Regex to match email

Question

I need a Regex that matches an email-adress, local@domain with following requirements:

Local-part can contain A-z, 0-9, dot, underscore and dash.

Domain can contain A-z, 0-9, dot and dash. The domain needs to contain at least one dot.

How do I make sure that: The domain can't start with or end with dot or dash. And that that the domain needs to contain at least one dot?

These are the two things that really cause me problems in trying to solve it.

Have tried the following:

Regex.IsMatch(email, @"(?:[^.-])([\w.-])@([\w.-])(?:[.-]$)");

Answer 1

The correct answer is:

ONLY validate that @ is present, the domain portion matches a few simple rules, the local part is <= 64 characters, and the whole thing is <= 254 characters.

Yeah, exclude completely illegal characters, ok. And make sure you use the last @ symbol, not the first. See RFC 1035 for all the goods on valid domain names. Maybe RFC 819 could help.

If you are using HTML, then just use an email input, <input type="email" autocomplete="off" autocorrect="off">, and you'll get most of the right stuff out-of-the-box enforced by the browser itself, with no work on your part. See email input validation at MDN. Though be aware that even this can be too restrictive depending on the browser. See this bug where the proper behavior for browsers is to accept unicode in email addresses (accept IDN labels), then perform translation from a U-label to an A-label, and only then perform the validation.

You can, if you want to, also check if the domain can be found in DNS, but this is an unnecessary and effort-heavy step.

Why am I yelling this in giant print? Because so. Stinking. Many sites get this completely and horribly wrong.

First, read this: I Knew How To Validate An Email Address Until I Read The RFC.

Here, reason with me for a moment.

Given, as the article says, there are basic rules about:

• the @ symbol,
• maximum lengths of the various parts,
• completely forbidden characters,
• and the obvious fact that the ONLY determiner of whether an email address is valid is the issuer of that email address—the domain owner,

Then, the only determiner of whether an email address will actually reach anyone is to send an email to the address, and see if the person gets it, because this is the only way to ask the issuer of that email address if there's an actual user account associated with it.

Think about postal mail. Let's suppose someone gives you a funny address, say, this one:

AAB!129 Thor Circle 1/2 atomized Pile$
Armelioborrigenduliamo, GRICKL, θ-niner *
18957382:90347342;21017900~19127734.6
THE MOON

Since you've likely never sent mail to the moon before, are you SURE you want to judge lunar mail addresses by the standards of the region you're familiar with? How do YOU know that's not a valid address? What if those folks just do it weird? If you were a company planning to do business with your customers—and make piles of money—why do you care if their address is weird just so long as the address works?

In fact, this reality that you can't validate another authority's address is proven by a standard business practice in the U.S.: postal address scrubbing. What that means is, when someone submits a mailing address to you, you send off an API call to the US Postal Service asking if this is a valid address, and furthermore asking for the canonical form of it. That's because only the post office can tell you if the address is valid. And even then, you don't know if your letter will get to anyone until you try sending one!

Why, then, would you be so presumptive as to deny someone from using a perfectly valid email address, known by their email provider to be valid (similar to sending mail to another country or even another planet), just because it has some format you're not used to or that you ignorantly assume is wrong?

If you are just trying to avoid bad email addresses due to typos, you can still do that. Display to the user "Hey, something about your address doesn't look quite right. Are you sure that it contains these characters you've selected? !#$%^&*()"{}[]`~ Remember, if we can't email you, you can't create an account." Then people get the warning, but if they really want to, they can still submit it. (Okay, yeah, exclude completely forbidden characters. The ones I listed are not necessarily valid. Look it up. You should look this up. Really. You shouldn't take the word of some random internet person. Get understanding.)

Go ahead and even make it slightly painful—make them submit twice. Or check a box and submit a second time. Just don't stop them from using whatever they want.

I have personally at times decided NOT to use web sites or services that could not accept email addresses with a plus sign in the local part (before the @). And if I simply must have the account, I grit my teeth, get a little bit angry, and then submit a different address than the one I really want to use.

Unless you really want to reduce the set of customers you can do business with. Then go ahead and be too restrictive...

Okay, at this point, you hate me

You think I'm overreacting. You just want to validate your email addresses! Can it be so hard? In fact, you're just going to ignore me and go ahead and write one that will do the job. It's good enough.

