Email Verification API: How Syntax, MX & SMTP Checks Work (With Code)

Email address parsing sounds deceptively simple until your production system rejects a perfectly valid address or, worse, accepts one that bounces every single time. According to Validity's 2023 Email Deliverability Report, invalid email addresses account for nearly 20% of all email bounces, and a hard bounce rate above 2% can permanently damage your sender reputation with major ISPs. The gap between "looks like an email" and "is a valid email" is where most developers fall into expensive traps.

---

Why Email Address Parsing Is Harder Than You Think

Most developers reach for a quick regular expression, ship it, and move on. This approach works for roughly 95% of email addresses encountered in the wild. The remaining 5% — the edge cases, the internationalized domains, the quoted local parts, the subaddressed inboxes — can cause silent failures that erode data quality over months and years. By the time the damage is visible in your bounce metrics, you may already be on a blocklist.

The core challenge is that email address syntax is governed by a family of overlapping RFCs, each addressing a different layer of the problem. RFC 5322 defines the Internet Message Format and the syntax rules for email addresses in message headers. RFC 5321 governs the SMTP protocol itself, including how addresses are transmitted in the envelope. These two standards are not identical, and the differences matter enormously in practice.

According to HubSpot's 2022 Email Marketing Statistics report, the average email database degrades by approximately 22.5% every year due to people changing jobs, abandoning addresses, and domain expirations. If your parsing layer is too permissive, you're compounding that natural decay with synthetic invalidity. If it's too strict, you're rejecting real customers at the point of acquisition.

The Cost of Getting It Wrong

A Litmus research study found that for every $1 spent on email marketing, the average return is $36. That ROI collapses when your list is polluted with invalid addresses. A sender reputation drop caused by high bounce rates triggers ISP throttling, which affects your entire sending domain — not just the campaigns that generated the bounces. This is why email address parsing is not a cosmetic concern. It is a foundational infrastructure problem.

SMTP servers communicate parsing and delivery failures through standardized response codes. When you encounter a 550 response ("Requested action not taken: mailbox unavailable"), it typically means the recipient address does not exist on the remote server. A 551 response means the user is not local and the server is not willing to relay. A 552 response indicates the mailbox storage limit has been exceeded. These are permanent failures. Contrast them with a 421 response ("Service not available, closing transmission channel") or a 450 response ("Requested mail action not taken: mailbox unavailable"), which are transient failures that warrant retry logic. Understanding these codes is essential context for why parsing accuracy matters before a message ever reaches the SMTP conversation.

---

RFC 5322 Deep Dive: The Authoritative Standard for Email Address Syntax

RFC 5322, published in October 2008 as an update to RFC 2822, is the definitive specification for Internet Message Format. It defines the syntax of email addresses as they appear in message headers — the From, To, Cc, and Reply-To fields. Understanding its grammar is the prerequisite for building any serious email address parsing system.

The Anatomy of an Email Address Under RFC 5322

An email address under RFC 5322 is formally called an addr-spec, defined as a local-part followed by the @ symbol followed by a domain. This deceptively simple structure contains significant complexity at every level.

import re
import dns.resolver
import unicodedata
from email.headerregistry import Address
from email.utils import parseaddr
from typing import Optional, Tuple
# RFC 5321 limits
MAX_LOCAL_PART_LENGTH = 64
MAX_EMAIL_LENGTH = 254
MAX_DOMAIN_LABEL_LENGTH = 63
MAX_DOMAIN_LENGTH = 253
# RFC 5322 compliant local part pattern (dot-atom form)
LOCAL_PART_PATTERN = re.compile(
r'^[a-zA-Z0-9!#$%&\'*+\-/=?^_`{|}~]'
r'([a-zA-Z0-9!#$%&\'*+\-/=?^_`{|}~.]*'
r'[a-zA-Z0-9!#$%&\'*+\-/=?^_`{|}~])?$'
)
# RFC 1123 compliant domain label pattern
DOMAIN_LABEL_PATTERN = re.compile(
r'^[a-zA-Z0-9]([a-zA-Z0-9\-]*[a-zA-Z0-9])?$'
)
class EmailParseResult:
def __init__(self, is_valid: bool, local_part: str = "",
domain: str = "", error: str = ""):
self.is_valid = is_valid
self.local_part = local_part
self.domain = domain
self.error = error
self.normalized = f"{local_part}@{domain}".lower() if is_valid else ""
def __repr__(self):
return (f"EmailParseResult(valid={self.is_valid}, "
f"address={self.local_part}@{self.domain}, "
f"error='{self.error}')")
def validate_local_part(local_part: str) -> Tuple[bool, str]:
"""
Validates the local part of an email address against RFC 5322 rules.
Returns (is_valid, error_message).
"""
if not local_part:
return False, "Local part cannot be empty"
if len(local_part) > MAX_LOCAL_PART_LENGTH:
return False, (f"Local part exceeds RFC 5321 limit of "
f"{MAX_LOCAL_PART_LENGTH} characters")
# Handle quoted strings (RFC 5322 section 3.2.4)
if local_part.startswith('"') and local_part.endswith('"'):
# Quoted local parts are valid if properly formed
inner = local_part[1:-1]
# Check for unescaped double quotes inside
if re.search(r'(?<!\\)"', inner):
return False, "Unescaped double quote inside quoted local part"
return True, ""
# Validate dot-atom form
if local_part.startswith('.') or local_part.endswith('.'):
return False, "Local part cannot start or end with a dot"
if '..' in local_part:
return False, "Local part cannot contain consecutive dots"
if not LOCAL_PART_PATT...

