Falsehoods programmers believe about email addresses

The classic email regex rejects valid addresses and accepts invalid ones. Here's what actually breaks email validation.

Try it — type something other forms reject:

An email address is required.

/^\S+@\S+\.\S+$/ is the regex on a thousand signup forms. It is wrong in both directions — it blocks valid addresses and waves through invalid ones. You cannot truly validate an email without sending one, so the humane approach is to warn, not reject.

The falsehoods

A valid email has exactly one @. Quoted local parts can contain more.
The local part can’t contain +. Subaddressing like you+shopping@example.com is valid and useful.
There’s only one dot. first.last@mail.example.co.uk is fine.
The domain must have a dot. user@localhost and intranet addresses don’t.
Email is ASCII. Internationalized domains like josé@münchen.de exist.
A regex can fully validate an email. It can’t — only a confirmation email can.

How humaneforms handles it

The demo runs the real validateEmail. It accepts plus-tags, multiple dots, and IDN domains; it lowercases only the domain (the local part is case-sensitive); and it warns on the unusual-but-legal instead of blocking. For real deliverability, pair it with a provider — see our note on verification.

npm install @humaneforms/react, or get the Pack.

Get the Pack — $99 Free on GitHub