------------ Original Message ------------
> Date: Saturday, April 30, 2016 11:28:23 -0700
> From: Alice Wonder <alice at domblogger.net>
>
> I'm working on setting up an e-mail service.
>
> I've got the e-mail servers working beautifully and am presently
> working on re-writing the parts of Roundcube I don't like (e.g. it
> uses inline JavaScript in a few places so CSP breaks it) but -
>
> Is there any advice on characters to allow in usernames?
>
> I know there are some wacky characters that are legal in e-mail
> addresses but are generally frowned upon - like
>
> "very.(),:;<>[]\".VERY.\"very@\ \"very\".unusual"@example.com
>
> is apparently a legal address - but I know I don't want to allow
> ampersands and brackets etc. in an address.
>
> I don't think a whitelist alphabet is the best approach because of
> people with names that are not spelled with Latin characters.
>
> Is there an existing blacklist of characters that are technically legal
> but are generally avoided in e-mail addresses?
>

You should avoid straying from the mail standards (as defined in the
IETF RFCs). If you do stray, your users will encounter
arbitrary/seemingly random failures that will waste everyone's time to
debug.

The Wikipedia page:

<https://en.wikipedia.org/wiki/Email_address>

gives a good summary -- look at the "local part" section and the
examples lower down. You'll also want to review the RFCs. Depending
on your user community you may also need to look at the RFCs related
to the internationalization of email addressing sooner rather than
later.

Note, that wiki page has some references to non-RFC sources that are
basically the authors' views/preferences. In at least one of these
cases, many of the recommendations violate the RFCs. If there is
doubt, the RFCs should be your guide.
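
The following is an added example, not part of the original messages: a Python sketch that classifies a local part as RFC 5322 dot-atom, RFC 5321 quoted-string, or invalid, with an optional switch for the RFC 6531 internationalized extension. The function and constant names are hypothetical, and the quoted-string form is kept ASCII-only here for brevity.

```python
import re

# RFC 5322 atext: letters, digits and these specials may appear unquoted.
ATEXT_ASCII = r"A-Za-z0-9!#$%&'*+/=?^_`{|}~\-"
# RFC 6531 (SMTPUTF8) extends atext with any non-ASCII character.
ATEXT_UTF8 = ATEXT_ASCII + r"\u0080-\U0010FFFF"


def _dot_atom(atext):
    # dot-atom: runs of atext separated by single dots, no leading/trailing dot
    return re.compile(rf"[{atext}]+(?:\.[{atext}]+)*")


DOT_ATOM = _dot_atom(ATEXT_ASCII)
DOT_ATOM_UTF8 = _dot_atom(ATEXT_UTF8)

# RFC 5321 Quoted-string: qtextSMTP (printable ASCII except '"' and '\')
# or quoted-pairSMTP (backslash followed by any printable ASCII character).
QUOTED = re.compile(r'"(?:[\x20-\x21\x23-\x5b\x5d-\x7e]|\\[\x20-\x7e])*"')

MAX_LOCAL_OCTETS = 64  # RFC 5321 section 4.5.3.1.1


def classify_local_part(local, smtputf8=False):
    """Return 'dot-atom', 'quoted-string' or 'invalid' for a local part."""
    if not local or len(local.encode("utf-8")) > MAX_LOCAL_OCTETS:
        return "invalid"
    pattern = DOT_ATOM_UTF8 if smtputf8 else DOT_ATOM
    if pattern.fullmatch(local):
        return "dot-atom"
    if QUOTED.fullmatch(local):
        return "quoted-string"
    return "invalid"


# The local part quoted in the question above.
UNUSUAL = r'"very.(),:;<>[]\".VERY.\"very@\ \"very\".unusual"'

if __name__ == "__main__":
    # Constructed sample inputs, apart from UNUSUAL.
    for sample in ["alice", "alice&bob", "a[b]", "a..b", UNUSUAL]:
        print(f"{sample!r:55} {classify_local_part(sample)}")
    print(f"{'用户'!r:55} {classify_local_part('用户', smtputf8=True)}")
```

Knowing which form a local part takes lets a service decide what to offer at signup (for example, dot-atom only) while still accepting every RFC-valid address as a recipient.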