Email Syntax Validation: Rules, Regex, and Best Practices

The complete guide to email syntax validation — RFC rules, regex patterns, common mistakes, and why syntax checking alone isn't enough.

V
Written byVijay
Read Time7 min read
PublishedApril 5, 2026
Code editor with syntax highlighting — regex validation

What Is Email Syntax Validation?

Email syntax validation checks whether an address follows the structural rules defined by internet standards — specifically RFC 5321 and RFC 5322. It answers one question: "Is this string formatted like a valid email address?"

Syntax validation is the first line of defense. It catches typos, formatting errors, and obviously invalid input before you spend resources on deeper checks like MX lookups or SMTP verification.

But here's the critical limitation: syntax validation alone catches only about 10% of invalid addresses. An email can be perfectly formatted and still bounce — perfect.syntax@domain-that-doesnt-exist.com passes every regex in the world.

The RFC Rules

Basic Structure

Every email address follows the format: local-part@domain

The @ symbol separates two components, each with its own rules.

Local-Part Rules (Before the @)

According to RFC 5321:

  • Maximum 64 characters
  • Allowed characters: letters (a-z, A-Z), digits (0-9), and special characters: . ! # $ % & ' * + - / = ? ^ _ { } | ~
  • Cannot start or end with a period
  • Cannot have consecutive periods (john..doe@example.com is invalid)
  • Quoted strings allow almost any character: "john doe"@example.com is technically valid

Domain Rules (After the @)

  • Maximum 253 characters total
  • Each label (between dots) maximum 63 characters
  • Allowed characters: letters, digits, hyphens
  • Cannot start or end with a hyphen
  • Must have at least one dot (e.g., user@localhost is not valid for email delivery)
  • Top-level domain must be at least 2 characters

Common Regex Patterns

The Simple Pattern (Good Enough for Most Forms)

const simpleRegex = /^[^\s@]+@[^\s@]+\.[^\s@]+$/;

This catches the basics: something before @, something after @, at least one dot in the domain. It's intentionally loose — it won't reject valid edge cases, but it also won't catch subtle formatting errors.

The Practical Pattern (Recommended)

const practicalRegex = /^[a-zA-Z0-9.!#$%&'*+/=?^_\`{|}~-]+@[a-zA-Z0-9](?:[a-zA-Z0-9-]{0,61}[a-zA-Z0-9])?(?:\.[a-zA-Z0-9](?:[a-zA-Z0-9-]{0,61}[a-zA-Z0-9])?)*\.[a-zA-Z]{2,}$/;

This enforces RFC character rules, prevents leading/trailing hyphens in domain labels, and requires a proper TLD. This is what we recommend for client-side validation.

The HTML5 Pattern

If you're using HTML form validation, the browser already has a built-in pattern:

<input type="email" required />

The HTML5 email type uses a specific regex defined in the WHATWG spec. It's less strict than full RFC compliance but catches most user errors.

Common Syntax Mistakes

| Input | Valid? | Issue | |-------|--------|-------| | user@example.com | Yes | Standard format | | user@example | No | Missing TLD | | user@.example.com | No | Domain starts with dot | | user@example..com | No | Consecutive dots in domain | | .user@example.com | No | Local-part starts with dot | | user.@example.com | No | Local-part ends with dot | | user@-example.com | No | Domain label starts with hyphen | | user+tag@example.com | Yes | Plus addressing (Gmail, etc.) | | user@sub.domain.example.com | Yes | Subdomains are valid | | user@123.123.123.123 | Technically yes | IP literal domain (rare, often blocked) |

Edge Cases That Trip Up Regex

Plus Addressing

user+newsletter@gmail.com is valid. Gmail, Microsoft, and many other providers support plus addressing for email filtering. Don't reject these — they're often used by your most engaged subscribers.

International Email Addresses (EAI)

RFC 6531 introduced support for internationalized email addresses:

  • 用户@例え.jp — Unicode local-part and domain
  • user@münchen.de — International domain names (IDN)

Most regex patterns reject these. If you serve an international audience, consider using a library like validator.js or email-validator that handles EAI properly.

