[GH-ISSUE #349] [Bug] Special character email address is displayed/stored incorrectly #288

New issue

Closed

opened 2026-03-01 17:46:20 +03:00 by kerem · 1 comment

kerem commented

2026-03-01 17:46:20 +03:00

Owner

Originally created by @alexaka1 on GitHub (Oct 17, 2022).
Original GitHub issue: https://github.com/anonaddy/anonaddy/issues/349

I was demonstrating to my friends how silly RFC 5322 and 6854 are, because of how wild email addresses can be. And I think I encountered a bug.

I used AnonAddy Android by Stjin to create the following address: #!$%&’*+-/=?^_`{}|~@mydomain.com. I noticed that upon creation the app only showed #!$%&’*@mydomain.com, the address suspiciously got cut off at the + sign. The same occurs in the browser extension. I checked the webapp and strangely #!$%&’*+-/=?^_`{}|~@mydomain.com appears in the alias list. When I click copy, the full address is copied, however when I try to click Send from the address shown there is the cut off variant.

To my understanding, the full address is a valid email address. Now I can't test it, because every email client I have tried tell me it's an invalid address, which is incredibly ironic (email validation is a nice rabbit hole). I suspect that AnonAddy specifically handles + character differently, because of how send-from aliases are constructed.

It's interesting that there is a discrepancy between the webapp's alias list and the actual value the API provides.

(I escaped the backtick correctly in markdown, but just in case here's plaintext: #!$%&’*+-/=?^_`{}|~@mydomain.com which also needed a backslash to escape the single backtick)

Originally created by @alexaka1 on GitHub (Oct 17, 2022). Original GitHub issue: https://github.com/anonaddy/anonaddy/issues/349 I was demonstrating to my friends how silly RFC 5322 and 6854 are, because of how wild email addresses can be. And I think I encountered a bug. I used AnonAddy Android by Stjin to create the following address: ``#!$%&’*+-/=?^_`{}|~@mydomain.com``. I noticed that upon creation the app only showed `#!$%&’*@mydomain.com`, the address suspiciously got cut off at the `+` sign. The same occurs in the browser extension. I checked the webapp and strangely ``#!$%&’*+-/=?^_`{}|~@mydomain.com`` appears in the alias list. When I click copy, the full address is copied, however when I try to click `Send from` the address shown there is the cut off variant. To my understanding, the [full address](https://en.wikipedia.org/wiki/Email_address#Examples) is a *valid* email address. Now I can't test it, because every email client I have tried tell me it's an invalid address, which is incredibly ironic (email validation is a nice rabbit hole). I suspect that AnonAddy specifically handles `+` character differently, because of how send-from aliases are constructed. It's interesting that there is a discrepancy between the webapp's alias list and the actual value the API provides. (I escaped the backtick correctly in markdown, but just in case here's plaintext: #!$%&’*+-/=?^_\`{}|~@mydomain.com which also needed a backslash to escape the single backtick)

kerem closed this issue

2026-03-01 17:46:20 +03:00

kerem commented

2026-03-01 17:46:21 +03:00

Author

Owner

@willbrowningme commented on GitHub (May 20, 2024):

Anything after the + is treated as the plus-extension by addy.io. You are right that addy.io uses plus-extensions for replying/sending from aliases.

In the eyes of addy.io alias+abc@example.com is the same alias as alias+xyz@example.com. The plus extension is stored in a different database column and the web app displays both of these.

However the mobile app and extension must only show the local_part whilst not including the extension.

It doesn't matter what you put after the + it will still arrive and be forwarded by the same alias in the same way that if your email was #!$%&’*@gmail.com you could add any plus extension to that but it would always go to your address.

@willbrowningme commented on GitHub (May 20, 2024): Anything after the `+` is treated as the plus-extension by addy.io. You are right that addy.io uses plus-extensions for replying/sending from aliases. In the eyes of addy.io `alias+abc@example.com` is the same alias as `alias+xyz@example.com`. The plus extension is stored in a different database column and the web app displays both of these. However the mobile app and extension must only show the `local_part` whilst not including the extension. It doesn't matter what you put after the `+` it will still arrive and be forwarded by the same alias in the same way that if your email was `#!$%&’*@gmail.com` you could add any plus extension to that but it would always go to your address.

kerem referenced this issue

2026-03-14 10:41:54 +03:00

[GH-ISSUE #288] [Feature Request] Combination of random+custom alias chunks in a single alias #808

No labels

bug

pull-request

No milestone

No project

No assignees

1 participant

Notifications

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference

starred/anonaddy#288

No description provided.

Rows
Columns