Email Address Validation Guide


I often get questions on how to do email address validations in web applications. The answer varies depending on how deep you're willing to go down the rabbit hole. In this article, I'll cover all the options I know of, explain the pros and cons of each, and give you a recommendation on what to use in which situation.

The Basics of Email Validation

Most of the time, the best thing to do is simply to check that the address contains an at sign (@) with something before it and something after it. This is the bare minimum, and most of the time it is also the optimal solution. You can check for it using a simple regular expression /.+@.+/, like so:

const emailIsValid = (email: string) => email.match(/.+@.+/) !== null;

This also seems to be the default pattern in HTML5 when used like so:

<input type="email" required />

This solution gives the best bang for the buck: you filter out all the obvious errors. It also doesn't produce false negatives, meaning that it is pretty much guaranteed to match any email address, now and in the future. You won't have to keep up with email address standards, new top-level domains, new characters like emoji, etc. Most attempts to create a stricter email validation rule will inevitably end up incomplete and reject valid addresses, or require a huge initial investment and then constant maintenance.

If that didn't convince you, check out examples of wild, yet valid email addresses.

One Step Further: Domain Part Validation

I don't recommend it, but you could check that the domain name has a dot in it with the following regexp: /.+@.+\..+/. The domain part of an email address technically doesn't have to include a dot (admin@localhost); however, such addresses are usually not public and are used for technical reasons, not really something you'd provide when buying a book online, for example. However, nowadays anyone can buy their own top-level domain (TLD) for a reasonable price. If I bought .mazurok, I could technically have maxim@mazurok without .com or anything, and it would be a valid public email address. So, while highly uncommon, this check might reject some valid addresses. Imagine if CEO@google is trying to order a million copies of your software and they can't because of your strict email validation: that could be devastating for your business.

Doing any more complex domain name validation would require quite a bit of maintenance and extensive testing. You can have all sorts of domains, even தீ.இந்தியா or ꓸ.com. Ah, and you can also use an IP address instead of a domain name. So... good luck writing a regex or keeping up with newly registered TLDs. I wouldn't recommend it.
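To see the trade-off between the two patterns above, here is an added example (not code from the original article) that runs both over a constructed set of addresses and reports which syntactically valid ones only the dotted-domain rule turns away. The sample addresses, including the bracketed IPv4 and IPv6 literals, and the helper names are assumptions made for illustration.

```typescript
// Added example: the two patterns from this article, run over sample input.
const MINIMAL = /.+@.+/;     // something, an @, something
const DOTTED = /.+@.+\..+/;  // additionally requires a dot after the @

// Constructed sample data: syntactically valid addresses, including the
// dotless and IP-literal forms the article mentions.
const VALID_SAMPLES: string[] = [
  "maxim@example.com",
  "admin@localhost",
  "maxim@mazurok",
  "CEO@google",
  "user@தீ.இந்தியா",
  "user@[192.0.2.1]",
  "user@[IPv6:2001:db8::1]",
];

// Constructed sample data: the obvious mistakes a form should catch.
const OBVIOUS_ERRORS: string[] = ["", "maxim", "@example.com", "maxim@"];

interface Verdict {
  address: string;
  minimal: boolean;
  dotted: boolean;
}

// Evaluate every address against both patterns.
function compare(addresses: string[]): Verdict[] {
  return addresses.map((address) => ({
    address,
    minimal: MINIMAL.test(address),
    dotted: DOTTED.test(address),
  }));
}

// Valid-looking addresses the minimal rule accepts but the dotted rule rejects.
function rejectedOnlyByDotted(addresses: string[]): string[] {
  return compare(addresses)
    .filter((v) => v.minimal && !v.dotted)
    .map((v) => v.address);
}

// Addresses that get past the given pattern (expected empty for the errors).
function accepted(pattern: RegExp, addresses: string[]): string[] {
  return addresses.filter((a) => pattern.test(a));
}
```

Both patterns reject every entry in OBVIOUS_ERRORS, so the dot requirement catches nothing extra in this sample; its only effect is to turn away the dotless and IPv6-literal addresses.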

This article is a work in progress. I'll be adding more content soon. Stay tuned! 🚀
