Why Checking Email Validity Matters
Every email you send to an invalid address is a small wound to your sender reputation. Send enough of them, and ISPs like Gmail and Microsoft start throttling or blocking your messages entirely. In 2026, with Google enforcing bounce rates below 0.3% for bulk senders, the margin for error is razor-thin.
Whether you're building a signup form, importing a lead list, or cleaning your CRM before a campaign, you need a reliable way to check if an email address is valid before you hit send. The good news: there are multiple methods available, ranging from a simple line of code to full SMTP-level verification.
This guide walks through five methods in order of increasing accuracy and complexity. Most production email systems use a combination of these approaches.
Method 1: Syntax Validation with Regex
The simplest check is whether the email address follows a valid format. An email must have a local part, an @ symbol, and a domain with at least one dot. Syntax validation catches typos, formatting errors, and obviously fake addresses before they go any further.
Basic Regex Pattern
Here's a practical regex pattern that handles the vast majority of real-world email addresses:
const EMAIL_REGEX = /^[a-zA-Z0-9.!#$%&'*+/=?^_`{|}~-]+@[a-zA-Z0-9](?:[a-zA-Z0-9-]{0,61}[a-zA-Z0-9])?(?:\.[a-zA-Z0-9](?:[a-zA-Z0-9-]{0,61}[a-zA-Z0-9])?)*\.[a-zA-Z]{2,}$/;
function isValidEmailSyntax(email) {
if (!email || typeof email !== 'string') return false;
if (email.length > 254) return false; // RFC 5321 max length
return EMAIL_REGEX.test(email.trim().toLowerCase());
}
// Examples
isValidEmailSyntax('user@example.com'); // true
isValidEmailSyntax('user@.com'); // false
isValidEmailSyntax('user@example'); // false
isValidEmailSyntax('@example.com'); // false
isValidEmailSyntax('user @example.com'); // false (space)
Python Equivalent
import re
EMAIL_REGEX = re.compile(
r'^[a-zA-Z0-9.!#$%&\'*+/=?^_`{|}~-]+'
r'@[a-zA-Z0-9](?:[a-zA-Z0-9-]{0,61}[a-zA-Z0-9])?'
r'(?:\.[a-zA-Z0-9](?:[a-zA-Z0-9-]{0,61}[a-zA-Z0-9])?)*'
r'\.[a-zA-Z]{2,}$'
)
def is_valid_email_syntax(email: str) -> bool:
if not email or len(email) > 254:
return False
return bool(EMAIL_REGEX.match(email.strip().lower()))
What Syntax Checks Catch
- Missing @ symbol
- Invalid characters (spaces, commas, semicolons)
- Missing or malformed domain
- Missing top-level domain (TLD)
- Addresses exceeding RFC length limits
What Syntax Checks Miss
A syntactically valid email can still be completely invalid. perfectly.formatted@nonexistent-domain-xyz.com passes every regex check but will bounce immediately. Syntax validation is a necessary first step, but never sufficient on its own.
Method 2: DNS and MX Record Lookup
The next level of validation checks whether the domain in the email address can actually receive mail. This is done by querying the domain's MX records — the DNS entries that specify which mail servers handle email for that domain.
How to Check MX Records
Using Node.js:
const dns = require('dns').promises;
async function hasMxRecords(email) {
const domain = email.split('@')[1];
try {
const records = await dns.resolveMx(domain);
return records && records.length > 0;
} catch (err) {
// ENOTFOUND = domain doesn't exist
// ENODATA = domain exists but no MX records
return false;
}
}
// Usage
await hasMxRecords('user@google.com'); // true (has MX records)
await hasMxRecords('user@fakexyz123.com'); // false (domain doesn't exist)
Using the command line:
# Using dig
dig MX google.com +short
# Using nslookup
nslookup -type=MX google.com
What MX Lookups Tell You
- Whether the domain exists at all
- Whether the domain is configured to receive email
- Which mail provider the domain uses (Google Workspace, Microsoft 365, etc.)
- The priority of mail servers (useful for understanding infrastructure)
Limitations
A domain can have valid MX records but still not accept mail at a specific address. nonexistent-person@google.com has valid MX records but the mailbox doesn't exist. MX validation eliminates dead domains but can't verify individual mailboxes.
Method 3: SMTP Verification
SMTP verification is the gold standard for checking whether a specific mailbox exists. It connects to the recipient's mail server and walks through the first steps of the SMTP protocol — the same steps that happen when you send a real email — but disconnects before actually delivering anything.
How It Works
The SMTP conversation looks like this:
Client: EHLO verify.example.com
Server: 250-mail.google.com at your service
Client: MAIL FROM:<check@verify.example.com>
Server: 250 OK
Client: RCPT TO:<target@gmail.com>
Server: 250 OK ← Mailbox exists
or: 550 5.1.1 User unknown ← Mailbox doesn't exist
Client: QUIT
The critical moment is the RCPT TO command. The server's response tells you whether the mailbox exists (250) or doesn't (550). You never send the actual email body — you hang up after getting your answer.
Why You Shouldn't DIY SMTP Verification
While the concept is straightforward, building reliable SMTP verification is surprisingly difficult:
- IP reputation matters. Mail servers judge you by your sending IP. If your IP isn't properly configured with PTR records, SPF, and warm sending history, many servers will reject or timeout your connections.
- Rate limiting is aggressive. Gmail, Microsoft, and Yahoo all throttle SMTP connections. Send too many verification requests and your IP gets blocked.
- Greylisting delays results. Some servers deliberately reject the first attempt and expect you to retry after a delay. A naive implementation treats this as "invalid."
- Catch-all domains always say yes. About 15-30% of B2B domains accept all email regardless, making the 250 response meaningless for those addresses.