Well fine. If you won't listen to sense or reason, then here's some regex for you that does it right. (Only, I don't actually know if it does it right, but I'm willing to bet it does it a darn sight closer to right than anything anyone here is going to come up with on their own in less than days and days of work.)

The magic email-validating regex

(?:(?:\r\n)?[ \t])*(?:(?:(?:[^()<>@,;:\\".\[\] \000-\031]+(?:(?:(?:\r\n)?[ \t]
)+|\Z|(?=[\["()<>@,;:\\".\[\]]))|"(?:[^\"\r\\]|\\.|(?:(?:\r\n)?[ \t]))*"(?:(?:
\r\n)?[ \t])*)(?:\.(?:(?:\r\n)?[ \t])*(?:[^()<>@,;:\\".\[\] \000-\031]+(?:(?:(
?:\r\n)?[ \t])+|\Z|(?=[\["()<>@,;:\\".\[\]]))|"(?:[^\"\r\\]|\\.|(?:(?:\r\n)?[ 
\t]))*"(?:(?:\r\n)?[ \t])*))*@(?:(?:\r\n)?[ \t])*(?:[^()<>@,;:\\".\[\] \000-\0
31]+(?:(?:(?:\r\n)?[ \t])+|\Z|(?=[\["()<>@,;:\\".\[\]]))|\[([^\[\]\r\\]|\\.)*\
](?:(?:\r\n)?[ \t])*)(?:\.(?:(?:\r\n)?[ \t])*(?:[^()<>@,;:\\".\[\] \000-\031]+
(?:(?:(?:\r\n)?[ \t])+|\Z|(?=[\["()<>@,;:\\".\[\]]))|\[([^\[\]\r\\]|\\.)*\](?:
(?:\r\n)?[ \t])*))*|(?:[^()<>@,;:\\".\[\] \000-\031]+(?:(?:(?:\r\n)?[ \t])+|\Z
|(?=[\["()<>@,;:\\".\[\]]))|"(?:[^\"\r\\]|\\.|(?:(?:\r\n)?[ \t]))*"(?:(?:\r\n)
?[ \t])*)*\<(?:(?:\r\n)?[ \t])*(?:@(?:[^()<>@,;:\\".\[\] \000-\031]+(?:(?:(?:\
r\n)?[ \t])+|\Z|(?=[\["()<>@,;:\\".\[\]]))|\[([^\[\]\r\\]|\\.)*\](?:(?:\r\n)?[
 \t])*)(?:\.(?:(?:\r\n)?[ \t])*(?:[^()<>@,;:\\".\[\] \000-\031]+(?:(?:(?:\r\n)
?[ \t])+|\Z|(?=[\["()<>@,;:\\".\[\]]))|\[([^\[\]\r\\]|\\.)*\](?:(?:\r\n)?[ \t]
)*))*(?:,@(?:(?:\r\n)?[ \t])*(?:[^()<>@,;:\\".\[\] \000-\031]+(?:(?:(?:\r\n)?[
 \t])+|\Z|(?=[\["()<>@,;:\\".\[\]]))|\[([^\[\]\r\\]|\\.)*\](?:(?:\r\n)?[ \t])*
)(?:\.(?:(?:\r\n)?[ \t])*(?:[^()<>@,;:\\".\[\] \000-\031]+(?:(?:(?:\r\n)?[ \t]
)+|\Z|(?=[\["()<>@,;:\\".\[\]]))|\[([^\[\]\r\\]|\\.)*\](?:(?:\r\n)?[ \t])*))*)
*:(?:(?:\r\n)?[ \t])*)?(?:[^()<>@,;:\\".\[\] \000-\031]+(?:(?:(?:\r\n)?[ \t])+
|\Z|(?=[\["()<>@,;:\\".\[\]]))|"(?:[^\"\r\\]|\\.|(?:(?:\r\n)?[ \t]))*"(?:(?:\r
\n)?[ \t])*)(?:\.(?:(?:\r\n)?[ \t])*(?:[^()<>@,;:\\".\[\] \000-\031]+(?:(?:(?:
\r\n)?[ \t])+|\Z|(?=[\["()<>@,;:\\".\[\]]))|"(?:[^\"\r\\]|\\.|(?:(?:\r\n)?[ \t
]))*"(?:(?:\r\n)?[ \t])*))*@(?:(?:\r\n)?[ \t])*(?:[^()<>@,;:\\".\[\] \000-\031
]+(?:(?:(?:\r\n)?[ \t])+|\Z|(?=[\["()<>@,;:\\".\[\]]))|\[([^\[\]\r\\]|\\.)*\](
