Email Address Confirmation
Last updated
Last updated
This page contains recommendations for validation and confirmation email addresses.
Implement a validation of an email address. Include at least the following:
An email address contains two parts, separated by an @
symbol.
An email address does not contain at least the following characters:
backticks `
single quotes '
double quotes "
null bytes \x00
new line \x0A
new page \x0D
comma ,
semicolon :
The domain part contains only letters, numbers, hyphens -
and periods .
.
The local part (before the @
) should be no more than 63 characters.
The total length should be no more than 254 characters.
Validate email address is correct and legitimate:
Do not automatically sign in a user after email address confirmation. Once a user confirms the ownership of an email address, send them to a usual login mechanism (with multi-factor authentication, if enabled).
Log successful and failed email address confirmation attempts, see the Logging and Monitoring page.
Comply with requirements from the Error and Exception Handling page.
Send a confirmation URL to a user's email and pass a random token in the query string of the URL. For example:
Generate a random token using a cryptographically strong random generator, see the Cryptography: Random Generators page.
Use a random token length of 32+ bytes.
Set a short expiration time for a random token (~ 24 hours).
Use a random token once. Delete a random token or transfer it to a final status that prohibits reusing.
Send a One-Time Password (OTP) to a user's email.
Comply with the requirements from the Authentication: One Time Password (OTP) page.