
Stop Validating Email Addresses With Your Complex Regex - master_dee
http://davidcel.is/blog/2012/09/06/stop-validating-email-addresses-with-regex
======
montecarl
Why not have a simple validator that works with 99% of users emails but not
make it mandatory that it passes validation?

"We see that bob@localhost doesn't look like a email address are you sure it's
right?"

That way you can help users that messed up their email but not prevent all the
corner cases. The idea is that most email addresses fall in a very narrow
subset of the RFC: user@domain.tld and most people would have entered their
email wrong if it didn't match that pattern.

------
nostromo
I don't think this is good advice.

From a previous startup we saw a ton of signups like, "john@gmail" and the
like. Obviously this person will not get a validation email -- and in all
likelihood will not be able to log in to his account when he returns. It's
best to catch him when he's entering the information.

~~~
ljd
I hear and understand a lot of the comments on this thread mention that regex
saves the user from a typo and such. So I want to vouch for a github project
called mailcheck[0] by the Kicksend team that's great.

At Ventata, we used to have the same issues you've all described with people
forgetting things like ".com" and "gmial" vs "gmail". Once we started using
mailcheck our bounce rate went way down. Now we only get bounces when people
deliberately give us faulty addresses, but we aren't really concerned with
trying to convert them. They are checking us out and want to stay anonymous, I
don't mind that.

That condition aside, Mailcheck is pretty much all you'll ever need.

[0] <https://github.com/kicksend/mailcheck>

~~~
baudehlo
The only thing mailcheck doesn't do is check if the domain has MX records, so
valid looking domains that you'll never be able to send anything to will pass.

I've tried to help this situation by creating an API for you guys:
<https://www.emailitin.com/email_validator>

~~~
adamzochowski
Domains without MX record can be valid, as mail servers, upon lack of MX
record, will query for A record.

~~~
claudius
Or AAAA records.

------
smackfu
The question is why people are validating the email in the first place.

* to ensure it is deliverable? Well, then you better send them an email.

* to let people know when they misread the labels and put something that was clearly not an email in the email field? A simple check for an at-sign is usually sufficient.

* because some tester opens a ticket saying you can enter an invalid email in the email field? Yeah, that's where most of the complicated regexps come from.

~~~
citricsquid

        to ensure it is deliverable? Well, then you better send them an email.
    

I deal with user support for a site and I'd estimate at least 2% of our new
users (>50 people PER DAY) enter wrong email addresses. Not "I forgot to put
.com at the end" but "I thought my email was john.doe@gmail.com when it's
actually john.doe@yahoo.com" which would pass validation with flying colours.
The only real "solution" is to tell a user if the validation email has been
sent yet (to deal with "well maybe I should wait 5 more minutes") and if it
has and they don't have it allow them to change their email to their real
email address. So many sites (incl. the one I manage) do not allow this, it's
crazy.

~~~
coderdude
>if it has and they don't have it allow them to change their email to their
real email address

Couldn't an unscrupulous individual use that feature to take over non-
activated accounts? An immediate use for that exploit doesn't spring to mind
but this makes my spidey sense tingle. What sites allow this?

~~~
citricsquid
From my experience a user will almost always remember the password they've
just entered, even if they got the email wrong. They should be able to login
to a not-yet activated account and be presented with the option to correct the
email for the activation email to be sent to. There's no potential for abuse
there.

------
blowski
I worked in a lead-generation agency for some time. We were doing competitions
that could produce 50-100K entries per day, where the end result was a
marketing email encouraging you to buy something.

So we did lots of multivariate testing, with permutations of regex patterns,
MX record validation, sending a confirmation email, client-side only, server-
side only, etc.

What we found was that a decent regex pattern (we used
\b[A-Z0-9._%+-]+@[A-Z0-9.-]+\\.[A-Z]{2,4}\b, taken from <http://www.regular-
expressions.info/email.html>), with MX record validation and common junk
domains blocked (e.g. mailinator.com) produced the largest conversion rates in
the follow-up email.

In other words, less validation produced more entries, but they would have
been lower quality, which affected our sender reputation and cost more. The
confirmation email was awful for conversion. YMMV.

------
pygy_
Oh the irony. His suggested Regex is not even correct.

    
    
        /.+@.+\..+/i
    

A trailing dot is valid at the end of a domain name. These domains are said to
be fully qualified.

<http://www.dns-sd.org/TrailingDotsInDomainNames.html>

This also potentially eschews internal deployment.

His other suggesiton, /@/, at least, is not harmful, but there are validators
based on the RFC that do the job for most platforms.

Validating the address may provide useful feedback to users who accidentally
mistyped something, invalidating the permise of his last paragraph.

.

/someone is wrong on the internet.

------
twistedpair
Amen! Anyone else here use myemail+token@gmail.com when they have to register
with their email to find out who is selling them out and to make spam filters
easier?

It still amazes me that 70% of the places I attempt using foo+bar@gmail.com
call it invalid. And that does not even begin to touch the myriad valid
permutations that are "invalid" out there.

