How to validate an email in php in a secure way

In this article we will see how to validate an email in PHP in a secure way, preventing them from obtaining the token of our email verification service.
In the examples we will use the email validation service verificaremails.com but the same system works for any email validation service.
Currently there are a multitude of services that allow you to validate emails.
Script-based solutions, although they are a first step, only allow you to validate email through syntax rules or by performing more or less sophisticated domain and MX record checks.
If you need to validate an email reliably, you will have to use a professional email validation service. In addition to the above checks, professional services perform an in-depth simulation of the connection or check the email in their spam trap lists to reliably verify the email.

How email validation works in php

Almost all the services work the same way, through an API we can validate in real time the email, for this a Curl call is usually made, where the service is invoked and the email is transmitted together with the token of the service.
You can find detailed documentation in ”
Documentation verify email“.

In the case of the verificaremails.com service the PHP call is:

$email = “[email protected]”;

$key = “your_api_key”;

$url = “https://app.verificaremails.com/api/verifyEmail?secret=”.$key.”&email=”.$email;

$ch = curl_init();

curl_setopt($ch, CURLOPT_URL, $url);

curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);

curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);

curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true );

$response = curl_exec($ch);

echo $response;

curl_close($ch);

As you can see the call is very simple.
If the validation is performed in our BackOffice services, the “key” or token to perform the validation will remain secret throughout the process.
We can modify our script so that when clicking “send” in our registration form the validation of the email is performed.
This mechanism is effective and secure, the only drawback is that the validation is done once the user has completed the form.
Validating emals via API in real time usually takes on average about 2 seconds, although it is a quick verification, it is not immediate.
An improvement of this method would be to validate the email while the user is completing the rest of the form fields.
If we detect that the address is invalid we can indicate it in the form without the need to send it.
Improving the usability of the service and increasing the conversion of records.
From a technical point of view we only need to add a few lines of JavaScript to our PHP code.

Risks of validating an email in PHP with Java Script

Although the previous call is very simple to implement, it involves a risk.
I want to remember that to validate the email we make a Curl call, where we pass to the email validation service the email to verify and the token of the service.
If a user captures that token, he could validate emails.

How to securely validate an email with PHP and JavaScript

At verificaremails.com we have developed a library to avoid this risk.
Although the code examples we will explain are explicitly for Verificaremails, they can also work with any other service.
The library uses 4 files:

Index.html

Verifyemails.php

Verifyemails_encrypt.php

Verifyemails-core.js

What we do is to use an encrypted key in the files where we want to perform the validation in real time via Ajax.
Even if you get this key, it will be of little use because at the time of verification a check of the domain that makes the call is performed.
To generate the encrypted key we execute “verificaremails_encrypt.php” in the fields:

define(‘TOKEN_KEY’, ‘a3_?Kd’);

define(‘TOKEN_IV’, ‘v7$!kh’);

we will indicate the keys to encrypt the token of the service to validate email.
In the index.html file, is the file that contains our form, apart from using it to capture the data, a call is made to verificaremails-core.js.
In this file is where we place the encrypted token and indicate where are the files that perform the validation, verificaremails.php The file verificaremails.php defines 4 important parameters:

define(‘VALID_REFERER’, ‘localhost’);

Indicates from which location we are authorized to perform validations.

define(‘VALIDATE_URL’, ‘https://app.verificaremails.com/’);

Shows where the application is to validate email

define(‘TOKEN_KEY’, ‘a2_?Kd’);

define(‘TOKEN_IV’, ‘v6$!kh’);

These are the values we use to encrypt the key of the verification service.
This encrypted key is the one we will use in the file “verificaremails-core.js”.
The value of these fields must match those defined in “verificaremails_encrypt.php”.
To determine if the call is correct, at the end of the file verifyingemails.php we have an if where we define with which criteria an address is correct:

if ($response == ‘ok’ or $response == ‘ok_for_all’ or $response == ‘accept_all’) {

echo ‘1’;

} else {

echo ‘0’;

The validation value is passed to the file “verificaremails-core.js” which in turn passes it to index.html which contains the form.
Once the user has filled in the email address in the field with id=”email” the Ajax call is made, while the user is filling in the rest of the fields.
In “background” the validation is being done, so that before sending the data we can know if they are valid.
In addition to reducing latencies in the process of verifying email, we also secure the token against theft.
I know it may seem complicated, but once you have the files, using them is very simple, even if you want to port them to other languages such as Ruby, Python or Java.
If you are a client of verificaremails and you want to validate emails via JavaScript please contact our support team to request the files to validate emails in PHP in a secure way.
If you prefer we can also do the implementation.