DEV Community: Pady The latest articles on DEV Community by Pady (@padymies). https://dev.to/padymies https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F481327%2F74ef0c76-8a6b-4f80-9134-51681a1f3bfa.png DEV Community: Pady https://dev.to/padymies en Email validation in production: regex, MX, SMTP, and the trade-offs nobody tells you Pady Fri, 20 Mar 2026 23:17:16 +0000 https://dev.to/padymies/how-to-validate-emails-properly-in-your-app-beyond-regex-1e9g https://dev.to/padymies/how-to-validate-emails-properly-in-your-app-beyond-regex-1e9g <p>Most email validation tutorials stop at regex. That's fine for a toy project. In production, bad emails cost you money — bounced sends hurt sender reputation, disposable signups inflate metrics, and typos mean a real user never gets your onboarding email.</p> <p>This isn't a tutorial about regex. It's about what to actually check, when, and what the trade-offs are.</p> <h2> What to validate on the frontend </h2> <p>Keep it fast and non-blocking. The frontend's job is to catch obvious mistakes before the user submits, not to be the final authority.</p> <p><strong>Do:</strong></p> <ul> <li>Basic format check with a pragmatic validator that catches obvious mistakes</li> <li>Typo suggestion for common domains </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="c1">// Typo suggestion: if domain is close to a known provider, suggest the correction</span> <span class="kd">const</span> <span class="nx">knownDomains</span> <span class="o">=</span> <span class="p">[</span><span class="dl">"</span><span class="s2">gmail.com</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">yahoo.com</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">hotmail.com</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">outlook.com</span><span class="dl">"</span><span class="p">]</span> <span class="kd">function</span> <span class="nf">suggestTypo</span><span class="p">(</span><span class="nx">email</span><span class="p">)</span> <span class="p">{</span> <span class="kd">const</span> <span class="p">[</span><span class="nx">local</span><span class="p">,</span> <span class="nx">domain</span><span class="p">]</span> <span class="o">=</span> <span class="nx">email</span><span class="p">.</span><span class="nf">split</span><span class="p">(</span><span class="dl">"</span><span class="s2">@</span><span class="dl">"</span><span class="p">)</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">domain</span><span class="p">)</span> <span class="k">return</span> <span class="kc">null</span> <span class="c1">// Levenshtein distance ≤ 2</span> <span class="kd">const</span> <span class="nx">match</span> <span class="o">=</span> <span class="nx">knownDomains</span><span class="p">.</span><span class="nf">find</span><span class="p">(</span><span class="nx">d</span> <span class="o">=&gt;</span> <span class="nf">levenshtein</span><span class="p">(</span><span class="nx">domain</span><span class="p">,</span> <span class="nx">d</span><span class="p">)</span> <span class="o">&lt;=</span> <span class="mi">2</span> <span class="o">&amp;&amp;</span> <span class="nx">domain</span> <span class="o">!==</span> <span class="nx">d</span><span class="p">)</span> <span class="k">return</span> <span class="nx">match</span> <span class="p">?</span> <span class="s2">`</span><span class="p">${</span><span class="nx">local</span><span class="p">}</span><span class="s2">@</span><span class="p">${</span><span class="nx">match</span><span class="p">}</span><span class="s2">`</span> <span class="p">:</span> <span class="kc">null</span> <span class="p">}</span> </code></pre> </div> <p><strong>Don't:</strong></p> <ul> <li>Block submission on suspicious emails — you'll lose real users</li> <li>Make async calls (MX, SMTP) from the frontend — latency kills conversion</li> </ul> <h3> UX example </h3> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>user types: john@gmial.com → Show inline: "Did you mean john@gmail.com?" [Yes, fix it] [No, keep it] → Never block. Always let them proceed. </code></pre> </div> <h2> What to validate on the backend </h2> <p>The backend is where heavier checks belong. In most apps, they should run outside the critical request path.</p> <h3> 1. Format (again) </h3> <p>Always re-validate on the backend. Never trust client input.