I'm locked out of my 6 year old Chipotle account because they now say my email address is invalid when I login. Here is me asking for their help:

My guess is that it's trying to reduce spam and fake account generation.

Thus preventing the growth of any small providers and further entrenching Microsoft, Google, Apple, and a handful of others as the only "viable" options.

Feels very relevant to the fediverse, with how people tend to compare it to email.

Yeah, that's it pretty much.Like 99% of your legitimate users are going to be standard gmail/yahoo/hotmail/etc. You see a user from ten minute mail, it's probably some shady shit.

What registrar do you use? Last time I checked .io domains where like 4x the price of a .org

Skip the building step and go straight to pulling your hair out over why it’s not working! Efficiency!

*Gasp* the registration is coming from inside the colo!

I think it's fair to prevent users from causing mail sent to your internal systems. It probably won't cause any issues getting mail to the machine inbox for (no domain name), but it reasonably makes security uneasy.

Yes, but no. Pretty much every application that accepts an email address on a form is going to turn around and make an API call to send that email. Guess what that API is going to do when you send it a string for a recipient address without an @ sign? It's going to refuse it with an error.

Therefore the correct amount of validation is that which satisfies whatever format the underlying API requires.

For example, AWS SES requires addresses in the form UserName@[SubDomain.]Domain.TopLevelDomain along with other caveats. If the application is using SES to send emails, I'm not going to allow an input that doesn't meet those requirements.

And this right here is a great example of why simple basic RegEx is rarely adequate

At the very least, should be something like

^[^@\s]+@([^@\s.]+\.)+[^@\s.]+$

I'm like 99% sure I missed at least a few cases there, and will say "please don't use this for anything production"

You gotta put backtick quotes around your password on lemmy, otherwise it is automatically censored. It's a security feature of ActivityPub.

That's exactly what they did. They used something like noaddress@ourbusniess.com to get around the checks we had in place. I've intentionally been vague but most people will give their email address to our customers and won't give a fake one. So under normal situations the amount of bounce backs would be minimal: fat fingering, hearing them incorrectly, or people misremembering their email. Not enough to worry about. Never thought we'd come across a customer intentionally putting in bad email addresses for documentation purposes. They could have just asked us to make the functionality they wanted.

I feel like using a@[IPv6:2001:db8::1] is asking for trouble everywhere online.

But its tempting to try out, not many people would expect this.

Jeez and I feel like I'm tempting fate just by using a custom domain.

Im with the earlier "yeah.. No."

Because

"If people can take case-dependence for passwords"

They cant now do they ? If they could passwords would be a-okay and there wouldn't be any need for stickies on monitors, password managers, biometrics, SSO, MFA and passwordless authentication.

The dumbest idea in computing is assuming everyone is as smart as you.

They aren't. Why isn't *nix any bigger? Here's your answer. People are stupid.

Why did IT only finally took off with windows 3.11? because people could understand that. Barely. Most of us where way to dumb for everything which came before.

Why does ipv6 acception takes so long? Because people are stupid and don't get it. Nobody really gets hex. So they just stay with what they can read and more or less get. Even the hardest part of ip4, subnetting, has an easy way out: just add 255.255.255.0 in there and it works. Doesnt work? Keep replacing 255 with zeros and eventually it will. Subnetting on ipv6? No idea. Let's just disable ipv6 on the internal lan and leave everything on ipv4. Zero migration, zero risk, zero training needed.

Why do so many companies only go half assed into cloud? Because they don't get it.

Powershell? Only half, a third even, of the admins truly get it.

I could go on.

Succes is build on simplicity.

'U' and 'u' are two different symbols. And you have to make such rules for every language a part of your processing logic.

Unicode has standard rules for case folding, which includes the rules for all languages supported by Unicode. Case-insensitive comparisons in all good programming languages uses this data.

