Ben Nadel
On User Experience (UX) Design, JavaScript, ColdFusion, Node.js, Life, and Love.
Ben Nadel at the New York ColdFusion User Group (May. 2009) with: Mark Drew and Gert Franz
Ben Nadel at the New York ColdFusion User Group (May. 2009) with: Mark Drew@markdrew ) and Gert Franz@gert_railo )

ColdFusion Email Validation, IsValid(), And CFMail Errors

By Ben Nadel on
Tags: ColdFusion

Who here hasn't had to validate an email address format at some point? Heck, I do that in practically every application that I build. And why do I do it? The truth is, I don't really care if people mess up entering their own email address. I mean sure, I validate that. But really, my main concern is NOT having the ColdFusion page request crap out. If you attempt to send a CFMail tag with a bad email address format, it will throw an error.

Sometimes, my email validation is not perfect and I end up not allowing some emails that are actually valid. This got me thinking - what is a valid email address? Or rather, what does ColdFusion think a valid email address is? There are two ways to look at this:

  1. What will pass an IsValid() method call?
  2. What will let a CFMail tag execute successfully?

To test this, I set up an array of emails and then tried sending emails out. In the example below, you will notice that I use ".ben" in the email extension a lot. That is because I don't actually want to send emails to valid addresses. I just want to test to see if they send action works (yes, I did get several hundred undeliverable emails).

  • <!--- Set up emails to test format. --->
  • <cfset arrEmails = ArrayNew( 1 ) />
  • <!--- Add emails that we know are totally bunk. --->
  • <cfset ArrayAppend( arrEmails, "" ) />
  • <cfset ArrayAppend( arrEmails, "1" ) />
  • <cfset ArrayAppend( arrEmails, "@" ) />
  • <cfset ArrayAppend( arrEmails, ".ben" ) />
  • <cfset ArrayAppend( arrEmails, "." ) />
  • <cfset ArrayAppend( arrEmails, "..." ) />
  • <cfset ArrayAppend( arrEmails, "-.-.ben" ) />
  • <!--- Add emails that test the NAME part. --->
  • <cfset ArrayAppend( arrEmails, "sarah@hotties.ben" ) />
  • <cfset ArrayAppend( arrEmails, "mary-kate@equinox.ben" ) />
  • <cfset ArrayAppend( arrEmails, "mrs.molly@teacup.ben" ) />
  • <cfset ArrayAppend( arrEmails, "libby_star@blondes.ben" ) />
  • <cfset ArrayAppend( arrEmails, "d.d.busty@domain.ben" ) />
  • <cfset ArrayAppend( arrEmails, "heather..rose@gotglue.ben" ) />
  • <cfset ArrayAppend( arrEmails, "anne--fesekis@hackley.ben" ) />
  • <cfset ArrayAppend( arrEmails, ".anna.cooper.@hockeychicks.ben" ) />
  • <cfset ArrayAppend( arrEmails, "-christina.cox-@hollywoodhotties.ben" ) />
  • <cfset ArrayAppend( arrEmails, "@campuscuties.ben" ) />
  • <cfset ArrayAppend( arrEmails, "-@justlegal.ben" ) />
  • <cfset ArrayAppend( arrEmails, ".@swank.ben" ) />
  • <cfset ArrayAppend( arrEmails, "3@atatime.ben" ) />
  • <cfset ArrayAppend( arrEmails, "/@punctuation.ben" ) />
  • <cfset ArrayAppend( arrEmails, "*@punctuation.ben" ) />
  • <cfset ArrayAppend( arrEmails, "ben&molly@kittens.ben" ) />
  • <!--- Add emails that test the DOMAIN part. --->
  • <cfset ArrayAppend( arrEmails, "sarah@hot-girls.ben" ) />
  • <cfset ArrayAppend( arrEmails, "anne@got----blondes.ben" ) />
  • <cfset ArrayAppend( arrEmails, "jessica@-cool-girl-.ben" ) />
  • <cfset ArrayAppend( arrEmails, "julie@cool.beans.ben" ) />
  • <cfset ArrayAppend( arrEmails, "julia@brazil..buddies.ben" ) />
  • <cfset ArrayAppend( arrEmails, "kate@dorm.-.girls.ben" ) />
  • <cfset ArrayAppend( arrEmails, "lara@-.ben" ) />
  • <cfset ArrayAppend( arrEmails, "michelle@36-24-36.ben" ) />
  • <cfset ArrayAppend( arrEmails, "" ) />
  • <!--- Add emails that test the EXTENSION part. --->
  • <cfset ArrayAppend( arrEmails, "ye@whatwhat" ) />
  • <cfset ArrayAppend( arrEmails, "stacy@largeladies.4" ) />
  • <cfset ArrayAppend( arrEmails, "marci@totality.123" ) />
  • <cfset ArrayAppend( arrEmails, "jen@toocute.z" ) />
  • <cfset ArrayAppend( arrEmails, "jo@cutencurley.xy" ) />
  • <cfset ArrayAppend( arrEmails, "" ) />
  • <cfset ArrayAppend( arrEmails, "gina@cowgirls.a4b" ) />
  • <cfset ArrayAppend( arrEmails, "linda@lumpyladies.abcdef" ) />
  • <cfset ArrayAppend( arrEmails, "jane@ilikeemlarge.abcdefghij" ) />
  • <!--- Create a table to output the results. --->
  • <table border="0" cellspacing="0" cellpadding="0">
  • <tr>
  • <td>
  • Email
  • </td>
  • <td>
  • IsValid()
  • </td>
  • <td>
  • Email Success
  • </td>
  • </tr>
  • <!--- Loop over the emails and validate them. --->
  • <cfloop index="intI" from="1" to="#ArrayLen( arrEmails )#" step="1">
  • <!--- Try sending out email. --->
  • <cftry>
  • <!--- Send mail. --->
  • <cfmail
  • to="#arrEmails[ intI ]#"
  • from="xxx@yyy.zzz"
  • subject="This is a test email">
  • This is a test email.
  • </cfmail>
  • <!--- Set success flag. --->
  • <cfset blnEmailSuccess = true />
  • <!--- Catch email errors. --->
  • <cfcatch>
  • <!--- Email failed. Set success flag. --->
  • <cfset blnEmailSuccess = false />
  • </cfcatch>
  • </cftry>
  • <!--- Check for validity. --->
  • <cfset blnValid = IsValid( "email", arrEmails[ intI ] ) />
  • <tr>
  • <td>
  • #arrEmails[ intI ]#
  • </td>
  • <td>
  • #YesNoFormat( blnValid )#
  • </td>
  • <td>
  • #YesNoFormat( blnEmailSuccess )#
  • </td>
  • </tr>
  • </cfloop>
  • </table>

