HomeArticlesHow ToValidate Email Addresses
HOW TO

How to Validate Email Addresses

Learn how to validate email addresses — checking format, MX records, disposable domains, and role-based prefixes. Includes regex and free online validator.

Updated 2026-06-26

Free calculators used in this guide

Email Validator

Sending email to an invalid or undeliverable address is one of the most avoidable causes of poor email deliverability, high bounce rates, and eventual blacklisting. Validation is not a single check — it is a layered process covering format, domain infrastructure, and address hygiene. This guide walks through each layer in order, explains the methodology behind it, and shows you what to do (and what not to do) at each step.

Overview

Email validation is the process of verifying that an email address is correctly formatted, points to an active domain with mail infrastructure, and is not a known throwaway or role-based address. Proper validation before adding an address to any system — registration forms, contact capture, checkout flows — protects your sender reputation and ensures your messages actually reach real people.

A fully validated email address has passed four tests: syntax format (RFC compliance), domain existence (DNS lookup), mail server existence (MX record), and address hygiene (not disposable, not role-based). The Email Validator tool on this site runs all four checks automatically.

What You Need

  • The email address to validate
  • Understanding of which validation layers apply to your use case (simple form? marketing list? transactional system?)
  • For programmatic validation: a regex library and access to DNS resolution (or a third-party validation API)
  • For bulk list cleaning: a CSV of addresses and access to a batch validator

Step 1: Check Email Format

The first check is purely syntactic — does the address conform to the structure defined in RFC 5321 and RFC 5322?

A valid email address has exactly one @ symbol separating a local part and a domain:

local-part@domain.tld

Local part rules (before the @):

  • Maximum 64 characters
  • Valid characters: letters (a–z, A–Z), digits (0–9), and the special characters ., +, -, _, %
  • Cannot start or end with a dot
  • Cannot contain two consecutive dots

Domain rules (after the @):

  • Maximum 255 characters (domain + TLD)
  • Must contain at least one dot
  • Labels (parts between dots) can contain letters, digits, and hyphens
  • Labels cannot start or end with a hyphen
  • TLD must be at least 2 characters (.io, .com, .museum)

Overall length: The complete address must not exceed 254 characters.

A practical regex that covers the common valid cases without being RFC-complete (which would be unreadably complex):

/^[a-zA-Z0-9._%+\-]+@[a-zA-Z0-9.\-]+\.[a-zA-Z]{2,}$/

This correctly accepts user+tag@domain.co.uk and firstname.lastname@company.org while rejecting @nodomain, nodomain@, and two@@atsigns.

What format checking does not catch: A syntactically valid address like test@fakedomainthatdoesnotexist.com passes format validation but will bounce on delivery. That is why format checking is only the first step.

Step 2: Validate the Domain and MX Records

Format validation tells you the address is structured correctly. DNS validation tells you whether the domain actually exists and can receive mail.

Two DNS lookups to perform:

  1. A/CNAME record lookup — confirms the domain resolves to a server. nslookup example.com or dig example.com A should return an IP address.

  2. MX record lookup — confirms the domain has a designated mail server. nslookup -type=MX example.com or dig example.com MX should return one or more mail exchanger records with priority values.

If the domain has no MX record, email sent to any address on that domain will bounce with a "550 No MX record" or similar error. A domain can exist as a website without having any email infrastructure — this is common for placeholder domains, parked domains, and single-page websites.

Example of what an MX lookup returns for a valid domain:

example.com    MX preference = 10, mail exchanger = mail1.example.com
example.com    MX preference = 20, mail exchanger = mail2.example.com

Example of what a missing MX record looks like:

*** No MX records found for thisdomain.example

No MX records = cannot receive email = do not add to your list.

The Email Validator performs this DNS lookup automatically so you do not need to run dig commands manually for individual addresses.

Step 3: Check for Disposable Email Domains

Disposable email addresses are temporary inboxes — they accept messages for a short period (minutes to hours) then expire. Users create them specifically to avoid giving out their real email address.

Well-known disposable providers include:

  • mailinator.com
  • tempmail.com and temp-mail.org
  • guerrillamail.com
  • yopmail.com
  • 10minutemail.com
  • throwam.com

There are over 3,000 known disposable providers, and new ones appear regularly. Detection works by checking the domain portion of the submitted address against a continuously updated blocklist.

Why this matters: A user who signs up with a disposable address has no intention of being contacted. Their "inbox" will expire before your welcome email arrives. Adding them to a list inflates your subscriber count, produces hard bounces, and distorts your campaign analytics.

