How to Normalize Email Addresses to Prevent Duplicate Accounts
Have you noticed multiple accounts popping up from what seems to be the same user? Users frequently exploit email aliasing to create numerous accounts, causing headaches in user management, inflating metrics, and increasing risks of abuse. This guide covers exactly how email aliasing works across various popular providers and provides clear steps to effectively normalize email addresses, preventing duplicate account creation.
What is Email Aliasing?
Email aliasing lets users create different email addresses that all forward to a single mailbox. Here's what aliasing typically looks like:
| Alias Type | Example Alias | Normalized Email |
|---|---|---|
| Dot blindness | [email protected] |
[email protected] |
| Plus addressing | [email protected] |
[email protected] |
| Dash addressing | [email protected] |
[email protected] |
| Domain aliases | [email protected] |
[email protected] |
| Subdomain aliasing | [email protected] |
[email protected] |
Each provider has unique rules, so normalization must consider these specifics.
Aliasing Rules by Provider
Here's how aliasing works across major email providers:
Gmail
Gmail has the most extensive aliasing features:
Ignores dots
Dots in the local part of the email address are ignored (official documentation). All of the following emails point to the same mailbox:
Plus addressing
Gmail supports plus addressing, where users can add a plus sign and any text after the username. All emails sent to these variations will be delivered to the main Gmail inbox. For example:
[email protected]delivers to[email protected][email protected]delivers to[email protected][email protected]delivers to[email protected]
Domain aliases
Gmail and Googlemail emails point to the same account. For example:
Microsoft (Outlook/Hotmail/Live)
Consumer Accounts (@outlook.com, @hotmail.com, @live.com)
- Supports plus addressing since 2013:
[email protected]delivers to[email protected] - No dot tricks: Dots are significant and not ignored
Microsoft 365 (Business/Enterprise)
- Plus addressing disabled by default: Must be enabled by administrators (Exchange Online documentation)
- Custom business domains may or may not support plus addressing
Apple (iCloud/me/mac)
Key Features
- Plus addressing:
[email protected]delivers to[email protected](Apple support guide) - Strict dot enforcement:
[email protected]≠[email protected](unlike Gmail) - Legacy domain equivalence: @icloud.com = @me.com = @mac.com (for migrated accounts only)
Three Types of Aliasing
- Subaddressing (
[email protected]) - Automatic, no setup required - Manual aliases - Up to 3 user-created aliases per account (Apple alias documentation)
- Hide My Email - iCloud+ feature generating completely separate addresses (e.g.,
[email protected])
Note: Hide My Email addresses are completely opaque and don't reveal the original username.
FastMail
FastMail offers a unique aliasing method (FastMail documentation):
- If your address is
[email protected] - You can receive mail at
[email protected] - With custom domains:
[email protected] - Useful because some websites incorrectly reject "+" in emails
Yahoo
Yahoo's dash addressing requires manual setup through their disposable email addresses feature. Unlike Gmail's automatic plus addressing, Yahoo will only deliver messages to dash addresses you've explicitly created in your account settings. This makes abuse less common.
Yahoo uses a different approach:
- Dash addressing:
[email protected]delivers to[email protected] - No dot tricks: Dots are significant in Yahoo addresses
- Applies to all Yahoo domains: yahoo.com, yahoo.co.uk, yahoo.fr, etc.
Providers Supporting Standard Plus Addressing
These providers follow the RFC standard for plus addressing:
- ProtonMail:
[email protected]→[email protected] - Mail.com: Standard plus addressing
- Many smaller providers and custom domains
How to Normalize Email Addresses
Here's an example Python code that normalizes email addresses. Keep in mind that this is a simplified example and may not cover all edge cases.
Python Example
def normalize_email(email):
"""
Normalize an email address to detect duplicates.
Removes plus/dash addressing and handles provider-specific rules.
