Stick to standards for A2ID max length
Another old issue that arose during review as unresolved.
There are standards that indicate how long strings are. Local part is defined, as well as a domain name. You should use those instead of inventing your own. Please lookup my older comments or, better, find back the standards. Email and DNS define those, IIRC.
You may not even have to enforce a length if you avoid malloc()
completely.