?:(?:\r\n)?[ \t])*)(?:\.(?:(?:\r\n)?[ \t])*(?:[^()<>@,;:\\".\[\] \000-\031]+(?
:(?:(?:\r\n)?[ \t])+|\Z|(?=[\["()<>@,;:\\".\[\]]))|\[([^\[\]\r\\]|\\.)*\](?:(?
:\r\n)?[ \t])*))*\>(?:(?:\r\n)?[ \t])*)|(?:[^()<>@,;:\\".\[\] \000-\031]+(?:(?
:(?:\r\n)?[ \t])+|\Z|(?=[\["()<>@,;:\\".\[\]]))|"(?:[^\"\r\\]|\\.|(?:(?:\r\n)?
[ \t]))*"(?:(?:\r\n)?[ \t])*)*:(?:(?:\r\n)?[ \t])*(?:(?:(?:[^()<>@,;:\\".\[\] 
\000-\031]+(?:(?:(?:\r\n)?[ \t])+|\Z|(?=[\["()<>@,;:\\".\[\]]))|"(?:[^\"\r\\]|
\\.|(?:(?:\r\n)?[ \t]))*"(?:(?:\r\n)?[ \t])*)(?:\.(?:(?:\r\n)?[ \t])*(?:[^()<>
@,;:\\".\[\] \000-\031]+(?:(?:(?:\r\n)?[ \t])+|\Z|(?=[\["()<>@,;:\\".\[\]]))|"
(?:[^\"\r\\]|\\.|(?:(?:\r\n)?[ \t]))*"(?:(?:\r\n)?[ \t])*))*@(?:(?:\r\n)?[ \t]
)*(?:[^()<>@,;:\\".\[\] \000-\031]+(?:(?:(?:\r\n)?[ \t])+|\Z|(?=[\["()<>@,;:\\
".\[\]]))|\[([^\[\]\r\\]|\\.)*\](?:(?:\r\n)?[ \t])*)(?:\.(?:(?:\r\n)?[ \t])*(?
:[^()<>@,;:\\".\[\] \000-\031]+(?:(?:(?:\r\n)?[ \t])+|\Z|(?=[\["()<>@,;:\\".\[
\]]))|\[([^\[\]\r\\]|\\.)*\](?:(?:\r\n)?[ \t])*))*|(?:[^()<>@,;:\\".\[\] \000-
\031]+(?:(?:(?:\r\n)?[ \t])+|\Z|(?=[\["()<>@,;:\\".\[\]]))|"(?:[^\"\r\\]|\\.|(
?:(?:\r\n)?[ \t]))*"(?:(?:\r\n)?[ \t])*)*\<(?:(?:\r\n)?[ \t])*(?:@(?:[^()<>@,;
:\\".\[\] \000-\031]+(?:(?:(?:\r\n)?[ \t])+|\Z|(?=[\["()<>@,;:\\".\[\]]))|\[([
^\[\]\r\\]|\\.)*\](?:(?:\r\n)?[ \t])*)(?:\.(?:(?:\r\n)?[ \t])*(?:[^()<>@,;:\\"
.\[\] \000-\031]+(?:(?:(?:\r\n)?[ \t])+|\Z|(?=[\["()<>@,;:\\".\[\]]))|\[([^\[\
]\r\\]|\\.)*\](?:(?:\r\n)?[ \t])*))*(?:,@(?:(?:\r\n)?[ \t])*(?:[^()<>@,;:\\".\
[\] \000-\031]+(?:(?:(?:\r\n)?[ \t])+|\Z|(?=[\["()<>@,;:\\".\[\]]))|\[([^\[\]\
r\\]|\\.)*\](?:(?:\r\n)?[ \t])*)(?:\.(?:(?:\r\n)?[ \t])*(?:[^()<>@,;:\\".\[\] 
\000-\031]+(?:(?:(?:\r\n)?[ \t])+|\Z|(?=[\["()<>@,;:\\".\[\]]))|\[([^\[\]\r\\]
|\\.)*\](?:(?:\r\n)?[ \t])*))*)*:(?:(?:\r\n)?[ \t])*)?(?:[^()<>@,;:\\".\[\] \0
00-\031]+(?:(?:(?:\r\n)?[ \t])+|\Z|(?=[\["()<>@,;:\\".\[\]]))|"(?:[^\"\r\\]|\\
.|(?:(?:\r\n)?[ \t]))*"(?:(?:\r\n)?[ \t])*)(?:\.(?:(?:\r\n)?[ \t])*(?:[^()<>@,
;:\\".\[\] \000-\031]+(?:(?:(?:\r\n)?[ \t])+|\Z|(?=[\["()<>@,;:\\".\[\]]))|"(?
:[^\"\r\\]|\\.|(?:(?:\r\n)?[ \t]))*"(?:(?:\r\n)?[ \t])*))*@(?:(?:\r\n)?[ \t])*
(?:[^()<>@,;:\\".\[\] \000-\031]+(?:(?:(?:\r\n)?[ \t])+|\Z|(?=[\["()<>@,;:\\".
\[\]]))|\[([^\[\]\r\\]|\\.)*\](?:(?:\r\n)?[ \t])*)(?:\.(?:(?:\r\n)?[ \t])*(?:[