~~~
FireBeyond
And likewise, it amazes me that people think that for all their efforts at
combating filters, captchas and the like, that the most nefarious of spammers
aren't stripping off "+token"s from email addresses.

~~~
kstrauser
Spammers tend to be stupid. When I post my email address as
"me+tag@mydomain.com" on a certain popular, well-scraped website, I see lots
of rejected traffic to "tag@mydomain.com".

------
salimmadjd
I wish OP had provided some actual A/B registration fall-off data. For me
client-side validation is more for catching user error than to do any actual
"validation". That's always been the job of confirmation email.

I think there is going to be a very low percentage of users who will register
again if they don't receive a confirmation email, unless you're giving away
free iPhones. Granted regex can not catch most of the user-generated errors,
but it can catch a few which could still increase you registered users.

To that point a better UI/UX (font size, spacing, etc.) might do a better job
in lowering typos in email.

~~~
davidcelis
I wish I'd done that too, in retrospect. I could obviously have done much more
research around my opinions, and there's one use-case in which what I'm
advocating simply does not work: when you are _paying_ to send those emails.
In that case, yeah, you're gonna wanna do some validation.

------
MattBearman
My goto for email validation is /^.+?@.+?\\..+?$/

Incase I've typed it wrong, that should basically work for anything that
contains at least one @ and one dot, in that order, as well as at least one
character at beginning, middle and end. It's served me well thusfar.

Edit for clarification: The reason I prefer this over just checking for an @
is that if you're just checking for @ a common mistake like "me@hotmail,com"
will be considered valid.

~~~
sirn
My favorite: /.\@.*\\../

It should be similar to your version, but only matches just enough parts that
require for email validation (i.e. "o@example.c" part of foo@example.com).

~~~
MattBearman
I like that, much more elegant! My only changes would be to make the middle .*
into .+? as that way it requires at least one char, and the ? is for lazy
repetition.

------
onemorepassword
This has been an issue since the day I started programming for the web, back
somewhere in '95.

It has regularly come up on HN, and pretty much any programming related forum
I've used since the mid-90's.

As an industry at the heart of the information society you have to wonder what
the hell we are doing wrong if we cannot stop this constant regression into
well known bad practices.

~~~
wodow
I understand the argument re validating email addresses passively (regex, no
regex, etc.) vs actively (send an email by SMTP).

What I don't understand with this ever-repeating discussion is why the
complexity has to be visible. e.g.

    
    
        > <LARGE REGEX>
        > Yeesh. Is something that complex really necessary?
    

Many functions are complex - we put those in libraries, pushing them under the
hood, and move on.

What is so special about parsing email addresses that makes everyone invent
their own solution - regex or otherwise?

~~~
baby
Plus a Large Regex for mail validation is not supposed to be heavily used.
It's supposed to be used once at registration for example. So why would it
matter if it's slow/heavy/...

~~~
chris_mahan
Maybe it is less resource-intensive to actually send an email rather than use
a heavy regex to validate the email?

~~~
baby
I really don't think so since you're soliciting an email server while a regex
is just some code that has to be run, and they are run on a tiny string (a
mail is never really long).

Also it's bothering for the user, if you need mail confirmation then do it,
but otherwise it should be a RULE OF THUMB to always avoid annoying user. Thus
avoid mail confirmation.

