How to validate email address?

For client-side: use HTML5 input type='email' for basic syntax validation, supplemented by a regex for older browsers. For real validation: call a verification API server-side (ZeroBounce, NeverBounce, AbstractAPI) to check MX records, SMTP handshake, and detect disposable/role addresses. Client-side validates format; server-side validates deliverability.

How do I validate an email format in JavaScript?

Use the HTML5 input type='email' attribute which provides built-in browser validation. For JavaScript regex fallback, use a simple permissive pattern like `/^[^\s@]+@[^\s@]+\.[^\s@]+$/`. Don't try to write an RFC 5322-compliant regex — they're impractical and overly strict. For real deliverability checking, call a server-side verification API.

What's the best JavaScript email validation regex?

A simple permissive regex: `/^[^\s@]+@[^\s@]+\.[^\s@]+$/`. This catches obvious typos (missing @, missing domain) without being overly strict. RFC 5322-compliant regexes exist but are impractically long and reject some legitimate addresses. Better approach: simple syntax check client-side, real verification server-side.

Can JavaScript verify if an email actually exists?

No, not from client-side JavaScript alone. Verifying that an address exists requires server-side SMTP probing, which can't be done from a browser. JavaScript can validate format (does the address look valid) but not deliverability (does the mailbox accept mail). For deliverability checking, call a server-side verification API from your backend.

What's the JavaScript code for email validation?

Simplest: `const isValid = /^[^\s@]+@[^\s@]+\.[^\s@]+$/.test(email)`. With HTML5: use input type='email' and check `input.validity.valid`. For production with verification: client-side regex first, then call your backend API which calls a verification service. The frontend code is straightforward; the value is in the verification API call.

JavaScript Email Validation: Beyond a Regex

JavaScript email validation is one of those topics where the simplest answer (a quick regex) is almost adequate, and the "complete" answer (RFC 5322-compliant validation) is impractical. The right answer for production signup forms combines lightweight client-side format checking with server-side API verification for real deliverability.

This guide covers what to actually implement, with honest assessment of the trade-offs.

What email validation actually means

Email validation breaks into three distinct layers:

Layer	What it checks	Where it runs
Format / syntax	Does it look like an email address	Client (browser)
Domain existence	Does the domain have MX records	Server
Mailbox deliverability	Does the mailbox accept mail	Server (via API)

Client-side JavaScript handles layer 1. For layers 2 and 3, you need server-side calls — typically to a verification API like ZeroBounce, NeverBounce, or Kickbox.

Client-side validation in JavaScript

Option 1: HTML5 input type

The simplest approach uses HTML5's built-in input type:

<input type="email" name="email" required>

The browser automatically validates basic format on form submission. JavaScript can check validity:

const input = document.querySelector('input[type="email"]')
if (input.validity.valid) {
  // basic format check passed
}

This catches obvious typos (missing @, missing domain) without custom code.

Option 2: Simple regex

For more control or fallback to older browsers:

function isValidEmailFormat(email) {
  return /^[^\s@]+@[^\s@]+\.[^\s@]+$/.test(email)
}

This permissive regex catches the common typos:

Missing @: "user.example.com" → fails
Missing domain: "user@" → fails
Missing TLD: "user@example" → fails
Spaces: "user @example.com" → fails

It accepts most things that look like email addresses, including international characters and unusual but valid formats.

Option 3: RFC 5322-compliant regex (don't)

The full RFC 5322-compliant email regex is over 6000 characters long and notoriously hard to debug. Don't try to use it. The permissive regex above plus server-side verification handles the same problems with much less code.

Server-side verification (the real check)

Client-side validation tells you the address looks like an email. It doesn't tell you the address actually exists or can receive mail. For that, call a verification API from your backend.

The standard integration pattern:

// Backend (Node.js example)
async function verifyEmail(email) {
  const response = await fetch('https://api.zerobounce.net/v2/validate', {
    method: 'POST',
    headers: { 'Content-Type': 'application/json' },
    body: JSON.stringify({
      email: email,
      api_key: process.env.ZEROBOUNCE_API_KEY
    })
  })
  return response.json()
}

// In your signup handler
async function handleSignup(req, res) {
  const email = req.body.email

  // 1. Basic format check (could also be client-side)
  if (!isValidEmailFormat(email)) {
    return res.status(400).json({ error: 'Invalid email format' })
  }

  // 2. Verification API call
  const result = await verifyEmail(email)
  
  if (result.status === 'invalid' || result.status === 'disposable') {
    return res.status(400).json({ error: 'Email cannot be verified' })
  }
  
  // 3. Add to list
  await addToMailingList(email)
  res.json({ success: true })
}

Verification APIs typically return in 200-800ms. For very high-conversion signup flows, you can accept first and verify async.

