Best way to validate an email address - email

Recently at work we had a debate about what could be the best way to validate an email address for a user, for handling cases where a user registers with a wrong email (say my email is andrew123#gmail.com and I put in aandrew123#gmail.com). We came up with this solution:
User registers an email
An email for the registration is sent through AWS SES. If the mail goes into permanent bounce, we set this user's mail as "invalid"
When in cart checkout, if the user's mail address is invalid, an alert is shown, prompting the user to check and change the email address
However, I still think that a better (and simpler) approach would be to just include an activation code in the registration email. I want to know your thoughts on this, since it is really scratching my head :/
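An added example (not part of the original post) of the activation-code approach the question proposes: a signed, expiring token bound to the address on file, so a code mailed to a mistyped address cannot activate the account once the address is corrected. The secret, the one-day lifetime and the function names are assumptions.

```python
import base64
import hashlib
import hmac
import time

SECRET = b"constructed-demo-secret"   # assumption: loaded from server-side config
MAX_AGE = 24 * 3600                   # assumed policy: codes expire after one day


def _sign(payload):
    mac = hmac.new(SECRET, payload, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(mac).decode().rstrip("=")


def make_activation_token(user_id, email, now=None):
    """Token = user id, issue time and a MAC that also covers the address."""
    issued = int(time.time() if now is None else now)
    payload = f"{user_id}:{issued}:{email.lower()}".encode()
    return f"{user_id}.{issued}.{_sign(payload)}"


def verify_activation_token(token, email_on_file, now=None):
    """True only if the token is intact, unexpired and issued for this address."""
    try:
        user_id, issued, tag = token.split(".")
        int(user_id)
        issued_at = int(issued)
    except ValueError:
        return False                  # wrong shape or non-numeric fields
    current = time.time() if now is None else now
    if not 0 <= current - issued_at <= MAX_AGE:
        return False                  # expired, or issue time in the future
    payload = f"{user_id}:{issued_at}:{email_on_file.lower()}".encode()
    # Constant-time comparison on bytes, so odd characters cannot raise.
    return hmac.compare_digest(tag.encode(), _sign(payload).encode())
```

Until the token comes back, the address stays unverified; a bounce notification can still be used to prompt the user sooner, but only the returned code shows that the mailbox belongs to them.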

Related

(Google Workspace) Email not being received from one sender only

I have a Google Workspace (I think that is what it is called) that I use to manage a private email address for a small business.
Everything has been working fine, and I can see the user (richard) in the admin area with associated email set up. I have sent test emails to and from their email account to make sure it is working okay and everything seems to be working fine.
I have two email addresses associated with the domain, for example:
emma#domain.co.uk (me) and
richard#domain.co.uk (richard)
I use the first email address as an admin account, and they use the second one.
They've had this email account for a long time, and have had no problems, however recently they have stopped receiving emails from one sender (their accountant).
I can still send emails to the account from my own personal email address to them, and they are receiving emails from other businesses, but just this one person is sending emails to them and they aren't being received.
Things I've tried:
Checked the spam/junk folders and no emails are there
Checked to make sure the sender isn't on the blocked list
Looked at the email logs as per this suggested article and don't see any record of the incoming email that has been sent
Sent a test email to account#accountant.co.uk and richard#domain.co.uk from emma#domain.co.uk and they both receive my email. When the accountant presses "reply all" the email only gets received by emma#domain.co.uk and never arrives at richard#domain.co.uk
Sent a test email from richard#domain.co.uk to account#accountant.co.uk and she receives the email. When she replies, he doesn't get the reply.
All I can think of is she has somehow blocked him via her email client, but I need to check out all the possibilities of it being a problem at our end as she's not great with email and not sure how I'm going to navigate that one :)
Any suggestions welcome!

Getting a List of My Email Recipients who have viewed my email?

Trying to get a list of my email recipients who have seen my email, and then to use a different medium to address who didn't see (via SMS/Call).
I could get the number of people who saw the email by having a hit counter set up in a web server, looking for a method to get this done now. Any help?
Thanks.
It can't be done reliably. Popular email clients will not do anything to alert the sender that an email was received because this allows spammers to detect if the email address is valid. That's why most email clients block remote images until the user clicks "Show Images" because the images could be used for this purpose.
Email systems support something called a "read receipt" that is intended for this use, but most clients will never send one.
You can detect if an email bounces but receiving an email and viewing an email are two different things.

How to check misspelled email during user registration

I use an email registration and confirmation in my project (yes, I know about OpenID. In my country, a main email service lacks it).
Sometimes users misspell their email addresses. I know about this due to "message could not be delivered" letters in a mailbox. A misspelled address is absolutely correct, because I check it with a regular expression - say, jon.doe#example.com instead of john.doe#example.com. And I do not want to duplicate an email field in a registration form (who likes it?).
Request processing routine cannot wait for email delivery - it could take an unpredictable time. So, my script will return to user a confirmation message "An email was sent". And the user will wait for it forever (of course, not - he/she will turn to an alternative project with a more perfect registration system).
Does someone know how it can be improved (in any programming language)?
If you cannot wait for a response back from a confirmation e-mail, I would display a yes/no message box confirming their e-mail (i.e. Send e-mail to jon.doe#example.com?) before sending the e-mail. While you're at it, you can check to see if the e-mail is a duplicate as well.
If no duplicate found and they click "Yes" then send the e-mail. If not, ask them to re-enter the e-mail address.
With this approach you have gone above and beyond validating correct e-mail addresses since there are no services that will explicitly check for correct/valid addresses.
Unfortunately, there's no canonical way to spell anything in an e-mail address and no way to check programmatically whether it's spelled correctly or not. The only tool that can confirm the correctness of a valid e-mail address is Eyeball 1.0, which runs client side.
You can try the SMTP VRFY on the server but most won't reply with anything valuable. Most will simply say "go ahead and try it" because returning something useful would be invaluable to spammers.
You can always check the domain name with a DNS lookup but the only way to check an email address is to send a message.
Try to have the user type his email twice with an email confirmation field (as for the password).
EDIT : Anthony's idea is good too.
For user parts of email the only thing I can think of is using:
MX lookups (if mail provider doesn't block them... since that can be abused to filter email lists)
Requiring user to enter email twice to ensure he doesn't misspell user portion of email
As for domain part of email, take a look at this:
AngularJs directive to offer suggestions for misspelled emails?
It helped me to reduce bounce for misspellings like gmai.com and gmail.con.
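An added example (not code from this answer or from the linked directive) of suggesting a corrected domain for typos such as gmai.com and gmail.con, using an edit distance that also counts swapped adjacent letters. The domain list and the distance threshold are assumptions.

```python
# Constructed list of the domains a site sees most often (assumption).
COMMON_DOMAINS = ["gmail.com", "yahoo.com", "outlook.com", "hotmail.com", "icloud.com"]


def osa_distance(a, b):
    """Edit distance counting insert, delete, substitute and adjacent swap."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cost = 0 if ca == cb else 1
            best = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost)
            if i > 1 and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                best = min(best, prev2[j - 2] + 1)   # transposition
            cur.append(best)
        prev2, prev = prev, cur
    return prev[-1]


def suggest_address(address, max_distance=2):
    """Return a corrected address to offer the user, or None."""
    local, sep, domain = address.rpartition("@")
    if not sep or not local or not domain:
        return None                      # not shaped like local@domain
    domain = domain.lower()
    if domain in COMMON_DOMAINS:
        return None                      # already a known domain
    scored = sorted((osa_distance(domain, d), d) for d in COMMON_DOMAINS)
    best_score, best = scored[0]
    # Suggest only when the nearest domain is close and not tied with another.
    if best_score <= max_distance and scored[1][0] > best_score:
        return f"{local}@{best}"
    return None
```

Legitimate domains that sit one edit away from a popular one (mail.com next to gmail.com) also trigger a suggestion, so the result belongs in a "did you mean ...?" prompt and never in a silent rewrite.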

Are there other methods than emailing a verification link to verify account info?

At the moment, we are sending an email address verification email each time someone signs up. This email has been causing a number of problems: people don't get it, they just don't click the link in the email or the email gets blocked by spam or some other method. We are working on resolving the spam issue, although I don't think it's possible to completely resolve it.
I'm wondering what other methods there might be for verifying an email address. Is there any other way to verify an email address without sending an email? Or is there another method of ensuring people aren't signing up with fake information?
I'm not sure if there are other good methods, but sending an email and having them click a link is definitely the simplest and most accurate.
A main feature of sending that email is for the person to verify that it's actually them that requested it.
The only way to verify someone owns an email address is to have him use it.
As for verifying users don't enter fake information - not even sending an email can help. With so many disposable/temporary email services out there (like GuerrillaMail), someone can fill up your form with false info, post a temp email address, log in to that address and click the link in your email - manually or programmatically.
You have to trust your users to come back for your content, and ignore spammers.
strikeiron.com offers a paid web service to verify if an email exists without sending a message to that email. Try it out; here is the link: strick
http://www.strikeiron.com/Catalog/ProductDetail.aspx?pv=5.0.0&pn=Email+Verification

Verifying a user in "Email Submission" use case

I'm building a system that allows people to submit text and photos via email in addition to standard access on the website. I'm trying to weigh the security advantages of two strategies in particular for verifying submissions from a user. Here they are as follows:
To based auth: Create a secret email address per user and present this to the user for submission. This strategy has the advantage that people can send from multiple devices that might be set up with different mail accounts
From based auth: Only accept emails from addresses that are registered in the user database. The idea being that it is impractical/difficult to impersonate registered users based on the sending address.
Can you think of other possible solutions? Which strategy of the ones proposed makes the most sense to you?
I would suggest that you not use From based authentication, at least not without some additional credentials (a passphrase, etc)
It's way too easy to forge, and certainly not difficult if you know someone's email address.
If you echo the email back to the user for confirmation, you can make things a little more difficult, but realize that your service can end up being used as a sort of spamming relay. (I could send 100 upload requests to you, with a forged FROM address, and you'd go ahead and spam the real person with 100 confirmation requests)
The better option is to check the registered email address but add the need for a code within the email subject known to the user. This way if they forge the email from address, they would still need a key to authenticate the incoming email.
I would go with "from" + confirmation, to avoid forging.
I.e. receive the email, but send a response with auth token in the subject line (or in the body) back to the "from" address. The user either will need to reply, or click a link to confirm the submission.
And you post the content only after confirmation.
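An added example (not code from any of the answers) of the check suggested in this thread: accept a submission only when the From address is registered and the subject carries that user's code, and drop everything else without replying so forged mail cannot turn the service into a relay. The key, the user table, the `[code]` subject convention and all names are assumptions.

```python
import hashlib
import hmac
import re
from email import message_from_string
from email.utils import parseaddr

SERVER_KEY = b"constructed-demo-key"        # assumption: kept server-side only
REGISTERED = {"alice@example.org": 42}      # constructed user table: address -> id


def submission_code(user_id):
    """Per-user code shown in account settings; derived, so nothing is stored."""
    mac = hmac.new(SERVER_KEY, f"submit:{user_id}".encode(), hashlib.sha256)
    return mac.hexdigest()[:16]


def authenticate_submission(raw_message):
    """Return the user id for an accepted submission, or None to drop it."""
    msg = message_from_string(raw_message)
    senders = msg.get_all("From", [])
    if len(senders) != 1:
        return None                          # missing or duplicated From header
    _, sender = parseaddr(senders[0])
    user_id = REGISTERED.get(sender.lower())
    if user_id is None:
        return None                          # unknown sender: no reply, no bounce
    match = re.search(r"\[([0-9a-f]{16})\]", msg.get("Subject", ""))
    if match is None:
        return None                          # From alone is trivially forged
    if not hmac.compare_digest(match.group(1), submission_code(user_id)):
        return None
    return user_id


def sample_message(sender, subject):
    """Constructed inbound message for trying the check offline."""
    return f"From: {sender}\nTo: upload@example.net\nSubject: {subject}\n\ncaption\n"
```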