What to do with disposable addresses:

  • Reject them at sign-up with a clear message ("Please use a permanent email address")
  • Log the attempt for fraud pattern analysis
  • Do not silently accept and then bounce — this wastes send credits and harms your sender score

Step 4: Check for Role-Based Prefixes

Role-based email addresses are tied to a job function rather than an individual person. Common examples:

Prefix Why it's problematic
admin@ Often shared; high complaint rate
info@ Monitored by multiple staff or auto-responder
support@ Ticketing system; unsubscribes often missed
sales@ CRM routing; personal emails preferred for consent
noreply@ Cannot receive replies; consent unclear
postmaster@ Technical role; not a marketing contact
abuse@ Specifically used to report spam

Role-based addresses are not invalid — they follow RFC format and often have working MX records. But they carry elevated risk for marketing and transactional email because:

  • They are not tied to one consenting individual, creating GDPR and CAN-SPAM issues
  • Shared inboxes mean spam reports can come from staff who never signed up
  • Many ESPs score role-based addresses negatively and may reject them during list import

Best practice: Flag role-based addresses rather than silently accepting them. For B2B lead capture, you may choose to accept info@ and sales@ while blocking noreply@ and abuse@. For consumer sign-up forms, reject all role-based prefixes.

Step 5: Never Validate by Sending a Test Email

A common misconception is that the most reliable way to validate an email is to send a test message and see if it bounces. This approach has serious problems:

SMTP probing is blocked: Connecting to a mail server's SMTP port and going through the handshake (RCPT TO:<address>) without actually sending was historically used for validation. Today, major providers (Google, Microsoft, Yahoo) return a 250 OK to any address to prevent directory harvesting — making the check useless. Others reject the probe outright, flagging your IP as suspicious.

Catch-all domains accept everything: Many corporate domains configure their mail server to accept all addresses (@company.com) and route to a central inbox or discard. A bounce test on these domains always returns success, even for addresses that don't exist.

Negative consequences: Sending probe messages, even without a body, generates SMTP activity from your IP. Repeated probing can get your IP or domain flagged by spam filtering systems, harming deliverability for your legitimate sends.

The right approach: Use MX record validation (Step 2) plus a double opt-in confirmation email. The confirmation email sent to the address is the only reliable end-to-end test, and it doubles as your consent record.

Common Mistakes to Avoid

Accepting typo domains: user@gmail.con, user@hotmial.com, and user@yahooo.com all pass format validation but will bounce. Consider implementing fuzzy matching for common provider typos — suggest the corrected domain rather than silently accepting the mistyped version.

Not checking MX records: Format validation alone passes addresses on non-email domains. Always add the DNS MX lookup step for any system where deliverability matters.

Overly strict regex blocking valid addresses: Plus addressing (user+tag@domain.com) is valid RFC 5321. So are hyphens in the local part, and TLDs longer than 3 characters (.museum, .photography). Custom regex patterns that are too narrow incorrectly reject legitimate addresses — test your regex against a corpus of known-valid edge cases before deploying.

Not normalising before storage: Email addresses should be normalised before saving to a database. At minimum, lowercase the domain part — RFC 5321 specifies that the domain is case-insensitive. User@Domain.COM and user@domain.com are the same address. Storing unnormalised addresses causes duplicate accounts and failed login lookups.

Treating validation as one-time: Addresses that were valid at sign-up can become invalid later — people change jobs, domains expire, providers shut down. Regular list hygiene (removing addresses that hard-bounce or have not opened in 12+ months) is as important as validation at the point of capture.

Formula & Methodology

Email validation follows a layered model, where each layer catches a class of invalid addresses that the previous layer misses:

Layer 1 — Syntax (regex)
  → Catches: malformed addresses, missing @, invalid characters
  → Misses: valid format but non-existent domains

Layer 2 — DNS / MX Lookup
  → Catches: domains with no mail infrastructure
  → Misses: valid domains with catch-all servers

Layer 3 — Blocklist (disposable + role-based)
  → Catches: throwaway providers, functional role addresses
  → Misses: newly created disposable providers

Layer 4 — Double Opt-In
  → Catches: everything else — non-existent local parts, catch-all domains
  → Cannot be bypassed

The regex pattern follows RFC 5321 section 4.1.2 (local-part) and RFC 5322 section 3.4.1 (addr-spec). A simplified but production-suitable pattern:

^[a-zA-Z0-9._%+\-]{1,64}@[a-zA-Z0-9.\-]{1,255}\.[a-zA-Z]{2,}$

For MX validation, the DNS query type is MX (type 15 in DNS protocol). The presence of at least one MX record with a valid priority integer and mail exchanger hostname is sufficient for this layer to pass.

Double opt-in is the definitive validation method — it proves the address is real, accessible, and controlled by the person who submitted it. All other layers are pre-filters that improve list quality before the confirmation email is sent.

Use the Email Validator to run all four layers on any address instantly.