Practical implementation patterns

Pattern 1: Simple form (low risk)

For low-stakes newsletter signups:

HTML5 input type='email' for basic check
Accept all syntactically valid addresses
Run periodic batch verification on the list

Pros: simplest, no API costs upfront. Cons: invalid addresses enter the list until batch cleanup.

Pattern 2: Real-time validation (recommended for serious sites)

For account signups or important lead capture:

Client-side regex / HTML5 first
Server-side API verification before adding to list
Reject invalid, disposable, role addresses
Accept catch-all with flag for monitoring

Pros: clean list from day one, better deliverability. Cons: API costs (~$0.005 per signup), small latency.

Pattern 3: Async verification (high-conversion flows)

For signup flows where conversion is critical:

Accept signup immediately
Send confirmation email
Async-verify the address
Update record based on verification result
Suppress if invalid

Pros: zero impact on signup conversion, still catches invalid addresses. Cons: more complex implementation, brief window of invalid addresses on the list.

Common JavaScript email validation mistakes

Over-strict regex

Rejecting legitimate addresses because the regex doesn't account for:

Plus signs in local part ([email protected])
Dots in local part ([email protected])
Subdomains ([email protected])
Newer TLDs (.tech, .email, etc.)
International domains (IDN)

Use the permissive regex above to avoid these false negatives.

Client-side only validation

Trusting browser validation for everything. Determined users can bypass client-side checks; the only real protection is server-side validation.

No validation at all

Accepting any input as an email address. Allows typos like [email protected] (instead of gmail.com) to enter the list and bounce.

Validating syntax instead of deliverability

A syntactically valid address that doesn't exist is still invalid for sending purposes. Syntax check ≠ deliverability check.

Practitioner note: The single most useful enhancement I add to client-side email forms is a "did you mean?" suggestion for common typos. [email protected] → "Did you mean gmail.com?" This catches roughly 1-3% of signups that would otherwise bounce. Libraries like mailcheck.js implement this in 20 lines of JavaScript.

Did-you-mean suggestions

A useful client-side enhancement is checking against known common typos:

const commonTypos = {
  'gnail.com': 'gmail.com',
  'gmial.com': 'gmail.com',
  'yhoo.com': 'yahoo.com',
  'hotmial.com': 'hotmail.com',
  // ...
}

function suggestCorrection(email) {
  const [local, domain] = email.split('@')
  if (commonTypos[domain]) {
    return `${local}@${commonTypos[domain]}`
  }
  return null
}

Show the suggestion to the user: "Did you mean [email protected]?" with a one-click accept. Catches a meaningful percentage of typo signups.

What about email format validation in other languages?

The same patterns apply across languages:

Python: email-validator library or simple regex
PHP: filter_var($email, FILTER_VALIDATE_EMAIL)
Ruby: URI::MailTo::EMAIL_REGEXP
Go: mail.ParseAddress(email) from net/mail
Java: EmailValidator from Apache Commons

All of these handle syntax. For real deliverability checking, call a verification API regardless of backend language.

When you need verification API vs. just JavaScript

Use case	JavaScript only	Need API verification
Newsletter signup, low stakes	OK	Better but optional
Account signup for SaaS	Insufficient	Yes
B2B lead capture	Insufficient	Yes
Ecommerce checkout	Insufficient (use shop platform validation)	Often included in platform
Free content download	Marginal	Recommended
Anything where deliverability matters	Insufficient	Yes

For any production signup where the email address matters (you'll actually email the person, the address represents a paying customer, deliverability impacts revenue), use a verification API. JavaScript-only validation is for casual contexts.

Cost considerations

Verification API costs:

$0.002-$0.008 per address with bulk pricing
$20-$200/month for typical signup volumes
Free tiers (100-1000/month) sufficient for very low-volume

The cost is minor compared to the value of clean signups. See email verification tools compared for vendor selection.

If you need help integrating email validation into your signup flow — client-side, server-side, or both — book a consultation. I work with SaaS teams on signup infrastructure and lead capture.

Sources

v1.0 · May 2026