Email Address Confirmation
Overview
This page contains recommendations for validation and confirmation email addresses.
General
Implement a validation of an email address. Include at least the following:
An email address contains two parts, separated by an
@
symbol.An email address does not contain at least the following characters:
backticks
`
single quotes
'
double quotes
"
null bytes
\x00
new line
\x0A
new page
\x0D
comma
,
semicolon
:
The domain part contains only letters, numbers, hyphens
-
and periods.
.The local part (before the
@
) should be no more than 63 characters.The total length should be no more than 254 characters.
Validate email address is correct and legitimate:
Do not automatically sign in a user after email address confirmation. Once a user confirms the ownership of an email address, send them to a usual login mechanism (with multi-factor authentication, if enabled).
Log successful and failed email address confirmation attempts, see the Logging and Monitoring page.
Comply with requirements from the Error and Exception Handling page.
Email confirmation link
Send a confirmation URL to a user's email and pass a random token in the query string of the URL. For example:
Generate a random token using a cryptographically strong random generator, see the Cryptography: Random Generators page.
Use a random token length of 32+ bytes.
Set a short expiration time for a random token (~ 24 hours).
Use a random token once. Delete a random token or transfer it to a final status that prohibits reusing.
Email confirmation code
Send a One-Time Password (OTP) to a user's email.
Comply with the requirements from the Authentication: One Time Password (OTP) page.
References
Last updated