As a side note puny code conversion is only defined for the domain name _not_ the local part. Using puny code on the local part will semantically create a different email and at last theoretically a mail provider might support both the puny code and normal version as two different mail addreses and as such using punicode there would potentially open up a different vulnarability.
Now that I think about it as far as I remember the local part of mail is actually not defined as cases insensitive , through all? mail programs treat it as such. The important part her is to always use data from your database for any security relevant parts.
Now that I think about it as far as I remember the local part of mail is actually not defined as cases insensitive , through all? mail programs treat it as such. The important part her is to always use data from your database for any security relevant parts.