Require addresses to pass the built-in EMAIL_REGEXP

[prognostikos]

We had an address pass the validation of this gem but was subsequently
treated as invalid when using the mail gem in a very odd way - the
Mail::Message#to method returned a String instead of a
Mail::AddressContainer. This commit uses the built-in
URI::MailTo::EMAIL_REGEXP as part of the default validation.

However, adding this breaks another test - allowing non-ascii characters
in the local part of the address. For us this is OK as we use Amazon SES
at the moment which also does not allow non-ascii characters, but I'm
guessing this may be a problem for others given that the test exists in
the first place.

Perhaps it should be a configuration option? Or feel free to tell us that
we'll need to do that as a separate validation in our app.

[koppen]

Thanks a bunch. Just a minor idea for a possible improvement.

[koppen]

I wonder if we could remove the regex-check at line 36 without any regressions. I'd expect URI::MailtTo::EMAIL_REGEXP to handle those cases as well.

[koppen]

I've taken a closer look at this now...

We're definitely seeing email addresses with non-ASCII characters in our datasets. Are they the correct, usable email addresses or typos, who knows 🤷‍♂️ That said, everything I can find seems to indicate that bøb@example.com or josé@example.com are valid email addresses.

The guiding principle for this gem has always been

Don't reject a valid email address realistically in use by a potential user. Err on the side of accepting too much.

and given the above, bøb@example.com could be a valid email address realistically in use by a potential user so we should not reject it. Thus, if adhering to URI::MailTo::EMAIL_REGEXP means we'd reject bøb@example.com, we can't adhere to URI::MailTo::EMAIL_REGEXP.

URI::MailTo::EMAIL_REGEXP was last updated in 2014 (https://bugs.ruby-lang.org/projects/ruby-master/repository/git/revisions/e63ab5d3ad289767eab49787e4e33390b0ce74e1/diff) to "use HTML5 email regexp", seemingly based on RFC 6068.

RFC 6068 "defines the format of Uniform Resource Identifiers (URIs) to identify resources that are reached using Internet mail". It doesn't not specify a valid format for email addresses, merely how they should be represented in a mailto: URI. It even supports non-ASCII characters, although they need to be URL-escaped:

(URI.encode_uri_component("bøb") + "@example.com").match?(URI::MailTo::EMAIL_REGEXP)
 => true

In other words, verifying email adresse formats is out of scope for RFC 6068, and from that follows that URI::MailTo::EMAIL_REGEXP cannot be relied on as a generic validation of email addresses.

If you need stricter validations - ie to comply with your email service provider - you have to add a separate validation in the application, I'm afraid. But be aware that dear "Bøb" is going to be sad when he tries to sign up 😁