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">from</span> <span class="n">email_validator</span> <span class="kn">import</span> <span class="n">validate_email</span><span class="p">,</span> <span class="n">EmailNotValidError</span> <span class="k">def</span> <span class="nf">check_format</span><span class="p">(</span><span class="n">email</span><span class="p">:</span> <span class="nb">str</span><span class="p">)</span> <span class="o">-&gt;</span> <span class="nb">tuple</span><span class="p">[</span><span class="nb">bool</span><span class="p">,</span> <span class="nb">str</span> <span class="o">|</span> <span class="bp">None</span><span class="p">]:</span> <span class="k">try</span><span class="p">:</span> <span class="n">info</span> <span class="o">=</span> <span class="nf">validate_email</span><span class="p">(</span><span class="n">email</span><span class="p">,</span> <span class="n">check_deliverability</span><span class="o">=</span><span class="bp">False</span><span class="p">)</span> <span class="k">return</span> <span class="bp">True</span><span class="p">,</span> <span class="n">info</span><span class="p">.</span><span class="n">normalized</span> <span class="k">except</span> <span class="n">EmailNotValidError</span><span class="p">:</span> <span class="k">return</span> <span class="bp">False</span><span class="p">,</span> <span class="bp">None</span> </code></pre> </div> <h3> 2. MX records </h3> <p>Does the domain have mail servers? This is fast (~100ms) and catches a large class of bad emails.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">import</span> <span class="n">dns.resolver</span> <span class="k">async</span> <span class="k">def</span> <span class="nf">has_mx</span><span class="p">(</span><span class="n">domain</span><span class="p">:</span> <span class="nb">str</span><span class="p">)</span> <span class="o">-&gt;</span> <span class="nb">bool</span><span class="p">:</span> <span class="k">try</span><span class="p">:</span> <span class="n">records</span> <span class="o">=</span> <span class="k">await</span> <span class="n">dns</span><span class="p">.</span><span class="n">asyncresolver</span><span class="p">.</span><span class="nf">resolve</span><span class="p">(</span><span class="n">domain</span><span class="p">,</span> <span class="sh">"</span><span class="s">MX</span><span class="sh">"</span><span class="p">)</span> <span class="k">return</span> <span class="nf">len</span><span class="p">(</span><span class="n">records</span><span class="p">)</span> <span class="o">&gt;</span> <span class="mi">0</span> <span class="k">except</span> <span class="nb">Exception</span><span class="p">:</span> <span class="k">return</span> <span class="bp">False</span> </code></pre> </div> <p><strong>Trade-offs:</strong></p> <ul> <li>Fast and reliable</li> <li>Some legitimate companies have unusual DNS setups — rare but real</li> <li>Doesn't tell you if the specific mailbox exists</li> </ul> <h3> 3. SMTP verification </h3> <p>Actually connects to the mail server and asks if the mailbox exists, without sending an email.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">import</span> <span class="n">aiosmtplib</span> <span class="k">async</span> <span class="k">def</span> <span class="nf">check_smtp</span><span class="p">(</span><span class="n">email</span><span class="p">:</span> <span class="nb">str</span><span class="p">,</span> <span class="n">mx_host</span><span class="p">:</span> <span class="nb">str</span><span class="p">)</span> <span class="o">-&gt;</span> <span class="nb">bool</span> <span class="o">|</span> <span class="bp">None</span><span class="p">:</span> <span class="n">smtp</span> <span class="o">=</span> <span class="n">aiosmtplib</span><span class="p">.</span><span class="nc">SMTP</span><span class="p">(</span><span class="n">hostname</span><span class="o">=</span><span class="n">mx_host</span><span class="p">,</span> <span class="n">port</span><span class="o">=</span><span class="mi">25</span><span class="p">,</span> <span class="n">timeout</span><span class="o">=</span><span class="mi">10</span><span class="p">)</span> <span class="k">try</span><span class="p">:</span> <span class="k">await</span> <span class="n">smtp</span><span class="p">.</span><span class="nf">connect</span><span class="p">()</span> <span class="k">await</span> <span class="n">smtp</span><span class="p">.</span><span class="nf">ehlo</span><span class="p">()</span> <span class="k">await</span> <span class="n">smtp</span><span class="p">.