Why email validation is harder than a regex

The pattern /.+@.+\..+/ accepts admin@mailinator.com, test@defunct-domain.io, and notreal@typo.vom. Here's what actually needs to happen before you trust an email address.

Every sign-up form validates email addresses. Most do it with a regex. The regex catches obvious typos — missing @, no domain — but it lets through a much larger class of addresses that will never receive a message. Those addresses quietly inflate your list, skew your open rates, and cost you money on every send.

The four problems a regex can't catch

The domain doesn't exist. A user types alice@gmial.com. The regex passes. The domain has no mail server. Your welcome email bounces. Your sender reputation drops. The domain gmial.com used to be a common typo trap — attackers registered it to harvest credentials from misdirected password resets.

The domain is real but the inbox is disposable. Services like Mailinator, Guerrilla Mail, and a hundred others give anyone a working inbox with no sign-up. The email is valid — it will actually receive your message — but the address belongs to no one in particular. Anyone who knows the address can read it. Users create throwaway accounts to claim trial offers, avoid marketing, or test your app without commitment.