344

I've read that by standard first part of e-mail is case sensitive, however I've tried to send e-mail to name@example.com, Name@example.com and NAME@example.com - it has arrived in each case.

How do mail servers handles usernames? Is it possible to miss with case and that message wouldn't be delivered? Is it really very important to use exactly same letter case, as was written while registering when giving your e-mail address?

Luke Girvin
  • 12,672
  • 8
  • 57
  • 79
Stalker
  • 3,691
  • 2
  • 17
  • 18

5 Answers5

406

From RFC 5321, section 2.3.11:

The standard mailbox naming convention is defined to be "local-part@domain"; contemporary usage permits a much broader set of applications than simple "user names". Consequently, and due to a long history of problems when intermediate hosts have attempted to optimize transport by modifying them, the local-part MUST be interpreted and assigned semantics only by the host specified in the domain part of the address.

So yes, the part before the "@" could be case-sensitive, since it is entirely under the control of the host system. In practice though, no widely used mail systems distinguish different addresses based on case.

The part after the @ sign however is the domain and according to RFC 1035, section 3.1,

"Name servers and resolvers must compare [domains] in a case-insensitive manner"

In short, you are safe to treat email addresses as case-insensitive.

Daniel
  • 406
  • 1
  • 7
  • 19
Mike E
  • 4,799
  • 1
  • 12
  • 15
  • 90
    'In short, you are safe to treat email addresses as case-insensitive.' I'd phrase it stronger: "you're unsafe to treat email-addresses as case-sensitive manner" Especially when checking for duplicates in user-databases, etc. – Geert-Jan Nov 16 '13 at 23:00
  • 66
    I'd disagree with the conclusion. If you're looking for duplicates in a database - yes, a case insensitive match is probably the best way to go, but I've seen code where the email address is converted to lower case prior to sending. That's not a good idea, since there is a small chance it will not get delivered. So how you treat it depends on what the consequences of error are and what you're doing with the email addresses at that time (collating a list of unique addresses, sending an email, etc). – Peter Bagnall Sep 12 '14 at 09:32
  • 1
    @PeterBagnall this is a great point, and it would be nice to incorporate it into the answer. – o0'. Oct 30 '14 at 08:55
  • 13
    Does anyone know of a list of mail products that will (a) reject a John.Doe@company.com when the user john.doe@company.com is valid, or (b) will allow two distinct mailboxes to be created: John.Doe@company.com and john.doe@company.com? – MSC Mar 04 '15 at 03:48
  • 63
    I work at a large company and there is another person with the same first and last name. I discovered today that his local-part differs from mine only in capitalization. This has been working properly, so I was surprised to see "no widely used mail systems distinguish different addresses based on case". We use MS Exchange which I would call "widely used". – Matthew James Briggs Nov 24 '15 at 20:14
  • 12
    RFC 5321 2.4. General Syntax Principles and Transaction Model - SMTP implementations MUST take care to preserve the case of mailbox local-parts. In particular, for some hosts, the user "smith" is different from the user "Smith". Mailbox domains follow normal DNS rules and are hence not case sensitive. – Adam111p Apr 27 '16 at 10:02
  • 4
    What about abuse? Someone with a long email address could register and verify n~n accounts. – themihai Jun 16 '16 at 16:49
  • 2
    @theminhai Someone with a Gmail account can already register ∞ accounts in the form `username+anythingyouwant@gmail.com`. – BenMorel Nov 03 '20 at 18:03
47

I know this is an old question but I just want to comment here: To any extent email addresses ARE case sensitive, most users would be "very unwise" to actively use an email address that requires capitals. They would soon stop using the address because they'd be missing a lot of their mail. (Unless they have a specific reason to make things difficult, and they expect mail only from specific senders they know.)

That's because imperfect humans as well as imperfect software exist, (Surprise!) which will assume all email is lowercase, and for this reason these humans and software will send messages using a "lower cased version" of the address regardless of how it was provided to them. If the recipient is unable to receive such messages, it won't be long before they notice they're missing a lot, and switch to a lowercase-only email address, or get their server set up to be case-insensitive.

PaulOTron2000
  • 975
  • 1
  • 12
  • 20
  • 14
    This is insightful application of Postel's law http://en.wikipedia.org/wiki/Robustness_principle. It remains wrong to write software that assumes local parts of email addresses are case-insensitive, but yes, given that there is plenty of wrong software out there, it is also less than robust to require case sensitivity if you are the one accepting the mail. – zigg Oct 25 '12 at 17:32
  • 1
    One of the things I'm most frustrated by is sites *forcing* me to write my email in all-lower-case. Just fired off an angry comment to Twitch.tv about that very thing in regards to their support site. They block you from even *entering* upper-case on their site. So while I know my email server treats them as case-insensitive, and I know the RFC states it is case-sensitive, sites should NEVER make any assumptions either way and should simply pass through what the user enters. MAN that is so annoying!!! – Mark A. Donohoe May 03 '20 at 20:31
  • Personally, when I type my email somewhere I prefer to use mixed case just so it's more legible. For example: JamesTKirk@domain.com (Not my real address.) I do this even though I get the email without capitals. – PaulOTron2000 May 10 '20 at 21:10
  • As a software author, though, you would prefer your service to be one of those few that do things right for this person with case-sensitive email. – Klesun Jun 19 '20 at 08:08
34

Way late to this post, but I've got something slightly different to say...