The results are kind of surprising. I was a bit shocked how many emails actually can get sent through CFMail with completely horrible email addresses. Here are the results (I have modified the table for display):


Email Form Errors Using IsValid() and CFMail  

As you can see, only THREE emails crashed the ColdFusion CFMail tag. It has hardly any issues. The salmon rows are the rows where IsValid() and CFMail disagree as to what is a valid email address. Very interesting indeed. Honestly, I think my email validation can be MUCH MUCH more simple (if only caring about the CFMail tag crashing). But I guess, I can start to use IsValid(). But, and I am no expert on email address formatting, but IsValid() seems very relaxed about some of the stuff above.

Reader Comments

This one is a good one for Damon Cooper for enhancement to Scorpio. You can contact him or I can file an enhancement if you'd like. Great work by the way.


I just emailed Damon. But I am a little fish and I never hear back from anyone. Feel free to get in contact with him if you think it will help things along.


Perhaps more information will help.

The IsValid() function uses the following regular expression to determine if the email is valid:

The CFMail tag uses the Sun Java class javax.mail.internet.InternetAddress parse() function. Since the implementation uses JavaMail, this is how we generate the InternetAddress objects that we pass in for the addresses (to, from, cc, etc).

The "strict" attribute is turned on. The JavaDoc says of this:

"Parse the given sequence of addresses into InternetAddress objects. If strict is false, simple email addresses separated by spaces are also allowed. If strict is true, many (but not all) of the RFC822 syntax rules are enforced. In particular, even if strict is true, addresses composed of simple names (with no "@domain" part) are allowed. Such "illegal" addresses are not uncommon in real messages.

Non-strict parsing is typically used when parsing a list of mail addresses entered by a human. Strict parsing is typically used when parsing address headers in mail messages"

See the JavaDoc at

Hope that clears it up for you.

i've done some work w/javamail & what tom says is true (of course). even strict parsing passes a lot of addresses some folks would consider "bad", though by the same definition so does the RFC.

i guess complain to sun: better yet, if you get on the javamail list you can complain directly to bill shannon.

