Email Address Validation with Regex (JavaScript, PHP, Python & More)


Email validation regex patterns for JavaScript, PHP, Python, Ruby, and .NET, plus where regex falls short and how to verify deliverability with an email validation API.

Email Address Validation with Regex

Validating email addresses at the point of entry is one of the simplest ways to keep fake users, bounces, and bad data out of your system. A regular expression is the fastest first check: in a single line, it confirms that what a user typed at least looks like an email address. This guide gives you copy-paste regex patterns for the most common languages, then shows where regex stops being enough and what to do about it.

Why validate email addresses

Email is the most common piece of personal information users hand over, and plenty of them would rather not. When a form does not check the input, people enter throwaway text to dodge marketing, and fraudsters enter fake addresses to create bogus accounts. The result is bounced messages, dead leads, and dirty data. A quick format check at submission filters out the most obvious junk before it ever reaches your database.

What email validation regex can and cannot do

A regex checks one thing: format. If a user enters a random string like “xkhalfuagh”, the pattern rejects it because it is not shaped like an email, and that alone catches a surprising amount of garbage. What regex cannot do is tell you whether an address is real. A well-formed but fake address like “axhbdaeiandlayadakceamhauldal@hotmail.com” passes every regex on this page, because it is formatted correctly. Treat regex as the first gate, not the whole system. For a broader checklist, see our email verification best practices guide.

Email validation regex by language

Each pattern below checks for the same basic structure: one or more valid characters, an @ symbol, a domain, and a dot followed by a top-level domain of at least two characters. Note the {2,} on the TLD; older patterns capped it at {2,4}, which now wrongly rejects valid endings like .travel or .technology.

General pattern

[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}

 

JavaScript

const emailRegex = /^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$/;

emailRegex.test(email); // true when the format is valid

 

PHP

preg_match('/^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$/', $email);

 

PHP ships with a validator built for exactly this, so prefer FILTER_VALIDATE_EMAIL over a hand-written pattern in most cases:

if (filter_var($email, FILTER_VALIDATE_EMAIL)) {

    // $email is a valid email address

} else {

    // $email is not a valid email address

}

 

For a full PHP walkthrough that adds MX-record and API checks on top of the format test, see our guide to validating email addresses with PHP.

Python

re.match(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$", email)

 

Ruby

/\A[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}\z/

 

.NET

^\w+([-+.']\w+)*@\w+([-.]\w+)*\.\w+([-.]\w+)*$

 

You may run across enormous RFC 5322 regex patterns hundreds of characters long. They are technically more complete, but they are nearly impossible to read, debug, or maintain, and they still cannot confirm that an address is real. For thorough validation, lean on your language's built-in validator or an API rather than a hand-rolled mega-pattern.

Take email validation further

Regex confirms an address is shaped correctly. It cannot tell you whether the inbox exists, whether the domain can receive mail, or whether the address has a history of abuse. A real-time email validation API answers all of that. Through the email validation API, you can check a single address or a batch and get back signals such as:

       Whether the address is valid and deliverable

       Whether it is a spam trap or frequent complainer

       Whether it has recently been tied to fraud

       Whether it belongs to a disposable or temporary service used for abuse

       An overall email risk score

That is the difference between confirming an address looks right and knowing you can trust it.

Test an email address

Want to check an address right now? The free email verifier runs these checks through a simple web form, no code required.

Frequently asked questions

What is a good general email validation regex?

A practical pattern is [A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}, which checks for a local part, an @, a domain, and a top-level domain of at least two characters.

Can a regex fully validate an email address?

No. Regex checks format only. It cannot confirm that the inbox exists, that the domain accepts mail, or that the address is trustworthy.

Should I use a regex or my language's built-in validator?

For PHP, prefer FILTER_VALIDATE_EMAIL over a hand-written pattern. In general, use a maintained validator or an API for anything beyond a quick format check.

How do I validate an email in JavaScript?

Define the pattern as a RegExp and call .test() on the input, for example emailRegex.test(email), which returns true when the format is valid.

Go beyond format checks

A regex is a good first gate, but real protection means knowing an address is deliverable and trustworthy. Start a free trial with 1,000 free lookups per month, or schedule a demo to see how IPQS validates email, IP, phone, and device risk in real time.

Share this article


Speak with IPQS: (800) 713-2618

Enhance Your Fraud & Risk Signals

Start with 1,000 free lookups or schedule a demo to see how IPQS can enrich fraud scores for IP, email, phone, and device risk across your user journey.