Frequently Asked Questions

According to RFC 5321, the total length of an email address must not exceed 254 characters. The local part (before the @) can be up to 64 characters, and the domain (after the @) can be up to 255 characters. In practice, most email providers enforce shorter limits — Gmail local parts max out at 30 characters, for example. Validating against the 254-character overall limit catches edge cases that shorter UI limits may miss.
No. Passing a regex check means the format is syntactically correct, but it says nothing about whether the address actually exists or can receive mail. An address like test@thisdomain-does-not-exist-at-all.com passes format validation but will hard-bounce when you try to send to it. Real deliverability validation requires MX record lookup at the DNS level and, ultimately, a double opt-in confirmation from the recipient.
Role-based addresses are tied to a function rather than a person — examples include admin@, info@, support@, sales@, noreply@, postmaster@, and abuse@. These addresses are typically monitored by multiple people or automated systems and are far more likely to generate spam complaints or bounces when added to a marketing list. Most email service providers (ESPs) like Mailchimp and SendGrid automatically flag or reject role-based addresses at list import. Filtering them at the point of capture improves your sender reputation and deliverability rates.
Yes. The plus sign (+) is a valid character in the local part of an email address under RFC 5321. This is called subaddressing or plus addressing, and it is supported by Gmail, Fastmail, Protonmail, and many other providers. user+newsletter@gmail.com and user@gmail.com both deliver to the same inbox. Overly strict regex patterns that reject the plus sign will incorrectly block valid addresses — this is a common mistake in custom validation implementations.
An MX (Mail Exchanger) record is a DNS record that specifies which mail server is responsible for receiving email for a domain. If a domain has no MX record, it cannot receive email — any message sent to an address on that domain will bounce. Checking MX records during validation catches addresses on domains that are registered but not set up for email, which format checking alone misses entirely. This lookup adds a network call but significantly reduces your hard-bounce rate.
Disposable email domains provide temporary inboxes that self-destruct after minutes or hours — examples include mailinator.com, tempmail.com, guerrillamail.com, yopmail.com, and 10minutemail.com. There are over 3,000 known disposable providers. Detection works by checking the email's domain against a blocklist of known disposable providers, which services like the [Email Validator](/email-validator/) maintain and update regularly. Blocking disposable addresses at sign-up reduces fake registrations and protects your email list quality.
A production-safe basic regex for email format is: `/^[a-zA-Z0-9._%+\-]+@[a-zA-Z0-9.\-]+\.[a-zA-Z]{2,}$/`. This allows letters, numbers, dots, percent, plus, hyphens, and underscores in the local part; a domain with dots and hyphens; and a TLD of at least two characters. More precise RFC 5322-compliant patterns exist but are notoriously complex (spanning hundreds of characters) and are rarely worth the added complexity in a production context. Pair this simple regex with MX record validation for sufficient accuracy.
SMTP probing — connecting to the receiving mail server and running through the SMTP dialogue without actually sending a message — was once used for validation, but it is now widely blocked. Most major mail servers reject SMTP probing to prevent directory harvesting attacks. Even when it works, catch-all domains accept any address regardless of whether it exists. SMTP probing also creates deliverability risks by marking your IP as suspicious. Use DNS MX lookup plus format validation instead; reserve actual delivery for the double opt-in email.
Syntax validation checks that the email conforms to the RFC-defined format rules — correct characters, proper placement of @, valid domain structure. Semantic validation checks whether the email is actually useful — does the domain have MX records, is the provider known to exist, is the address disposable or role-based. Both layers are needed for production systems. Syntax validation alone gives you a false sense of security; semantic validation without syntax validation will produce inconsistent results.
Both, for different reasons. Client-side validation (in the browser, using JavaScript) catches typos immediately and improves user experience — it should not be the final check. Server-side validation is mandatory because client-side checks can be bypassed entirely with browser developer tools or direct API calls. For applications where email quality matters (e-commerce, SaaS, newsletters), also add server-side MX lookup and disposable domain checking. Never trust client-side validation as your only line of defence.
Double opt-in is the process of sending a confirmation email to a newly registered address and requiring the user to click a link in that email before being activated. It is the only method that guarantees the address exists, is accessible, and belongs to the person who signed up. Double opt-in reduces fake sign-ups by over 90%, dramatically lowers bounce and complaint rates, and satisfies GDPR and CAN-SPAM consent requirements. Every serious email marketing program and ESP recommends double opt-in as the default for new list acquisition.
Sending to unvalidated lists causes hard bounces (addresses that don't exist) and spam complaints (role-based or purchased addresses). A hard-bounce rate above 2% and a complaint rate above 0.1% will trigger warnings or suspensions from ESPs like Mailchimp, SendGrid, and Amazon SES. Sustained poor list hygiene leads to your sender domain and IP being blacklisted — which means even your legitimate emails stop reaching inboxes. Cleaning a badly contaminated list and rebuilding sender reputation can take 3–6 months.

Related Articles

BEST OF

Best Free Online Validators for Developers 2026

HOW TO

How to Validate OpenAPI / Swagger Specs

GUIDE

Data Format Validators: IPs, MAC Addresses, ISBNs & More

HOW TO

How to Format JSON Data

HOW TO

How to Generate a UUID