The Rock (SOTR) 2010 (London) with:

ColdFusion Email Validation, IsValid(), And CFMail Errors

By Ben Nadel on
Tags: ColdFusion

Who here hasn't had to validate an email address format at some point? Heck, I do that in practically every application that I build. And why do I do it? The truth is, I don't really care if people mess up entering their own email address. I mean sure, I validate that. But really, my main concern is NOT having the ColdFusion page request crap out. If you attempt to send a CFMail tag with a bad email address format, it will throw an error.

Sometimes, my email validation is not perfect and I end up not allowing some emails that are actually valid. This got me thinking - what is a valid email address? Or rather, what does ColdFusion think a valid email address is? There are two ways to look at this:

  1. What will pass an IsValid() method call?
  2. What will let a CFMail tag execute successfully?

To test this, I set up an array of emails and then tried sending emails out. In the example below, you will notice that I use ".ben" in the email extension a lot. That is because I don't actually want to send emails to valid addresses. I just want to test to see if they send action works (yes, I did get several hundred undeliverable emails).

  • <!--- Set up emails to test format. --->
  • <cfset arrEmails = ArrayNew( 1 ) />
  •  
  • <!--- Add emails that we know are totally bunk. --->
  • <cfset ArrayAppend( arrEmails, "" ) />
  • <cfset ArrayAppend( arrEmails, "1" ) />
  • <cfset ArrayAppend( arrEmails, "@" ) />
  • <cfset ArrayAppend( arrEmails, ".ben" ) />
  • <cfset ArrayAppend( arrEmails, "." ) />
  • <cfset ArrayAppend( arrEmails, "..." ) />
  • <cfset ArrayAppend( arrEmails, "-.-.ben" ) />
  •  
  • <!--- Add emails that test the NAME part. --->
  • <cfset ArrayAppend( arrEmails, "sarah@hotties.ben" ) />
  • <cfset ArrayAppend( arrEmails, "mary-kate@equinox.ben" ) />
  • <cfset ArrayAppend( arrEmails, "mrs.molly@teacup.ben" ) />
  • <cfset ArrayAppend( arrEmails, "libby_star@blondes.ben" ) />
  • <cfset ArrayAppend( arrEmails, "d.d.busty@domain.ben" ) />
  • <cfset ArrayAppend( arrEmails, "heather..rose@gotglue.ben" ) />
  • <cfset ArrayAppend( arrEmails, "anne--fesekis@hackley.ben" ) />
  • <cfset ArrayAppend( arrEmails, ".anna.cooper.@hockeychicks.ben" ) />
  • <cfset ArrayAppend( arrEmails, "-christina.cox-@hollywoodhotties.ben" ) />
  • <cfset ArrayAppend( arrEmails, "@campuscuties.ben" ) />
  • <cfset ArrayAppend( arrEmails, "-@justlegal.ben" ) />
  • <cfset ArrayAppend( arrEmails, ".@swank.ben" ) />
  • <cfset ArrayAppend( arrEmails, "3@atatime.ben" ) />
