2) Lots of people (including the author http://news.ycombinator.com/item?id=4486264) think that you should at least validate that the '@' is somewhere to avoid username / email mixups
3) If your regex fails for foo+tag@something.com lots of people get pissed. I learned you can use that for inbox sorting since foo+tag@something.com goes to foo@something.com.
4) There are other schools of thought that promote validation and telling the user something is wrong like mailcheck.js (https://github.com/Kicksend/mailcheck), but these should not stop users from submitting forms.
One suggestion I would add: Let them in right now, and confirm later. Sites that require you to wait for an email, click a validation link etc... have a higher barrier to entry. Sometimes email is slow, sometimes it ends up in spam, etc...
Just let the users in at first to poke around before forcing them to validate their email. After a day or two (or maybe to access certain features) remind them they need to confirm that email they got if they haven't already. Yes, some people may try your product and you won't have their real email address, the the ROI on spamming these people later is probably not worth the initial friction.
If you've been developing login systems for any length of time, this should be fairly obvious.
Be careful about taking that "it’ll get bounced" attitude too far though. The last time I did so I forgot to trim the email addresses and didn't lowercase them. Failing to trim will probably result in the email going through, but then might cause problems later on when you try to match their login ID to what they enter the next time.
A similar issue arises for case. Email addresses are supposed to be case sensitive but providers don't seem to take advantage of it in practice. Again, the case a user types varies from time to time (I assumed nobody used upper case... it seems silly). And if you switch to case insensitive login IDs down the line, you may have to deal with duplicate accounts (same email but different case).
Regarding upper case: I've taken to typing the first part of my work email address as "JensenS". My wife and I work at the same place, and when I wrote it as "jensens" there were honestly people who assumed that address was a plural and went to both of us.
Following this advice creates a lot of "I never got my activation email" and "Why won't it let me log in" support emails that are a big pain to deal with. It's pretty important to nip that in the bud, hence immediate email address validation.
I couldn't help thinking while reading this that my main concern with registration systems isn't the complicated Regex as much, but rather the really annoying registry bots that sign up phantom accounts. I'm not a huge Captcha fan, but without something (Recaptcha, ghosted fields, etc) you'll get SPAMMED with tons of fake accounts - and they have valid emails, AND the bots click on the links in the confirmation email automatically. It's really sad.
That verifies the domain, but not the actual mailbox.
One possibility would be to lookup the MX, then connect to the remote MTA and ask it directly if the mailbox is valid. But that seems a bit like over-engineering.
Well the link in the previous post had a trailing slash.