</span><span class="nf">mail</span><span class="p">(</span><span class="sh">"</span><span class="s">verify@yourdomain.com</span><span class="sh">"</span><span class="p">)</span> <span class="n">code</span><span class="p">,</span> <span class="n">_</span> <span class="o">=</span> <span class="k">await</span> <span class="n">smtp</span><span class="p">.</span><span class="nf">rcpt</span><span class="p">(</span><span class="n">email</span><span class="p">)</span> <span class="k">return</span> <span class="n">code</span> <span class="o">==</span> <span class="mi">250</span> <span class="k">except</span> <span class="nb">Exception</span><span class="p">:</span> <span class="k">return</span> <span class="bp">None</span> <span class="c1"># unknown, not invalid </span> <span class="k">finally</span><span class="p">:</span> <span class="k">try</span><span class="p">:</span> <span class="k">await</span> <span class="n">smtp</span><span class="p">.</span><span class="nf">quit</span><span class="p">()</span> <span class="k">except</span> <span class="nb">Exception</span><span class="p">:</span> <span class="k">pass</span> </code></pre> </div> <p><strong>Trade-offs — the ones nobody mentions:</strong></p> <ul> <li> <strong>Latency:</strong> 2–5 seconds per check. Never do this synchronously in a request.</li> <li> <strong>Catch-all servers:</strong> Many servers return 250 for <em>any</em> address. You need a second check with a random address to detect this.</li> <li> <strong>Greylisting:</strong> Some servers temporarily reject unknown senders — your SMTP check returns false even though the email is valid.</li> <li> <strong>Port 25 blocking:</strong> Many cloud providers (AWS, GCP, Railway) block outbound port 25. You either need a VPS or a dedicated SMTP checking service.</li> <li> <strong>False positives and negatives:</strong> SMTP checks are noisy enough that you should treat them as a signal, not as ground truth.</li> </ul> <p><strong>Verdict:</strong> Use SMTP check for high-value flows (paid signups, enterprise onboarding). Don't use it on every signup form.</p> <h2> What you should never block </h2> <p>This is where most implementations go wrong.</p> <p><strong>Role emails</strong> (admin@, info@, support@) are <em>suspicious</em> but not invalid. A developer testing your API will use their work address. A small business owner might use <a href="mailto:info@theircompany.com">info@theircompany.com</a> as their primary email. Flag them, don't block them.</p> <p><strong>Free providers</strong> (Gmail, Yahoo, Hotmail) are fine for most B2C products. Blocking them is a conversion killer.</p> <p><strong>Disposable emails</strong> — this is context-dependent. For a free tier with limited resources, blocking makes sense. For a paid product, you might want to let them through and restrict features instead.</p> <p>Better UX than blocking:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>"Temporary email addresses are allowed, but some features (email notifications, account recovery) may not work." </code></pre> </div> <h2> Decision flow </h2> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Input email │ ├─► Format valid? │ No → reject with message │ ├─► Typo detected? → suggest correction (non-blocking) │ ├─► MX records exist? │ No → in most apps, reject │ ├─► Disposable domain? │ Yes → allow with warning or restrict features │ ├─► Role email? │ Yes → flag internally, don't block │ └─► SMTP check (only for high-value flows) Delivered → high confidence Catch-all → medium confidence Timeout/error → unknown, don't penalize Rejected → invalid </code></pre> </div> <h2> Quality score over binary valid/invalid </h2> <p>Binary validation loses nuance. A simple scoring model can work better:</p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Signal</th> <th>Weight</th> <th>Reasoning</th> </tr> </thead> <tbody> <tr> <td>MX valid</td> <td>0.40</td> <td>Hard requirement</td> </tr> <tr> <td>SMTP delivered</td> <td>0.30</td> <td>Strong signal when available</td> </tr> <tr> <td>Not disposable</td> <td>0.20</td> <td>Business quality signal</td> </tr> <tr> <td>Not role</td> <td>0.10</td> <td>Engagement quality signal</td> </tr> </tbody> </table></div> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="k">def</span> <span class="nf">quality_score</span><span class="p">(</span><span