^()<>@,;:\\".\[\] \000-\031]+(?:(?:(?:\r\n)?[ \t])+|\Z|(?=[\["()<>@,;:\\".\[\]
]))|\[([^\[\]\r\\]|\\.)*\](?:(?:\r\n)?[ \t])*))*\>(?:(?:\r\n)?[ \t])*)(?:,\s*(
?:(?:[^()<>@,;:\\".\[\] \000-\031]+(?:(?:(?:\r\n)?[ \t])+|\Z|(?=[\["()<>@,;:\\
".\[\]]))|"(?:[^\"\r\\]|\\.|(?:(?:\r\n)?[ \t]))*"(?:(?:\r\n)?[ \t])*)(?:\.(?:(
?:\r\n)?[ \t])*(?:[^()<>@,;:\\".\[\] \000-\031]+(?:(?:(?:\r\n)?[ \t])+|\Z|(?=[
\["()<>@,;:\\".\[\]]))|"(?:[^\"\r\\]|\\.|(?:(?:\r\n)?[ \t]))*"(?:(?:\r\n)?[ \t
])*))*@(?:(?:\r\n)?[ \t])*(?:[^()<>@,;:\\".\[\] \000-\031]+(?:(?:(?:\r\n)?[ \t
])+|\Z|(?=[\["()<>@,;:\\".\[\]]))|\[([^\[\]\r\\]|\\.)*\](?:(?:\r\n)?[ \t])*)(?
:\.(?:(?:\r\n)?[ \t])*(?:[^()<>@,;:\\".\[\] \000-\031]+(?:(?:(?:\r\n)?[ \t])+|
\Z|(?=[\["()<>@,;:\\".\[\]]))|\[([^\[\]\r\\]|\\.)*\](?:(?:\r\n)?[ \t])*))*|(?:
[^()<>@,;:\\".\[\] \000-\031]+(?:(?:(?:\r\n)?[ \t])+|\Z|(?=[\["()<>@,;:\\".\[\
]]))|"(?:[^\"\r\\]|\\.|(?:(?:\r\n)?[ \t]))*"(?:(?:\r\n)?[ \t])*)*\<(?:(?:\r\n)
?[ \t])*(?:@(?:[^()<>@,;:\\".\[\] \000-\031]+(?:(?:(?:\r\n)?[ \t])+|\Z|(?=[\["
()<>@,;:\\".\[\]]))|\[([^\[\]\r\\]|\\.)*\](?:(?:\r\n)?[ \t])*)(?:\.(?:(?:\r\n)
?[ \t])*(?:[^()<>@,;:\\".\[\] \000-\031]+(?:(?:(?:\r\n)?[ \t])+|\Z|(?=[\["()<>
@,;:\\".\[\]]))|\[([^\[\]\r\\]|\\.)*\](?:(?:\r\n)?[ \t])*))*(?:,@(?:(?:\r\n)?[
 \t])*(?:[^()<>@,;:\\".\[\] \000-\031]+(?:(?:(?:\r\n)?[ \t])+|\Z|(?=[\["()<>@,
;:\\".\[\]]))|\[([^\[\]\r\\]|\\.)*\](?:(?:\r\n)?[ \t])*)(?:\.(?:(?:\r\n)?[ \t]
)*(?:[^()<>@,;:\\".\[\] \000-\031]+(?:(?:(?:\r\n)?[ \t])+|\Z|(?=[\["()<>@,;:\\
".\[\]]))|\[([^\[\]\r\\]|\\.)*\](?:(?:\r\n)?[ \t])*))*)*:(?:(?:\r\n)?[ \t])*)?
(?:[^()<>@,;:\\".\[\] \000-\031]+(?:(?:(?:\r\n)?[ \t])+|\Z|(?=[\["()<>@,;:\\".
\[\]]))|"(?:[^\"\r\\]|\\.|(?:(?:\r\n)?[ \t]))*"(?:(?:\r\n)?[ \t])*)(?:\.(?:(?:
\r\n)?[ \t])*(?:[^()<>@,;:\\".\[\] \000-\031]+(?:(?:(?:\r\n)?[ \t])+|\Z|(?=[\[
"()<>@,;:\\".\[\]]))|"(?:[^\"\r\\]|\\.|(?:(?:\r\n)?[ \t]))*"(?:(?:\r\n)?[ \t])
*))*@(?:(?:\r\n)?[ \t])*(?:[^()<>@,;:\\".\[\] \000-\031]+(?:(?:(?:\r\n)?[ \t])
+|\Z|(?=[\["()<>@,;:\\".\[\]]))|\[([^\[\]\r\\]|\\.)*\](?:(?:\r\n)?[ \t])*)(?:\
.(?:(?:\r\n)?[ \t])*(?:[^()<>@,;:\\".\[\] \000-\031]+(?:(?:(?:\r\n)?[ \t])+|\Z
|(?=[\["()<>@,;:\\".\[\]]))|\[([^\[\]\r\\]|\\.)*\](?:(?:\r\n)?[ \t])*))*\>(?:(
?:\r\n)?[ \t])*))*)?;\s*)

