Ask HN: What is the norm for email validation?
For email validation, what is the norm for mobile apps? Are people making a service call to third-party like Mailgun, or checking on the client side?
I'm trying to come up with the options on the service side and client side, and what options exist in the Rails environment already. I feel like our CTO is more inclined to go with what other tech companies are using on the mobile apps.
17 comments
[ 315 ms ] story [ 74.2 ms ] threadThe following may not work for your use case and I'm no expert in the area, but it could be possible to write a simple shell script to dig the mx records, and fail out if there's no such, and if you wanted to go a step further, you could open SMTP, and fail out if you can't, and if you wanted to go a step further you could even on the mx maybe even do a direct ping or some other lookup of the address part in that session, so long as the server is not a catchall. I feel the total bandwidth outlay would be no more then a small http roundtrip. Tho you might get a bit of hit on the connection time, or retries, as my feeling is not all SMTP hosts are speedy. Thanks
[0] https://en.wikipedia.org/wiki/Greylisting
No, it absolutely doesn't.
If an attacker breaches a user's mailbox, and then uses a 'forgotten password' process to gain access to another system, the user will know about it - their existing long-lived session would be killed, and the password they remember/have saved will no longer work.
If the attacker simply uses the mailbox access to use & delete "login link" emails, they could make use of this to access the victims account for as long as they have access to the mailbox.
"On the Futility of Email Regex Validation"
https://jackfoxy.github.io/FsRegEx/emailregex.html
Just send a verification email...
https://mandrill.zendesk.com/hc/en-us/articles/205583217-Int...
Wouldn't integrating this help solve the issue, as you can possibly check if you received a bounce for that email shortly after the user attempts to register, and then notify them on the screen?
A confirmation email doesn't solve the problem if the user mistyped the address to begin with. You're right, they wait for a confirmation email that never comes.
Using a third party service like BriteVerify's rest api is the only way to get an actual verification that the inbox exists.