PHP mail verification and PHP Mailer

Dear experts,
   two points on this question. I am trying to create a verification email system for a registration website. I am using PHP to accomplish this as well as PHP Mailer to actually handle all the send mails. Either way I have two parts on the verification system.
 1) On the registration I am firstly validating the email address using a regular expression to see if it is in a proper format and I am using the function I am attaching to see that the domain is actually valid. Since I am developing on a Windows server I am using a custom CheckDnsrr function. All works great with the exception that for domains like hotmail, yahoo, well basically for most of the big mail providers, either I get a timeout on fsockopen or it is unable to connect to that domain (domains that I tested that do not work with this script are: hotmail.com, yahoo.com, otenet.gr, gmail.com), while on most other domain names like (forthenet.gr, dstavros.net, methodico.gr, gmail.net and other it )
Since I am using a verification system sending to that email address a verification code (which is the second part of the verification system) it is imperative to make this work.
2) If I remove this validation code and I am not validating that domain then I assumed that PHPmailer will do its job and send the email properly. But then again emails are not delivered to hotmail, yahoo or some other domains while on others again it's working great...

How do I get a workaround on that problem? Is there something wrong on the function I am using or do these domains block such kind of requests?

3) I would really be happy if someone could provide me with a nice tutorial on how to integrate PHP with PayPal and how to test it before I use it. Or if it is not PayPal, some other nice card/bank account processing system.

Thanks a lot.
<?php
 
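function customCheckDnsrr($host, $recType = '') {
    if (!empty($host)) {
        if ($recType == '') $recType = "MX";
        // escape both arguments: $host comes from the user-supplied address
        exec("nslookup " . escapeshellarg("-type=$recType") . " " . escapeshellarg($host), $output);
        foreach ($output as $line) {
            // quote the host so dots and slashes are matched literally
            if (preg_match("/^" . preg_quote($host, '/') . "/", $line)) {
                return true;
            }
        }
        return false;
    }
    return false;
}

function checkEmail($email) {
 // checks proper syntax (the pattern is unanchored, so it matches anywhere in the string)
 if(preg_match("/\w+([-+.]\w+)*@\w+([-.]\w+)*\.\w+([-.]\w+)*/", $email)) {
  // gets domain name (split() was removed in PHP 7; explode() does the same job here)
  list($username,$domain)=explode('@',$email);
  // checks for MX records in the DNS
  if(!customCheckDnsrr($domain, 'MX')) {
   return false;
  }
  // attempts a socket connection to mail server
  $fp = fsockopen($domain,25,$errno,$errstr,30);
  if(!$fp) {
   return false;
  }
  // release the connection once we know it opened
  fclose($fp);
  return true;
 }
 return false;
}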


atsalisAsked:

Marcus BointonCommented:
I wouldn't bother doing the DNS and connection check, especially to big domains. Yahoo in particular is prone to imposing all kinds of odd constraints on the email system (very keen on greylisting-style delivery deferrals), and for hotmail you're lucky if a message gets through at all - even my bank says that it doesn't expect emails to hotmail to get through! The incoming mail servers for any of these big domains change from moment to moment, so you may end up sending to a completely different IP than the one your check found anyway.

Any spoof/phish/whatever attempt is very likely to come from a valid domain anyway. The best you can do is send and hope it comes back - make sure you expire your verification emails after a suitably short period, say a day or two.

You should implement SPF on your outgoing domains as it can dramatically improve deliverability, and if you have the time and ability, do DKIM.

FWIW, here is a much tighter regex for email addresses that also allows some formats that are valid but rare. A real regex for RFC2822 would stretch to about 6 pages.

Regarding PayPal, they now have a much better PHP toolkit that's downloaded from their developer area. They also have a developer sandbox. Everything starts here: http://www.paypaldeveloper.com/
/**
* Check that a string looks roughly like an email address should
* So we can ignore invalid addresses
* Conforms approximately to RFC2822 (replacement for RFC822)
* @link http://www.hexillion.com/samples/#Regex
* @param string $email
*/
function emailcheck($email) {
	return preg_match('/^(?:[\w\!\#\$\%\&\'\*\+\-\/\=\?\^\`\{\|\}\~]+\.)*[\w\!\#\$\%\&\'\*\+\-\/\=\?\^\`\{\|\}\~]+@(?:(?:(?:[a-zA-Z0-9_](?:[a-zA-Z0-9_\-](?!\.)){0,61}[a-zA-Z0-9_]?\.)+[a-zA-Z0-9_](?:[a-zA-Z0-9_\-](?!$)){0,61}[a-zA-Z0-9_]?)|(?:\[(?:(?:[01]?\d{1,2}|2[0-4]\d|25[0-5])\.){3}(?:[01]?\d{1,2}|2[0-4]\d|25[0-5])\]))$/', $email);
}

atsalisAuthor Commented:
OK, these are great tips you are giving me... Is there no problem if I wait for a couple of days to actually test whatever you just said there?
I will get back to you again soon I hope. Thanks a lot...
0
atsalisAuthor Commented:
So I managed to do this, altered a bit my verification function by the way...
 Every time my verification function will timeout or return FALSE I will not allow PHP mailer to send any emails, I will just redirect the user to say to him that his/her email address is not accepted by the validation script.
 If it returns true, and what is my main concern, will PHPmailer send the email in all cases? Attaching the new version of the function
<?php
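function customCheckDnsrr($host, $recType = '') {
    if (!empty($host)) {
        if ($recType == '') $recType = "MX";
        // escape both arguments: $host comes from the user-supplied address
        exec("nslookup " . escapeshellarg("-type=$recType") . " " . escapeshellarg($host), $output);
        foreach ($output as $line) {
            // quote the host so dots and slashes are matched literally
            if (preg_match("/^" . preg_quote($host, '/') . "/", $line)) {
                return true;
            }
        }
        return false;
    }
    return false;
}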
 
function checkEmail($email) {
 // checks proper syntax
 if(preg_match("/^(?:[\w\!\#\$\%\&\'\*\+\-\/\=\?\^\`\{\|\}\~]+\.)*[\w\!\#\$\%\&\'\*\+\-\/\=\?\^\`\{\|\}\~]+@(?:(?:(?:[a-zA-Z0-9_](?:[a-zA-Z0-9_\-](?!\.)){0,61}[a-zA-Z0-9_]?\.)+[a-zA-Z0-9_](?:[a-zA-Z0-9_\-](?!$)){0,61}[a-zA-Z0-9_]?)|(?:\[(?:(?:[01]?\d{1,2}|2[0-4]\d|25[0-5])\.){3}(?:[01]?\d{1,2}|2[0-4]\d|25[0-5])\]))$/", $email)) {
  // gets domain name (split() was removed in PHP 7; explode() does the same job here)
  list($username,$domain)=explode('@',$email);
  // checks for MX records in the DNS
  if(!customCheckDnsrr($domain, 'MX')) {
   return false;
  }

  // setting timeout and establishing connection
  $timeout = 15;
  $fp = @fsockopen($domain,25,$errno,$errstr,$timeout);
  // attempts a socket connection to mail server
  if(!$fp) {
   return false;
  }
  // only read the stream metadata once we know the socket opened
  $info = stream_get_meta_data($fp);
  fclose($fp);
  if ($info['timed_out']){
   return false;
  }
  return true;
 }
 return false;
}
?>


Marcus BointonCommented:
A domain doesn't have to provide MX records. The RFC says that it should fall back to the domain's A record if no MX records are provided, so that checking for the existence of MX records is not effective.

Also some mail servers use a mechanism called greetdelay in order to weed out servers that attempt to talk SMTP before they have delivered their welcome line (which essentially means spambots). This is often 20-30 sec, which is probably longer than you want to wait in your script.

Really, I wouldn't bother doing this.
0
atsalisAuthor Commented:
So you think the best way of actually doing this is implementing SPF on my outgoing domains....?
0
Marcus BointonCommented:
Well, SPF won't help you spot bad addresses, but it will increase the chances of messages actually arriving.
0
atsalisAuthor Commented:
I kind of need to make a decision then on how to do things?
 Let's suppose that I use SPF, do you think that validating the user with only a verification email is enough then? Not bother doing the DNS and connection check?
0
Marcus BointonCommented:
Well, what really matters is that people respond to the verification messages. In that context, sending messages to non-existent addresses doesn't really matter because those submitting bogus addresses don't really want to be on your site anyway. As a defence against abuse you must make sure of a few things:

Make sure that there is no way for the abuser to inject any content at all into the verification message - go heavy on your defence against header injection attacks. That will reduce the incentive for abuse in the first place.

Implement a captcha system to reduce bot submissions.

Limit the number of messages per day/hour that can be sent through the form from a given IP.

In order to be nice to those that mis-enter their address, make sure you display the address the message was sent to on your "thanks" page.

So, that will give you quite a bit of practical protection without needing to rely on DNS lookups or SMTP connections.

On top of this, SPF on your domain will help in two ways. Firstly, other sites will not be able to send mail that says it's from you to any of the major ISPs. Secondly, this means that you'll see better deliverability because large ISPs like those that implement SPF, and also because they're seeing less junk coming from addresses that say they are you.
0
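The defences listed in the comment above (nothing user-supplied in the message, a per-IP send limit) combined with the short-lived verification link suggested earlier in the thread, as an added example that is not part of the original posts. It assumes PHP 7.4 or later; the function names, the one-day lifetime, the five-per-hour limit and the in-memory `$log` array are illustrative choices, and the pending address is assumed to be stored server-side so it can be passed back to `verifyToken()`.

```php
<?php
// Added example, not code from the thread. Names and limits are assumptions.
const TOKEN_TTL = 86400;   // verification link lifetime: one day
const MAX_PER_HOUR = 5;    // sends allowed per IP per hour

// Return the address only if it cannot carry extra header lines.
function safeAddress(string $email): ?string {
    if (preg_match('/[\r\n\0]/', $email)) {
        return null;       // CR, LF or NUL would allow header injection
    }
    $clean = filter_var($email, FILTER_VALIDATE_EMAIL);
    return $clean === false ? null : $clean;
}

// Sliding one-hour window of send times per IP; $log stands in for a real store.
function allowSend(array &$log, string $ip, int $now): bool {
    $recent = array_values(array_filter($log[$ip] ?? [], fn($t) => $t > $now - 3600));
    $ok = count($recent) < MAX_PER_HOUR;
    if ($ok) {
        $recent[] = $now;
    }
    $log[$ip] = $recent;
    return $ok;
}

// Token is "expiry.HMAC(email|expiry)", so the mail body needs nothing the user typed.
function issueToken(string $email, string $key, int $now): string {
    $exp = $now + TOKEN_TTL;
    return $exp . '.' . hash_hmac('sha256', $email . '|' . $exp, $key);
}

function verifyToken(string $email, string $token, string $key, int $now): bool {
    $parts = explode('.', $token, 2);
    if (count($parts) !== 2 || !ctype_digit($parts[0]) || (int)$parts[0] < $now) {
        return false;      // malformed or expired
    }
    $expected = hash_hmac('sha256', $email . '|' . $parts[0], $key);
    return hash_equals($expected, $parts[1]);   // constant-time comparison
}

// Constructed demo values
$key = 'constructed-demo-key';
$log = [];
$now = 1700000000;
$token = issueToken('user@example.com', $key, $now);
var_dump(safeAddress("user@example.com\r\nBcc: other@example.net"));
for ($i = 0; $i < 6; $i++) var_dump(allowSend($log, '203.0.113.7', $now + $i));
var_dump(verifyToken('user@example.com', $token, $key, $now + 3600));
var_dump(verifyToken('user@example.com', $token, $key, $now + 2 * TOKEN_TTL));
```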
atsalisAuthor Commented:
Those are great tips and of great help. I thought doing the DNS/SMTP check up was all I wanted but it seems there is more to the trick. I am a new programmer so...you kind of understand I hope.
Thanks a lot, I really appreciate it. I split the answer into two parts since both of your answers were helpful. I am getting to see how I am going to implement those things you just said.
 Thanks a lot
0