[11.x] Document the fluent email Rule validation

[SanderMuller]

Documentation for laravel/framework#54067

[DanielSpravtsev]

Would be great to see some use cases/examples for methods

[taylorotwell]

Yeah, explanation of what "strict" compliance means, or what spoofing means would be great! Please mark as ready for review when the requested changes have been made.

[shaedrich]

Yeah, explanation of what "strict" compliance means, or what spoofing means would be great! Please mark as ready for review when the requested changes have been made.

A good place might be here, where it's already mentioned:

docs/validation.md

Lines 1213 to 1224 in 8c527b5

	The example above will apply the `RFCValidation` and `DNSCheckValidation` validations. Here's a full list of validation styles you can apply:
	<div class="content-list" markdown="1">
	- `rfc`: `RFCValidation`
	- `strict`: `NoRFCWarningsValidation`
	- `dns`: `DNSCheckValidation`
	- `spoof`: `SpoofCheckValidation`
	- `filter`: `FilterEmailValidation`
	- `filter_unicode`: `FilterEmailValidation::unicode()`
	</div>

[shaedrich]

You might want to link this:

- The `filter` validator, which uses PHP's `filter_var` function, ships with Laravel and was Laravel's default email validation behavior prior to Laravel version 5.8.
+ The `filter` validator, which uses PHP's [`filter_var` function](https://www.php.net/manual/en/filter.constants.php#constant.filter-validate-email), ships with Laravel and was Laravel's default email validation behavior prior to Laravel version 5.8.
 
[!WARNING]

[shaedrich]

You could link this:

Suggested change

	> The `dns` and `spoof` validators require the PHP `intl` extension.
	> The `dns` and `spoof` validators require the [PHP `intl` extension](https://www.php.net/manual/de/book.intl.php).

[shaedrich]

Doesn't have #### Defining Default Email Rules an heading level too high? 🤔

[SanderMuller]

Would be great to see some use cases/examples for methods

@DanielSpravtsev I've been working on some improvements, could you have a look?

[shaedrich]

You might have added the - accidentally here:

Suggested change

	- **Addresses that pass `rfcCompliant()` but fail `rfcCompliant(true)`:**
	**Addresses that pass `rfcCompliant()` but fail `rfcCompliant(true)`:**

[shaedrich]

This might alternatively be a table:

Method	Description	Use case	example
rfcCompliant(strict: bool)	Validates the email according to RFC 5322. Passing true enforces stricter RFC checks (e.g., rejects [email protected]).	Use rfcCompliant() if you need standard RFC validation while allowing some unusual formats. Use rfcCompliant(true) if you want to reject less typical but technically valid addresses.	Basic RFC validation Rule::email()->rfcCompliant(); Strict RFC validation Rule::email()->rfcCompliant(true);

…

[DanielSpravtsev]

Should be ; instead of , at the end

[DanielSpravtsev]

Hey @SanderMuller, thanks for adding more detailed docs! I have a few points of feedback after reviewing the latest updates:

1. Clarifying rfcCompliant(true) vs. rfcCompliant(false)

   • The examples show addresses that pass rfcCompliant() but fail rfcCompliant(true). Could you add just one example that explicitly passes or fails both, showing clearly what “less strict” does vs. “strict”? Right now, the bullet points are good, but a quick “this one fails them both” or “this one passes them both” might help clarify even further.

2. Extra Emphasis on validateMxRecord()

   • The doc says “Requires valid MX record,” but some might not realize that DNS lookups can add latency or external calls—maybe add a small note or footnote like “(this relies on DNS lookups and could fail if domain DNS is temporarily down)”. Just an idea so folks understand potential trade-offs.

3. withNativeValidation(true) vs. rfcCompliant(true)

   • You mention withNativeValidation(true) is less strict than RFC. Maybe add an explicit example showing something like "quoted [email protected]" or “[email protected]” that one method would allow or block. That’ll make it super clear to devs which to choose.

Other than that, everything looks good! Let me know what you think!

[shaedrich]

You might want to add a link up there, where the string rule is explained:
#10112 (comment)

[SanderMuller]

Hey @SanderMuller, thanks for adding more detailed docs! I have a few points of feedback after reviewing the latest updates:

1. Clarifying rfcCompliant(true) vs. rfcCompliant(false)

   • The examples show addresses that pass rfcCompliant() but fail rfcCompliant(true). Could you add just one example that explicitly passes or fails both, showing clearly what “less strict” does vs. “strict”? Right now, the bullet points are good, but a quick “this one fails them both” or “this one passes them both” might help clarify even further.