  • <cfset ArrayAppend( arrEmails, "/@punctuation.ben" ) />
  • <cfset ArrayAppend( arrEmails, "*@punctuation.ben" ) />
  • <cfset ArrayAppend( arrEmails, "ben&molly@kittens.ben" ) />
  •  
  • <!--- Add emails that test the DOMAIN part. --->
  • <cfset ArrayAppend( arrEmails, "sarah@hot-girls.ben" ) />
  • <cfset ArrayAppend( arrEmails, "anne@got----blondes.ben" ) />
  • <cfset ArrayAppend( arrEmails, "jessica@-cool-girl-.ben" ) />
  • <cfset ArrayAppend( arrEmails, "julie@cool.beans.ben" ) />
  • <cfset ArrayAppend( arrEmails, "julia@brazil..buddies.ben" ) />
  • <cfset ArrayAppend( arrEmails, "kate@dorm.-.girls.ben" ) />
  • <cfset ArrayAppend( arrEmails, "lara@-.ben" ) />
  • <cfset ArrayAppend( arrEmails, "michelle@36-24-36.ben" ) />
  • <cfset ArrayAppend( arrEmails, "kimmie@ladies.who.smile.ben" ) />
  •  
  • <!--- Add emails that test the EXTENSION part. --->
  • <cfset ArrayAppend( arrEmails, "ye@whatwhat" ) />
  • <cfset ArrayAppend( arrEmails, "stacy@largeladies.4" ) />
  • <cfset ArrayAppend( arrEmails, "marci@totality.123" ) />
  • <cfset ArrayAppend( arrEmails, "jen@toocute.z" ) />
  • <cfset ArrayAppend( arrEmails, "jo@cutencurley.xy" ) />
  • <cfset ArrayAppend( arrEmails, "pam@waycute.xyz" ) />
  • <cfset ArrayAppend( arrEmails, "gina@cowgirls.a4b" ) />
  • <cfset ArrayAppend( arrEmails, "linda@lumpyladies.abcdef" ) />
  • <cfset ArrayAppend( arrEmails, "jane@ilikeemlarge.abcdefghij" ) />
  •  
  •  
  • <!--- Create a table to output the results. --->
  • <table border="0" cellspacing="0" cellpadding="0">
  • <tr>
  • <td>
  • Email
  • </td>
  • <td>
  • IsValid()
  • </td>
  • <td>
  • Email Success
  • </td>
  • </tr>
  •  
  • <!--- Loop over the emails and validate them. --->
  • <cfloop index="intI" from="1" to="#ArrayLen( arrEmails )#" step="1">
  •  
  • <!--- Try sending out email. --->
  • <cftry>
  •  
  • <!--- Send mail. --->
  • <cfmail
  • to="#arrEmails[ intI ]#"
  • from="xxx@yyy.zzz"
  • subject="This is a test email">
  •  
  • This is a test email.
  • </cfmail>
  •  
  • <!--- Set success flag. --->
  • <cfset blnEmailSuccess = true />
  •  
  • <!--- Catch email errors. --->
  • <cfcatch>
  •  
  • <!--- Email failed. Set success flag. --->
  • <cfset blnEmailSuccess = false />
  •  
  • </cfcatch>
  •  
  • </cftry>
  •  
  •  
  • <!--- Check for validity. --->
  • <cfset blnValid = IsValid( "email", arrEmails[ intI ] ) />
  •  
  • <tr>
  • <td>
  • #arrEmails[ intI ]#
  • </td>
  • <td>
  • #YesNoFormat( blnValid )#
  • </td>
  • <td>
  • #YesNoFormat( blnEmailSuccess )#
  • </td>
  • </tr>
  •  
  • </cfloop>
  • </table>

