Email Address Validation with Regex (JavaScript, PHP, Python & More)
Email validation regex patterns for JavaScript, PHP, Python, Ruby, and .NET, plus where regex falls short and how to verify deliverability with an email validation API.
Email Address Validation with Regex
Validating email addresses at the point of entry is one of the simplest ways to keep fake users, bounces, and bad data out of your system. A regular expression is the fastest first check: in a single line, it confirms that what a user typed at least looks like an email address. This guide gives you copy-paste regex patterns for the most common languages, then shows where regex stops being enough and what to do about it.
Why validate email addresses
Email is the most common piece of personal information users hand over, and plenty of them would rather not. When a form does not check the input, people enter throwaway text to dodge marketing, and fraudsters enter fake addresses to create bogus accounts. The result is bounced messages, dead leads, and dirty data. A quick format check at submission filters out the most obvious junk before it ever reaches your database.
What email validation regex can and cannot do
A regex checks one thing: format. If a user enters a random string like “xkhalfuagh”, the pattern rejects it because it is not shaped like an email, and that alone catches a surprising amount of garbage. What regex cannot do is tell you whether an address is real. A well-formed but fake address like “axhbdaeiandlayadakceamhauldal@hotmail.com” passes every regex on this page, because it is formatted correctly. Treat regex as the first gate, not the whole system. For a broader checklist, see our email verification best practices guide.
Email validation regex by language
Each pattern below checks for the same basic structure: one or more valid characters, an @ symbol, a domain, and a dot followed by a top-level domain of at least two characters. Note the {2,} on the TLD; older patterns capped it at {2,4}, which now wrongly rejects valid endings like .travel or .technology.
General pattern
|
[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,} |
JavaScript
|
const emailRegex = /^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$/; emailRegex.test(email); // true when the format is valid |
PHP
|
preg_match('/^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$/', $email); |
PHP ships with a validator built for exactly this, so prefer FILTER_VALIDATE_EMAIL over a hand-written pattern in most cases:
|
if (filter_var($email, FILTER_VALIDATE_EMAIL)) { // $email is a valid email address } else { // $email is not a valid email address } |
For a full PHP walkthrough that adds MX-record and API checks on top of the format test, see our guide to validating email addresses with PHP.
Python
|
re.match(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$", email) |
Ruby
|
/\A[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}\z/ |
.NET
|
^\w+([-+.']\w+)*@\w+([-.]\w+)*\.\w+([-.]\w+)*$ |
You may run across enormous RFC 5322 regex patterns hundreds of characters long. They are technically more complete, but they are nearly impossible to read, debug, or maintain, and they still cannot confirm that an address is real. For thorough validation, lean on your language's built-in validator or an API rather than a hand-rolled mega-pattern.
Take email validation further
Regex confirms an address is shaped correctly. It cannot tell you whether the inbox exists, whether the domain can receive mail, or whether the address has a history of abuse. A real-time email validation API answers all of that. Through the email validation API, you can check a single address or a batch and get back signals such as:
• Whether the address is valid and deliverable
• Whether it is a spam trap or frequent complainer
• Whether it has recently been tied to fraud
• Whether it belongs to a disposable or temporary service used for abuse
• An overall email risk score
That is the difference between confirming an address looks right and knowing you can trust it.
Test an email address
Want to check an address right now? The free email verifier runs these checks through a simple web form, no code required.
Frequently asked questions
What is a good general email validation regex?
A practical pattern is [A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}, which checks for a local part, an @, a domain, and a top-level domain of at least two characters.
Can a regex fully validate an email address?
No. Regex checks format only. It cannot confirm that the inbox exists, that the domain accepts mail, or that the address is trustworthy.
Should I use a regex or my language's built-in validator?
For PHP, prefer FILTER_VALIDATE_EMAIL over a hand-written pattern. In general, use a maintained validator or an API for anything beyond a quick format check.
How do I validate an email in JavaScript?
Define the pattern as a RegExp and call .test() on the input, for example emailRegex.test(email), which returns true when the format is valid.
Go beyond format checks
A regex is a good first gate, but real protection means knowing an address is deliverable and trustworthy. Start a free trial with 1,000 free lookups per month, or schedule a demo to see how IPQS validates email, IP, phone, and device risk in real time.
Share this article