Webform (Drupal) and email address validation

Is the foo@bar email ok?

One day I noticed that foo@bar email addresses - without a top level domain like .cz - are passing validation, which brings later problems. I was quite surprised that webform didn't have this handled, so I started looking into it. Turns out it's a bit more complicated than that.

The webform itself uses the email.validator service, specifically \Drupal::service('email.validator')->isValid($value); And this service it uses is defined according to the "2.3.5 Domain Names of RFC 5321" definition. To my surprise, it turns out that the address foo@bar is fine by definition, as such addresses might have use in local networks,, e.g. test@localhost

What to do about it

The problem is discussed e.g. in the webform ticket Add optional routable email check for email address element https://www.drupal.org/project/webform/issues/3173490 Here is a patch for webform that validates email including the top level domain.

Another discussion is directly in Drupal Core: Drupal email.Validator service isValid accepts emails with no domain https://www.drupal.org/project/drupal/issues/2822142 The solution described here is also using a custom class for email validation.

RegExp solution

For me, so far it has worked well to set a custom validation using a regular expression [a-z0-9._%+-]+@[a-z0-9.-]+$[a-z]{2,}$

Conclusion

Man is always learning, and today proved it again. Even an email address doesn't have to be just the one we commonly know and use.