Now let’s make a php function to automate this task. We can use this type of validation to check for example if a user is using a correct address when registering for a service.

The code is explained.

<?php
/*
email_validation.php
Coded by: Pentest ROMANIA; Dan Catalin VASILE; http://www.pentest.ro
*/

function email_validation($email)
{
 //Some vars we will need later
 $timeout = 5; // how much to wait for MX connection in seconds
 $helo = "helo example.com\r\n"; // helo string, feel free to modify but keep in mind that \r\n are necessary at the end of the string to send CR
 $mailfrom = "mail from: <somemail@example.com>\r\n"; // some mail and the domain used before, preferably a valid one

 //First we'll do a quick string validation
 if(filter_var($email, FILTER_VALIDATE_EMAIL))
  {
   //split the email address by the @ sign
   $email_str = explode ("@",$email); 
   //check for MX records
   if (getmxrr($email_str, $mxhosts)) //you could also check the weights of the MX hosts, some other time for me maybe
    {
    
    //opening sock connection to the forst MX host 
    $sock = fsockopen ( $mxhosts[0], 25, $errno, $errstr, $timeout);
     if (!$sock)
     {
      return "INVALID. COULD NOT OPEN CONNECTION TO MX HOST. ERROR: ".$errstr.$errno;
     }
     else
     {
      //sending commands to the MX host
      fwrite ($sock,$helo);
      fwrite ($sock,$mailfrom);
      $rcpt = "rcpt to: <".$email.">\r\n";
      fwrite ($sock,$rcpt);
      //reading responses
      for($j=0;$j<4;$j++)
       {
        $r[$j] = fgets($sock);
      }
      //exploding the last response line which should contain the answer we're looking for
      $r1=explode(" ",$r[3]);
      if($r1[0]=="250")
       return "VALID"; //according to the RFC "250" means valid
      else
       {
        echo "INVALID. ERROR CODE FROM MX SERVER: ".$r1[0];
       }
     }

    }
   else
    return "INVALID. NO MX RECORDS FOUND"; 
   
  } 
 else 
  return "INVALID EMAIL ADDRESS"; // the string submitted to filter_var is invalid 

} 

?>

For this example we will use bogus@pentest.ro. We first need to check the MX record for pentest.ro. In Linux is as simple as:

> dig MX pentest.ro

; <<>> DiG 9.6-ESV-R4 <<>> MX pentest.ro
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 53492
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 7, AUTHORITY: 3, ADDITIONAL: 0

;; QUESTION SECTION:
;pentest.ro.                    IN      MX

;; ANSWER SECTION:
pentest.ro.             86400   IN      MX      5 ALT2.ASPMX.L.GOOGLE.COM.
pentest.ro.             86400   IN      MX      10 ASPMX2.GOOGLEMAIL.COM.
pentest.ro.             86400   IN      MX      10 ASPMX3.GOOGLEMAIL.COM.
pentest.ro.             86400   IN      MX      10 ASPMX4.GOOGLEMAIL.COM.
pentest.ro.             86400   IN      MX      10 ASPMX5.GOOGLEMAIL.COM.
pentest.ro.             86400   IN      MX      1 ASPMX.L.GOOGLE.COM.
pentest.ro.             86400   IN      MX      5 ALT1.ASPMX.L.GOOGLE.COM.

;; AUTHORITY SECTION:
pentest.ro.             86400   IN      NS      ns1.pentest.ro.
pentest.ro.             86400   IN      NS      ns2.pentest.ro.
pentest.ro.             86400   IN      NS      ns3.pentest.ro.

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Sat Jul  2 21:48:05 2011
;; MSG SIZE  rcvd: 261

On Windows platforms there is no integrated dig utility. You can use this app, or you can use a free online check like this one:

http://www.mxtoolbox.com/

Either way you will end up with the MX server or servers for the domain. Notice there is a number in front of the MX servers in the list, that indicates priority (smaller means higher priority). We will use the highest priority server available and if this one fails we can try the next one.

It’s time to connect to the server (from the command line in Linux or Windows):

> telnet ASPMX.L.GOOGLE.COM 25
Trying 74.125.39.27...
Connected to ASPMX.L.GOOGLE.COM.
Escape character is '^]'.
220 mx.google.com ESMTP y26si6167249fag.156
helo mydomain.com
250 mx.google.com at your service
mail from: <me@mydomain.com>
250 2.1.0 OK y26si6167249fag.156
rcpt to: <bogus@pentest.ro>
550-5.1.1 The email account that you tried to reach does not exist. Please try
550-5.1.1 double-checking the recipient's email address for typos or
550-5.1.1 unnecessary spaces. Learn more at
550 5.1.1 http://mail.google.com/support/bin/answer.py?answer=6596 y26si6167249fag.156
rcpt to: <somevalidaddress@pentest.ro>
250 2.1.5 OK y26si6167249fag.156
quit
221 2.0.0 closing connection y26si6167249fag.156
Connection closed by foreign host.

The bolded lines are the ones you type, the others are responses from the server.

All servers should abide to RFC 821. Most do, a few don’t. I noticed some servers are accepting all addresses as valid. This is not a standard response but you can check if this occures testing an email like vrWvrtVWRmJU5Jrvrw43t524@domain.com.

The response code you are interested in is 250. This means it’s a valid address. 550 means that the user does not exist. There are other codes as well and you can do further reading in the RFC.

Please note that helo command must be run before anything else. mydomain.com and me@mydomain.com can be changed in anything you please.

To close the connection after validation just type quit.