>> "Are email addresses case sensitive?"

Well, "It Depends..." (TM)

Some organizations actually think that's a good idea and their email servers enforce case sensitivity.

So, for those crazy places, "Yes, Emails are case sensitive."

Note: Just because a specification says you can do something does not mean it is a good idea to do so.

The principle of KISS suggests that our systems use case insensitive emails.

Whereas the Robustness principle suggests that we accept case sensitive emails.

Solution:

  • Store emails with case sensitivity
  • Send emails with case sensitivity
  • Perform internal searches with case insensitivity

This would mean that if this email already exists: user@x.com

... and another user comes along and wants to use this email: USER@x.com

... that our case insensitive searching logic would return a "That email already exists" error message.

Now, you have a decision to make: Is that solution adequate in your case?

If not, you could charge a convenience fee to those clients that demand support for their case sensitive emails and implement custom logic that allows the USER@x.com into your system, even if user@x.com already exists.

In which case your email search/validation logic might look like something this pseudocode:

if (user.paidEmailFee) {
   // case sensitive email
   query = "select * from users where email LIKE ?"
} else {
   // case insensitive email
   query = "select * from users where email ILIKE ?"
}

This way, you are mostly enforcing case insensitivity but allowing customers to pay for this support if they are using email systems that support such nonsense.

p.s. ILIKE is a PostgreSQL keyword: http://www.postgresql.org/docs/9.2/static/functions-matching.html

Tom
  • 4,160
  • 2
  • 21
  • 43
l3x
  • 27,652
  • 1
  • 45
  • 35
  • 8
    LIKE/ILIKE for an exact match is an awful idea. Imagine an email containing `%` or more likely `_` – ThiefMaster May 20 '16 at 12:02
  • 21
    Your points are great! But the sql injection in your example kind of ruins it :( – epelc Sep 19 '16 at 17:06
  • 7
    @epelc THIS. Cannot agree more. That kind of query building shouldn't be written anywhere even if it's only an example. – xDaizu Dec 20 '16 at 14:32
  • 1
    @l3x, while I'm not as strongly against the above example code as the others, specifically because you did call it out as pseudocode and it is for illustrative purposes only, perhaps all of the above comments could be addressed by replacing your `query = ...` lines with simple `query = // Insert case-sensitive/insensitive search here` comments as that keeps the conversation away from the SQL injection topic and focuses on what you're trying to show. In other words, keep it on the logic, not the implementation. It will silence the critics. – Mark A. Donohoe May 03 '20 at 20:28
  • I'm against using the term "email" for email addresses. – AmigoJack Feb 15 '21 at 20:04
  • If you're already using PostgreSQL anyway, just use `citext` as the type of the `email_address` column. – jbg Feb 17 '21 at 03:46
10

IETF Open Standards RFC 5321 2.4. General Syntax Principles and Transaction Model

SMTP implementations MUST take care to preserve the case of mailbox local-parts. In particular, for some hosts, the user "smith" is different from the user "Smith".

Mailbox domains follow normal DNS rules and are hence not case sensitive

Klesun
  • 7,746
  • 5
  • 37
  • 41
Adam111p
  • 2,529
  • 1
  • 20
  • 18
4

Per @l3x, it depends.

There are clearly two sets of general situations where the correct answer can be different, along with a third which is not as general:

a) You are a user sending private mails:

Very few modern email systems implement case sensitivity, so you are probably fine to ignore case and choose whatever case you feel like using. There is no guarantee that all your mails will be delivered - but so few mails would be negatively affected that you should not worry about it.

b) You are developing mail software:

See RFC5321 2.4 excerpt at the bottom.

When you are developing mail software, you want to be RFC-compliant. You can make your own users' email addresses case insensitive if you want to (and you probably should). But in order to be RFC compliant, you MUST treat outside addresses as case sensitive.

c) Managing business-owned lists of email addresses as an employee:

It is possible that the same email recipient is added to a list more than once - but using different case. In this situation though the addresses are technically different, it might result in a recipient receiving duplicate emails. How you treat this situation is similar to situation a) in that you are probably fine to treat them as duplicates and to remove a duplicate entry. It is better to treat these as special cases however, by sending a "reminder" mail to both addresses to ask them if the case of the email address is accurate.

From a legal standpoint, if you remove a duplicate without acknowledgement/permission from both addresses, you can be held responsible for leaking private information/authentication to an unauthorised address simply because two actually-separate recipients have the same address with different cases.

Excerpt from RFC5321 2.4:

The local-part of a mailbox MUST BE treated as case sensitive. Therefore, SMTP implementations MUST take care to preserve the case of mailbox local-parts. In particular, for some hosts, the user "smith" is different from the user "Smith". However, exploiting the case sensitivity of mailbox local-parts impedes interoperability and is discouraged.

zaTricky
  • 1,261
  • 13
  • 20