2. Extra Emphasis on validateMxRecord()

   • The doc says “Requires valid MX record,” but some might not realize that DNS lookups can add latency or external calls—maybe add a small note or footnote like “(this relies on DNS lookups and could fail if domain DNS is temporarily down)”. Just an idea so folks understand potential trade-offs.

3. withNativeValidation(true) vs. rfcCompliant(true)

   • You mention withNativeValidation(true) is less strict than RFC. Maybe add an explicit example showing something like "quoted [email protected]" or “[email protected]” that one method would allow or block. That’ll make it super clear to devs which to choose.

Other than that, everything looks good! Let me know what you think!

Thanks, I've been working on your feedback/suggestions, can you have a new look?

[shaedrich]

Hey @SanderMuller, thanks for adding more detailed docs! I have a few points of feedback after reviewing the latest updates:

1. Clarifying rfcCompliant(true) vs. rfcCompliant(false)

   • The examples show addresses that pass rfcCompliant() but fail rfcCompliant(true). Could you add just one example that explicitly passes or fails both, showing clearly what “less strict” does vs. “strict”? Right now, the bullet points are good, but a quick “this one fails them both” or “this one passes them both” might help clarify even further.

2. Extra Emphasis on validateMxRecord()

   • The doc says “Requires valid MX record,” but some might not realize that DNS lookups can add latency or external calls—maybe add a small note or footnote like “(this relies on DNS lookups and could fail if domain DNS is temporarily down)”. Just an idea so folks understand potential trade-offs.

3. withNativeValidation(true) vs. rfcCompliant(true)

   • You mention withNativeValidation(true) is less strict than RFC. Maybe add an explicit example showing something like "quoted [email protected]" or “[email protected]” that one method would allow or block. That’ll make it super clear to devs which to choose.

Other than that, everything looks good! Let me know what you think!

Thanks, I've been working on your feedback/suggestions, can you have a new look?

Wow, I have to say: Congrats! The table is massively informative 👍🏻

[DanielSpravtsev]

I think it would be helpful to clarify why admin@examрle.com (with Cyrillic р) passes rfcCompliant(strict: true) but fails preventSpoofing(). Since it’s a potentially deceptive address

[SanderMuller]

Because it's a valid email address, just deceptive so potentially unwanted. So the RFC has nothing to do with how. I am not sure how to add these kind of details without making the docs for email validation a book on itself 😄

[DanielSpravtsev]

Similarly, user@üñîçødé.com is marked as failing withNativeValidation(allowUnicode: true), which seems counterintuitive—shouldn't it pass if Unicode is explicitly allowed?

[SanderMuller]

Similarly, user@üñîçødé.com is marked as failing withNativeValidation(allowUnicode: true), which seems counterintuitive—shouldn't it pass if Unicode is explicitly allowed?

I would've expected it to, but it doesn't. These docs don't determine the behavior but describe it. The table shows why IMO rfcCompliant(strict: true) is a much better choice than withNativeValidation(allowUnicode: true) and I think withNativeValidation all together shouldn't be used, but thats an opinion

[shaedrich]

I think withNativeValidation all together shouldn't be used, but thats an opinion

There's probably a reason, why this isn't the default anymore.

[DanielSpravtsev]

Hey @SanderMuller, thanks for adding more detailed docs! I have a few points of feedback after reviewing the latest updates:

1. Clarifying rfcCompliant(true) vs. rfcCompliant(false)

   • The examples show addresses that pass rfcCompliant() but fail rfcCompliant(true). Could you add just one example that explicitly passes or fails both, showing clearly what “less strict” does vs. “strict”? Right now, the bullet points are good, but a quick “this one fails them both” or “this one passes them both” might help clarify even further.

2. Extra Emphasis on validateMxRecord()

   • The doc says “Requires valid MX record,” but some might not realize that DNS lookups can add latency or external calls—maybe add a small note or footnote like “(this relies on DNS lookups and could fail if domain DNS is temporarily down)”. Just an idea so folks understand potential trade-offs.

3. withNativeValidation(true) vs. rfcCompliant(true)

   • You mention withNativeValidation(true) is less strict than RFC. Maybe add an explicit example showing something like "quoted [email protected]" or “[email protected]” that one method would allow or block. That’ll make it super clear to devs which to choose.

Other than that, everything looks good! Let me know what you think!

Thanks, I've been working on your feedback/suggestions, can you have a new look?

Great improvements, thanks for the updates! I’ve left a couple of comments in the review for clarification.

[SanderMuller]

Hi @taylorotwell,

The details for this PR have really been sweated.

Testing the differences between email validation methods and building the matrix required significant testing effort in the framework test suite. These additions have been contributed via laravel/framework#54226.

Let me know if there’s anything else you’d like adjusted or clarified!

[taylorotwell]

I got this documented. Thanks.