------------ Original Message ------------
> Date: Saturday, April 30, 2016 11:28:23 -0700
> From: Alice Wonder <alice at domblogger.net>
>
> I'm working on setting up an e-mail service.
>
> I've got the e-mail servers working beautifully and am presently
> working on re-writing the parts of Roundcube I don't like (e.g. it
> uses inline JavaScript in a few places so CSP breaks it) but -
>
> Is there any advice on characters to allow in usernames?
>
> I know there are some wacky characters that are legal in e-mail
> addresses but are generally frowned upon - like
>
> "very.(),:;<>[]\".VERY.\"very@\ \"very\".unusual"@example.com
>
> is apparently a legal address - but I know I don't want to allow
> ampersands and brackets etc. in an address.
>
> I don't think a whitelist alphabet is the best approach because of
> people with names that are not spelled with Latin characters.
>
> Is there an existing blacklist of characters that are technically
> legal but are generally avoided in e-mail addresses?
>
You should avoid straying from the mail standards (as defined in the
IETF RFCs). If you do stray, your users will encounter
arbitrary/seemingly random failures that will waste everyone's time to
debug.

The Wikipedia page:

<https://en.wikipedia.org/wiki/Email_address>

gives a good summary -- look at the "local part" section and the
examples lower down. You'll also want to review the RFCs.

Depending on your user community you may also need to look at the
RFCs related to the internationalization of email addressing sooner
rather than later.

Note, that wiki page has some references to non-RFC sources that are
basically the authors' views/preferences. In at least one of these
cases, many of the recommendations violate the RFCs. If there is
doubt, the RFCs should be your guide.
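
An added example, not part of the original messages or of any mail software's code: a small Python classifier for the local-part grammar of RFC 5321 (Dot-string or Quoted-string), with the RFC 6531 UTF-8 extension as an option, run on the address quoted in the question. It assumes the wrapped line in that address broke at a space; the function names and the other sample addresses are constructed for illustration, and the domain part is not validated.

```python
import re

# Grammar from RFC 5321 section 4.1.2 (Local-part = Dot-string / Quoted-string),
# with atext from RFC 5322 and the UTF8-non-ascii extension from RFC 6531.
ATEXT = r"A-Za-z0-9!#$%&'*+/=?^_`{|}~\-"
UTF8_NON_ASCII = r"\u0080-\U0010FFFF"
MAX_LOCAL_OCTETS = 64  # RFC 5321 section 4.5.3.1.1


def _patterns(allow_utf8):
    extra = UTF8_NON_ASCII if allow_utf8 else ""
    atom = rf"[{ATEXT}{extra}]+"
    dot_string = re.compile(rf"{atom}(?:\.{atom})*")
    qtext = rf"[\x20-\x21\x23-\x5b\x5d-\x7e{extra}]"  # no bare '"' or '\'
    qpair = r"\\[\x20-\x7e]"                          # backslash-escaped char
    quoted = re.compile(rf'"(?:{qtext}|{qpair})*"')
    return dot_string, quoted


def classify_local_part(local, allow_utf8=False):
    """Return 'dot-string', 'quoted-string' or 'invalid'."""
    if not local or len(local.encode("utf-8")) > MAX_LOCAL_OCTETS:
        return "invalid"
    dot_string, quoted = _patterns(allow_utf8)
    if dot_string.fullmatch(local):
        return "dot-string"
    if quoted.fullmatch(local):
        return "quoted-string"
    return "invalid"


def split_address(addr):
    """Split on the LAST '@': a quoted local part may itself contain '@'."""
    local, _, domain = addr.rpartition("@")
    return local, domain


# Address quoted in the question (wrapped line rejoined at a space: assumption).
QUOTED_EXAMPLE = r'"very.(),:;<>[]\".VERY.\"very@\ \"very\".unusual"@example.com'
# Constructed sample addresses.
SAMPLES = [QUOTED_EXAMPLE, "o'brien+lists@example.com", "a..b@example.com",
           ".alice@example.com", "müller@example.com"]

if __name__ == "__main__":
    for addr in SAMPLES:
        local, domain = split_address(addr)
        print(f"{classify_local_part(local):14} "
              f"{classify_local_part(local, allow_utf8=True):14} {addr}")
```

The two printed columns are the result without and with the RFC 6531 extension; only the non-ASCII sample differs between them.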