"""
# Split email into local and domain parts
try:
local, domain = email.lower().split('@')
except ValueError:
return email.lower()
# Yahoo uses dash addressing
yahoo_domains = ['yahoo.com', 'yahoo.co.uk', 'yahoo.fr', 'yahoo.de',
'yahoo.es', 'yahoo.it', 'yahoo.com.br', 'yahoo.ca',
'yahoo.co.jp', 'yahoo.com.au', 'yahoo.com.mx']
# Apple domains - preserve dots but normalize domain
apple_domains = ['icloud.com', 'me.com', 'mac.com']
# Microsoft consumer domains
microsoft_consumer_domains = ['outlook.com', 'hotmail.com', 'live.com',
'msn.com', 'hotmail.co.uk', 'live.co.uk']
if domain in yahoo_domains and '-' in local:
local = local.split('-')[0]
elif domain in apple_domains:
if '+' in local:
local = local.split('+')[0]
# Normalize legacy domains
domain = 'icloud.com'
elif domain in microsoft_consumer_domains and '+' in local:
local = local.split('+')[0]
elif '+' in local:
# Most other providers use plus addressing
local = local.split('+')[0]
# Gmail-specific: remove dots and normalize domain
if domain in ['gmail.com', 'googlemail.com']:
local = local.replace('.', '')
domain = 'gmail.com'
return f"{local}@{domain}"
# Example usage
emails = [
"[email protected]",
"[email protected]",
"[email protected]",
]
for email in emails:
normalized = normalize_email(email)
print(f"{email} → {normalized}")
# Output:
# [email protected] → [email protected]
# [email protected] → [email protected]
# [email protected] → [email protected]
Best Practices
1. Store Both Versions
Store the original email (for communication) and normalized version (for deduplication):
CREATE TABLE users (
-- ...
email VARCHAR(255) NOT NULL,
email_normalized VARCHAR(255),
-- ...
);
2. Normalize During Signup
Check for duplicates using the normalized version:
def register_user(email, password):
normalized = normalize_email(email)
# Check if normalized email already exists
existing_user = db.query(
"SELECT id FROM users WHERE email_normalized = %s",
[normalized]
)
if existing_user:
raise ValueError("An account with this email already exists")
# Create the new user
db.execute(
"INSERT INTO users (email, email_normalized) VALUES (%s, %s)",
[email, normalized]
)
3. When to Normalize (And When Not To)
DO normalize when:
- Checking for existing accounts during signup
- Enforcing trial limits or promotional restrictions
- Detecting potential abuse or duplicate accounts
DON'T normalize when:
- Sending emails (always use the original address)
- Displaying the email back to the user
- Password reset or authentication flows
Using UserCheck for Complete Email Intelligence
Maintaining provider rules is complex and changes over time. UserCheck's API automates normalization and provides email validation and fraud detection through a simple API.
Additional features beyond normalization:
- Disposable email detection
- Email forwarding detection (Hide My Email, SimpleLogin, etc.)
- Deliverability verification via SMTP validation
- Risk scoring based on multiple factors
Example request:
curl -X GET "https://api.usercheck.com/email/[email protected]" \
-H "Authorization: Bearer <api_key>"
Example response:
{
"status": 200,
"email": "[email protected]",
"normalized_email": "[email protected]",
"domain": "googlemail.com",
"domain_age_in_days": 10894,
"mx": true,
"disposable": false,
"public_domain": true,
"relay_domain": false,
"alias": true,
"role_account": false,
"spam": false,
"did_you_mean": null
}
Conclusion
Proper normalization prevents basic abuse where users exploit these features to create multiple accounts. However, remember that normalization is just one part of a comprehensive anti-fraud strategy.
Key takeaways:
- Always apply provider-specific rules.
- Store both original and normalized emails.
- Consider using automated solutions for maintaining provider-specific normalization rules.
By understanding these details and implementing proper normalization, you can significantly reduce account abuse while still welcoming legitimate users who use these features for valid reasons.