class="n">mx</span><span class="p">:</span> <span class="nb">bool</span><span class="p">,</span> <span class="n">smtp</span><span class="p">:</span> <span class="nb">bool</span> <span class="o">|</span> <span class="bp">None</span><span class="p">,</span> <span class="n">disposable</span><span class="p">:</span> <span class="nb">bool</span><span class="p">,</span> <span class="n">role</span><span class="p">:</span> <span class="nb">bool</span><span class="p">)</span> <span class="o">-&gt;</span> <span class="nb">float</span><span class="p">:</span> <span class="n">score</span> <span class="o">=</span> <span class="mf">0.0</span> <span class="k">if</span> <span class="n">mx</span><span class="p">:</span> <span class="n">score</span> <span class="o">+=</span> <span class="mf">0.40</span> <span class="k">if</span> <span class="n">smtp</span> <span class="ow">is</span> <span class="bp">True</span><span class="p">:</span> <span class="n">score</span> <span class="o">+=</span> <span class="mf">0.30</span> <span class="k">elif</span> <span class="n">smtp</span> <span class="ow">is</span> <span class="bp">None</span><span class="p">:</span> <span class="n">score</span> <span class="o">+=</span> <span class="mf">0.15</span> <span class="c1"># unknown — partial credit </span> <span class="k">if</span> <span class="ow">not</span> <span class="n">disposable</span><span class="p">:</span> <span class="n">score</span> <span class="o">+=</span> <span class="mf">0.20</span> <span class="k">if</span> <span class="ow">not</span> <span class="n">role</span><span class="p">:</span> <span class="n">score</span> <span class="o">+=</span> <span class="mf">0.10</span> <span class="k">return</span> <span class="nf">round</span><span class="p">(</span><span class="nf">min</span><span class="p">(</span><span class="n">score</span><span class="p">,</span> <span class="mf">1.0</span><span class="p">),</span> <span class="mi">2</span><span class="p">)</span> </code></pre> </div> <p>Use the score to make nuanced decisions:</p> <ul> <li> <code>&gt;= 0.8</code> → accept silently</li> <li> <code>0.5–0.8</code> → accept with a note</li> <li> <code>&lt; 0.5</code> → warn or restrict</li> </ul> <h2> If you don't want to implement this yourself </h2> <p>I also published an <a href="https://rapidapi.com/padicodeaicloud/api/email-validator85" rel="noopener noreferrer">Email Validator API</a> that bundles these checks into a single request.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">import</span> <span class="n">requests</span> <span class="n">response</span> <span class="o">=</span> <span class="n">requests</span><span class="p">.</span><span class="nf">post</span><span class="p">(</span> <span class="sh">"</span><span class="s">https://email-validator85.p.rapidapi.com/v1/validate/email</span><span class="sh">"</span><span class="p">,</span> <span class="n">json</span><span class="o">=</span><span class="p">{</span><span class="sh">"</span><span class="s">email</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">user@gmail.com</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">check_smtp</span><span class="sh">"</span><span class="p">:</span> <span class="bp">False</span><span class="p">},</span> <span class="n">headers</span><span class="o">=</span><span class="p">{</span> <span class="sh">"</span><span class="s">X-RapidAPI-Key</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">YOUR_KEY</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">X-RapidAPI-Host</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">email-validator85.p.rapidapi.com</span><span class="sh">"</span><span class="p">,</span> <span class="p">},</span> <span class="p">)</span> <span class="nf">print</span><span class="p">(</span><span class="n">response</span><span class="p">.</span><span class="nf">json</span><span class="p">())</span> </code></pre> </div> <p>Free tier available (100 req/month). But honestly, if you only need format + MX + basic disposable detection, the code in this post is enough to get you 80% of the way there.</p> <h2> Summary </h2> <ul> <li>Frontend: format + typo suggestion, never block</li> <li>Backend: MX always, SMTP only when it matters</li> <li>Never block role emails or free providers outright</li> <li>Use a score, not binary valid/invalid</li> <li>SMTP has real failure modes — account for them</li> </ul> webdev api javascript python