How to Validate Email Addresses With Regex (The Right Way)

Most email validation regex patterns online are wrong. Some are too strict — they reject valid addresses like user+tag@sub.example.co.uk. Others are too loose — they accept @. as a valid email. Here is the correct approach.

What email validation should actually do

The goal of email validation is not to prove the email address exists — only sending a verification email can do that. The goal is to reject obvious non-emails (empty strings, missing @, no domain) while accepting everything that looks plausibly valid.

Overly strict validation is worse than overly loose: you'll reject real customers.

The practical pattern (JavaScript)

const EMAIL_REGEX = /^[a-zA-Z0-9.!#$%&'*+/=?^_`{|}~-]+@[a-zA-Z0-9](?:[a-zA-Z0-9-]{0,61}[a-zA-Z0-9])?(?:\.[a-zA-Z0-9](?:[a-zA-Z0-9-]{0,61}[a-zA-Z0-9])?)*\.[a-zA-Z]{2,}$/

function isValidEmail(email: string): boolean {
  return EMAIL_REGEX.test(email.trim())
}

This pattern is based on RFC 5322 simplified — it accepts all common valid addresses including plus-tagged, subdomain, and long TLD addresses, while rejecting addresses with no @, no domain, or no TLD.

What it accepts and rejects

✓ Accepts (valid)

user@example.com

user+tag@example.com

user@sub.example.co.uk

123@example.org

user.name@example.io

✗ Rejects (invalid)

user@

@example.com

user@.com

userexample.com

user @example.com

Python

import re

EMAIL_PATTERN = re.compile(
    r"^[a-zA-Z0-9.!#$%&'*+/=?^_`{|}~-]+"
    r"@[a-zA-Z0-9](?:[a-zA-Z0-9-]{0,61}[a-zA-Z0-9])?"
    r"(?:\.[a-zA-Z0-9](?:[a-zA-Z0-9-]{0,61}[a-zA-Z0-9])?)*"
    r"\.[a-zA-Z]{2,}$"
)

def is_valid_email(email: str) -> bool:
    return bool(EMAIL_PATTERN.match(email.strip()))

Go

package main

import (
    "regexp"
    "strings"
)

var emailRegex = regexp.MustCompile(
    "^[a-zA-Z0-9.!#$%&'*+/=?^_{|}~-]+@[a-zA-Z0-9](?:[a-zA-Z0-9-]{0,61}[a-zA-Z0-9])?(?:\\.[a-zA-Z0-9](?:[a-zA-Z0-9-]{0,61}[a-zA-Z0-9])?)*\\.[a-zA-Z]{2,}$",
)

func isValidEmail(email string) bool {
    return emailRegex.MatchString(strings.TrimSpace(email))
}

The things regex cannot catch

→Whether the email address actually exists (mailbox check requires sending)
→Whether the domain has valid MX records (requires DNS lookup — use a library like email-validator in Python for this)
→Disposable email addresses (use a service like Kickbox or Abstract API)
→Typos like gmail.con vs gmail.com (use a suggestion library like mailcheck.js)

When to validate

✓Client-side: immediate feedback as user types (debounce 500ms, validate on blur)
✓Server-side: always — never trust client-side validation alone
✓Before sending: deduplicate and validate your list before any email campaign

Need a custom validation pattern for your specific requirements? Describe it in plain English and the AI Regex Generator will build and explain it for you — free, up to 10/day.