diff --git a/src/mail.js b/src/mail.js
index e45eff3c6..a0aea8487 100644
--- a/src/mail.js
+++ b/src/mail.js
@@ -65,6 +65,7 @@ exports = module.exports = {
     TYPE_LIST: 'list',
     TYPE_ALIAS: 'alias',
 
+    _validateName: validateName,
     _delByDomain: delByDomain,
     _updateDomain: updateDomain
 };
@@ -161,8 +162,8 @@ function validateName(name) {
     if (name.length < 1) return new BoxError(BoxError.BAD_FIELD, 'mailbox name must be atleast 1 char');
     if (name.length >= 200) return new BoxError(BoxError.BAD_FIELD, 'mailbox name too long');
 
-    // also need to consider valid LDAP characters here (e.g '+' is reserved)
-    if (/[^a-zA-Z0-9.-_]/.test(name)) return new BoxError(BoxError.BAD_FIELD, 'mailbox name can only contain alphanumerals, dot, hyphen or underscore');
+    // also need to consider valid LDAP characters here (e.g '+' is reserved). keep hyphen at the end so it doesn't become a range.
+    if (/[^a-zA-Z0-9._-]/.test(name)) return new BoxError(BoxError.BAD_FIELD, 'mailbox name can only contain alphanumerals, dot, hyphen or underscore');
 
     return null;
 }
diff --git a/src/test/mail-test.js b/src/test/mail-test.js
index 5051cec6d..9aeb035ef 100644
--- a/src/test/mail-test.js
+++ b/src/test/mail-test.js
@@ -73,6 +73,25 @@ describe('Mail', function () {
         });
     });
 
+    describe('mailbox name', function () {
+        it('allows valid names', function () {
+            expect(mail._validateName('1')).to.be(null); // single char
+            expect(mail._validateName('ap')).to.be(null); // alpha
+            expect(mail._validateName('aP')).to.be(null); // caps
+            expect(mail._validateName('0P')).to.be(null); // number
+            expect(mail._validateName('a.p.x')).to.be(null); // dot
+            expect(mail._validateName('a-p-x')).to.be(null); // hyphen
+            expect(mail._validateName('a-p_x')).to.be(null); // underscore
+        });
+
+        it('disallows invalid names', function () {
+            expect(mail._validateName('@')).to.be.an(Error);
+            expect(mail._validateName('a+p')).to.be.an(Error);
+            expect(mail._validateName('a#p')).to.be.an(Error);
+            expect(mail._validateName('a!')).to.be.an(Error);
+        });
+    });
+
     describe('mailboxes', function () {
         it('add user mailbox succeeds', async function () {
             await mail.addMailbox('girish', domain.domain, { ownerId: 'uid-0', ownerType: mail.OWNERTYPE_USER, active: true }, auditSource);