Of course, it's been line-broken. Remove the newlines.

Answer 2

EDIT

I think this would work:

Regex regex = new Regex(@"^([\w\.\-]+)@((?!\.|\-)[\w\-]+)((\.(\w){2,3})+)$");

NOTE: domain names cannot have dots and spaces

However, instead of using a regex you can try using Mail Address Class. This way you don't have to break your head over understanding someone else's regex

public bool IsEmailValid(string address)
{
    try
    {
        MailAddress m = new MailAddress(address);
        return true;
    }
    catch (FormatException)
    {
       return false;
    }
}

Answer 3

In a fit of dark and self-destructive insanity, I have decided to answer your question.

Your exact requirements:

• Local-part can contain A-z, 0-9, dot, underscore and dash.
• Domain can contain A-z, 0-9, dot and dash.
• The domain needs to contain at least one dot.
• The domain can't start with or end with dot or dash.

Your RegEx that meets these exact requirements and no more (case-insensitive match):

^[\w.-]+@(?=[a-z\d][^.]*\.)[a-z\d.-]*[^.]$

Try it out at regex101.com

I took some care to make sure this does almost no backtracking. At regex101.com you can see how many steps it took. Good addresses validate in 13 steps, which is pretty good. Addresses with a dot at the end are the worst performance because this causes backtracking one character at a time over the whole domain portion, but they are probably rare.

Please vote down this post as much as you vote down the other posts attempting to answer the question as given.

Then, see my other answer on this page and vote it up.

