How to Validate an Email Address: What Actually Matters

Email validation sounds simple, but RFC 5322 allows addresses that most people would reject as invalid. Here's the practical approach to validation — what to check, what to accept, and why perfect validation is a myth.

The minimum viable email validation

For most applications, this is enough:

^[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,}$

This checks that the address has:

  1. A local part before the @ (letters, numbers, dots, underscores, percent, plus, hyphen)
  2. An @ symbol
  3. A domain name
  4. A dot followed by at least 2 letters (TLD)

It will reject clearly invalid addresses and accept all common ones. It will also accept some technically invalid addresses — but that's the right trade-off, as we'll see.

Test this pattern immediately in the free regex tester.

What RFC 5322 actually allows (the problem)

The official email standard (RFC 5322) allows email addresses that look nothing like what most people expect:

  • "john doe"@example.com — quoted local part with a space
  • user+tag@example.com — plus addressing (common, works fine)
  • user.@example.com — trailing dot in local part (technically valid)
  • "very.unusual.@.unusual.com"@example.com — quoted with special chars
  • user@[192.168.1.1] — IP address as domain

If you write a regex strict enough to reject all these edge cases, you'll also reject some legitimate addresses your users actually have. The consensus among email deliverability experts: validate leniently in the regex and validate strictly by sending a confirmation email.

The only real validation: send a confirmation email

Regex validation tells you if an email address is formatted plausibly. It can't tell you:

  • Whether the mailbox exists
  • Whether the person has access to it
  • Whether the domain has working MX records
  • Whether it's a disposable email (10-minute mail)

A confirmation email with a link is the only reliable way to verify that an email address is real and belongs to the person signing up. This is also why you should never block users from continuing past email validation — let them proceed, send the confirmation, and require clicking the link before giving full access.
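
The confirmation step described above, sketched as an added example (not code from the original article). The in-memory `pending` map, the one-hour lifetime and the `https://app.example/confirm` URL are assumptions; the point is that the token is random, stored only as a hash, expires, and works once.

```javascript
const crypto = require('crypto');

// In-memory stand-in for a database table (assumption for this example).
const pending = new Map(); // email -> { tokenHash, expiresAt }
const TOKEN_TTL_MS = 60 * 60 * 1000; // assumed lifetime: one hour

const sha256 = (s) => crypto.createHash('sha256').update(s).digest();

// Create a single-use token. Only its hash is kept server-side, so a leaked
// table does not hand out working confirmation links.
function issueConfirmation(email, now = Date.now()) {
  const token = crypto.randomBytes(32).toString('hex');
  pending.set(email, { tokenHash: sha256(token), expiresAt: now + TOKEN_TTL_MS });
  // Hypothetical URL: this link is what gets mailed to the address.
  return `https://app.example/confirm?email=${encodeURIComponent(email)}&token=${token}`;
}

// Returns true exactly once: when the token matches and has not expired.
function confirmEmail(email, token, now = Date.now()) {
  const entry = pending.get(email);
  if (!entry || typeof token !== 'string') return false;
  if (now > entry.expiresAt) {
    pending.delete(email); // expired entries are dropped
    return false;
  }
  // Both sides are 32-byte digests, so a constant-time compare is safe here.
  const ok = crypto.timingSafeEqual(entry.tokenHash, sha256(token));
  if (ok) pending.delete(email); // single use
  return ok;
}
```

Until `confirmEmail` returns true for an account, treat its address as unverified and withhold full access.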

MX record checking

One step beyond regex: verify that the email's domain has an MX (Mail Exchanger) DNS record — meaning it can receive email at all. Domains without MX records can't receive email.

Check DNS records (including MX) for any domain with the free DNS lookup tool. If a domain has no MX records, the email address is certainly undeliverable.

In code (Node.js):

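const dns = require('dns').promises;

// Resolves to true when the domain publishes at least one MX record.
// await needs an async function here: CommonJS has no top-level await.
async function hasMX(domain) {
  return dns.resolveMx(domain)
    .then(records => records.length > 0)
    .catch(() => false); // any lookup error is treated as "no MX"
}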

Common validation mistakes to avoid

  • Rejecting plus addressing. user+tag@gmail.com is valid and commonly used for filtering. Many strict regex patterns reject the + character — don't.
  • Rejecting long TLDs. New TLDs like .photography, .academy, and .technology are far longer than four characters, and a TLD can be up to 63 characters long. Any validation that limits the TLD to 4 characters will reject these legitimate addresses.
  • Rejecting international email. Email addresses can use internationalized domain names and, in some implementations, Unicode local parts. If your system handles international users, be careful with overly restrictive validation.
  • Blocking disposable email services. Maintaining a blocklist of disposable email providers (Mailinator, Temp-Mail, etc.) is a valid anti-abuse measure — but it requires ongoing maintenance and will occasionally block legitimate users using privacy-focused email services.

Client-side vs server-side validation

Always validate on both:

  • Client-side (HTML5 / JavaScript): Immediate feedback to the user before form submission. Use the HTML type="email" input, which provides built-in basic validation in modern browsers. Add JavaScript for custom error messages.
  • Server-side: Never trust client-side validation alone — it can be bypassed. Re-validate the email format and perform MX checks on the server before storing or using the address.
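
A server-side check combining the lenient pattern and the MX lookup from earlier sections, as an added example (not code from the original article). The function name, the result shape and the injectable `resolveMx` parameter are assumptions. Unlike the short MX snippet, it separates "no MX published" from a resolver timeout, so a DNS outage does not reject real users.

```javascript
const dns = require('dns').promises;

// The article's lenient pattern, reused unchanged.
const EMAIL_RE = /^[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,}$/;

// Node DNS error codes meaning "nothing published for this name", as opposed
// to a timeout or resolver failure, which says nothing about the address.
const NO_RECORD = new Set(['ENOTFOUND', 'ENODATA']);

// resolveMx is injectable (assumption) so the logic can be exercised offline.
async function checkEmail(address, resolveMx = (d) => dns.resolveMx(d)) {
  if (typeof address !== 'string' || !EMAIL_RE.test(address)) {
    return { ok: false, reason: 'format' };
  }
  const domain = address.slice(address.lastIndexOf('@') + 1);
  try {
    const records = await resolveMx(domain);
    return records.length > 0
      ? { ok: true, reason: 'mx-found' }
      : { ok: false, reason: 'no-mx' };
  } catch (err) {
    if (NO_RECORD.has(err.code)) return { ok: false, reason: 'no-mx' };
    // Transient DNS failure: accept and let the confirmation email decide.
    return { ok: true, reason: 'dns-unavailable' };
  }
}
```

Log the `reason` field: a spike in `dns-unavailable` points at the resolver, while a spike in `no-mx` from one source is a sign of bulk sign-ups with made-up domains.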

HTML input with built-in email validation:

<input
  type="email"
  required
  placeholder="your@email.com"
  pattern="[a-zA-Z0-9._%+\-]+@[a-zA-Z0-9.\-]+\.[a-zA-Z]{2,}"
/>

Written by Achraf A., founder of TheFreeAITools.