Email Validator bug

Hi there,

I was just using the email validator and tried to whitelist domains.
However, when using a wrong domain the validator didn’t raise an error.

I had a look at the source code and was a bit confused by the logic:

if domain_part not in self.domain_allowlist and not self.validate_domain_part(
    domain_part
):
    raise ValidationError(self.message, code=self.code, params={"value": value})

Shouldn’t the two statements be connected via an "or", or am I misunderstanding the implementation?
At least it worked as I expected when I changed the "and" to an "or".

If that’s the case, then this might even be a security vulnerability if one can bypass a wrong domain simply by using a string that matches the standard regex.

Welcome @LarsCG !

I think you’re misunderstanding the purpose of the domain_allowlist.

From the docs at EmailValidator.allowlist:

Allowlist of email domains. By default, a regular expression (the domain_regex attribute) is used to validate whatever appears after the @ sign. However, if that string appears in the allowlist, this validation is bypassed.

In other words, the domain is identified as valid if it either passes the regex or is in the allowlist. The purpose of this validator is to allow domains that don’t pass the regex to be considered valid, not to limit the domain to what’s in the allowlist.
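
As an added illustration of the two behaviours discussed above (this is example code written for this page, not Django's own EmailValidator; the domain regex is a simplified stand-in for Django's domain_regex, the ValidationError class is a stand-in, and the strict flag is an assumption that models the poster's "and"-to-"or" change rather than anything Django ships):

```python
import re


class ValidationError(ValueError):
    """Stand-in for django.core.exceptions.ValidationError (assumption, not the real class)."""


class EmailValidator:
    """Model of the condition quoted in the thread; not Django's class.

    Assumption: domain_regex is a simplified pattern, not Django's domain_regex.
    strict=False reproduces the shipped condition (allowlisted OR well-formed).
    strict=True reproduces the and-to-or rewrite the original poster tried
    (allowlisted AND well-formed).
    """

    domain_regex = re.compile(
        r"^(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$",
        re.IGNORECASE,
    )

    def __init__(self, allowlist=None, strict=False):
        # Django's default allowlist is ["localhost"]; the regex above rejects
        # a bare hostname, which is exactly why the allowlist exists.
        self.domain_allowlist = ["localhost"] if allowlist is None else list(allowlist)
        self.strict = strict

    def validate_domain_part(self, domain_part):
        return self.domain_regex.match(domain_part) is not None

    def __call__(self, value):
        if not value or "@" not in value:
            raise ValidationError(value)
        user_part, domain_part = value.rsplit("@", 1)
        if not user_part:
            raise ValidationError(value)

        in_allowlist = domain_part in self.domain_allowlist
        well_formed = self.validate_domain_part(domain_part)

        if self.strict:
            # The poster's change: raise if NOT allowlisted OR NOT well-formed,
            # i.e. accept only domains that satisfy both checks.
            rejected = not in_allowlist or not well_formed
        else:
            # The shipped condition: raise only if NOT allowlisted AND NOT
            # well-formed, i.e. the allowlist only widens what the regex accepts.
            rejected = not in_allowlist and not well_formed
        if rejected:
            raise ValidationError(value)


def is_valid(validator, value):
    """True if validator accepts value, False if it raises ValidationError."""
    try:
        validator(value)
    except ValidationError:
        return False
    return True


if __name__ == "__main__":
    # Constructed sample inputs.
    shipped = EmailValidator(allowlist=["example.com"])
    print(is_valid(shipped, "alice@example.com"))   # allowlisted
    print(is_valid(shipped, "alice@anything.org"))  # passes the regex, so accepted
    print(is_valid(shipped, "alice@localhost"))     # neither, so rejected
    strict = EmailValidator(allowlist=["example.com"], strict=True)
    print(is_valid(strict, "alice@anything.org"))   # rejected: not allowlisted
```

With the shipped condition, anything@anything.org is accepted even though it is not on the allowlist, which is the behaviour the original post observed. The strict variant shows what the "or" rewrite does: it turns the allowlist into a restriction and, as a side effect, also rejects the default localhost entry because that never matched the regex in the first place. Restricting a field to a fixed set of domains is a separate check layered on top of the validator, not a change to its allowlist.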

Hi @KenWhitesell ,

oh, I see.
I saw someone mention it as a whitelist but that’s not it. Thanks for clearing things up.