Email Validation Regex — Test Patterns Online and See What Really Matches
Table of Contents
- Why a single "correct" email regex doesn't exist
- Tier 1: Simple email regex for web forms
- Tier 2: Balanced email regex for API validation
- Tier 3: Strict email patterns for controlled systems
- Testing edge cases that catch you in production
- Language-specific email validation notes
- Frequently Asked Questions
Email regex validation is one of the most-searched regex topics — and one of the most misunderstood. The "correct" email regex depends entirely on what you're trying to accomplish: reject obviously invalid formats, enforce your system's constraints, or comply with RFC 5321. Those three goals require very different patterns, and the "validate email with regex" advice online mixes them all together.
The free regex tester at WildandFree Tools lets you paste any email pattern, test it against real addresses, and see exactly what it matches and misses. This guide covers the three tiers of email patterns and when to use each.
Why a Single 'Correct' Email Regex Doesn't Exist
Email addresses are more complex than most developers expect. RFC 5321 allows addresses like [email protected], "user name"@domain.com, and even user@[192.168.1.1] (IP literal domain). No reasonably concise regex covers all valid cases.
More importantly: the goal of email validation in a web form isn't RFC compliance — it's catching typos and obvious format errors before someone hits submit. For that purpose, a simple, readable pattern outperforms a 1,000-character RFC-compliant monster that still misses edge cases.
Three tiers, three different use cases:
- Tier 1 (simple) — Fast, readable, catches most user input errors. Use for web forms.
- Tier 2 (balanced) — Covers most real-world formats including subdomains and plus-addressing. Use for API input validation.
- Tier 3 (strict) — Rejects uncommon but technically valid formats. Use when you need predictable behavior for downstream processing.
Tier 1: Simple Email Regex for Web Forms
Pattern: [^@\s]+@[^@\s]+\.[^@\s]+
Paste this into the browser tester and test it against:
- [email protected] — matches (correct)
- [email protected] — matches (correct)
- user @domain.com — no match (catches space typo)
- @domain.com — no match (catches missing local part)
- user@domain — matches (allows, even without TLD)
The tradeoff: user@domain matches because the pattern only requires an @ and a dot somewhere after it. For most form validation, this is acceptable — the real validation is the confirmation email that has to actually deliver.
When to use this: any client-side form validation where you want to catch obvious mistakes without being overly strict. Pair it with an email deliverability check (send a verification email) for actual validation.
Tier 2: Balanced Email Regex for API Validation
Pattern: ^[a-zA-Z0-9._%+\-]+@[a-zA-Z0-9.\-]+\.[a-zA-Z]{2,}$
Test this in the browser tester with the pattern anchored (^ and $) and no global flag. What it catches vs allows:
| Input | Result | Why |
|---|---|---|
| [email protected] | Match | Standard format |
| [email protected] | Match | Plus sign allowed in local part |
| [email protected] | Match | Dots and subdomains allowed |
| [email protected] | No match | TLD must be 2+ chars |
| user @domain.com | No match | Space not in allowed chars |
| "user"@domain.com | No match | Quoted local parts excluded |
| user@domain | No match | Requires dot in domain |
This pattern rejects technically valid RFC addresses like "quoted user"@domain.com — but those are rare in practice. For server-side API validation where you're storing emails in a database, this tier catches problematic inputs without being so strict it rejects real users.
Tier 3: Strict Email Patterns for Controlled Systems
When you control both the sender and recipient — internal systems, employee directories, API keys sent to email — you can enforce stricter formats:
Lowercase only, no plus addressing: ^[a-z0-9.\-]+@[a-z0-9.\-]+\.[a-z]{2,}$
Company domain only: ^[a-zA-Z0-9._%+\-]+@yourcompany\.com$
Exclude disposable email domains (pattern-based): ^(?!.*@(mailinator|guerrillamail|tempmail|throwam)\.)[a-zA-Z0-9._%+\-]+@[a-zA-Z0-9.\-]+\.[a-zA-Z]{2,}$
Test the disposable domain pattern in the browser tester with the i flag. Note that this lookahead-based approach works in JavaScript, Python, and most PCRE engines — but not in Go (RE2 doesn't support lookaheads).
For Go or other RE2 environments, split the validation: one regex for format, then a separate string-contains check against a blocklist for disposable domains.
Testing Edge Cases That Catch You in Production
Before shipping any email validation, test these strings in the browser tester — each has caused production bugs at least once:
[email protected]— Gmail plus addressing. Block it and you lose Gmail users who use filtering.[email protected]— Multi-level TLD. Many patterns incorrectly reject this.[email protected]— Long TLD. Patterns with{2,4}TLD limit break on.museum,.photography, etc. Use{2,}with no upper bound.[email protected]— All-caps. Most patterns need the i flag or explicit uppercase ranges to match this.[email protected]— Trailing dot in local part. Technically invalid but commonly typed. Your pattern should reject it.[email protected]— Double dot in domain. Also invalid — confirm your pattern rejects it.
Use the browser tester to build a checklist of these inputs and run each one. If a pattern misses any edge case, adjust and re-test until all pass and fail correctly.
Language-Specific Email Validation Notes
The browser tester validates pattern behavior — copy to your target language with these notes:
- JavaScript — Use
/pattern/iflags directly. HTML5<input type="email">has its own built-in validation; for custom validation, use the regex approach. - Python — The
remodule uses PCRE. Addre.IGNORECASEfor case insensitivity. Theemail-validatorPyPI library handles full RFC validation if you need it. - Java — Use
Pattern.compilewithPattern.CASE_INSENSITIVE. The Apache Commons Validator library'sEmailValidatorclass is a well-tested alternative. - Go — Use RE2-compatible patterns only (no lookaheads). The Tier 1 and Tier 2 patterns both work directly with
regexp.MustCompile. - PHP —
filter_var($email, FILTER_VALIDATE_EMAIL)handles most cases without custom regex.
Try It Free — No Signup Required
Runs 100% in your browser. No data is collected, stored, or sent anywhere.
Open Free Regex TesterFrequently Asked Questions
Should I use regex or a library to validate email addresses?
Regex for format checks, a library or deliverability API for real validation. A regex that rejects "[email protected]" when it has a typo helps users fix it immediately. But regex cannot tell you if the mailbox actually exists or if the domain's MX records are configured. For signups that matter, send a verification email.
Why do some email regex patterns allow invalid formats?
Most email patterns prioritize not rejecting valid addresses over blocking invalid ones. It's worse to tell a real user their valid address is invalid than to let through a slightly malformed address. Overly strict regex patterns cause real users to abandon forms.
Does the browser tester support the full email pattern I found online?
Yes — paste any JavaScript-compatible email pattern into the tester. Some patterns found online use PCRE-specific syntax that JavaScript doesn't support; if the pattern field shows a red error indicator, the pattern contains unsupported syntax. Simplify or convert it.