This is why most production systems use a dedicated verification service rather than running their own SMTP checks. Services like SendSure maintain pools of properly configured IPs and handle the edge cases that trip up custom implementations.
Method 4: API-Based Verification
The most practical approach for production applications is to use a verification API. You send the email address, the API runs syntax checks, MX lookups, SMTP verification, and additional analysis, then returns a comprehensive result.
Example API Call
// Using SendSure's verification API
const response = await fetch('https://api.sendsure.ai/v1/verify', {
method: 'POST',
headers: {
'Authorization': 'Bearer YOUR_API_KEY',
'Content-Type': 'application/json'
},
body: JSON.stringify({ email: 'user@example.com' })
});
const result = await response.json();
// {
// email: "user@example.com",
// status: "valid",
// quality_score: 92,
// risk_band: "low",
// sub_status: null,
// is_disposable: false,
// is_role_account: false,
// mx_found: true,
// smtp_provider: "google"
// }
What API Verification Adds Beyond SMTP
A good verification API doesn't just check if the mailbox exists. It runs additional analysis that individual checks can't provide:
- Disposable email detection — Flags temporary addresses from services like Mailinator, Guerrilla Mail, and 123,000+ other providers
- Role account detection — Identifies addresses like info@, support@, admin@ that have higher complaint rates
- Catch-all resolution — Uses AI and external signals to assess whether catch-all addresses belong to real people
- Risk scoring — Combines all signals into a quality score that predicts deliverability
- Spam trap detection — Identifies addresses planted by ISPs to catch senders with poor list hygiene
Real-Time vs. Bulk
API verification works in two modes:
Real-time (single email): Verify at the point of entry — signup forms, lead imports, checkout flows. Latency is typically 1-3 seconds per address. This prevents bad data from entering your system in the first place.
Bulk (file upload): Upload a CSV or connect your ESP for batch verification of entire lists. Processing speeds vary by provider, but SendSure handles lists at roughly 50,000 addresses per hour.
For a deeper comparison of these approaches, see our guide on API vs. bulk email verification.
Method 5: Manual Google Check (Quick and Dirty)
For one-off checks when you don't need automation, you can use Google's password recovery flow as a quick validation proxy.
How It Works
- Go to accounts.google.com/signin/recovery
- Enter the email address you want to check
- If the address is a valid Gmail or Google Workspace account, Google will offer recovery options
- If the address doesn't exist, Google will say it can't find the account
Important Caveats
- Only works for Google accounts. This won't help with Microsoft, Yahoo, or custom domain addresses.
- Doesn't scale. You can check one address at a time, manually, through a browser.
- Google rate-limits this. Check too many addresses in a row and you'll hit a CAPTCHA or temporary block.
- Privacy concerns. Using recovery flows for verification purposes is a gray area. Don't rely on this for production use.
This method is useful for quickly confirming a single Gmail address, but it's not a substitute for proper verification.
Choosing the Right Method
| Method | Accuracy | Speed | Scale | Cost | |--------|----------|-------|-------|------| | Regex syntax | Low (catches ~10% of bad emails) | Instant | Unlimited | Free | | MX lookup | Medium (catches dead domains) | Fast (<1s) | High | Free | | SMTP verification | High (catches invalid mailboxes) | Slow (1-5s) | Limited by IP rep | Infrastructure cost | | API verification | Highest (multi-signal analysis) | Fast (1-3s) | Unlimited | Per-verification fee | | Manual Google check | Medium (Google only) | Slow (manual) | One at a time | Free |
For most applications, the right answer is to layer methods 1 and 2 as client-side pre-filters, then use method 4 (API verification) for the definitive check. This reduces API costs by filtering out obviously invalid addresses before they hit the verification service.
Building a Validation Pipeline
Here's how these methods fit together in a production signup form:
async function validateEmail(email) {
// Step 1: Syntax check (instant, free)
if (!isValidEmailSyntax(email)) {
return { valid: false, reason: 'Invalid email format' };
}
// Step 2: MX check (fast, free)
const hasMx = await hasMxRecords(email);
if (!hasMx) {
return { valid: false, reason: 'Domain cannot receive email' };
}
// Step 3: API verification (definitive, costs credits)
const result = await verifyWithApi(email);
if (result.status === 'invalid') {
return { valid: false, reason: result.sub_status || 'Mailbox not found' };
}
if (result.is_disposable) {
return { valid: false, reason: 'Disposable email addresses not allowed' };
}
return { valid: true, quality_score: result.quality_score };
}
This layered approach catches 30-40% of invalid addresses before they ever reach the paid API, saving credits while still providing thorough validation for the addresses that make it through.
Common Mistakes to Avoid
Relying only on regex. Syntax validation is necessary but catches less than half of invalid addresses. A perfectly formatted email can point to a dead domain, a non-existent mailbox, or a disposable service.
Verifying once and forgetting. Email lists decay at 2-3% per month. An address that was valid in January may bounce in April. Verify before every major campaign, or set up automated recurring verification.
Treating all invalid results the same. There's a difference between "domain doesn't exist" (permanently invalid) and "mailbox full" (temporarily undeliverable). Good verification tools provide sub-status codes that help you decide whether to remove, retry, or flag.
Blocking all catch-all addresses. Catch-all domains account for 15-30% of B2B lists. Removing them all means losing legitimate contacts. Use quality scores and engagement data to segment them instead.
Try It Yourself
Want to see how email verification works in practice? SendSure offers 100 free verification credits when you sign up — no credit card required. Upload a list or verify individual addresses through the dashboard and see detailed results including quality scores, risk bands, and sub-status codes.
Create your free account and verify your first email in under 60 seconds.