This article is actually a really bad advice. I don't know why it's upvoted so
much.

~~~
chris_mahan
I'm not completely sure that I get annoyed when a web site sends me a
confirmation email. It helps me know that the site indeed knows my correct
email.

------
ScottWhigham
Don't bother even reading it. His solution is to "Just send your users an
email. The activation email is a practice that’s been in use for years, but
it’s often paired with complex validations that the email is formatted
correctly. If you’re going to send an activation email to users, why bother
using a gigantic regular expression?"

Want to know why it's not more common than the regex "method"? His method has
its own host of problems - what if your mail server is down for six hours -
will people come back to your site six hours later when they get the email?
What flags will get set on your sender account when Gmail gets 100,000 bogus
email sends? Do you force your users to "Look in your inbox and click the
activation link" for every email address change also? There are others but
I've made my point. There's a finite amount of "stuff like this" that users
will put up with - you can either put the onus to "get it right" on the user
(regex validation for emails), or you can put that onus on your system.

An argument for another is always, "If a user can't get their email address
entered correctly, I don't want them as a customer". And you can take that
multiple ways - technical difficult entering emails, "challenging" email
addresses, etc.

~~~
jiggy2011
People are _far_ _far_ more likely to get their email address wrong by
misspelling their own name or putting @hotmail.com when they meant to put
@gmail.com; regex will not protect you from either of these things.

We actually had an email list of ~50k people that had been validated within
nothing other than "check there are at least 3 characters in the string" and
when we looked at which addresses were bouncing when we sent to them there
were approximately zero that failed because they had ommited the @ or because
they were using some weird invalid unicode.

Even the spam bots were submitting valid email addresses.

~~~
ScottWhigham
Spam bots, if there was no check in place to slow them down, would dwarf real
people registrations in all systems always. So let's not confuse these two
topics - they are different. One part of a system that allows users to
register needs to ensure that you have an identifier for a customer and a way
to contact that customer, and other techniques try to ensure that you aren't
allowing the spammers in the door. Whether you use regex or sending an
activation email - neither of those can tell you whether this email address is
or is not a spammer.

~~~
jiggy2011
That's true, but I would posit that you need a registration email anyway
(assuming you even care if the email is valid) because even if your regex is
perfect there's no way to detect people simply mistyping their email address
in a way that is technically valid.

This is going to your dominant type of failure.

------
baby
In PHP you have default functions that can verify emails :

filter_var('bob@example.com', FILTER_VALIDATE_EMAIL)

more info here : <http://php.net/manual/en/function.filter-var.php>

~~~
davidcelis
And that uses a giant regex.

~~~
lucb1e
At least it's a standardized way of doing it. If it turns out to contain an
error, it can be fixed for all websites with an update.

------
lnanek2
The driving force is that you want to correct an invalid email ASAP,
preferably in the client with live feedback coloring, etc.. Most email
services I know don't give you any immediate feedback, and some only give you
a basic check that can bounce later. So claiming you just have to check for an
@ sign and try sending means there is going to be a huge delay before you know
about the error.

Saying the user will just come back and register again is not good. That's
like saying if your page is very slow to load, users will just wait for it to
load. They don't. They leave and never come back most of the time.

If you can't afford to write the code to help the users fill out the form in a
way that will work, fine, that's something you didn't have time for
considering the percentage of users it will help/retain. But don't claim it is
useless.

~~~
darkchasma
Not useless, but validation of the presence of a valid email does not validate
the accuracy of the email. It may be valid and still wrong. Therefore the
return on investment, and the possible exclusions of valid email doesn't
justify the time in most cases. So not useless, but certainly a poor
investment of time.

------
feralmoan
A basic regex is more than enough and you don't even need to deliver a
message, just connect to the MX for their domain and check that A) The domain
resolves an MX and B) That you can handshake for a 250 OK on the rcpt to
header only, then drop the socket. Done! It's not that slow and you're
leveraging the one thing an SMTP server does really well - be RFC822
compliant. It's something that can be delegated out of process anyway (as a
promise or RPC etc) as soon as the email is entered, and resolved when they
submit the form. Problem with the email? Then raise it for correction or pass-
through... its probably the same amount of code and half the time for end-to-
end delivery testing than crafting a bunch of edge case regexes and praying it
works.