Hey guys, I really appreciate the information. I am not familiar at all with the javax classes. I see that I can create them using CreateObject(). That is kind of cool.

But please, I don't want to be misunderstood. I wasn't attacking email validation. I DON'T want to complain to anyone. It's not important to me that some emails get through that maybe are not the best. As I said, I don't want the page to crash and from what I can see, I can relax a bit of my email validation. That was really my main point.

But again, thanks for all the feedback.

This is great information. Thanks for posting this, Ben and Tom.

However, it confirms my fears about using ColdFusion's email address validation (through isValid() or cfparam), since the regex Tom posted is a little crazy, IMO (despite my acceptance that an email validation regex should not follow RFC 822 to the letter). For example, it allows underscores in the hostname (which technically makes it an invalid domain name), and yet there's no support for internationalized domain names (or usernames). And what's with the seemingly arbitrary seven-character top-level domain cap, when the longest official TLDs (.museum and .travel) are six characters? Is it trying to support reserved TLDs like .example and .invalid? If so, what about .localhost, which is eight characters? There are a number of other issues I could point out as well.

In any case, that regex (and any others which control validation provided by isValid/cfparam) should be in the LiveDocs.


I just recently heard of a big problem that was caused by the & characters. It was something bit, like New York Times email addresses or something. Can't remember where I heard it.

Just tried running this:

#IsValid( "email", "name&" )#

... and it returns NOT valid.

One of my e-mail addresses has the domain with format, yet it seems like you might exclude that as an invalid e-mail address (either that or you were checking to see if the system would trip over a perfectly valid e-mail address, I'm not clear what your expected result was). My point is, although validation will help reduce human error and keep out some spam, being too stringent may block out a perfectly valid e-mail. Please exercise caution!


I am not sure what you are saying. From my testing above, that format of email address IS valid. Notice that the address:


... passed both IsValid() and a successful CFMail execution. Sub-domains clearly work in ColdFusion.

Am I confused about what you are saying?

What is the trick to using cfmail to send an email to an address with a single quote in it?

ie micky.o'

@Ben Nadel, yes, it's valid according to RFC 2822--the special characters allowed as part of an email address's username are _!#$%&'*+/=?`{|}~^.-. At my last job I ran into single quotes in email addresses a lot. It's unfortunate that a lot of naïve validation (including CF's isValid, etc.) disallows it.

I unfortunately discovered the cfmail crashing when I switched from OpenBlueDragon to CF8. Apparently BD doesn't validate the email address. Someone entered an email of This was old code (CF 5) and obviously my validation was faulty. Probably a good thing it crashed and forced me to do a better job.

It threw a cf error. Since it was run as a scheduled task I didn't find it until I trolled logs after a couple of subscribers said they weren't getting their email.

It is entirely possible that the event did not occur in BD as the errant subscriber may not have been present so my assumption that BD didn't fail may be false.
The "phantom processes" disappeared after a day or two.
To avoid any future occurences I have made all tasks run once and then have the task delete the task and regenerate it to start it at the appropriate time. The drawback to that is that if the site is down at the time the task is supposed to run the new task won't be created. I have solved that with a cron job which runs every 30 mins that uses curl to run a cfm that checks for missing tasks and recreates them.

There have obviously been some changes in CF9. An address with an erroneous trailing period ( e.g. does not pass the isvalid() check in either CF8 or CF9. However, in CF8 it does not crash CFMAIL, and the mail arrives at the intended destination. In CF9, it crashes CFMAIL, as I found out the hard way! I do not know, however, how extensive the changes in CF9 are.

hi - does anyone have a fix for emails with an ampersand in them eg name&

using isvalid("email","name&") - results in cf (incorrectly) saying that email is invalid - when in reality it is valid (i know coz I've just emailed a customer on their address which contains an ampersand to check and works).

I'm presuming that isvalid uses some regex (somewhere in java?) so maybe one could edit that regex to allow for ampersands?

Anyone know how?

Thanks guys



There's probably no way to edit the core regular expression that is being used. But, if you scroll up to Tom Jordahl's comment, you'll see the regular expression that ColdFusion is using under the hood. You could create your own UDF (user defined function) that adds the & to the appropriate character class.


