
How to Validate Email Addresses with Regex for Security

Validating email addresses is a crucial step in ensuring the security of user data and preventing spam. In this article, we will explore how to use regular expressions (regex) to validate email addresses in a secure manner. We will provide a quick example, cover real-world scenarios, discuss best practices, highlight common mistakes, and answer frequently asked questions.

Quick Example

Here is a minimal example of how to validate an email address using regex in JavaScript:

const emailRegex = /^[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,}$/;
const email = 'example@example.com';

if (emailRegex.test(email)) {
  console.log('Email is valid');
} else {
  console.log('Email is invalid');
}

This example uses a simple regex pattern that checks the shape of the string (a local part, an @, a domain, and a top-level domain of at least two letters) and matches most common email address formats.

Real-World Scenarios

Scenario 1: Email Validation on User Registration

When a user registers for an account, you want to ensure that their email address is valid before creating the account. Here's an example in TypeScript:

interface User {
  email: string;
}

// Anchored pattern with explicit character classes
const validateEmail = (email: string): boolean => {
  const emailRegex = /^[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,}$/;
  return emailRegex.test(email);
};

const registerUser = (user: User): void => {
  if (!validateEmail(user.email)) {
    throw new Error('Invalid email address');
  }
  // Create user account
};

Scenario 2: Email Validation on Contact Form Submission

When a user submits a contact form, you want to ensure that their email address is valid before sending the email. Here's an example in JavaScript:

const express = require('express');
const app = express();

// Parse JSON request bodies; without this middleware req.body is undefined
app.use(express.json());

app.post('/contact', (req, res) => {
  const { email } = req.body;
  const emailRegex = /^[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,}$/;
  // Reject non-string input before RegExp.test() coerces it to a string
  if (typeof email !== 'string' || !emailRegex.test(email)) {
    return res.status(400).send({ error: 'Invalid email address' });
  }
  // Send email
  res.status(202).send({ status: 'accepted' });
});

Scenario 3: Email Validation on Password Reset

When a user requests a password reset, you want to ensure that their email address is valid before sending the reset link. Here's an example in JavaScript:

const emailRegex = /^[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,}$/;
const email = 'example@example.com';

if (!emailRegex.test(email)) {
  throw new Error('Invalid email address');
}
// Send password reset link

Best Practices

  1. Use a secure regex pattern: anchor the pattern with ^ and $ and use explicit character classes, so it matches the common email address formats while rejecting input that carries line breaks or other characters used in email injection.
  2. Validate email addresses on the server side: client-side checks can be bypassed or skipped entirely, so the server must validate every submission itself.
  3. Use a library or framework: prefer a reputable, maintained validation library to rolling your own solution.
  4. Test thoroughly: exercise the validator with both valid and invalid inputs, including edge cases, to confirm it behaves correctly in every scenario.
  5. Keep your regex pattern up to date: revisit it as email address formats and security guidance change.
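The checks that items 1 and 2 call for, as an added example that is not part of the original article: a server-side validator built around the pattern used in the Quick Example above. It accepts only strings (form and JSON bodies can carry arrays or objects, which RegExp.test() would silently coerce), enforces the RFC 5321 length limits of 64 characters for the local part and 254 for the whole address, rejects control characters explicitly, and only then applies the regex. The last layer is what blocks header-injection input: an address followed by a carriage return and line feed never matches an anchored pattern whose character classes exclude them. The function name, the reason strings and the sample inputs are constructed for this example.

```javascript
// Added example: a layered, server-side email validator around the article's pattern.
// The function name, the `reason` strings and the sample inputs are constructed here.
const EMAIL_REGEX = /^[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,}$/;

// RFC 5321 limits: 64 octets for the local part, 254 for the complete address in practice.
const MAX_LOCAL_PART = 64;
const MAX_ADDRESS = 254;

/**
 * Validate an email address and say why it was rejected.
 * Returns { valid: true } or { valid: false, reason: string }.
 */
function validateEmail(input) {
  // 1. Type check: req.body values may be arrays or objects; RegExp.test() would
  //    coerce ['a@b.com'] to 'a@b.com' and let it through.
  if (typeof input !== 'string') {
    return { valid: false, reason: 'not a string' };
  }
  // 2. Length limits reject oversized input before any pattern work is done.
  if (input.length > MAX_ADDRESS) {
    return { valid: false, reason: 'address too long' };
  }
  const at = input.lastIndexOf('@');
  if (at === -1) {
    return { valid: false, reason: 'missing @' };
  }
  if (at > MAX_LOCAL_PART) {
    return { valid: false, reason: 'local part too long' };
  }
  // 3. Control characters (CR, LF, NUL, ...) never belong in an address. The anchored
  //    regex below rejects them too, but an explicit check names the reason; this is
  //    the layer that stops header-injection input such as "a@b.com\r\nBcc: ...".
  if (/[\x00-\x1f\x7f]/.test(input)) {
    return { valid: false, reason: 'control character present' };
  }
  // 4. Syntactic shape: local@domain.tld. A format check only; it does not prove that
  //    the mailbox exists or that the domain accepts mail.
  if (!EMAIL_REGEX.test(input)) {
    return { valid: false, reason: 'does not match address format' };
  }
  return { valid: true };
}

// Constructed sample inputs, one per layer.
const samples = [
  'user@example.com',                             // valid
  ['user@example.com'],                           // array, not a string
  'a'.repeat(65) + '@example.com',                // local part too long
  'user@example.com\r\nBcc: other@example.org',   // CRLF header-injection attempt
  'user@example',                                 // no top-level domain
];

for (const s of samples) {
  console.log(JSON.stringify(String(s).slice(0, 40)), validateEmail(s));
}
```

Returning a reason rather than a bare boolean makes the rejection easy to log on the server, which is how you find out whether a validator is being probed. Passing this check still only means the string is well formed; confirming that the user controls the mailbox is done by sending a verification message to it.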

Common Mistakes

Mistake 1: Using an insecure regex pattern

const emailRegex = /^[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+$/; // Insecure

Corrected code:

const emailRegex = /^[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,}$/; // Secure

Mistake 2: Validating email addresses only on the client-side

// Client-side only validation
const emailRegex = /^[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,}$/;
const email = 'example@example.com';

if (emailRegex.test(email)) {
  console.log('Email is valid');
} else {
  console.log('Email is invalid');
}

Corrected code:

// Server-side validation
const express = require('express');
const app = express();

// Parse JSON request bodies; without this middleware req.body is undefined
app.use(express.json());

app.post('/contact', (req, res) => {
  const { email } = req.body;
  const emailRegex = /^[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,}$/;
  // Reject non-string input before RegExp.test() coerces it to a string
  if (typeof email !== 'string' || !emailRegex.test(email)) {
    return res.status(400).send({ error: 'Invalid email address' });
  }
  // Send email
  res.status(202).send({ status: 'accepted' });
});

Mistake 3: Not testing thoroughly

const emailRegex = /^[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,}$/;
const email = 'example@example.com';

if (emailRegex.test(email)) {
  console.log('Email is valid');
} else {
  console.log('Email is invalid');
}

Corrected code:

const emailRegex = /^[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,}$/;
const emails = [
  'example@example.com',
  'invalid-email',
  'example@example',
  'example@.com',
];

emails.forEach((email) => {
  if (emailRegex.test(email)) {
    console.log(`Email ${email} is valid`);
  } else {
    console.log(`Email ${email} is invalid`);
  }
});
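Printing verdicts, as the corrected code above does, still leaves a human to judge each line. The added example below (not code from the original article) turns the same idea into a table-driven test: every input carries the verdict a correct validator should give, and the function returns only the cases where a pattern disagrees. Running it over both the "Mistake 1" pattern and the corrected pattern shows concretely which inputs the looser pattern lets through. The case list is constructed for this example.

```javascript
// Added example: table-driven test of two patterns from the article over labelled inputs.
// The case list is constructed; the two regexes are the ones shown on the page.
const LOOSE_REGEX = /^[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+$/;                 // "Mistake 1" pattern
const STRICT_REGEX = /^[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,}$/;  // corrected pattern

// Each case carries the verdict we expect from a correct validator.
const CASES = [
  { input: 'example@example.com',           expected: true },
  { input: 'first.last+tag@sub.example.co', expected: true },
  { input: 'invalid-email',                 expected: false }, // no @
  { input: 'example@example',               expected: false }, // no top-level domain
  { input: 'example@.com',                  expected: false }, // empty domain label
  { input: 'example@example.c',             expected: false }, // TLD shorter than 2 letters
  { input: 'user@example.com\n',            expected: false }, // trailing newline (JS $ does not match before it)
  { input: 'us er@example.com',             expected: false }, // whitespace in local part
  { input: '',                              expected: false },
];

/**
 * Run `regex` over every case and return the inputs whose result differs from the
 * expected verdict. An empty array means the pattern passed the whole table.
 */
function findMismatches(regex, cases = CASES) {
  return cases
    .filter(({ input, expected }) => regex.test(input) !== expected)
    .map(({ input, expected }) => ({ input, expected, actual: !expected }));
}

console.log('loose pattern mismatches:', findMismatches(LOOSE_REGEX));
console.log('strict pattern mismatches:', findMismatches(STRICT_REGEX));
```

Keep the table next to the validator and extend it whenever a rejected or wrongly accepted address turns up in production; the table then documents exactly what the pattern is expected to accept, which is what makes later changes to the regex safe to review.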

FAQ

Q: What is the most secure regex pattern for email validation?

A: The most secure regex pattern for email validation is one that matches most common email address formats, but also prevents common attacks such as email injection.

Q: Should I validate email addresses on the client-side or server-side?

A: Validate email addresses on the server-side to prevent client-side bypassing of validation.

Q: How often should I update my regex pattern?

A: Keep your regex pattern up-to-date with the latest email address formats and security guidelines.

Q: Can I use a library or framework to validate email addresses?

A: Yes, use a reputable library or framework to validate email addresses, rather than rolling your own solution.

Q: How do I test my email validation implementation?

A: Thoroughly test your email validation implementation to ensure it works correctly in all scenarios.