~~~
dcao
How can you validate the MX record for their domain programmatically?

------
jeremysmyth
_If you really want to do checking of email addresses right on the signup
page, include a confirmation field so they have to type it twice._

No. This puts the burden of checking email validity on _every user_ , even
perfectly capable valid users. If you're validating for edge cases (mistakes
or otherwise invalid addresses), treat it as an edge case and don't annoy
users who can type.

~~~
wtbob
> This puts the burden of checking email validity on every user, even
> perfectly capable valid users.

? Whenever I hit a form which wants me to retype my address, I just triple-
click to select the entire address, then middle-click to paste it into the
confirmation field.

~~~
pluies
Meet the airline I booked with yesterday: two email fields, with paste
disallowed _only on the second one_.

:(

~~~
tomjen3
How do you even prevent that? You need some seriously broken code to catch a
system wide short-cut.

------
joshuahedlund
Assuming that running the regex is much faster than sending an email, it would
probably be much less server load to check the regex and never send X% of
emails, unless X is extremely small.

(Looking up and implementing a regex) * 1 + (running the regex) * (every
email) + (sending email) * (every valid email) < (sending email * every email)

Also, this post only considers the signup/activation use case. If you're
getting an email for ecommerce to send an order confirmation, you want to know
if the email might be invalid before the user completes the order and you try
to send it.

~~~
SideburnsOfDoom
This assumes that you get the regex 100% right and never lose a user by
rejecting a valid email address. This is _much_ harder than it seems (
<http://www.ex-parrot.com/~pdw/Mail-RFC822-Address.html> ), and is no
guarantee an valid email address that is in use, as the article makes clear.

After some very basic checks, e.g. "contains at at least 3 chars, one of which
is an @", you should _Just. Send. The. Email._

Who bothers to type in a complex but invalid email address? The overwhelmingly
common failure modes are:

1) Nothing entered at all. The basic check catches this.

2) Deliberate invalid email address. e.g.
_homer.j.simpson@springfieldnuclear.com_ \- a regex will not catch this.

3) Typo in email address. e.g. _john.smith@gmial.com_ \- a regex will not
catch this either.

The regex has downsides and complexity, but essentially no benefit.

~~~
baudehlo
Please don't quote that RFC-822 regexp when arguing this. That's for the
contents of mail headers (which can include comments and so on), not an actual
valid email address.

A regexp for validating RFC-2821 email addresses is actually fairly simple.

~~~
SideburnsOfDoom
Whichever RFC it is, it is not so simple that everyone gets it right. For
innstance, a significant percentage of websites don't let you register email
addresses containing a plus sign in the name, e.g.
_john.smith+foo_bar@host.com_

------
joshuak
The OP and a lot of posters here don't seem to understand the problem or the
purpose of the solution. The whole point of this is to avoid an unrecoverable
error, a bricked account.

You are only trying to catch email addresses that are entered in error at
account creation time so that a user will actually get the confirmation email.

The actual problem is that if they enter an email address incorrectly they
will crate a dead account that they can never log into again. In addition if
they used their favorite user name, or a referral code or any other important
consumable when creating the account then you've effectively blocked that user
from even creating a second account.

The real solution is to use validation email to confirm an email address, but
to allow them to login to the account even if the email is not yet validated.
You won't even have to make them type it in twice. Simply limit them to only
being able to edit account information and settings.

Email is validated, users have a window to correct any issues and you've
eliminated the unrecoverable error altogether... oh and no regex.

------
_fs
HTML5 has you covered. You can use HTML5 input verification with the
following:

    
    
       <input type="email">
    

Of course, if your user is not using an HTML5 compliant browser, then this
will be ignored.

------
nakovet
When the regex is not RFC complaint is the worst case, for example, I want to
use . or + on my mail address and the website don't allow me.

~~~
pyre
... And remember, the password can only be 8-16 characters [A-Za-z0-9] because
we wouldn't want to do accidentally cut yourself on some other 'weird'
character like a space or underscore or something. ;-)

------
saucetenuto
Yeah, and then you wind up sending mail to "joe@hotmailcom" or
"liz@gmailc.om", and your users don't get your messages and are sad. Don't
validate the local part, do validate the domain.

