How to validate email with PHP

validate email with PHP“How to validate email with PHP” is conceptually part of a bigger problem: accurately validating web forms including emails without sacrificing good UX. I’ll blog about that some other time.

This post presents and dissects PHP code to validate email. The explanations and my reasoning should allow you to adjust the code to your needs if necessary.

First, let me give you some context.

Why I need to validate email with PHP start has been up for little over a year now and maintaining it has really been a smooth ride so far. Even though the cloud service is churning out way over a thousand NodeMCU firmware builds per week manual intervention is rarely need. It’s all fully automated and extremely reliable.

The only thing that bugs me are those “Delivery Status Notification” messages the mail server sends me when it can’t deliver build status emails to users. That happens a few times every day. Since the site does not require registration it’s important users enter valid non-bogus (existing) email addresses. My strategies to fend off bot-triggered form SPAM seem really good. However, I don’t do anything against users who deliberately enter syntactically correct but non-existing email addresses. I’m clueless as to why someone would actually do that but I can confirm it does happen.

Hence, I’ve been thinking and reading a lot about how to validate email with PHP to filter out users who enter non-existing email addresses. Even though I’m really satisfied with the PHP code presented below I won’t integrate it into for the reasons explained in the last chapter.

Characteristics of a valid email address

When is an email address valid? Let’s try… It’s valid when

  • it contains exactly one @
  • it is made up of two parts separated by that @
  • the substring on the right side of the @ represents a hostname
  • yadayada…

That won’t get us anywhere. And don’t add a regular expression to the list as it’s by definition impossible to verify email addresses with regular expressions 100% accurately.

It’s a lot simpler: an email address is valid if you can send an email to it and it does not bounce back.

How to validate email with PHP

As we learned you need to send an email to an address to be 100% sure it’s valid. The second best option is to connect to the responsible mail server (MX host, MX = mail exchange) but to stop short of actually sending the message. Of course that won’t give you 100% accuracy but sometimes that’s good enough. A telnet session with the required commands to verify the email address looks something like this:

Response code 250 for the RCPT TO command means the recipient address is accepted but that doesn’t necessarily mean it’s also valid. For explanations please refer to e.g.

Without further ado let’s dive into code.

Extract the FQDN

The first step is to extract the fully qualified domain name (FQDN) from the email address.

function extractFullyQualifiedDomainFromEmail($email)
$mailSegments = explode("@", $email);
$domain = $mailSegments[1];
// fully qualified domain names should end with a '.', DNS resolution may otherwise take a very long time
if (substr($domain, -1) != ".") {
return $domain . ".";
return $domain;
view raw validate-email.php hosted with ❤ by GitHub

Find the preferred MX host

Using the extracted FQDN you can now lookup the registered MX hosts for that domain. DNS will give you a weighted list of hosts. They’re copied to an associative array and then sorted by weight. Only the host with the highest priority (i.e. the primary MX host) is used.

function findPreferredMxHostForDomain($domain)
$mxRecordsAvailable = getmxrr($domain, $mxRecords, $mxWeight);
if ($mxRecordsAvailable) {
// copy mx records and weight into array $mxHosts
$mxHosts = array();
for ($i = 0; $i < count($mxRecords); $i++) {
$mxHosts[$mxRecords[$i]] = $mxWeight[$i];
asort($mxHosts, SORT_NUMERIC);
return array_keys($mxHosts)[0];
} else {
return null;
view raw validate-email.php hosted with ❤ by GitHub

Open socket to MX host and send commands

The only tricky part is sending the SMTP commands EHLO, MAIL FROM, RCPT TO and reading the server response correctly. You can send a command terminated by carriage return and line feed and the server will, or might, respond. It’s just that the server doesn’t explicitly announce when it’s done with its response and that’s a bit of a problem.

If you read just a single response line and continue sending the next command you’ll completely garble the logic. Since the remaining lines of the previous response have not yet been read you’d interpret the 2nd line of the 1st response as the 1st line of the 2nd response. The output of my initial example would look like so:

See how the “response” to the RCPT TO command is actually the 3rd line of response to the initial EHLO command. AND since it happens to start with 250 you’d interpret this as “all good, address accepted”.

Ok, reading a single line is not a good idea. What if you attempted to read all response lines in a loop until there’s no more data? That won’t work either as it will block once all responses have been read. Your client is simply waiting for more and doesn’t know the server is already done. Therefore, you need to set a timeout on the socket after which the client should stop waiting for a server response. The reading is interrupted and your client can continue.

There’s one serious problem with that approach, though. It may happen that the server takes a little longer than the timeout you defined. In that case you’d return an empty response – only to read the actual but delayed response after the next command was sent!

The only feasible approach that worked for all my test cases was to run the whole socket reading while-loop nested inside another loop and to check whether the response after the timeout was empty.

fwrite($mxSocket, $command . "\r\n");
$response = "";
stream_set_timeout($mxSocket, 1);
// Wait at most 10 * timeout for the server to respond.
// In most cases the response arrives within timeout time and, therefore, there's no need to wait any longer in such
// cases (i.e. keep timeout short). However, there are cases when a server is slow to respond and that for-loop will
// give it some slack. See for the whole story.
for ($i = 0; $i < 10; $i++) {
while ($line = fgets($mxSocket)) {
$response .= $line;
// Only continue the for-loop if the server hasn't sent anything yet.
if ($response != "") {
view raw validate-email.php hosted with ❤ by GitHub

So, if the server takes 5s to respond the client waits 5 x 1s (timeout) until it completes. If the server hasn’t returned anything in 10 x 1s it simply returns an empty response. You don’t want to increase the stream timeout to 10s because then you’d wait 10s after every command, regardless of whether the server sent all data within a few 100 milliseconds or within several seconds.

RFC 822

Since this is about how to validate email with PHP there’s more thing we should talk about. PHP has got a built in email syntax filter

That statement verifies the email address against RFC 822 and returns a boolean. RFC 822 is from 1982, defines the Internet email message format and is updated and obsoleted by newer RFCs. I don’t use filter_var because it validates only the format and because it validates against a rather old format definition.

Full code

A number of caveats

I took the code above to a number of thorough test runs. My disappointing conclusion is that I eventually won’t validate email with PHP, at least not for Here’s why this all is still not reliable enough:

  • Mail servers may simply accept all recipient addresses, they’d return 250 to the RCPT TO command even for invalid addresses.
  • If you run the script on a host which is connected to an ISP that has had troubles with spammers in the past the mail server may refuse connection:

    Or the server rejects you for some other reason:
  • The mail server may allow you to connect but then it could reject the RCPT TO command:
  • A number of other “errors” may occur.

If you simply assume email addresses to be invalid until proven otherwise you may turn down perfectly legit users. Needless to say that this is the worst you can do.

Leave a Reply