The results are kind of surprising. I was a bit shocked how many emails actually can get sent through CFMail with completely horrible email addresses. Here are the results (I have modified the table for display):


 
 
 

 
Email Form Errors Using IsValid() and CFMail  
 
 
 

As you can see, only THREE emails crashed the ColdFusion CFMail tag. It has hardly any issues. The salmon rows are the rows where IsValid() and CFMail disagree as to what is a valid email address. Very interesting indeed. Honestly, I think my email validation can be MUCH MUCH more simple (if only caring about the CFMail tag crashing). But I guess, I can start to use IsValid(). But, and I am no expert on email address formatting, but IsValid() seems very relaxed about some of the stuff above.




Reader Comments

This one is a good one for Damon Cooper for enhancement to Scorpio. You can contact him or I can file an enhancement if you'd like. Great work by the way.

Reply to this Comment

Sami,

I just emailed Damon. But I am a little fish and I never hear back from anyone. Feel free to get in contact with him if you think it will help things along.

Thanks!

Reply to this Comment

Perhaps more information will help.

The IsValid() function uses the following regular expression to determine if the email is valid:
^[a-zA-Z0-9-'\+~]+(\.[a-zA-Z0-9-'\+~]+)*@([a-zA-Z_0-9-]+\.)+[a-zA-Z]{2,7}$

The CFMail tag uses the Sun Java class javax.mail.internet.InternetAddress parse() function. Since the implementation uses JavaMail, this is how we generate the InternetAddress objects that we pass in for the addresses (to, from, cc, etc).

The "strict" attribute is turned on. The JavaDoc says of this:

"Parse the given sequence of addresses into InternetAddress objects. If strict is false, simple email addresses separated by spaces are also allowed. If strict is true, many (but not all) of the RFC822 syntax rules are enforced. In particular, even if strict is true, addresses composed of simple names (with no "@domain" part) are allowed. Such "illegal" addresses are not uncommon in real messages.

Non-strict parsing is typically used when parsing a list of mail addresses entered by a human. Strict parsing is typically used when parsing address headers in mail messages"

See the JavaDoc at http://java.sun.com/products/javamail/javadocs/javax/mail/internet/InternetAddress.html

Hope that clears it up for you.

Reply to this Comment

i've done some work w/javamail & what tom says is true (of course). even strict parsing passes a lot of addresses some folks would consider "bad", though by the same definition so does the RFC.

i guess complain to sun: http://java.sun.com/products/javamail/index.jsp better yet, if you get on the javamail list you can complain directly to bill shannon.

Reply to this Comment

Hey guys, I really appreciate the information. I am not familiar at all with the javax classes. I see that I can create them using CreateObject(). That is kind of cool.

But please, I don't want to be misunderstood. I wasn't attacking email validation. I DON'T want to complain to anyone. It's not important to me that some emails get through that maybe are not the best. As I said, I don't want the page to crash and from what I can see, I can relax a bit of my email validation. That was really my main point.

But again, thanks for all the feedback.

Reply to this Comment

This is great information. Thanks for posting this, Ben and Tom.

However, it confirms my fears about using ColdFusion's email address validation (through isValid() or cfparam), since the regex Tom posted is a little crazy, IMO (despite my acceptance that an email validation regex should not follow RFC 822 to the letter). For example, it allows underscores in the hostname (which technically makes it an invalid domain name), and yet there's no support for internationalized domain names (or usernames). And what's with the seemingly arbitrary seven-character top-level domain cap, when the longest official TLDs (.museum and .travel) are six characters? Is it trying to support reserved TLDs like .example and .invalid? If so, what about .localhost, which is eight characters? There are a number of other issues I could point out as well.

In any case, that regex (and any others which control validation provided by isValid/cfparam) should be in the LiveDocs.

Reply to this Comment

@Stephen,

I just recently heard of a big problem that was caused by the & characters. It was something bit, like New York Times email addresses or something. Can't remember where I heard it.

Just tried running this:

#IsValid( "email", "name&name@domain.com" )#

... and it returns NOT valid.

Reply to this Comment

One of my e-mail addresses has the domain with format @xx.xxxxxx.com, yet it seems like you might exclude that as an invalid e-mail address (either that or you were checking to see if the system would trip over a perfectly valid e-mail address, I'm not clear what your expected result was). My point is, although validation will help reduce human error and keep out some spam, being too stringent may block out a perfectly valid e-mail. Please exercise caution!

Reply to this Comment

@Ryan,

I am not sure what you are saying. From my testing above, that format of email address IS valid. Notice that the address:

julie@cool.beans.ben

... passed both IsValid() and a successful CFMail execution. Sub-domains clearly work in ColdFusion.

Am I confused about what you are saying?

Reply to this Comment

What is the trick to using cfmail to send an email to an address with a single quote in it?

ie micky.o'flannigan@somedomain.com

Reply to this Comment

@Ben Nadel, yes, it's valid according to RFC 2822--the special characters allowed as part of an email address's username are _!#$%&'*+/=?`{|}~^.-. At my last job I ran into single quotes in email addresses a lot. It's unfortunate that a lot of naïve validation (including CF's isValid, etc.) disallows it.