~~~
claudius
Especially since this is extremely easy to do, it’s just three DNS queries
away (plus one in case of CNAMEs).

------
cthackers
So what's wrong if you do a full validation (<http://www.ex-
parrot.com/pdw/Mail-RFC822-Address.html>) ? You as developer or site owner or
user don't need to do it by hand or in your head. It is done in a fraction of
a second by the computer even if benefits are not the greatest like validating
the strength of a password but still. Complaining about it because you don't
like it and telling other people not to do it because of your reasons and
spending time writing a blog post about it is overkill - like validating the
email address with a regexp :)

~~~
baudehlo
There's nothing wrong with doing full validation. Just don't use that regexp -
it's for RFC822 email addresses, which is how you might see them in an email
header, including things like comments.

You want an RFC821 (or more specifically RFC5321 now) email address regexp.
See my post here about the email validator I wrote:
<https://www.emailitin.com/email_validator>

------
joshfraser
You'll hurt your email reputation if you send too many emails that bounce.
It's worth checking everything you can before firing off an email. This
includes using a decent regex and doing a lookup on the domain to make sure
they have an MX record. While technically you can have a mail server with no
MX record (it falls back to sending to the A record), you won't find too many
mail servers configured that way in the wild. In many cases such as email
marketing, protecting your email reputation is far more important than
handling the 1 in a million user with an unusual email address or mail server
configuration.

~~~
wtetzner
Also, instead of just failing to allow the email address, you could warn the
user that what they entered doesn't appear to be valid, and that they should
double check the address.

------
ChrisLTD
Glad I'm not the only one just checking for an '@'. I wouldn't want to prevent
users from registering with my sites just because I didn't foresee some funky
email address formatting with my regular expression.

~~~
nkuttler
So you're forcing me to write @localhost :-(

Edit: Oh wait, on your own sites :-) I'm just slightly annoyed that I have to
add a fqdn when doing local development with some apps...

------
moubarak
Discussion from previous post <https://news.ycombinator.com/item?id=4486108>

------
PleaseBeSerious
IF I were to validate by regex, I would put a confirmation for emails that I
couldn't validate that read "We are very sorry but your email doesn't appear
to be valid, however validating emails is very difficult so it may be our
mistake. Can you confirm your email is correct?" And if they don't modify it,
accept it as valid. It is an extra step but seems more friendly.

------
deltaqueue
If you want to maintain a high reputation for your MTA's deliverability,
ignore this post. Attempting to send hundreds, thousands, or tens of thousands
of malformed addresses to domains (some of which will be well-formed) will
result in a higher spam score that will ultimately create more work for
whoever is managing your mail platform.

------
kolya3
I would rather lose a few users through a faulty regexp than lose double digit
percentage through an email activation step.

~~~
gkop
No regexp in the world will tell you if an email address is real.

~~~
kiallmacinnes
Of course - I doubt anyone (smart) has ever claimed that to be the case.

However, they can, if implemented correctly, tell you if the email address is
syntactically valid.

------
tokenizerrr
That seems terrible when combined to a username which needs to be unique. User
registers with username, email and whatever else. Email is incorrect, they
never receive the activation email and cannot register a new account using
their preferred username.

Of course there's plenty of ways around that, but this seems to be the most
common pattern.

------
baudehlo
This has come up so often on Hacker News that I decided to create a very
simple JSON API for checking email addresses. Free to use for anyone. Performs
the right regexp check for email addresses based on RFC-5321 rules (not the
oft-quoted but incorrect RFC-822 rules, which are for mail headers), performs
MX lookups to ensure mail can be delivered, and performs the same "did you
mean" type checks that kicksend's mailcheck performs.

I've included both jQuery and server side example code on the site.

<https://www.emailitin.com/email_validator>