Thank you very much for your reply, sorry I missed Tom's comment. But you are right, that is exactly what I was looking for so thank you. I'll post our amended expression here when I'm done.

Thanks again for your help Ben

best regards


ok so i'm not strong on regex but i *think* this works



<cfset temp.myemail = "name&" >

<cfif refind("^[&-&a-zA-Z0-9-'\+~]+(\.[&-&a-zA-Z0-9-'\+~]+)*@([a-zA-Z_0-9-]+\.)+[a-zA-Z]{2,7}$",temp.myemail) eq 1>
email is fine
bad email

you can see i've just added &-& in 2 locations to the regex Tom posted. I'm sure there is a better way but I post my findings here in case it helps anyone else.

Maybe someone who understands regex better can correct my slightly hacky way of shoehorning the ampersand character into the equation.

Thanks again for your help Tom and Ben


That looks good to me. One small note - in a character class, not everything has to be a range of characters (ie. &-&). If you simply add the literal &, that will be enough. Ranges are are only needed for multi-character ranges; otherwise, literals will suffice.

So, I found what I think is the ultimate EMAIL validation script. It was created using PHP by Dominic Sayers and apparently it's the best one out there. It follows the email spec to a T.

I began to convert it into a nice CFFUNCTION, but then I ran across your post here.

So just to clarify something, are you saying that no matter what, even if you validate an email address (using this script or whatever), that it might not matter because CFMAIL may still reject the address based on it own regexp? If that's the case, that really really sucks.

Sorry if I'm misunderstanding this, but I didn't want to go through all this work and then find out that it didn't matter. Is it possible you could clarify?


p.s. Dominic's script can be found here. It's worth a look... (Project HOME) (CODE)


I think just the opposite; it appears that the CFMail tag is *much* more relaxed than the isValid(email) method. If you put your own validation in place, I am sure you will get fine results.

Ok, so it's just the isValid function that is using that simple regexp. That makes sense then. Cool.

As always, thank for the informative response! (And on a Sunday to boot!)



Yeah, from what I can tell, isValid() is more limited than CFMail. And no worries on the response - I'm trying to "chunk" my responses in my free time.

Note that domain names can use foreign characters in the meanwhile like ö ü ä in German for example... I think they are not covered by the regex mentioned in this thread!


I had to Google that when you mentioned it. Looks like this is a very new thing for domain registration. It will be interesting to deal with.

I am a German living in NewYork now for quite some time and asking myself if these special letters are valid internationally. Especially if Germans are VERY comfortable writing 'ö' as 'oe', 'ü' as 'ue' and 'ä' as 'ae'.
Where does it end. How about some chinese or japanese symbols? It is getting a bit to specific for me at this point.


It's definitely gonna be interesting to navigate to such domains. I don't know how to type in foreign characters, so I would only be able to Google for these sites. Although, maybe that's not a problem??? After all, so much of navigation is done via Google these days anyway.


If I interpret the RFC2822 spec (, section 3.2.4) correctly, the underscore should be accepted in the 'name' part of an email address - just like these characters: !#$%&'*+-/=?^`{|}~

Domain names (RFC1034 and RFC1035) seem less strictly defined, because those standards write about a "preferred name syntax". That syntax includes only letters, numbers and the hyphen.

I suppose the newer internationalized domain names are subject to certain rules as weel, but my admittedly cursory search hasn't turned them up.

Anyway, even if 'isValid()' could use enhancements, it's better than nothing!

>>I don't know how to type in foreign characters

You are a genius at CF yet you can't add another keyboard layout through the Control Panel? I am sure you are not being serious here.

So glad i found this post. Im developing an intranet app for a client, and they seem to enjoy typing the emails incorrectly.

Im glad , as now i can validate them when they input the emails and ensure the DB does not end up with a load of false ones.

I will still have to check bounce mails to ensure they do exist.

which one is better?

<cfset temp.myemail = "" >

REFind("^[a-zA-Z][\w\.-]*[a-zA-Z0-9]@[a-zA-Z][\w\.-]*[a-zA-Z0-9]\.[a-zA-Z][a-zA-Z\.]*[a-zA-Z]$", Trim(temp.myemail), 1) gt 0>

---- or ---

refind("^[&-&a-zA-Z0-9-'\+~]+(\.[&-&a-zA-Z0-9-'\+~]+)*@([a-zA-Z_0-9-]+\.)+[a-zA-Z]{2,7}$",temp.myemail) eq 1>