Uncommon But Valid

These are valid per RFC but rare in practice:

  • "john doe"@example.com — Quoted local-part with space
  • user!def!xyz@example.com — Bang path notation
  • customer/department=shipping@example.com — Slashes in local-part

Why Syntax Alone Isn't Enough

Syntax validation answers "Is this formatted correctly?" but not:

  • Does the domain exist? — Check MX records
  • Does the mailbox exist? — Requires SMTP handshake
  • Is it a disposable address? — Requires a disposable email database
  • Is it a spam trap? — Requires historical data analysis
  • Will it actually engage? — Requires engagement scoring

A complete verification pipeline layers multiple checks. SendSure's 27-stage engine runs syntax validation as stage 1, then follows with DNS, SMTP, ML catch-all scoring, and engagement analysis — each stage catching what the previous one missed.

Building a Validation Pipeline

Here's how syntax validation fits into a production signup form:

async function validateEmail(email) {
  // Stage 1: Syntax (instant, client-side)
  const syntaxRegex = /^[a-zA-Z0-9.!#$%&'*+/=?^_\`{|}~-]+@[a-zA-Z0-9](?:[a-zA-Z0-9-]{0,61}[a-zA-Z0-9])?(?:\.[a-zA-Z0-9](?:[a-zA-Z0-9-]{0,61}[a-zA-Z0-9])?)*\.[a-zA-Z]{2,}$/;

  if (!syntaxRegex.test(email)) {
    return { valid: false, reason: 'Invalid format' };
  }

  // Stage 2: API verification (server-side, comprehensive)
  const response = await fetch('https://api.sendsure.ai/v1/verify', {
    method: 'POST',
    headers: {
      'Authorization': 'Bearer YOUR_API_KEY',
      'Content-Type': 'application/json'
    },
    body: JSON.stringify({ email })
  });

  return response.json();
}

Client-side syntax validation gives instant feedback. Server-side API verification provides the definitive answer. Together, they create a fast, accurate validation experience.

Best Practices

  1. Use syntax validation for instant UI feedback — Show errors as the user types, before form submission
  2. Don't over-validate with regex — A strict regex that rejects valid addresses is worse than a loose one that accepts edge cases
  3. Normalize before validating — Trim whitespace, convert to lowercase
  4. Always follow with deeper verification — Syntax alone misses 90% of invalid addresses
  5. Handle international addresses — Use a library if you serve global users
  6. Keep plus addressing — Don't strip or reject +tag addresses

Syntax validation is the foundation of email verification, not the whole building. Use it as a fast pre-filter, then verify with a comprehensive service for the definitive answer.

Ready to verify your email list?

Start with 100 free credits. No credit card required.

Start Verifying Free
PreviousNext
Keep Reading

Related Articles

Expand your knowledge with these hand-picked posts.

Code on a screen — API development concept
March 20, 2026
Developer

Email Verification API vs. Bulk: Which Should You Choose?

Real-time API verification for signups vs. bulk list cleaning — when to use each approach and how to combine them.

VijayRead more: Email Verification API vs. Bulk: Which Should You Choose?
Analytics dashboard showing data validation metrics
April 1, 2026
Developer

How to Check if an Email Address Is Valid (5 Methods)

From regex to SMTP handshakes — the 5 proven methods to validate email addresses, with code examples and accuracy comparisons.

VijayRead more: How to Check if an Email Address Is Valid (5 Methods)
Network cables and connections — SMTP protocol concept
April 5, 2026
Developer

SMTP Verification: How It Works and Why It Matters

A deep-dive into the SMTP handshake protocol — how email verifiers talk to mail servers to check if an address exists.

VijayRead more: SMTP Verification: How It Works and Why It Matters
Email deliverability dashboard showing inbox placement metrics

Get deliverability intel before your next send.

Join senders and ops teams who read our weekly breakdown of what's landing in inboxes — and what isn't.

Start Verifying FreeSee Pricing