1. Articles
  2. How to Validate Email Addresses with PHP (Syntax, MX & API)

How to Validate Email Addresses with PHP (Syntax, MX & API)

Validate email addresses in PHP: check syntax with FILTER_VALIDATE_EMAIL, confirm the domain's MX record, and use an API to catch disposable and high-risk emails.

How to Validate Email Addresses with PHP

If your site handles sign-ups, payments, or any user input, sooner or later you will need to validate email addresses. PHP can handle the basics in just a few milliseconds, confirming that an address is formatted correctly and that its domain can actually receive mail. Those local checks are fast and free, but they only go so far. This guide covers both: the built-in PHP checks for syntax and MX records, and an API approach that catches the disposable and high-risk addresses simple checks miss.

Why validate email addresses

The average person juggles several email addresses, and with thousands of disposable email services that hand out a throwaway inbox in one click, fake addresses are easy to come by at sign-up. Honest users also fumble: a mistyped address means a bounced confirmation and a lost customer. Validating email at the point of entry keeps your lists clean, improves deliverability, and is a first line of defense against fake registrations and abuse.

Validate email syntax with PHP

The fastest check is built right into PHP. The FILTER_VALIDATE_EMAIL filter confirms an address is properly formatted, and a short regular expression makes sure the domain includes a dot, which the filter alone does not always require.

// Quick syntax check with PHP's built-in email filter

if (filter_var($email_address, FILTER_VALIDATE_EMAIL) === false || !preg_match('/@.+\./', $email_address)) {

    // Email address does not have valid syntax

}

 

FILTER_VALIDATE_EMAIL runs its own RFC-based pattern checks, so you do not need to write your own. If you prefer a pure regular-expression approach, or want to understand what the filter is doing under the hood, see our walkthrough of email validation with regex.

Check the domain's MX record with PHP

Valid syntax does not mean the domain can receive mail. To confirm that, look up the domain's MX (mail exchange) record, which tells sending servers where to deliver messages for that domain. If a domain has no MX record, nothing can be delivered to it.

// Capture the domain portion after the last @

$email_host = strtolower(substr(strrchr($email_address, '@'), 1));

 

// Convert internationalized domains to ASCII (requires the intl extension)

if (function_exists('idn_to_ascii')) {

    $ascii_host = idn_to_ascii($email_host, IDNA_DEFAULT, INTL_IDNA_VARIANT_UTS46);

    if ($ascii_host !== false) {

        $email_host = $ascii_host;

    }

}

 

// Confirm the domain publishes an MX record

if (!checkdnsrr($email_host, 'MX')) {

    // Domain has no MX record, so it cannot receive email

}

 

Checking the MX record filters out a meaningful share of invalid and mistyped domains before they ever reach your database. It is the most thorough validation PHP can perform on its own.

Where local PHP checks fall short

Syntax and MX checks confirm an address could exist, not that it is real, active, or trustworthy. The address example@gmail.com passes both tests, yet it could be a typo, an abandoned inbox, a disposable address, or one tied to past abuse. Local checks simply cannot see any of that. Closing the gap means asking a service that tracks email risk and reputation across a large network in real time. The richest services go a step further, tying an address to known accounts and identities through a reverse email lookup.

Validate emails with the IPQS API in PHP

A validation API confirms whether an inbox is actually deliverable and whether the address has a history of abuse. The IPQS email validation API returns more than 25 data points per address, including whether it is valid, disposable, recently linked to abuse, and an overall fraud score. Adding it to an existing PHP flow takes only a few minutes.

$key     = 'YOUR_API_KEY';

$email   = 'test@example.com';

$timeout = 5; // seconds

 

$url = sprintf(

    'https://www.ipqualityscore.com/api/json/email/%s/%s?timeout=%d',

    $key,

    rawurlencode($email),

    $timeout

);

 

$response = file_get_contents($url);

$result   = $response !== false ? json_decode($response, true) : null;

 

if ($result !== null && !empty($result['success'])) {

    if (!empty($result['disposable'])) {

        // Email is from a temporary or disposable service

    } elseif (!empty($result['recent_abuse'])) {

        // Email was recently tied to abuse across the IPQS network

    } elseif (!empty($result['valid'])) {

        // Email passed validation and can receive mail

    } else {

        // Email failed one or more validation checks

    }

} else {

    // Request failed or the API returned an error

}

 

The full set of response fields is covered in the email validation API documentation. Blocklists refresh every few minutes as new disposable domains and high-risk addresses appear, and you can validate addresses one at a time through the API or upload existing lists in bulk. If you just want to spot-check a few addresses first, the free email verifier runs these same checks in your browser.

Layer local checks with the API

The strongest setup uses both. Run the free PHP syntax and MX checks first to reject obviously broken addresses, then call the API on the ones that pass to catch disposable, fake, and high-risk emails. The same pattern works for other signals too: if you validate users at sign-up, our guide to detecting proxies with PHP shows how to add IP checks alongside email validation.

Frequently asked questions

How do you validate an email address in PHP?

Use filter_var() with FILTER_VALIDATE_EMAIL to check the syntax, then checkdnsrr() to confirm the domain has an MX record. For deliverability and risk, call a validation API on top of those local checks.

Does FILTER_VALIDATE_EMAIL check whether an email exists?

No. It only confirms the address is correctly formatted. It cannot tell you whether the inbox is real or able to receive mail.

How do I check MX records in PHP?

Extract the domain after the @ symbol and pass it to checkdnsrr($domain, 'MX'), which returns true when the domain publishes a mail record.

Can PHP detect disposable email addresses?

Not on its own. Detecting disposable and high-risk addresses requires an up-to-date reputation source, which is where a validation API comes in.

Validate email addresses in real time

Catch what local checks miss. Create a free account for 1,000 free lookups per month, or schedule a demo to see how IPQS scores email, IP, phone, and device risk across your user journey.

Share this article

Related Articles

View All News & Articles
15 Jul 2017
How to Detect Proxies with PHP: Code Examples & API
How to Detect Proxies with PHP If your site or app takes sign-ups, payments, or any user input, ...
27 Jun 2019
Email Verification Best Practice, an Email Validation Guide
Your mailing list is the lifeline of your digital marketing campaigns. But if your car regularly ne...
28 Apr 2019
Email Address Validation with Regex (JavaScript, PHP, Python & More)
Email Address Validation with Regex Validating email addresses at the point of entry is one of t...
Speak with IPQS: (800) 713-2618

Enhance Your Fraud & Risk Signals

Start with 1,000 free lookups or schedule a demo to see how IPQS can enrich fraud scores for IP, email, phone, and device risk across your user journey.

Start Your Free Trial Schedule a Demo