Handling email addresses
I am in process of writing a new email address handling module for a new project that will eventually end up in PHPMailer Pro.
The work is well underway, with a good portion of the code written and testing in progress. While this was going on, I received an email questioning a previous article about email address security. You can read the two articles I wrote about security at https://blog.phpmailer.pro/post/8 and https://blog.phpmailer.pro/post/9. The issue the sender pointed out was that achieving 99.9% security was "off-putting". Hey, it's a result of hosting providers disabling security features in their own servers.
Which brings up a sore point with me. If you look at the most basic of email transports, PHP's own mail() function, there is absolutely no security there at all. If you write the code to support even a basic file attachment, PHP's mail() has no facility to validate that file attachment, its source location, or any exploits (or payloads) it may carry.
It's the same with the email security concern I received: all the security features are disabled by the hosting provider, but the software I wrote is considered "off-putting".
In one respect, the sender of the security concern email has got me thinking about this. I am always one to handle the issue at my end and make the programmer's job easier, and it is the same here.
I have always thought of email address handling as a convenience. You can input an email address as a string, as an indexed array, as an associative array, even as a multi-dimensional array with elements of indexed and associative arrays. My new code handles all of these easily and provides the ability to add to the "TO", "CC" and "BCC" fields, plus return an RFC-formed email address list to match the user's input type.
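As an added example (not PHPMailer Pro's code; the function names are mine and it assumes PHP 8), here is one way to normalise the input shapes described above into an RFC 5322 address list while refusing line breaks that would allow header injection:

```php
<?php
// Reject CR/LF (header injection) and anything filter_var will not accept,
// then return one RFC 5322 mailbox: "Display Name" <local@domain>.
function formatAddress(string $email, string $name = ''): string
{
    $email = trim($email);
    $name  = trim($name);
    if (preg_match('/[\r\n]/', $email . $name)) {
        throw new InvalidArgumentException("Line break in address or name: $email");
    }
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        throw new InvalidArgumentException("Invalid address: $email");
    }
    if ($name === '') {
        return $email;
    }
    // Quote the display name, escaping backslash and double quote.
    return '"' . addcslashes($name, '\\"') . "\" <$email>";
}

// Accept a string, an indexed array of strings, an associative array of
// email => name, or a nested mix, and return a flat list of mailboxes
// ready for a To:, Cc: or Bcc: header.
function normaliseAddresses(string|array $input): array
{
    if (is_string($input)) {
        return [formatAddress($input)];
    }
    $out = [];
    foreach ($input as $key => $value) {
        if (is_array($value)) {
            $out = array_merge($out, normaliseAddresses($value));
        } elseif (is_string($key)) {
            $out[] = formatAddress($key, (string) $value); // email => name
        } else {
            $out[] = formatAddress((string) $value);       // plain list
        }
    }
    return $out;
}

// Constructed sample input mixing every shape the article mentions.
$recipients = [
    'alice@example.com',
    'bob@example.com' => 'Bob "Builder" Jones',
    ['carol@example.com', 'dave@example.com' => 'Dave'],
];
echo 'To: ' . implode(', ', normaliseAddresses($recipients)) . PHP_EOL;
```

The same function serves the "TO", "CC" and "BCC" fields; an address or name containing a CR or LF is rejected rather than silently passed through to the headers.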
My thought process now is to add a directive to not process the email addresses at all. That will give the user the ability to do their own email address security handling and keep the transport clean and respectful of the user's intent: just build the headers and body, handle the transport and report back on the result.
Seems the right thing to do, doesn't it?