Note that you can't simply convert both strings to uppercase or lowercase to compare them, as then you'll run into the Turkish i problem: https://haacked.com/archive/2012/07/05/turkish-i-problem-and-why-you-should-care.aspx/

But then you run into the issue of incredibly trivial impersonation on any email service which doesn't reserve all variants of registered names

I know at least one bank that has case-insensitive password in their app 🌚

I'm with you, and I agree that is technically correct, but I believe the sheer number of people who might accidentally write "gmail" instead of "gmail.com" compared to people using an IPv6 address (seems like a spam bot) or using a TLD like "admin@com" make requiring the dot worthwhile.

The full email address syntax described in the RFC cannot be precisely matched with a mere regular expression due to the support for nested comments. The need to track arbitrarily deep nesting state makes it a non-regular language.

If you remove the comments first the remainder can be parsed with a very complex regex, but it will be about a kilobyte long.

when there are well designed and vetted ones available?

I'm not convinced of this, tbh. IIRC the RFC can't be described in a regex at all.

You should put up an informational website to let people know, at https://info.info/

That's not what AI is though.

An AI is pretty good and doing whatever it's programmed to do it's just you have to check that the thing it's programmed to do is actually the thing you want it to do. Things like chatGPT our general purpose AI and essentially exist more or lesses a product demonstration than an actual industry implementation.

When companies use AI they use their own version on their own trained data sets.

“I wont respond to that”

“You just did you dumb bitch!”

“I won’t respond to that”

::aneurism::

DON'T TELL ME HOW TO ELECTRONIC MY MAIL

Could be a Tld without a domain in front.

Mmm... That doesn't seem right, it's usually gotta be fully expanded to at least a particular A record/MX.

How would you tie the tld itself to an MX?

A lot of providers support plus‑aliasing, although it‌'‌s usually in a company‌'‌s best interest to block plus‑aliases.

You're not going to get code injection via an email address field. Just make sure you're using prepared statements (if you're using a SQL database) and that you properly escape the email if you output it to a HTML page.

I think emailregex.com offers best of both worlds.

Yeah mate you're talking out of your ass. A bunch of if statements can, in fact, constitute an AI depending on the context. You don't know what you're talking about, stop trying to pretend you do.

AI is a broad concept, a pathfinding algorithm can be considered AI, a machine learning image generator can be considered AI, a shitty chatbot with predefined responses (like this one) can be considered AI. Reducing something to a stupid sentence like "just a bunch of if statements" to try to make it seem absurd is. I can reduce something like ChatGPT the same way and it'd be pretty much as accurate as your take.

You can draw any AI as a predefined flowchart, that's literally the point, they just make decisions based off of data. Large NLP algorithms like ChatGPT are no exception, they're just very large involving incomparably heavier mathematics.

Here is a good stackoverflow answer to it that actually gives credible sources (including from the people who pioneered AI themselves): https://stackoverflow.com/a/54793198

AI is very broad. You can use many different definitions of varying specificity to describe AI which can all be correct, even a shitty chatbot counts as AI despite being so basic. There's no bottom limit for the complexity of AI.

Problem with that is that you can very easily strip off the + and any bit after it to get your “normal” email address. Then again, when they find out mine is a catch-all, they can spam me as well… I guess you never win.

In what sense do you think this isn't following the email standard? The plus sign is a valid character in the local part, and the standard doesn't say how it should be interpreted (it could be a significant part of the name; it's not proper to strip it out) or preclude multiple addresses from delivering to the same mailbox.

Unfortunately the feature is too well-known, and the mapping from the tagged address to the plain address is too transparent. Spammers will just remove the label. You need either a custom domain so you can use a different separator ('+' is the default but you can generally choose something else for your own server) or a way to generate random, opaque temporary addresses.

If you want to talk about non-compliant address handing, aside from not accepting valid addresses, the one that always bothers me is sites that capitalize or lowercase the local part of the address. Domain names are not case-sensitive, but the local part is. Changing the case could result in non-delivery or delivery to the wrong mailbox. Most servers are case-insensitive but senders shouldn't assume that is always true.