Breakdown:

Regex       Explanation
##########  #######################################################
         ^  start of string anchor, zero-width match

##########  "local" part
   [\w.-]+  character class, one or more of: word character, dot, or dash

##########  "@"
         @  literal @ character

##########  "domain" part
       (?=  begin positive lookahead group, zero-width match
   [a-z\d]  must begin with a letter or digit
     [^.]*  match zero or more characters that aren't literal .
        \.  match one literal . character
         )  end positive lookahead group
[a-z\d.-]*  match zero or more: letters, digits, dot, or dash
      [^.]  match one or more characters that aren't literal .
         $  end of string anchor, zero-width match

Notes:

The positive lookahead is what does the job of asserting that the domain portion begins with a non-dot, and contains at least one dot after that. Lookaheads like this (and zero-width matches in general) can help avoid excess complexity in other parts of a regex. Multiple lookaheads can actually be used one after the other to assert different things about the remainder of the regex. This helps a regex address multiple concerns that would otherwise, if matched together in normal character-consuming patterns, would create extremely complex regexes.

It is best to avoid lookbehinds if possible, in part because some RegEx flavors do not support them, and the ones that do mostly don't support variable-width lookbehinds. (A possible workaround is to use a lookahead followed by a more liberal character-consuming match that ends at the same position as the lookahead does, and if doing replacement, replace the literally matched characters with themselves.)

In C#, \w includes a wide range of Unicode characters. This may or may not be what you're looking for. If not, you can leave the Regex as is and use ECMAScript-compliant mode. Or, you can just change it to a-z0-9_ (inside square brackets). But \w is shorter.

\d also includes some additional numeric characters:

\d matches any decimal digit. It is equivalent to the \p{Nd} regular expression pattern, which includes the standard decimal digits 0-9 as well as the decimal digits of a number of other character sets.

You can again use ECMAScript-compliant mode, or just change it to 0-9. But \d is shorter.

Be aware that there are plenty of ways that this regex is seriously not good. It allows IP addresses in the domain portion (incorrect), it doesn't limit the total length of the regex or the length of the domain portion. It improperly restricts characters from the local portion that it should not restrict. It's not a good specification at all.

Answer 4

You should learn regular expressions from a source such as http://www.regular-expressions.info - the attempt so far displays much missing knowledge, and the problem stated is significantly complex (even ignoring that a custom regex is almost certainly the wrong approach, though it might be a useful pre-filter).

Why doesn't this regex work - @"(?:[^.-])([\w.-])@([\w.-])(?:[.-]$)");

I'll explain by breaking the regex down into English (which in general is a great technique for regexes):

First off, all the brackets here serve no functional purpose so I'm ignoring them (see tutorial for what they mean)

local

• [^.-] - 1 character that's not a dot or dash
• [\w.-] - 1 character that's alphanumeric or a dot or a dash

So the definition of local is any string that ends with the 2 character string with the above constraints.

@ - Literal, the character '@'

domain

• [\w.-] - 1 character that's alphanumeric or a dot or a dash
• [.-] - 1 character that's a dot or a dash
• $ - End of the string.

So the definition of domain is a 2 character string with the constraints above.

This is clearly very far from the given problem.

What is a regex that satisfies the given constraints?

Regexes are essentially evaluated left-right in sequence. Express your constraints in a sequential set of descriptions, then translate those into regex constructs. I'll do this for precisely the given constraints (which I don't think are complete). Mentally insert a 'followed by' between every line.

beginning of string - ^ - Regex way to express beginning of string

local - [\w._-]* - Any number of (alphanumeric, dot, dash).

@ - @ - Literal character

domain

The key requirement is at least 1 dot. This dot will be explicitly present in the regex, so think of domain as {preDot}{dot}{postDot}. For simplicity, define {dot} as the first occurrence of ..

• \w - Single alphanumeric character - this is the doesn't start with dot or dash requirement
• [\w-]* - Any number of characters that are alphanumeric or dash
• \. - Single (first) dot character - this is the special must exist dot
• (\w*[\.-])* - Any number of (any number of alphanumeric characters followed by a dot or dash)
• [\w-]+ - 1 or more alphanumeric or dash characters - this is the must not end in dot requirement

end of string - $ - Regex way to express end of string

And here is the corresponding code:

var literal = @"\w*";

var preDot = @"\w[\w-]*";
var dot = @"\.";
var postDot = @"(\w*[\.-])*[\w-]+";
var domain = $"{preDot}{dot}{postDot}";

var email = $"^{literal}@{domain}$";

FYI - the regex ends up being ^\w*@\w[\w-]*\.(\w*[\.-])*[\w-]+$ but that's largely irrelevant, it would be horrible to try to understand/maintain/change it as a single string, while the breakdown is followable.