Why Regex Isn't Enough
Most developers validate emails with a regex pattern. While this catches obvious typos like missing @ signs, it can't tell you if the email actually works. [email protected] passes any regex but will bounce immediately.
Levels of Email Validation
1. Format Validation
Check that the email follows RFC 5322 syntax. This is what regex does.
2. Domain Validation
Verify the domain exists and has MX records configured to receive email. No MX records = the domain can't receive email.
3. Disposable Provider Detection
Flag temporary/throwaway email addresses (mailinator.com, guerrillamail.com, etc.). These are often used for spam signups or abuse.
4. Mailbox Verification
Check if the specific mailbox exists on the mail server (via SMTP VRFY or RCPT TO). This is the most thorough check but not always reliable as many servers disable this for privacy.
Validating Emails via API
curl "https://api.dnstoolkit.io/dns/[email protected]"The DNS Toolkit API performs multi-layer validation in a single call: format check, MX record lookup, disposable provider detection, and returns a confidence score.
Best Practices
- Validate on signup to catch typos immediately
- Block disposable emails for paid services
- Don't rely solely on SMTP verification — many servers give false positives
- Cache validation results (email infrastructure doesn't change often)
- Always send a confirmation email as the final verification step