Email ID with dash at the end of local part

19

1

Is it a valid email if the email has a dash (-) at the end of local part of an email? For example,

an.unusual.email-@mydomain.com

Or to generalize, can any of these characters (Characters !#$%&'*+-/=?^_``{|}~ (ASCII: 33, 35-39, 42, 43, 45, 47, 61, 63, 94-96, 123-126)), which are valid to be in local part of the email at the beginning and/or end of the email id?

Google says it is invalid, so for the time being I assume it as invalid too, though RFC excludes only [dot] character from starting with and/or ending local part.

GMail Error for the above case

Note: I'm not concerned about the domain part, because that become more involved due to the way DNS, which complicates the question and answers.

https://social.technet.microsoft.com/Forums/ie/en-US/69f393aa-d555-4f8f-bb16-c636a129fc25/what-are-valid-and-invalid-email-address-characters

Jimson Kannanthara James

Posted 2018-06-18T14:51:20.257

Reputation: 498

Good question. Have you looked at this Stack Overflow question and answer thread? Lots of info—much of it out of date at this point—but still good starting point/

– JakeGould – 2018-06-18T14:56:31.783

good reference link, it seems google treat that email as invalid, while Microsoft don't have any problem. – Jimson Kannanthara James – 2018-06-18T15:00:16.427

1Sharing this since you brought up Google: Gmail ignores any periods in an email address, so if your email was "anunusualemail@gmail.com", you would also receive mail sent to "an.unusual.email@gmail.com". It also ignores pluses at the end of the email address: "anunusualemail+something@gmail.com". – mowwwalker – 2018-06-19T19:12:45.147

1On my own mail service I can ban the letter "u" from usernames. Just because. – Agent_L – 2018-06-20T08:49:50.830

Answers

60

Is it a valid email if the email has a dash (-) at the end of local part of an email? [...] Google says it is invalid, so for the time being I assume it as invalid too, though RFC excludes only [dot] character from starting with and/or ending local part.

It's valid. You're only seeing it rejected by Google because it performs a completely different check – they have their own policies on what the local-part can be, as do many other providers.

Google, or anyone else, would be obligated to accept all possibly valid email addresses only if the form was actually asking for an existing, valid email address (possibly from provider). For example, it would be an error if Gmail's To:/Cc: field rejected a valid address.

But the field you highlighted doesn't ask you for an existing email address; it asks for an account name on Google systems, which will be the basis for an email address only once the account has been created. There is nothing that would forbid Google, or anyone else, from limiting the set of valid account names (or, really, even mailbox names) on their own system.

Or, in other words, defining the allowed characters for 'local-part' only means that mail applications SMTP servers must accept such addresses in RFC 822 headers and SMTP commands – but it doesn't say anything about being able to create such mailboxes. (Indeed, back when the early email RFCs were written and most mailboxes were still tied to OS-level accounts, their names had similar or even stricter limits.)

For example, this part of RFC 5321 (section 4.1.2, below ABNFs) explicitly says that a receiving host is allowed to and indeed should have much stricter limits on how its own mailboxes are named:

While the above definition for Local-part is relatively permissive, for maximum interoperability, a host that expects to receive mail SHOULD avoid defining mailboxes where the Local-part requires (or uses) the Quoted-string form or where the Local-part is case-sensitive.

So, although anunusualemail-@gmail.com is valid syntactically, that alone doesn't mean that Google must allow you to create it.

user1686

Posted 2018-06-18T14:51:20.257

Reputation: 283 655

I perfectly agree. But as you can see gmail is not allowing me to create a valid email address as gmail account, which is the basis of an email and will be my email address (in most cases). or am i missing something here? I agree that they (gmail) might not reject a TO/CC from outlook.com, which allows me to create such one. – Jimson Kannanthara James – 2018-06-18T15:17:47.550

Nice, i get it now. even though i dont find any reason, it is just google specific. I will consider the email anunusualemail-@gmail.com as valid for validations. Thanks. – Jimson Kannanthara James – 2018-06-18T15:50:21.890

6

As an interesting side note, google ignores periods in email addresses (https://gmail.googleblog.com/2008/03/2-hidden-ways-to-get-more-from-your.html) , which also isn't specified in the RFC. So, myname@gmail.com goes to the same place as my.name@gmail.com or m.y.n.a.m.e@gmail.com.

