Advanced Email Validation
Validates email addresses using MX records and lists of free, disposable, or banned email domains with configurable rules.
advanced_email_validation
Install
composer require 'drupal/advanced_email_validation:^2.0'
composer require 'drupal/advanced_email_validation:^1.2'
Overview
Advanced Email Validation provides robust email address validation beyond Drupal's basic format checking. It leverages the open-source stymiee/email-validator library to apply configurable validation rules that can detect and reject emails from free providers (like Gmail), disposable email services (like Mailinator), domains without valid MX records, or custom banned domains.
The module automatically validates user email addresses during registration and when users change their email. It also provides a service for developers to use programmatically, and includes a Webform handler for applying these validation rules to email fields in webforms with per-form configuration overrides.
All error messages are customizable and can be translated using Drupal's Configuration Translation module, making it suitable for multilingual sites.
Features
- Validates user account email addresses during registration and email changes with configurable triggers
- MX record lookup validation to ensure email domains actually exist and can receive mail
- Blocks disposable/temporary email providers (mailinator.com, etc.) using dynamically fetched lists
- Blocks free public email providers (gmail.com, outlook.com, etc.) when corporate emails are required
- Custom banned domain list with wildcard support (e.g., *.example.org)
- Ability to add additional domains to disposable and free provider lists or use local-only lists
- Fully customizable and translatable error messages for each validation type
- Webform integration with a validation handler that can override site-wide settings per form
- Exposes a service for developers to validate emails programmatically with configuration overrides
Use Cases
Preventing Spam Registrations
Enable MX lookup validation to reject emails with non-existent domains. This blocks many spam bots that use randomly generated email addresses with fake domains. Combined with disposable email blocking, this significantly reduces fake account registrations.
Corporate/Enterprise Sites Requiring Work Emails
Enable the 'free email provider' rule to reject registrations from Gmail, Yahoo, Outlook, and other free providers. This ensures users register with their corporate/organizational email addresses, which is useful for B2B sites, intranets, or professional communities.
Blocking Temporary/Disposable Emails
Enable disposable email validation to block services like Mailinator, Guerrilla Mail, and 10MinuteMail. These services are commonly used to create throwaway accounts, bypass email verification, or abuse trial offers.
Custom Domain Blocking
Use the banned domains feature with wildcard support to block specific competitors, known bad actors, or unwanted email providers. For example, block *.competitor.com to prevent competitor employees from registering, or block specific domains that have been sources of abuse.
Webform Contact Forms with Email Validation
Add the Advanced Email Webform Validator Handler to contact forms or lead generation forms. Configure per-form overrides to apply different rules - for example, allow free emails on general contact forms but require corporate emails on enterprise inquiry forms.
Local-Only Domain Lists for Compliance
Use the 'local list only' option to maintain complete control over which domains are blocked. This is useful when compliance requirements mandate that blocking decisions must be based on an auditable internal list rather than dynamically fetched external data.
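The wildcard blocking and local-only list described in the two use cases above can be sketched as follows. This is an added PHP example, not code from the module or from the stymiee/email-validator library. The function names, the list entries and the wildcard semantics (a `*.` pattern matches subdomains only, compared on a label boundary) are assumptions for illustration. Returning the matched pattern gives each rejection an auditable reason.

```php
<?php
// Added example, not the module's code. Assumed wildcard semantics:
// "*.example.org" matches any subdomain of example.org, not example.org itself.

/** Extract and normalize the domain part of an address, or null if malformed. */
function aev_example_domain(string $email): ?string {
  $at = strrpos($email, '@');
  if ($at === false || $at === strlen($email) - 1) {
    return null;
  }
  // Lower-case and drop a trailing root dot so "Example.ORG." equals "example.org".
  return rtrim(strtolower(substr($email, $at + 1)), '.');
}

/** Return the first pattern in $banned that matches $domain, or null. */
function aev_example_match(string $domain, array $banned): ?string {
  foreach ($banned as $pattern) {
    $p = rtrim(strtolower(trim($pattern)), '.');
    if ($p === '') {
      continue;
    }
    if (strncmp($p, '*.', 2) === 0) {
      // Keep the leading dot of the suffix so the comparison happens on a
      // label boundary: "*.example.org" must not match "notexample.org".
      $suffix = substr($p, 1);
      if (strlen($domain) > strlen($suffix)
          && substr($domain, -strlen($suffix)) === $suffix) {
        return $pattern;
      }
    }
    elseif ($domain === $p) {
      return $pattern;
    }
  }
  return null;
}

// Constructed local list and constructed sample addresses.
$banned = ['*.example.org', 'blocked.example'];
$samples = ['alice@mail.example.org', 'bob@notexample.org',
            'carol@EXAMPLE.org.', 'dave@Blocked.Example', 'no-at-sign'];
foreach ($samples as $email) {
  $domain = aev_example_domain($email);
  $hit = $domain === null ? null : aev_example_match($domain, $banned);
  $verdict = $domain === null ? 'malformed'
    : ($hit !== null ? "rejected by $hit" : 'allowed');
  printf("%-26s %s\n", $email, $verdict);
}
```

Under these assumed semantics the apex domain needs its own list entry alongside the wildcard if it should be blocked as well.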
Tips
- Combine multiple validation rules for stronger protection - for example, enable both MX lookup and disposable email blocking
- Use wildcards in the banned domains list (*.example.org) to block all subdomains at once
- The error messages support full localization - translate them using Configuration Translation for multilingual sites
- Test your configuration with known disposable or free email addresses before going live
- For webforms, you can have different validation rules per form by enabling 'Override site defaults' in the handler configuration
Technical Details
Admin Pages
/admin/config/people/advanced-email-validation
Configure the rules used to validate user email addresses, customize error messages, and manage domain lists for blocking disposable, free, or custom banned email providers.
Permissions
Hooks
hook_entity_base_field_info_alter
Used internally to add AEVNewEmail and AEVChangedEmail constraints to the User entity's mail field based on the 'validate_account_on' configuration.
Troubleshooting
MX lookups require DNS queries, which can add latency to form submissions. If this is problematic, consider disabling MX lookup and relying on other validation rules, or ensure your server has proper DNS caching configured.
The domain lists are maintained by the stymiee/email-validator library and fetched from the internet. If you need to allow specific domains, you can either disable the problematic rule or use the 'local list only' option with your own curated list.
The module clears entity definition caches when settings are saved. If validation still doesn't work as expected, try clearing all caches with 'drush cr' or through the Performance settings page.
The handler only shows fields of type 'email' or 'webform_email_confirm'. Ensure your form has at least one email field before adding the handler.
Security Notes
- This module helps prevent abuse but should be used as part of a defense-in-depth strategy, not as the sole spam prevention measure
- MX lookup validation requires network access and could potentially be used for timing attacks or information disclosure about internal infrastructure
- Domain lists are fetched from external sources by the underlying library - consider using 'local list only' mode if you need to control exactly which domains are blocked
- The module does not validate that an email address actually exists or that the user controls it - it only validates the domain