principlejavascriptModerate
Do not validate email addresses with regex
Viewed 0 times
email validationregex emailRFC 5321deliverabilityemail confirmation
Problem
Developers reach for complex email regex to validate addresses. Every such regex either rejects valid emails (RFC 5321 allows plus signs, quotes, IP literals, etc.) or is permissive enough to accept junk.
Solution
Use a minimal sanity check regex to reject obvious garbage, then send a confirmation email — the only reliable validation.
// Sanity check only (not RFC-complete)
const rough = /^[^\s@]+@[^\s@]+\.[^\s@]+$/;
// Library option
import { validate } from 'email-validator';
// Best: try to deliver and handle bounces
// Sanity check only (not RFC-complete)
const rough = /^[^\s@]+@[^\s@]+\.[^\s@]+$/;
// Library option
import { validate } from 'email-validator';
// Best: try to deliver and handle bounces
Why
The RFC 5321/5322 spec is extraordinarily complex. A 100%-correct regex is hundreds of characters long and still cannot verify deliverability. Only sending a message verifies an address.
Gotchas
- Overly strict regex rejects legitimate addresses like user+tag@example.com
- Internationalised domain names require additional handling
- Even a perfectly valid address can bounce — format does not equal deliverability
- Never block sign-up based on regex failure alone
Code Snippets
Email validation strategy
// Rough sanity check
const looksLikeEmail = /^[^\s@]+@[^\s@]+\.[^\s@]+$/;
// Valid emails that naive regex often rejects:
// user+filter@example.com
// "quoted"@example.org
// user@[192.0.2.1]
// Real strategy: accept broadly, verify by deliveryRevisions (0)
No revisions yet.