How to check if an email address exists without sending an email?
Solution 1
There are two methods you can sometimes use to determine if a recipient actually exists:
-
You can connect to the server, and issue a
VRFY
command. Very few servers support this command, but it is intended for exactly this. If the server responds with a 2.0.0 DSN, the user exists.VRFY user
-
You can issue a
RCPT
, and see if the mail is rejected.MAIL FROM:<> RCPT TO:<user@domain>
If the user doesn't exist, you'll get a 5.1.1 DSN. However, just because the email is not rejected, does not mean the user exists. Some server will silently discard requests like this to prevent enumeration of their users. Other servers cannot verify the user and have to accept the message regardless.
There is also an antispam technique called greylisting, which will cause the server to reject the address initially, expecting a real SMTP server would attempt a re-delivery some time later. This will mess up attempts to validate the address.
Honestly, if you're attempting to validate an address the best approach is to use a simple regex to block obviously invalid addresses, and then send an actual email with a link back to your system that will validate the email was received. This also ensures that they user entered their actual email, not a slight typo that happens to belong to somebody else.
Solution 2
Other answers here discuss the various problems with trying to do this. I thought I'd show how you might try this in case you wanted to learn by doing it yourself.
You can connect to an mail server via telnet to ask whether an email address exists. Here's an example of testing an email address for stackoverflow.com
:
C:\>nslookup -q=mx stackoverflow.com Non-authoritative answer: stackoverflow.com MX preference = 40, mail exchanger = STACKOVERFLOW.COM.S9B2.PSMTP.com stackoverflow.com MX preference = 10, mail exchanger = STACKOVERFLOW.COM.S9A1.PSMTP.com stackoverflow.com MX preference = 20, mail exchanger = STACKOVERFLOW.COM.S9A2.PSMTP.com stackoverflow.com MX preference = 30, mail exchanger = STACKOVERFLOW.COM.S9B1.PSMTP.com C:\>telnet STACKOVERFLOW.COM.S9A1.PSMTP.com 25 220 Postini ESMTP 213 y6_35_0c4 ready. CA Business and Professions Code Section 17538.45 forbids use of this system for unsolicited electronic mail advertisements. helo hi 250 Postini says hello back mail from: <[email protected]> 250 Ok rcpt to: <[email protected]> 550-5.1.1 The email account that you tried to reach does not exist. Please try 550-5.1.1 double-checking the recipient's email address for typos or 550-5.1.1 unnecessary spaces. Learn more at 550 5.1.1 http://mail.google.com/support/bin/answer.py?answer=6596 w41si3198459wfd.71
Lines prefixed with numeric codes are responses from the SMTP server. I added some blank lines to make it more readable.
Many mail servers will not return this information as a means to prevent against email address harvesting by spammers, so you cannot rely on this technique. However you may have some success at cleaning out some obviously bad email addresses by detecting invalid mail servers, or having recipient addresses rejected as above.
Note too that mail servers may blacklist you if you make too many requests of them.
In PHP I believe you can use fsockopen
, fwrite
and fread
to perform the above steps programmatically:
$smtp_server = fsockopen("STACKOVERFLOW.COM.S9A1.PSMTP.com", 25, $errno, $errstr, 30);
fwrite($smtp_server, "helo hi\r\n");
fwrite($smtp_server, "mail from: <[email protected]>\r\n");
fwrite($smtp_server, "rcpt to: <[email protected]>\r\n");
Solution 3
The general answer is that you can not check if an email address exists event if you send an email to it: it could just go into a black hole.
That being said the method described there is quite effective. It is used in production code in ZoneCheck except that it uses RSET instead of QUIT.
Where user interaction with his mailbox is not overcostly many sites actually test that the mail arrive somewhere by sending a secret number that must be sent back to the emitter (either by going to a secret URL or sending back this secret number by email). Most mailing lists work like that.
Solution 4
This will fail (amongst other cases) when the target mailserver uses greylisting.
Greylisting: SMTP server refuses delivery the first time a previously unknown client connects, allows next time(s); this keeps some percentage of spambots out, while allowing legitimate use - as it is expected that a legitimate mail sender will retry, which is what normal mail transfer agents will do.
However, if your code only checks on the server once, a server with greylisting will deny delivery (as your client is connecting for the first time); unless you check again in a little while, you may be incorrectly rejecting valid e-mail addresses.