– childofsoong – 2018-06-18T19:17:02.650

4@JimsonKannantharaJames In general, if you want to check if an email is valid, you should actually send an email to that address and force the user to take action. Any checks just based on the syntax of the address should really just be to catch the user making typos. – Michael Mior – 2018-06-18T23:13:41.870

1@grawity Oh I know - I was commenting to give an example of another thing that's not specified in the RFC but is allowed. – childofsoong – 2018-06-19T17:37:37.627

@MichaelMior You described the perfect way to write yourself a security issue. Just put some control characters in there... – user71659 – 2018-06-19T20:26:49.047

@grawity Your program has no influence over the format and control characters recognized by SMTP. For example, add a newline in your e-mail address and insert your own headers and body. – user71659 – 2018-06-19T21:11:26.943

1@user71659 If you're not properly escaping control characters where necessary, you have a bigger problem. Ultimately the email was input by the user and user input should always be deemed dangerous. Assuming some field in your database is safe because of some validation rules can be pretty dangerous. What happens when a few months later someone else populates that field from another form which doesn't have the same validation? – Michael Mior – 2018-06-20T00:54:28.643

@MichaelMior And now you're exactly saying that you need validation for e-mail addresses! When you need do it, input to the DB or when you read it out is debatable, but you've just said you need to strip a certain class of characters from e-mail addresses! Note that it's even more complicated since Unicode is allowable in both parts of e-mail addresses and when that happens, there's special things to do, see RFC 6530. – user71659 – 2018-06-20T01:48:45.263

2@user71659 you are conflating two different issues and muddying the argument. MichaelMior is perfectly correct to state that to verify that an email address exists, you will have to send an email to that address which requires user action. – kumarharsh – 2018-06-20T06:42:29.843

@kumar_harsh Nope! He said "any checks just based on the syntax of the address should really just be to catch the user making typos". A potential security issue is not a typo. Handling Unicode characters is not a typo. – user71659 – 2018-06-20T15:21:15.933

@grawity You just described percent encoding. This is an encoding scheme where you need to stuff an otherwise valid string into something that is sensitive to it. SMTP, on the other hand, defines a set of valid, unencoded, characters, a set of invalid characters (CR), and a set of characters with special handling (other Unicode). There is no defined encoding scheme for invalid characters, like CR. You need to reject it. Likewise, the international character set requires SMTP level handling. You can't shove it all into a SMTP server and claim it works, which is what MichaelMior wants you to do. – user71659 – 2018-06-20T17:14:52.887

@grawity If you get a CR and percent-encoding it, you're just being lazy and doing something to make somebody else reject it. Nobody said to percent encode anything. That's the best case. The worst case is something goes wrong and now you got a security problem. In either case, you've broken handling of international characters. The original statement "Any checks just based on the syntax of the address should really just be to catch the user making typos" should be "You need to check the syntax of the address to prevent potential security issues and to handle international characters" – user71659 – 2018-06-20T17:18:37.863

7

G Suite (formally Google Apps for Your Domain) does allow hyphens (dashes) within email addresses, even as the last character.

Usernames can contain letters (a-z), numbers (0-9), dashes (-), underscores (_), apostrophes ('), and periods (.).

Source: Name and password guidelines

As you noted, Gmail does not allow hyphens in email addresses.

davidmneedham

Posted 2018-06-18T14:51:20.257

Reputation: 1 724

Asked: 2018-06-18T14:51:20.257

Viewed: 4 610 times

Active: 2018-06-18T19:17:28.067