Hi all,

I've been playing with "if(filter_var($email, FILTER_VALIDATE_EMAIL) === ..." and it works fine with exceptions that might simply be my own ignorance so thought I'd seek help here.

FILTER_VALIDATE_EMAIL allows for TLDs such as .nOt, .cot, etc. and assumes them valid whether they're a legal TLD or not.

Or am I wrong in assuming that a TLD must be one of those on the 'list', such as com, net, biz, org, etc. etc.?
Other than creating an array of my own building to allow only what I think are legit TLDs, is there a better way to do it in PHP 5.3?

For those readers interested in such a list, Wikipedia, ICANN and others all have lists of valid Top Level Domains.

Regards,

Rivet

    The problem with checking a list is that such a list must be kept up to date, so I guess that the filter errs on the side of caution.

      Makes sense; "tomorrow" is always pretty unpredictable. It's sure a big hole in validating addresses though. In this particular case it's sort of a social group though - a website for our 50th Reunion and members, so I may take a stab at it anyway. It occurs to me that validating an NS for the TLD might be one answer, but ... something else to learn.

      Thanks, Rivet

        Actually, FILTER_VALIDATE_EMAIL doesn't enforce a TLD at all. Email addresses without one (e.g., adrian@localhost) are perfectly valid; even though they're not typically "useful" to website operators (because they are not resolvable across the web).

        If it's important to you, you'll have to check for yourself. Be careful when building your whitelist, however - as laserlight says, you'll have to keep it up-to-date. Don't forget ccTLDs. And unicode. And remember that anyone (with enough money) can apply for arbitrary TLDs nowadays.

        My approach is to put the onus on the user: if they want a response, the email address needs to be valid and reachable. I don't do anything important with the email address until after I confirm it (i.e., by getting a response from an emailed "verification" link). That's the only real measure of validity anyway.

        edit

        Also, using <input type=email> will tip off modern browsers, and most will require an email with a TLD before allowing the form to submit.

        (this is only a convenience, of course; and not reliable as validation.)

          [text] = my responses within the QUOTE

          traq;11029213 wrote:

          Actually, FILTER_VALIDATE_EMAIL doesn't enforce a TLD at all. Email addresses without one (e.g., adrian@localhost) are perfectly valid; even though they're not typically "useful" to website operators (because they are not resolvable across the web).

          [ So I see. If all the PTB leave it alone, I guess I really should, too. ]

          If it's important to you, you'll have to check for yourself. Be careful when building your whitelist, however - as laserlight says, you'll have to keep it up-to-date. Don't forget ccTLDs. And unicode. And remember that anyone (with enough money) can apply for arbitrary TLDs nowadays.

          [ Hmm, that's something I didn't know about; arbitrary TLDs, that is. I don't think I'd have much of a problem with a white-list, actually. I'm leaning heavily in that direction. As I mentioned, it's a group that isn't likely to be using anything very unique anyway. And I don't mind locking out .biz and a bunch of others. ]

          My approach is to put the onus on the user: if they want a response, the email address needs to be valid and reachable. I don't do anything important with the email address until after I confirm it (i.e., by getting a response from an emailed "verification" link). That's the only real measure of validity anyway.

          [ Now, that's a great idea, actually. Instead of a Thank You page, I use the account itself to send an automated ack to the visitor that his message was received and he/she would receive a response shortly, after which I only need to look for a bounce before I respond. No bounce, it was most likely received at the address I was given. If that's not enough, then I could just add the "click Reply ... " note and give an address to an account only used for that one purpose. ]

          edit

          Also, using <input type=email> will tip off modern browsers, and most will require an email with a TLD before allowing the form to submit.

          (this is only a convenience, of course; and not reliable as validation.)

          That's a good point too; thanks!

          Regards,

          Rivet

            If you want to whitelist, the official database is maintained by the IANA (and ICANN currently have 1,930 gTLD applications pending). You only need to keep it up to date until after your reunion.

            Of course, even then "valid" remains ambiguous. The SS ccTLD didn't exist prior to 2011, but even though the IANA have it registered, there is currently no-one maintaining it.

            And even then, just checking the TLD isn't enough; there's the job of checking the TLD's own registry to see if the next level is "valid".

              Rivet;11029215 wrote:

              So I see. If all the PTB leave it alone, I guess I really should, too.

              I didn't really mean to imply that; just pointing out the reason FILTER_VALIDATE_EMAIL doesn't enforce TLDs. If you need to (and there are plenty of legitimate needs), then by all means, do so.

              Rivet;11029215 wrote:

              Hmm, that's something I didn't know about; arbitrary TLDs

              Turns out "generic TLD" is the actual thing to call it. It costs $185k to apply for a gTLD, and $25k annually to maintain it (once it is approved).

                I usually follow traq's method. I use filter_var() just to make sure a properly formed email was submitted, and then utilize a confirmation email to verify that the email address is actually being used (or at least there's someone waiting on the other end in some form or another).

                  Bonesnap wrote:

                  (or at least there's someone waiting on the other end in some form or another)

                  Not only that, but receiving a verification confirms not only that the address is (a) valid, (b) real, and (c) used, but also (d) belongs to someone who did want to be registered. (Only the first part comes under filter_var's terms of reference).

                    My thanks to all who posted, though I didn't respond a lot myself. With the received inputs I believe I am able to put this to bed.

                    THANKS ALL!
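
The three checks discussed in this thread (format via filter_var, an optional TLD allow-list, then an emailed confirmation link), as an added example that is not code from any poster. The function names, the sample addresses and the constructed TLD excerpt are assumptions, and random_bytes/hash_equals assume PHP 7 or later rather than the 5.3 of the original question.

```php
<?php
// Added example, not code from the thread. $ianaSample is a constructed
// excerpt in the one-TLD-per-line style of the IANA list; load the real file in use.
$ianaSample = "# constructed sample\nCOM\nNET\nORG\nUK\nXN--P1AI\n";

// Parse the list into a lowercase lookup table, skipping comments and blanks.
function loadTlds($text) {
    $tlds = array();
    foreach (preg_split('/\R/', $text) as $line) {
        $line = strtolower(trim($line));
        if ($line !== '' && $line[0] !== '#') {
            $tlds[$line] = true;
        }
    }
    return $tlds;
}

// Format check first, then the TLD allow-list.
// Returns 'ok', 'bad-format', 'no-tld' or 'unknown-tld'.
function checkEmail($email, array $tlds) {
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return 'bad-format';
    }
    $domain = strtolower(substr($email, strrpos($email, '@') + 1));
    $dot = strrpos($domain, '.');
    if ($dot === false) {
        return 'no-tld';   // host-only address that passed the format check
    }
    return isset($tlds[substr($domain, $dot + 1)]) ? 'ok' : 'unknown-tld';
}

// Confirmation step: the raw token goes into the emailed link; only its
// hash and an expiry are stored with the pending registration.
function newConfirmation($ttl = 86400) {
    $token = bin2hex(random_bytes(16));
    return array('token' => $token, 'hash' => hash('sha256', $token),
                 'expires' => time() + $ttl);
}

// True only for an unexpired record whose hash matches the presented token.
function confirmToken($presented, array $stored) {
    return time() < $stored['expires']
        && hash_equals($stored['hash'], hash('sha256', $presented));
}

$tlds = loadTlds($ianaSample);
foreach (array('rivet@example.com', 'rivet@example.cot', 'not-an-address') as $e) {
    echo $e, ' => ', checkEmail($e, $tlds), "\n";
}
$c = newConfirmation();
var_dump(confirmToken($c['token'], $c), confirmToken('guess', $c));
```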
