August 24, 2002
Email addresses with a "+" are VALID

There's a common design flaw on many, many websites that require an email address to register; most recently I came across this bug on CNet's download.com site: for some reason they don't accept me when I try to register an email address containing a "+", and they then send me back saying my address is invalid. It isn't!

"+" is a completely valid character in an email address, as defined by RFC 822 (pages 8 & 9), the internet messaging standard published in 1982(!). Any website claiming anything else is wrong by definition, plus they are prohibiting me and many fellow anti-spam activists from tracking where inbound spam comes from:

I usually register at websites with an email address of the form username+sitename+yyyy-mm-dd@domain.com and if I ever receive unsolicited email to this address (see my previous rants on dialpad.com) it's easy not only to track where the spammer got my address from, but also to block this address for future emails.

More information:

  • Mail for my addresses is handled by Qmail, which allows this pretty cool feature (allowing each user an "unlimited" number of individual addresses +++).
  • Jakob Nielsen on Mailing list usability (not covering the above issue)...

Comments

Additional site that doesn't consider "+" a valid character in email addresses: Yahoo.com...

Posted by: andersja on August 24, 2002 08:15 PM

More problems with the "+": Microsoft NetMeeting :-(

Posted by: andersja on August 27, 2002 02:43 PM

I've used something similar without the pluses, but apparently the spam didn't come to those addresses, but rather to my default one which I later had to abandon completely.
Isn't this ironic?

Posted by: Johanka on September 8, 2002 01:42 PM

As the owner of davidj.org, I do something similar when filling in forms at a domain. At mp3.com I signed up as mp3@davidj.org knowing that since that mailbox isn't configured it would be sent to my main address davidj@davidj.org.

The concern I had on this one is that a bounce would still be sent for mp3@davidj.org. I guess I will have to look into what mail software powweb uses, though I think it is qmail. I would not want the bounce to be generated, just suck up the mail.

Using the domain@davidj.org will alert me in the future to anyone that sold my name against my wishes.

Posted by: davidj on October 4, 2002 05:33 PM

Hello,
can you explain where you see in the RFC that a + is allowed? I've searched the document for the "+" sign, but did not find any (except in the time notation part of the page)

Greetings,
Stig
You can mail me at blog@hell.be

Posted by: Stig on December 18, 2002 03:43 PM

RFC 822 has these definitions:

~~~~~~~~~~~~~~~~~

CTL = <any ASCII control character and DEL>

specials = "(" / ")" / "<" / ">" / "@" / "," / ";" / ":" / "\" / <"> / "." / "[" / "]" ; where an unquoted "/" means "or"

atom = 1*<any CHAR except specials, SPACE and CTLs> ; where "1*" means "one or more"

word = atom / quoted-string ; where "/" again means "or"

address = mailbox / group ; ditto

mailbox = addr-spec / phrase route-addr ; ditto

addr-spec = local-part "@" domain ; global address

local-part = word *("." word) ; which means "one or more of 'word' separated by periods"

~~~~~~~~~~~~~~~~~

Note that I have edited the comments (following the semicolons in the above) heavily.

Hence an email address/mailbox/addr-spec is "local-part@domain"; "local-part" is composed of one or more of 'word' and periods; "word" can be an "atom" which can include anything except "specials", control characters or blank/space; and specials (the *only* printable ASCII characters [other than space, if you call space "printable"] *excluded* from being a valid "local-part") are:

()<>@,;:\".[]

Therefore by the official standard for email on the internet, the plus sign is as much a legal character in the local-part of an email address as "a" or "_" or "-" or most any other symbol you see on the main part of a standard keyboard.

Posted by: Jeff Woods on April 17, 2003 06:34 AM
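
The grammar quoted in the comment above, turned into a checker (an added example, not part of the original comment thread). It goes slightly beyond the excerpt by also accepting quoted-string words; treating the domain as dot-separated atoms and the NAIVE pattern are assumptions made for illustration, and all sample addresses are constructed.

```python
import re

# specials, the set listed in the comment above: ()<>@,;:\".[]
SPECIALS = '()<>@,;:\\".[]'
# atom = 1*<any CHAR except specials, SPACE and CTLs>; CHAR is 7-bit ASCII,
# CTLs are 0-31 plus DEL (127), SPACE is 32, leaving printable 33..126.
ATOM_CHARS = "".join(chr(c) for c in range(33, 127) if chr(c) not in SPECIALS)
ATOM = "[" + re.escape(ATOM_CHARS) + "]+"
# quoted-string = <"> *(qtext / quoted-pair) <">
QUOTED = r'"(?:[^"\\\r]|\\[\x00-\x7f])*"'
WORD = "(?:" + ATOM + "|" + QUOTED + ")"
# local-part = word *("." word)
LOCAL_PART = re.compile(WORD + r"(?:\." + WORD + ")*")
# Assumption: the domain is dot-separated atoms (no domain-literals).
DOMAIN = re.compile(ATOM + r"(?:\." + ATOM + ")*")
# Hypothetical over-strict pattern of the kind that rejects "+".
NAIVE = re.compile(r"[A-Za-z0-9._-]+@[A-Za-z0-9.-]+")

def is_valid_addr_spec(addr: str) -> bool:
    """addr-spec = local-part "@" domain, per the grammar quoted above."""
    if not addr.isascii():
        return False
    # The domain cannot contain "@", so the last "@" is the separator
    # even when a quoted local-part contains one.
    local, at, domain = addr.rpartition("@")
    if not at:
        return False
    return bool(LOCAL_PART.fullmatch(local) and DOMAIN.fullmatch(domain))

def wrongly_rejected(addresses):
    """Addresses the grammar accepts but the naive pattern refuses."""
    return [a for a in addresses
            if is_valid_addr_spec(a) and not NAIVE.fullmatch(a)]

# Constructed sample input.
SAMPLES = [
    "username+sitename+2002-08-24@domain.com",
    "*david*@domain.se",
    "o'brien@example.com",
    "first.last@example.com",
    "first..last@example.com",   # empty word between the periods
    "a b@example.com",           # unquoted SPACE
    '"a b"@example.com',         # quoted-string word
]

if __name__ == "__main__":
    for a in SAMPLES:
        print(f"{a!r:45} rfc822={is_valid_addr_spec(a)}")
    print("valid but refused by NAIVE:", wrongly_rejected(SAMPLES))
```

Comments, folding whitespace and domain-literals from the full RFC 822 grammar are not handled here.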

Okay, so does that mean you can have apostrophes in the local-part of an e-mail address?

Would appreciate some comment on this as I can't exactly follow the text above.

Cheers,
Carl

Posted by: Carl Joseph on May 6, 2003 04:31 AM

Need a bit of help on this one...

Is "*" valid in an e-mail address as well? Could this be a valid address:

*david*@domain.se

Thanks in advance!

/David Bergkvist

Posted by: David Bergkvist on May 15, 2003 10:48 AM

Yes, a '*' is valid in an email address.

Your address: *david*@domain.se is valid

Posted by: shashank on July 1, 2003 08:42 PM

i can't help but wonder why you don't just relax and change the pluses to hyphens or underscores.

cnet probably did not make a conscious effort to not allow plus signs on their website. probably what happened was whoever wrote the regular expression they're using to validate email addresses didn't specify in the reg ex that plus signs are allowed. i would go a step further and say the person who developed the cnet site took a regular expression they found somewhere at a code site and may not even know how it works (as regular expressions have a bit of a learning curve/take some effort to learn).

but anyway, if you weren't so stubborn you would just use a different character that's more common than trying to launch a crusade against the injustices of organizations not allowing plus signs in the email addresses of their members.

Posted by: scott on September 24, 2003 08:15 PM


That isn't the point Scott. They are not following widely accepted standards that were published LONG before they built the site. The value of following these standards lets us use built in functionality of programs like Qmail and Sendmail. Why should the majority of people "following the rules" be forced to change when the web designers aren't?

Posted by: Jericho on October 28, 2003 09:56 PM

are you sure this is correct:
()<>@,;:\".[]

are + signs not allowed?


mail me at berry@vanthiel.nl or berry.van.thiel@recreatiemedia.nl

thanks

Posted by: on November 8, 2003 11:58 AM

While the RFC allows the use of the + character, is there an RFC that states how the + character should be treated as part of an email address? Who is to decide whether pete+mary@somesite.com should actually go to that address rather than just pete@somesite.com after it drops the + character and the characters following it? I know I have tried this format with a few mail servers who have given a mailbox not found error as they look for everything preceding the @ symbol.

Posted by: Shay Rickman on November 13, 2003 02:43 PM

Shay - the whole idea is that the whole address (username+something@host.com) is a valid address. By default, no chopping or "ignoring" occurs. How your mailserver parses it is up to how you configure it. Check out Qmail ( http://www.qmail.org/ ) for a great way of allowing each user to set up their own custom mail-aliases, enabling filtering as well as spam-prevention! :-)

Posted by: Anders on November 13, 2003 03:48 PM

Cracking website explaining what characters are valid:

http://www.remote.org/jochen/mail/info/chars.html

Posted by: John Miller on February 13, 2004 04:43 AM

Do you have some clever way of wildcarding those addresses with qmail, or do you after each time you have registered at some new site have to create a new alias for that site?

Basically what I'm asking is do you have only one

~/.andersja+somethingclever+yyyy-mm-dd

file in your home directory, or is it full of forwards like this

~/.andersja+jacobsendotno+2004-02-24
~/.andersja+slashdot+2000-01-01
~/.andersja+nytimes+2001-11-13
~/.andersja+somesite+2003-09-06
~/.andersja+someothersite+2004-01-29
etc..

Posted by: Steff on February 24, 2004 11:37 AM

oh, and prepend .qmail to andersja there, obviously. :)

Posted by: Steff on February 24, 2004 11:39 AM

Steff,

I use a .qmail-default which routes all unknown addresses through a spam filter and then on to my mailbox:

$ cat ~/.qmail-default
|preline procmail -Yf- .procmailrc-spam
./Mailbox

If an address goes bad (stolen, abused, spammed to), I'll set up a .qmail-{something-specific} to bounce email to that address. As an example, my entry for dialpad looks like this:

$ cat .qmail-dialpad
|bouncesaying 'This address no longer accepts mail. Anders can be reached at www.jacobsen.no'

Posted by: Anders on February 24, 2004 11:57 AM

Does anyone know of a RegEx capable of filtering EXACTLY according to RFC822? I don't seem to find any such thing in the net... been searching all day actually. Would appreciate it greatly if someone could give me a link with that RegEx that lets in EVERYTHING that RFC822 suggests. :-(

TIA

Posted by: Ruman on April 19, 2004 01:14 PM

Good afternoon, I'm not sure I'm in the right place. I have some very old email addresses and I don't know if they are still valid. Is there a site I can go to - for free - to find out ? ? ?
Thanking you in advance for a rapid response.

Posted by: Frenchy Fran on May 9, 2004 09:31 PM

It took me a while to figure out that you need to add a line in /var/qmail/assign like the following

+andersja+:andersja:$(UID):$(GID):/home/andersja:+::

Where $(UID) and $(GID) are your uid and gid.

After you add it, you need to run 'qmail-newu' to rebuild the cdb.
See 'man qmail-users' for more info.

Posted by: Doug on May 18, 2004 02:24 AM

What about the "'" signs.

The "'" character is very troublesome when you process SQL inserts. This is especially true for Irish names like Mc'Gregor.

On my site http://www.myTrashMail.com I just cut it out when any Irish dude inputs his name into the forms.

When writing an application many people are not aware of it. From now on I am always using Parameterized Queries for my DB Inserts. You can even store double byte email addresses.

Posted by: Mr. Fake Email on September 24, 2004 01:21 PM
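
The SQL problem described in the comment above, shown next to the parameterized fix (an added example, not code from the original thread). Python's sqlite3 stands in for the site's database as an assumption, the table and function names are hypothetical, and the addresses are constructed.

```python
import sqlite3

# Constructed sample addresses; each has a valid RFC 822 local-part.
ADDRESSES = [
    "mc'gregor+shop+2004-09-24@example.com",
    "username+sitename+2002-08-24@domain.com",
    "*david*@domain.se",
]

def open_db() -> sqlite3.Connection:
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (email TEXT PRIMARY KEY)")
    return db

def insert_concatenated(db, email: str) -> None:
    """The 'before': the address is spliced into the SQL text, so an
    apostrophe in it ends the string literal early."""
    db.execute("INSERT INTO users (email) VALUES ('" + email + "')")

def insert_parameterized(db, email: str) -> None:
    """The fix: the address travels as a bound value, never as SQL text."""
    db.execute("INSERT INTO users (email) VALUES (?)", (email,))

def demo():
    """Return (addresses the concatenated insert broke on, rows stored
    intact by the parameterized insert)."""
    db = open_db()
    failed = []
    for email in ADDRESSES:
        try:
            insert_concatenated(db, email)
        except sqlite3.OperationalError:
            failed.append(email)  # the statement no longer parses
    db.execute("DELETE FROM users")
    for email in ADDRESSES:
        insert_parameterized(db, email)
    rows = db.execute("SELECT email FROM users ORDER BY rowid")
    return failed, [row[0] for row in rows]

if __name__ == "__main__":
    failed, stored = demo()
    print("broke the concatenated INSERT:", failed)
    print("stored unchanged via placeholders:", stored)
```

With bound parameters there is no need to strip or escape the apostrophe, so the stored address is the one the user typed.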

You can put antislashes before a ' or a "
it works well

Posted by: Glad on November 16, 2004 07:37 PM

According to RFC822, the period "." is a special character, and yet is used in local-parts everywhere. How can you explain this direct violation of the RFC by so many people?

Posted by: on May 25, 2005 03:58 PM

>> According to RFC822, the period "." is a special character...

Yes it is, but look at the following RFC 822 definition (posted by Jeff):

local-part = word *("." word) ; which means "one or more of 'word' separated by periods"

So, even if 'word' cannot contain the period because it is a special character, the actual email address can.

Posted by: mms on June 8, 2005 06:24 PM

I'm not sure if I understand the '+' issue in email addresses completely, however, RFC-1642 is an EXPERIMENTAL PROTOCOL (not yet a standard) that uses UTF-7 to encode Unicode characters using 7-bit ASCII characters.

That way, people in Japan could use Japanese characters in their email address (for example). Using RFC-1642, good old 7-bit ASCII addresses would look the same as they always did.

But here's the kicker... RFC-1642 uses the + symbol as a shift character to help encode the Unicode characters.

So maybe sites and/or programs that have issues with + signs in email addresses are following RFC-1642 rules even though it's not a full standard yet? Microsoft and Yahoo cater to a more 'global' market so maybe they are experimenting with RFC-1642? Just a thought.

Posted by: Robert Walsh on September 29, 2005 09:09 PM

So I can see the + addressing thing could be useful for some tasks, but wouldn't email harvesters just drop the + and everything after it to capture your real address? Sure it violates the RFC, but if they're collecting addresses to spam, they probably don't care.

Posted by: Terry on November 9, 2005 11:40 PM

Appending my previous comment, when I say "it violates the RFC" I mean the act of dropping the + and everything after it violates the RFC (violates the directive that only the receiving site may interpret the bit before the @), I don't mean to say that the + violates the RFC.

Posted by: Terry on November 9, 2005 11:43 PM
© Anders Jacobsen