Reply to this Comment

why cc in cfmail not function if more than 1 cc at the same time, could someone help me?

Reply to this Comment

I unfortunately discovered the cfmail crashing when I switched from OpenBlueDragon to CF8. Apparently BD doesn't validate the email address. Someone entered an email of http://blah@somewhere.com. This was old code (CF 5) and obviously my validation was faulty. Probably a good thing it crashed and forced me to do a better job.

Reply to this Comment

It threw a cf error. Since it was run as a scheduled task I didn't find it until I trolled logs after a couple of subscribers said they weren't getting their email.

Reply to this Comment

It is entirely possible that the event did not occur in BD as the errant subscriber may not have been present so my assumption that BD didn't fail may be false.
The "phantom processes" disappeared after a day or two.
To avoid any future occurences I have made all tasks run once and then have the task delete the task and regenerate it to start it at the appropriate time. The drawback to that is that if the site is down at the time the task is supposed to run the new task won't be created. I have solved that with a cron job which runs every 30 mins that uses curl to run a cfm that checks for missing tasks and recreates them.

Reply to this Comment

There have obviously been some changes in CF9. An address with an erroneous trailing period ( e.g. john@keyston.ca.) does not pass the isvalid() check in either CF8 or CF9. However, in CF8 it does not crash CFMAIL, and the mail arrives at the intended destination. In CF9, it crashes CFMAIL, as I found out the hard way! I do not know, however, how extensive the changes in CF9 are.

Reply to this Comment

hi - does anyone have a fix for emails with an ampersand in them eg name&name@domain.com

using isvalid("email","name&name@domain.com") - results in cf (incorrectly) saying that email is invalid - when in reality it is valid (i know coz I've just emailed a customer on their address which contains an ampersand to check and works).

I'm presuming that isvalid uses some regex (somewhere in java?) so maybe one could edit that regex to allow for ampersands?

Anyone know how?

Thanks guys

Nick

Reply to this Comment

@Nick,

There's probably no way to edit the core regular expression that is being used. But, if you scroll up to Tom Jordahl's comment, you'll see the regular expression that ColdFusion is using under the hood. You could create your own UDF (user defined function) that adds the & to the appropriate character class.

Reply to this Comment

@Ben

Thank you very much for your reply, sorry I missed Tom's comment. But you are right, that is exactly what I was looking for so thank you. I'll post our amended expression here when I'm done.

Thanks again for your help Ben

best regards

Nick

Reply to this Comment

ok so i'm not strong on regex but i *think* this works

^[&-&a-zA-Z0-9-'\+~]+(\.[&-&a-zA-Z0-9-'\+~]+)*@([a-zA-Z_0-9-]+\.)+[a-zA-Z]{2,7}$

ie

<cfset temp.myemail = "name&name@domain.com" >

<cfif refind("^[&-&a-zA-Z0-9-'\+~]+(\.[&-&a-zA-Z0-9-'\+~]+)*@([a-zA-Z_0-9-]+\.)+[a-zA-Z]{2,7}$",temp.myemail) eq 1>
email is fine
<cfelse>
bad email
</cfif>

you can see i've just added &-& in 2 locations to the regex Tom posted. I'm sure there is a better way but I post my findings here in case it helps anyone else.

Maybe someone who understands regex better can correct my slightly hacky way of shoehorning the ampersand character into the equation.

Thanks again for your help Tom and Ben

Reply to this Comment

@Nick,

That looks good to me. One small note - in a character class, not everything has to be a range of characters (ie. &-&). If you simply add the literal &, that will be enough. Ranges are are only needed for multi-character ranges; otherwise, literals will suffice.

Reply to this Comment

So, I found what I think is the ultimate EMAIL validation script. It was created using PHP by Dominic Sayers and apparently it's the best one out there. It follows the email spec to a T.

I began to convert it into a nice CFFUNCTION, but then I ran across your post here.

