May 8, 2026·9 min read·Regular Expressions

Regex for Email Validation: The Right Way in 2026

Q: Should I use regex alone to validate emails?

No. Regex should be your first line of defense for format checking, but the only way to truly verify an email address exists is to send a confirmation email. Regex catches typos and formatting errors; email verification confirms deliverability.

Q: Why does my email regex reject valid addresses?

Common reasons: your pattern doesn't allow + in the local part (used by Gmail aliases like user+tag@gmail.com), doesn't support new TLDs longer than 4 characters (.photography, .technology), or doesn't handle subdomains (user@mail.example.com). Use a more permissive pattern.

Q: What is RFC 5322 email format?

RFC 5322 defines the official email address format. It allows characters most developers don't expect: quoted strings, comments, IP address domains, and special characters. A fully compliant regex is over 6,000 characters long, which is why simplified patterns are used in practice.

Learn the correct regex pattern for email validation, why simple patterns fail, and how to implement email validation in JavaScript, Python, and PHP. Test patterns live with our free regex tester.

Test your email regex patterns live

Real-time highlighting, match groups, and code generation.

Open Regex Tester

Why Email Regex Is Harder Than You Think

Email validation seems simple — just check for an @ symbol and a dot, right? In reality, the email address specification (RFC 5322) allows formats that would surprise most developers:

• user+tag@gmail.com — the + sign is valid (Gmail aliases)
• very.unusual.email@example.museum — TLDs can be longer than .com
• user@sub.domain.example.co.uk — multiple subdomains are valid
• "quoted string"@example.com — quoted local parts are technically valid
• admin@[192.168.1.1] — IP address domains are allowed by the spec

A fully RFC 5322 compliant regular expression would be over 6,000 characters long. That is neither practical nor maintainable. The goal is to find the sweet spot: a pattern that accepts all common real-world email addresses while rejecting obviously invalid ones.

The Simple Pattern (And Why It Fails)

Many tutorials suggest this basic pattern:

/^\S+@\S+\.\S+$/

This checks for: something, then @, then something, then ., then something. Simple, but it accepts invalid emails like:

Wrongly Accepted

user@@double.com

Wrongly Accepted

user@.com

Wrongly Accepted

user@domain..com

Wrongly Accepted

@no-local-part.com

It also rejects valid emails in some edge cases. You need a more specific pattern that validates the local part, the domain, and the TLD separately. Test these patterns yourself with our free Regex Tester — paste the pattern and try different email addresses.

The Recommended Pattern for Production Use

After years of real-world testing, this is the pattern used by most major frameworks and libraries:

/^[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,}$/

Let's break down each part:

^Start of string — ensures nothing comes before the email

[a-zA-Z0-9._%+-]+Local part — letters, numbers, dots, underscores, percent, plus, hyphen (1 or more)

@The @ symbol — exactly one, required

[a-zA-Z0-9.-]+Domain — letters, numbers, dots, hyphens (supports subdomains)

\.[a-zA-Z]{2,}TLD — a dot followed by 2+ letters (.com, .io, .photography)

$End of string — ensures nothing comes after the email

This pattern correctly handles Gmail aliases (user+tag@gmail.com), new TLDs (.technology, .museum), subdomains (mail.example.co.uk), and rejects double dots, missing local parts, and other invalid formats. It covers 99.9% of real-world email addresses.

Testing Your Email Regex

Before deploying any regex pattern, test it thoroughly. Use our Regex Tester to paste the pattern above and test it against these email addresses:

Should Match (Valid)

user@example.com

user.name+tag@domain.co.uk

admin@sub.domain.org

test_email@example.photography

Should NOT Match (Invalid)

@missing-local.com

user@.no-domain.com

user@domain..double-dot.com

plaintext (no @ symbol)

The Regex Tester highlights each match in real time and shows capture groups. You can also use the Replace mode to extract or transform email addresses from text, and the Code generation feature to get ready-to-use code in JavaScript, Python, PHP, or Go.

Email Validation in JavaScript, Python, and PHP

JavaScript Email Validation

function isValidEmail(email) {
  const regex = /^[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,}$/;
  return regex.test(email);
}

// Usage
isValidEmail("user@example.com");     // true
isValidEmail("invalid@.com");         // false
isValidEmail("user+tag@gmail.com");   // true

Python Email Validation

import re

def is_valid_email(email: str) -> bool:
    pattern = r'^[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,}$'
    return bool(re.match(pattern, email))

# Usage
print(is_valid_email("user@example.com"))    # True
print(is_valid_email("not-an-email"))        # False

PHP Email Validation

<?php
function isValidEmail(string $email): bool {
    // PHP has a built-in filter — prefer this over regex
    return filter_var($email, FILTER_VALIDATE_EMAIL) !== false;
}

// Or with regex:
$pattern = '/^[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,}$/';
$isValid = preg_match($pattern, $email);

Pro tip for PHP: Use filter_var() with FILTER_VALIDATE_EMAIL instead of regex — it is maintained by the PHP team and handles edge cases better. Generate these code snippets automatically with our Regex Tester's Code Generation feature.

When NOT to Use Regex for Email Validation

Regex alone is never enough to validate an email address. It can only check the format — not whether the address actually exists or can receive mail. Here is the recommended validation stack:

Regex Format Check

Quick client-side check — rejects obvious typos and formatting errors before the form is submitted. Use the pattern from this article.

DNS MX Record Lookup

Server-side — verify the domain has mail exchange records. If example.com has no MX records, no email can be delivered to it.

Confirmation Email

The gold standard — send a verification link. This is the only way to confirm a real person has access to that email address.

For form UX, the regex check should happen on blur (when the user leaves the field) — not on every keystroke. Show a clear error message like "Please enter a valid email address" rather than exposing the regex pattern. Encode form values safely with our HTML Entity Encoder before displaying user input to prevent XSS attacks.

Frequently Asked Questions

What is the best regex for email validation?

For most applications, use: ^[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,}$ — it covers 99.9% of real-world email addresses. A fully RFC 5322 compliant regex exists but is over 6,000 characters long and impractical for production use.

Should I use regex alone to validate emails?

No. Regex checks the format, but can't verify the email actually exists. Use regex as the first step, then verify with DNS MX record lookup and a confirmation email for critical applications.

Why does my email regex reject valid addresses?

Common causes: not allowing + (Gmail aliases), not supporting TLDs longer than 4 characters (.photography), or not handling subdomains. Use the recommended pattern from this article which handles all these cases.

What is RFC 5322 email format?

RFC 5322 defines the official email address specification. It allows quoted strings, comments, IP address domains, and special characters that most simplified patterns don't support. For practical applications, the simplified pattern in this article is recommended.

Test Your Email Regex Now

Paste any regex pattern, see live match highlighting, capture groups, and auto-generated code for JavaScript, Python, PHP, and Go.

Open Regex Tester

Related Tools & Articles

Regex Tester

Test patterns with live highlighting

String Encoder/Decoder

URL encode, HTML entity, Base64

HTML Entity Encoder

Prevent XSS in form inputs

How to Validate JSON

Complete JSON validation guide