~~~
korg250
If I type name@outlok.com instead of name@outlook.com, it says the email is
valid - when in fact it is not.

~~~
baudehlo
The domain outlok.com has an A record which points to 208.87.35.108 which I
can even connect to on port 25 (though I don't perform that test). Until you
actually mail that address there's no way to distinguish this from a valid
email.

------
DanBC
You collect their email because you wish to send email to them at some point.

Thus, you must send a confirmation email, with a "click to confirm" link in
it.

This keeps your email address list clean; it also validates all the email
addresses.

------
spc476
I would think the following would be best practice:

1) use LPeg or something similar to validate the actual text of the email
(here's some LPeg that parses the headers of an email, certain one can pull
out the email address portion: <https://github.com/spc476/LPeg-
Parsers/blob/master/email.lua>).

2) Take the domain part and do a DNS MX lookup on it (to be pedantic, if that
fails, then one should do a DNS A lookup). That will check if the domain is at
least valid.

------
5teev
It's an interesting intellectual exercise to build THE email validation regex,
but it's shortsighted to inflict your experiment on the public.

While I definitely enjoyed how Friedl's book (<http://regex.info/book.html>)
builds over several chapters to an ever more complex solution, maybe a page
long, my takeaway was: don't bother. A friendly UI will help users avoid an
obvious mistake, but as other posters have pointed out, the only real
validation is, does an email get there?

------
Tactic
I wish more sites would use a validation email. I get a good number of emails
for people that have my (real) name but use my email address on gmail (since I
have the same name) to sign up when they don't want to recieve emails from the
site. Thus I get to enjoy them. When the site sends a validation email I just
ignore it and never hear from them again.

As a side note, be cautious of using such a tactic. I have recieved their
logins, CC and Physcial Address information because of this.

------
raawlls
How about this: Add a mailto link that sets the subject to some type of token,
they click the link, hit send, app catches the email, sets the correct address
accordingly.

~~~
cthackers
This is actually a very good idea. But most users have a throw away email
address for registrations and one for personal use. And for me for example, if
i click a mailto link it will open the mail client with my personal email so
I'll have to copy paste all that into my gmail throwaway email that may not
even be opened. So I'll have to open the browser, click on........ But is
indeed a good workflow alternative to consider for email verification.

~~~
raawlls
Valid points. I hate mailto links in general, and can totally see the workflow
getting messed up by not having your default mail client set to what you
actually want.

However, I think most people know how to at least access their email (always
logged in), so provided you could get them into their client, with a token,
quickly, with a small number of clicks, might be interesting. Of course, it
could be spam central.

------
jstanley
A good reason to validate email addresses is to prevent SMTP injection.

Depending on how you're sending the mail, it may be possible to insert
arbitrary headers and body after a \r\n in the email address field. I know
I've built at least one system that is vulnerable to this. Then you can put
the body after your special headers and hide the rest of the message (either
as an attachment or an HTML comment).

This then makes your signup form into what is effectively an open relay.

------
MarkHarmon
I'm against all of the complex regex as well, having learned through trial and
error that it is usually way more trouble than it's worth. That being said,
there are many cases where the email address being verified is not the user's
email, but maybe someone they are doing business with, and they don't want the
system sending a verification email to every email address they are saving
with your software.

------
prawks
Is a decent regex with dynamic yellow field coloration (and bolding for
accessibility) accompanied by a message like "Your email address is of an
unfamiliar format or may contain a typo" too intrusive? Then just allow the
user to submit with that email without any automated validation.

It's not 100% idiot-proof, but I'd imagine it would be pretty effective for
laypeople and hackers alike.

------
oakwhiz
I don't understand why sites don't just warn the user with a confirmation
dialog if their regex doesn't match (e.g. "Your email address looks wrong, are
you sure") and allow users to use their potentially invalid email anyway. This
avoids the problem of users making obvious mistakes and the problem of users
with strange RFC-compliant email addresses being denied.

------
pardner
OP is right about not using regex, but wrong about the "just send it" solution
(for reasons outlined by several other posters).

We use this clever (and well-explained) solution from [http://my.rails-
royce.org/2010/07/21/email-validation-in-rub...](http://my.rails-
royce.org/2010/07/21/email-validation-in-ruby-on-rails-without-regexp/)

------
hippich
I believe that he is right that you should not rely on regexps to validate
emails, but I disagree that you should stop it completely.

First of all - less incorrect emails sent - less chances to get marked as spam
host. Second - it is very easy to catch obvious errors user can do on front
end and ask user to correct it. These two is big ones imho

------
Kiro
I don't validate emails at all. If you want to enter 'a' that's fine but you
won't get any emails.