So just to clarify something, are you saying that no matter what, even if you validate an email address (using this script or whatever), that it might not matter because CFMAIL may still reject the address based on it own regexp? If that's the case, that really really sucks.

Sorry if I'm misunderstanding this, but I didn't want to go through all this work and then find out that it didn't matter. Is it possible you could clarify?

Thanks

p.s. Dominic's script can be found here. It's worth a look...
http://code.google.com/p/isemail/ (Project HOME)
http://code.google.com/p/isemail/source/browse/trunk/is_email.php (CODE)

Reply to this Comment

@Doug,

I think just the opposite; it appears that the CFMail tag is *much* more relaxed than the isValid(email) method. If you put your own validation in place, I am sure you will get fine results.

Reply to this Comment

Ok, so it's just the isValid function that is using that simple regexp. That makes sense then. Cool.

As always, thank for the informative response! (And on a Sunday to boot!)

-Doug

Reply to this Comment

@Doug,

Yeah, from what I can tell, isValid() is more limited than CFMail. And no worries on the response - I'm trying to "chunk" my responses in my free time.

Reply to this Comment

Note that domain names can use foreign characters in the meanwhile like ö ü ä in German for example... I think they are not covered by the regex mentioned in this thread!

Reply to this Comment

@Guest,

I had to Google that when you mentioned it. Looks like this is a very new thing for domain registration. It will be interesting to deal with.

Reply to this Comment

I am a German living in NewYork now for quite some time and asking myself if these special letters are valid internationally. Especially if Germans are VERY comfortable writing 'ö' as 'oe', 'ü' as 'ue' and 'ä' as 'ae'.
Where does it end. How about some chinese or japanese symbols? It is getting a bit to specific for me at this point.

Reply to this Comment

@PixelGrinch,

It's definitely gonna be interesting to navigate to such domains. I don't know how to type in foreign characters, so I would only be able to Google for these sites. Although, maybe that's not a problem??? After all, so much of navigation is done via Google these days anyway.

Reply to this Comment

@Art,

If I interpret the RFC2822 spec (http://tools.ietf.org/html/rfc2822, section 3.2.4) correctly, the underscore should be accepted in the 'name' part of an email address - just like these characters: !#$%&'*+-/=?^`{|}~

Domain names (RFC1034 and RFC1035) seem less strictly defined, because those standards write about a "preferred name syntax". That syntax includes only letters, numbers and the hyphen.

I suppose the newer internationalized domain names are subject to certain rules as weel, but my admittedly cursory search hasn't turned them up.

Anyway, even if 'isValid()' could use enhancements, it's better than nothing!

Reply to this Comment

>>I don't know how to type in foreign characters

You are a genius at CF yet you can't add another keyboard layout through the Control Panel? I am sure you are not being serious here.

Reply to this Comment

So glad i found this post. Im developing an intranet app for a client, and they seem to enjoy typing the emails incorrectly.

Im glad , as now i can validate them when they input the emails and ensure the DB does not end up with a load of false ones.

I will still have to check bounce mails to ensure they do exist.

Reply to this Comment

which one is better?

<cfset temp.myemail = "#form.email#" >

REFind("^[a-zA-Z][\w\.-]*[a-zA-Z0-9]@[a-zA-Z][\w\.-]*[a-zA-Z0-9]\.[a-zA-Z][a-zA-Z\.]*[a-zA-Z]$", Trim(temp.myemail), 1) gt 0>

---- or ---

refind("^[&-&a-zA-Z0-9-'\+~]+(\.[&-&a-zA-Z0-9-'\+~]+)*@([a-zA-Z_0-9-]+\.)+[a-zA-Z]{2,7}$",temp.myemail) eq 1>

Reply to this Comment

Post A Comment

You — Get Out Of My Dreams, Get Into My Comments
Live in the Now
Oops!
Comment Etiquette: Please do not post spam. Please keep the comments on-topic. Please do not post unrelated questions or large chunks of code. And, above all, please be nice to each other - we're trying to have a good conversation here.