0

I have some users entering some email addresses into my system. I want to ensure that their email address is coming from a valid TLD. Based on the list found at [http://en.wikipedia.org/wiki/List_of_Internet_top-level_domains], which TLDs are valid for email addresses? Are they all valid? Or, is it only ones with a certain IDN, DNSSEC, or SLD values?

I'm sorry if this is a dumb question. I'm just trying to understand which TLDs are valid for an email address. Thank you for your help!

JQuery Mobile
  • 139
  • 1
  • 1
  • 4
  • 6
    Why bother? If someone's looking to enter invalid data, they'll just do nobody@yourdomain.com if you block TLDs. – ceejayoz Dec 20 '12 at 21:47
  • 1
    Just for curiosity, what specific problem are you attempting to solve? – mdpc Dec 20 '12 at 21:48
  • 2
    @ceejayoz I'm a fan of `dev@null.net` when forced to enter an email address that's checked against whether or not it could be valid. – HopelessN00b Dec 20 '12 at 21:53
  • @HopelessN00b I feel a little bad for test@test.com for all the stuff I've sent their way. – ceejayoz Dec 20 '12 at 21:54
  • 1
    To explicitly answer the question: You can find any official TLD at the end of email addresses. Might I add that I see no sense in this. – Karma Fusebox Dec 21 '12 at 00:16

3 Answers

6

Update: I check for two-character TLDs plus com, org, net, edu, gov, and mil. With exceptions for countries that usually send spam, these get accepted. By the time the TLD is checked the domain has been validated for reverse DNS compliance. Invalid TLDs will have failed the rDNS check.

The few new (vanity) TLDs I have seen have been sending spam. Often these domains have been used for snowshoe spam attacks.

Validating only TLDs for email addresses is likely to catch only a minority of errors. Checking for an MX for the domain portion of the address will be much more successful. Verifying the email address other than sending an opt-in email may get you blocked.

Original: The list of valid TLDs is subject to change, so you will need to be able to update the list quickly. It will become very difficult to track once TLDs go up for sale.

Normally in a case like this, I would validate the domain using DNS. You may want to check for an MX record to eliminate domains like `www.example.com`. While it is valid to only have an A record for a mail domain, most valid e-mail domains will have one or more MX records. Also, many TLD registrars return A records on non-existent subdomains. For valid domains, the responses should be very quick. Invalid or missing domains may take a while to return while the resolver times out. Depending on your resolver, results may be faster if you check for `example.com.` instead of `example.com`.

BillThor
  • 27,737
  • 3
  • 37
  • 69
5

A list of the valid TLDs (from ICANN) can be found here. That's about as authoritative as it gets.

# Version 2012122000, Last Updated Thu Dec 20 07:07:02 2012 UTC
AC
AD
AE
AERO
AF
AG
AI
AL
AM
AN
AO
AQ
AR
ARPA
AS
ASIA
AT
AU
AW
AX
AZ
BA
BB
BD
BE
BF
BG
BH
BI
BIZ
BJ
BM
BN
BO
BR
BS
BT
BV
BW
BY
BZ
CA
CAT
CC
CD
CF
CG
CH
CI
CK
CL
CM
CN
CO
COM
COOP
CR
CU
CV
CW
CX
CY
CZ
DE
DJ
DK
DM
DO
DZ
EC
EDU
EE
EG
ER
ES
ET
EU
FI
FJ
FK
FM
FO
FR
GA
GB
GD
GE
GF
GG
GH
GI
GL
GM
GN
GOV
GP
GQ
GR
GS
GT
GU
GW
GY
HK
HM
HN
HR
HT
HU
ID
IE
IL
IM
IN
INFO
INT
IO
IQ
IR
IS
IT
JE
JM
JO
JOBS
JP
KE
KG
KH
KI
KM
KN
KP
KR
KW
KY
KZ
LA
LB
LC
LI
LK
LR
LS
LT
LU
LV
LY
MA
MC
MD
ME
MG
MH
MIL
MK
ML
MM
MN
MO
MOBI
MP
MQ
MR
MS
MT
MU
MUSEUM
MV
MW
MX
MY
MZ
NA
NAME
NC
NE
NET
NF
NG
NI
NL
NO
NP
NR
NU
NZ
OM
ORG
PA
PE
PF
PG
PH
PK
PL
PM
PN
POST
PR
PRO
PS
PT
PW
PY
QA
RE
RO
RS
RU
RW
SA
SB
SC
SD
SE
SG
SH
SI
SJ
SK
SL
SM
SN
SO
SR
ST
SU
SV
SX
SY
SZ
TC
TD
TEL
TF
TG
TH
TJ
TK
TL
TM
TN
TO
TP
TR
TRAVEL
TT
TV
TW
TZ
UA
UG
UK
US
UY
UZ
VA
VC
VE
VG
VI
VN
VU
WF
WS
XN--0ZWM56D
XN--11B5BS3A9AJ6G
XN--3E0B707E
XN--45BRJ9C
XN--80AKHBYKNJ4F
XN--80AO21A
XN--90A3AC
XN--9T4B11YI5A
XN--CLCHC0EA0B2G2A9GCD
XN--DEBA0AD
XN--FIQS8S
XN--FIQZ9S
XN--FPCRJ9C3D
XN--FZC2C9E2C
XN--G6W251D
XN--GECRJ9C
XN--H2BRJ9C
XN--HGBK6AJ7F53BBA
XN--HLCJ6AYA9ESC7A
XN--J6W193G
XN--JXALPDLP
XN--KGBECHTV
XN--KPRW13D
XN--KPRY57D
XN--LGBBAT1AD8J
XN--MGB9AWBF
XN--MGBAAM7A8H
XN--MGBAYH7GPA
XN--MGBBH1A71E
XN--MGBC0A9AZCG
XN--MGBERP4A5D4AR
XN--MGBX4CD0AB
XN--O3CW4H
XN--OGBPF8FL
XN--P1AI
XN--PGBS0DH
XN--S9BRJ9C
XN--WGBH1C
XN--WGBL6A
XN--XKC2AL3HYE2A
XN--XKC2DL3A5EE0H
XN--YFRO4I67O
XN--YGBI2AMMX
XN--ZCKZAH
XXX
YE
YT
ZA
ZM
ZW
HopelessN00b
  • 53,795
  • 33
  • 135
  • 209
  • What are those XN -- entries all about? – mdpc Dec 20 '12 at 21:51
  • @mdpc http://en.wikipedia.org/wiki/Internationalized_domain_name, like http://bücher.ch/ – ceejayoz Dec 20 '12 at 21:53
  • 2
    And that's only this week's list. How are you going to handle keeping it updated when all the new TLDs are released (.study .newyork .sydney .nike etc)? – fukawi2 Dec 20 '12 at 22:57
  • @fukawi2 Not that I think this is a great idea, but it should be pretty trivial to script up a task to automatically download this at whatever interval, and check to see if it's changed. So, he could keep it updated that way. – HopelessN00b Dec 20 '12 at 23:10
  • 1
    @HopelessN00b Of course; but the whole concept is still a Bad Idea (tm) – fukawi2 Dec 21 '12 at 02:20
3

I know this is an old question, but it came up high on google when searching for TLD lists so I figured I would post an updated answer.

Like @BillThor, I'm also a fan of using a DNS check (e.g. is there an MX record for the name `email.split('@')[1]`) when validating email.

The goal isn't to force the user to enter a real email address...in that case you would usually send a verification email. Rather you are trying to help the user in case there is a typo/etc....do as much verification as possible to make the user's life easier. Any user that doesn't want to give out their real email has many free "disposable email" services available to avoid this.

For general domain validation (as opposed to email validation) when checking TLDs it is important to remember that some TLDs have different rules. This is where the IANA list isn't ideal. For instance domain.co.uk is a valid domain. domain.uk is not. uk is on the IANA list, co.uk is not.

Update: As of this year .uk is now allowed in addition to .co.uk...but I'll leave it as an example.

This is because each TLD is allocated by IANA to a specific "registry" that is responsible for administrating that TLD and they can create their own rules (e.g. the .co.uk example).

The best source I have found for validating TLDs is here: https://publicsuffix.org/ You can quite easily script a daily/weekly/monthly update and then run your code against the list. This list includes public and private TLDs and some basic corresponding rules for each TLD.

For more context you can also see this outdated mozilla wiki page: https://wiki.mozilla.org/TLD_List

Of course, just validating the TLD doesn't mean that the domain is valid or registered or the correct input...but the original question is about determining if a domain has a valid TLD.

aside... should you validate/verify emails?

If you collect emails from the user (e.g. required field in your form) then you really really really should be both validating AND verifying the email belongs to the user (e.g. by sending an email with a short code for the user to enter into your site).

  1. validating that it looks/smells like a correct email address (e.g. is the tld/domain valid and has an MX record). this gives instant feedback to your users if they have a typo in their form.
  2. verifying that email if you intend to store it and use it for logins, marketing, etc.

Email verification is something that many companies don't bother to do. My "honey pot" gmail addresses get huge amounts of marketing and transactional email in a variety of languages from major companies where the user gave them my email address by mistake and the company did not bother to verify it. Many of these transactional emails do not include a "this is not me, please delete my email address" link...they say they have a right to email you transactional emails due to your relationship with them (none...they were given the wrong address and didn't verify).

This is not only legally problematic in some jurisdictions, but can be a huge risk to the privacy of their customers. And of course super annoying to me as the recipient. Here are some real examples of what happens when you don't verify emails (a few of many off the top of my head)...

  • honda of america. someone bought a new honda pilot and gave my email address. I get invites from honda to login to their hondacare account to manage online services, enable honda app for unlocking the vehicle, etc.
  • macys. order confirmations including direct (no-login) links to manage and cancel orders. Includes name, address, phone and partial credit card details.
  • Stanbic Bank Tanzania. transaction notifications, balance notifications, personal contact information.
  • SNCF (french railway system) - I get emails allowing me to see, edit, cancel tickets for travelers.
  • tons of marketing I didn't sign up for.

No easy way to get my data deleted without contacting every company's support team, figuring out how to talk to a real person and explaining in length that I am not a customer and they need to remove my email from their customer database. I don't bother anymore. The support people MIGHT delete my email but they don't fix the problem to prevent it from happening to others.

I'm a good Samaritan, but this is a goldmine for ID thieves who can sign up many common "typo" email addresses with gmail and wait for the data leakage from companies that don't verify emails.

Don't be one of those companies. ALWAYS verify your email addresses. If you can't verify them within a certain short time period (few days), then delete them from your database and don't use them (ie no more email beyond the verification email). If you aren't willing to verify email addresses...don't collect them in the first place.

mattpr
  • 621
  • 4
  • 10
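
The Public Suffix List lookup described in the answer above, as an added example that is not part of the original answer: it applies the list's normal, wildcard (`*.`) and exception (`!`) rules to the domain part of an address. The rule excerpt is constructed, the function names are illustrative, and treating an unlisted TLD as unknown is a stricter choice than the list's implicit default rule.

```python
# Constructed excerpt in Public Suffix List syntax; a real deployment would
# load a locally cached copy of the list published at publicsuffix.org.
SAMPLE_PSL = """\
// comment lines start with two slashes
com
uk
co.uk
*.ck
!www.ck
"""

def load_rules(text):
    """Split PSL text into (normal and wildcard rules, exception rules)."""
    rules, exceptions = set(), set()
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("//"):
            continue
        rule = fields[0].lower()
        (exceptions if rule.startswith("!") else rules).add(rule.lstrip("!"))
    return rules, exceptions

def public_suffix(domain, rules, exceptions):
    """Return the public suffix of domain, or None when no listed rule matches."""
    labels = domain.lower().rstrip(".").split(".")
    tails = [labels[i:] for i in range(len(labels))]  # longest first
    for tail in tails:
        # An exception rule beats every other match; drop its leftmost label.
        if ".".join(tail) in exceptions:
            return ".".join(tail[1:])
    for tail in tails:
        # "*" stands for exactly one label in the leftmost position.
        if ".".join(tail) in rules or ".".join(["*"] + tail[1:]) in rules:
            return ".".join(tail)
    return None

def check_email_domain(email, rules, exceptions):
    """Classify the domain part: ok, suffix-only, unknown-suffix or no-domain."""
    local, at, domain = email.strip().rpartition("@")
    domain = domain.lower().rstrip(".")
    if not at or not local or not domain:
        return "no-domain"
    suffix = public_suffix(domain, rules, exceptions)
    if suffix is None:
        return "unknown-suffix"  # stricter than the PSL's implicit "*" default
    return "suffix-only" if domain == suffix else "ok"

RULES, EXCEPTIONS = load_rules(SAMPLE_PSL)
```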