~~~
Kequc
I'm the same. An email address isn't an identity.

Some people use many email addresses and so could create many accounts. With
one email address they can still use the '+blahblah' method to sign up
unlimited times, unless you prevent that which would annoy people who use it
legitimately for filtering.

Some people have a garbage or throwaway email account that they sign up for
everything with, and only ever look at to find the confirmation emails.

If people don't want to give you a valid email then there's no reason to be
sending them anything.

~~~
Kequc
If you own any domain you can forward <anything>@yourdomain.com to the same
inbox. Then sign up for unlimited accounts that way.´

------
dutchbrit
For those that use PHP, use the following: filter_var($email,
FILTER_VALIDATE_EMAIL);

Regex from the source: [https://github.com/php/php-
src/blob/master/ext/filter/logica...](https://github.com/php/php-
src/blob/master/ext/filter/logical_filters.c#L533)

~~~
ramy_d
yes, there's a good page here about the different regexs:

[http://fightingforalostcause.net/misc/2006/compare-email-
reg...](http://fightingforalostcause.net/misc/2006/compare-email-regex.php)

------
ambiate
Indeed. I was installing Crunchbang. Our local proxy knows to route our local
username to our email addresses in our VPN. Yet, the validation required an @
symbol. It is against our standards to use our @ email internally. Sigh.

------
sschueller
In PHP land you can use this handy built in function (
<http://php.net/manual/en/filter.examples.validation.php> ) which works well
enough.

------
darkarmani
So we should be using a recursive descent parser? The email address format is
a context-free grammar, so the "regexes" that would work are using features
not included in true regular expressions anyway.

------
pbreit
I like the "don't regex emails" but don't like the "unnecessary email
validation emails". If you're requiring email validation unnecessarily (ie,
you're not PayPal), you're losing a lot of business.

------
S4M
I agree with the author of this blog, but he doesn't address the problem where
you want to scrap all the email addresses in a text file. For this situation,
I don't see what to use except regexp.

~~~
arkitaip
First you verify the email, then you process the emails. What good is a list
of email addresses if you haven't verified their authenticity?

~~~
S4M
Yeah, but it you want to get all the emails in a text like "Please contact me
at myfakemail@gmail.com. I already sent an email to contact@mycompany.com, but
no one replied...", then you would have to use regexp.

------
vpeters25
I would like to make a plea to anybody coding email verifications to please
include the ip address of the request, this way we get a sort of warning
somebody is trying to impersonate us.

------
Alex3917
"Feeling ambitious? Then check for the dot too: /.+@.+\\..+/i. Anything more
is overkill."

I personally prefer: /[^@]+@[^@]+\\.[^@]+/

Basically the same except that it will throw an error if someone enters an
extra at sign.

~~~
prothid
Yeah, I basically check for one @ sign and some very basic sanity checking on
the right side.

/^[^@]+@[^@]+\\.[^@.]+$/

~~~
claudius
As I just noticed, @ is valid in the local part of an email, too, it just has
to be properly quoted (using \ or " "). You can send me email at

    
    
        "a# b.@c"@[IPv6:2001:4dd0:fc8c::1]
        a#\ b.\@c@[IPv6:2001:4dd0:fc8c::1]
    

now :-)

------
bjhoops1
For what it's worth, sending a confirmation email is a great way to stop bots
as well, skirting the whole Captcha thing.

------
hna0002
Out of curiousity, why would you not use input type="email" instead?

------
racl101
I'd rather let the Regex do the job than the email server .

That's just me.

~~~
lucb1e
Good point considering security, but I still disagree. You're much more likely
to get it wrong by validating than a mailserver is.

------
gregjor
Agree, but this is not an example of a regex problem.

------
roozbeh18
my favorite is google chrome built in email check which is enabled with a
required tag.

------
dmourati
Proof is in the pudding...

------
seivan
Actually monolithic regex are bad in general.

------
_pmf_
I read sections about email validation in 1998 in moldy thrift store PHP
hardcovers. Why is an article that is slightly worse than these historic
artifacts on the front page?

