Here's something I just threw together real quick because I had a need for it. But others might find it useful: <? $split = preg_split('/^(.*)<(.*)>(.*)/', $_REQUEST['email'], -1, PREG_SPLIT_DELIM_CAPTURE|PREG_SPLIT_NO_EMPTY); $email = array_pop ($split); $split = explode ("@", $email); $domain = $split[1]; getmxrr ($domain, $a, $b); if ($a) { foreach ($a as $key => $val) { $c[$b[$key]] = $val; } ksort ($c); } else { $c[0] = $domain; } $fp = fsockopen (array_shift($c), 25, $errno, $errstr, 30); $return = fgets ($fp, 1024); fputs ($fp, "helo none.com\r\n"); $return = fgets ($fp, 1024); fputs ($fp, "mail from:<postmaster@none.com>\r\n"); $return = fgets ($fp, 1024); fputs ($fp, "rcpt to:<" . $email . ">\r\n"); $return = fgets ($fp, 1024); fputs ($fp, "quit"); fclose($fp); if (substr($return, 0, 3) > 250) { echo "Bad email"; } else { echo "Good email"; } ?> PHP: If you pass an email address as an email variable to the script, it will look up the domain's SMTP server, contact it, and see if the email address is legit or not. You should change the none.com domain to your domain and probably will want to use something more useful (like a true/false variable) instead of echoing out Good Email/Bad Email. Some mail servers will not tell you if an address is good or not with the RCPT TO command, so for those mail servers, it wouldn't work all that well, since it would always accept emails for any address.
Those SMTP servers that support Sender Policy Framework (SPF) will not accept your connection at all unless the IP address of your web server is on the list of valid IP addresses that can send mail. And another thing. If someone wanted to exploit your web server, they could run a script against your email address page, going through all possible email addresses (presumably this page will have different output when the address is valid). This way the attacker could harvest a few email addresses and your IP address would eventually be banned. J.D.
Well, it has nothing to do with SPF. Also, the script is not intended to be on a public web server (especially not as a stand alone script). In my case, it's used from the shell only.
I'm not following. The SMTP server you are connecting to will lookup your domain's SPF record and if it exists, it would have to contain the IP address (in one form or another) of your SMTP client (the thing that runs your script in this case). If it doesn't, the connection will be rejected even before you get to the rcpt to part. J.D.
I would guess that VERY few domains use SPF. digitalpoint.com has no SPF record, and it works fine for me. Either way, if someone cared about SPF, they could use it. Still wouldn't affect the script itself if someone chooses to use SPF in their server setup or not.