Solution 5
Not really.....Some server may not check the "rcpt to:"
http://www.freesoft.org/CIE/RFC/1123/92.htm
Doing so is security risk.....
If the server do, you can write a bot to discovery every address on the server....
Admin
Updated on July 08, 2022Comments
-
Admin almost 2 years
I have come across this PHP code to check email address using SMTP without sending an email.
Has anyone tried anything similar or does it work for you? Can you tell if an email customer / user enters is correct & exists?
-
kmkaplan about 15 yearsRegarding the third point, this only happen if you want to use it as a relay. I do not know of any mail exchanger that requires SSL. If any did this they would stop receiving email from many users.
-
Graeme Perrow about 15 yearsSorry, my mistake. If you want to send email using gmail's SMTP server, you must use SSL.
-
David Mårtensson about 13 yearsSome servers will even accept the message but then later send a error message back to the envelope sender, especially if its a large organization with many internal departments with their own mail servers. The border server might not even know all accounts within.
-
Shahriyar Imanov about 13 yearsThen why don't spammers use this method to verify email addies? I mean aside the fact that these methods are supported by very few servers. Or do they?
-
Piskvor left the building almost 13 years(personal experience: I had to argue back and forth with my e-mail provider that yes, I'm aware what I'm doing, and yes, I need the greylisting off - because these checks from a third-party service were failing)
-
sleske almost 12 years@Shehi: Actually spammers may use this method, that's hard to tell. However, because spammers might use it, almost all mail servers disable VRFY, so in practice VRFY is probably useless.
-
Dhruvenkumar Shah over 11 yearshats off! one problem I found is, does port 25 always works with low priority mx record??
-
Drew Noakes over 11 years@DhruvenkumarShah, sorry I don't know. If you find out, please comment again.
-
Dhruvenkumar Shah over 11 yearsHi, I was just trying for my own university account to find out all about MX records but it did not work for 25.. but the online verify-email.org kind of website did work.. how they are doing it.. I will let you know about it if I find it out
-
Papa De Beau about 11 yearsCan you give a code example of how to use a RCPT TO:<user@domain> ? Thanks
-
Janaka R Rajapaksha almost 10 years@DhruvenkumarShah it gives few mail exchange server names. see the answer for mail exchangers. so if one fails, other from the list should works.
-
Janaka R Rajapaksha almost 10 yearsi was thinking about that too :)
-
Janaka R Rajapaksha almost 10 yearsyou can keep a link(for an image etc) in email body and count each load for that link. no need to wait for clicks
-
Mohammed Sufian over 9 yearsreally very help full to mee.. thank you sir..i tried it in putty and works like charms.. thanks..
-
Armel Larcier almost 9 yearsTo VRFY, gmail responds "Send some mail, I'll try my best" ;-)
-
jrosell over 8 yearsport 80 doesn't make sense
-
The Angry Saxon almost 8 yearsI think that's just checking the domain name exists rather than checking the email itself.
-
Admin over 6 yearsThe user is asking for a .Net solution not php.
-
jchook about 6 yearsThis might be more useful:
getmxrr
-
jeanpaul62 almost 4 yearsYou claim this service is open-source. Could you provide a link to the source?
-
Henkealg almost 4 yearsI'm sorry @amaurymartiny I cannot. At the time of writing the Mailgun project was open source if I recall correctly but I am unable to find a link to any repo providing the source after thist time.
-
Chau Giang almost 3 yearsYour code is good but for some emails those I tested, the result is not as expected!
-
tripleee almost 3 yearsIt helps if you don't misspell
RCPT
(abbreviation for "re-ci-pien-t"). -
ThinkTrans about 2 yearsRegex that can satisfy requirement: ^[^@\s]+@[^@\s\.]+\.[^@\s\.]+$ The validation statement is: <anything except whitespaces and "@" sign>@<anything except whitespaces and "@" sign >.<anything except whitespaces, @ sign and dot > Additionally once can also do this: <e-mail localpart >@<domain name > For <e-mail local part > - Follow the guidelines by the "Universal Acceptance Steering Group" - [UASG-026] For <domain name >, follow any domain validation methodology using standard libraries, depending on your language. Additionally follow the document [UASG-018A]