Can it cause harm to validate email addresses with a regex?

Question

I\'ve heard that it is a bad thing to validate email addresses with a regex, and that it actually can cause harm. Why is that? I thought it never could be a bad thing to val

Answer 1

It is not inherently bad to validate email addresses.

It is not even inherently bad to validate email addresses using regexes ... though there are arguably better ways to validate them¹.

The real issues are that validation of email addresses (based on the syntax):

• does not tell you if the address corresponds to a valid, working mailbox, and
• does not tell you if it is an address for the correct user (or agent).

Since users accidentally (or deliberately) use incorrect email addresses for various purposes, you need to do something else if you need to know if the address is correct; e.g. send some kind of "activation" email to the address.

So, assuming that you are going to implement the second stage of checking, the first stage of syntax checking the email address is relatively unimportant, and not even strictly necessary.

---

^{1 - Creating a regex that correctly deals with all of the edge-cases in the email syntax is non-trivial. However, it may be acceptable to disallow some of the more abstruse edge-cases, provided it doesn't unduly inconvenience a significant number of users.}