JavaScript: Node.js Email Parser with Async DNS Validation

const dns = require('dns').promises;
// RFC 5321 limits
const MAX_LOCAL_PART_LENGTH = 64;
const MAX_EMAIL_LENGTH = 254;
const MAX_DOMAIN_LABEL_LENGTH = 63;
const MAX_DOMAIN_LENGTH = 253;
// RFC 5322 dot-atom local part pattern
const LOCAL_PART_REGEX = /^[a-zA-Z0-9!#$%&'*+\-/=?^_`{|}~]([a-zA-Z0-9!#$%&'*+\-/=?^_`{|}~.]*[a-zA-Z0-9!#$%&'*+\-/=?^_`{|}~])?$/;
// RFC 1123 domain label pattern
const DOMAIN_LABEL_REGEX = /^[a-zA-Z0-9]([a-zA-Z0-9\-]*[a-zA-Z0-9])?$/;
class EmailParseResult {
constructor({ isValid, localPart = '', domain = '', error = '' }) {
this.isValid = isValid;
this.localPart = localPart;
this.domain = domain;
this.error = error;
this.normalized = isValid
? `${localPart}@${domain}`.toLowerCase()
: '';
}
toString() {
return `EmailParseResult(valid=${this.isValid}, ` +
`address=${this.localPart}@${this.domain}, ` +
`error='${this.error}')`;
}
}
function validateLocalPart(localPart) {
if (!localPart) {
return { valid: false, error: 'Local part cannot be empty' };
}
if (localPart.length > MAX_LOCAL_PART_LENGTH) {
return {
valid: false,
error: `Local part exceeds RFC 5321 limit of ${MAX_LOCAL_PART_LENGTH} characters`
};
}
// Handle quoted strings per RFC 5322 section 3.2.4
if (localPart.startsWith('"') && localPart.endsWith('"')) {
const inner = localPart.slice(1, -1);
if (/(?<!\\)"/.test(inner)) {
return {
valid: false,
error: 'Unescaped double quote inside quoted local part'
};
}
return { valid: true, error: '' };
}
if (localPart.startsWith('.') || localPart.endsWith('.')) {
return {
valid: false,
error: 'Local part cannot start or end with a dot'
};
}
if (localPart.includes('..')) {
return {
valid: false,
error: 'Local part cannot contain consecutive dots'
};
}
if (!LOCAL_PART_REGEX.test(localPart)) {
return {
valid: false,
error: 'Local part contains invalid characters'
};
}
return { valid: true, error: '' };
}
function validateDomain(domain) {
if (!domain) {
return { valid: false, error: 'Domain cannot be empty' };
}
if (domain.length > MAX_DOMAIN_LENGT...

---

Internationalized Domain Names: Parsing Beyond ASCII

The global adoption of internationalized domain names (IDNs) has added a critical dimension to email address parsing that many developers overlook entirely. RFC 5891 (Internationalized Domain Names in Applications, or IDNA 2008) and RFC 6530 (Overview and Framework for Internationalized Email) define the standards that govern non-ASCII characters in email addresses. Ignoring these standards means rejecting legitimate users from markets where non-Latin scripts are dominant.

How Punycode Encoding Works

Internationalized domain names are represented in DNS using Punycode encoding, defined in RFC 3492. A Unicode domain label is converted to an ASCII-compatible encoding (ACE) by prepending the string "xn--" and appending the Punycode-encoded form of the non-ASCII characters. For example, the domain münchen.de becomes xn--mnchen-3ya.de in its DNS-compatible form.

When parsing email addresses that may contain IDNs, your parser must handle both the Unicode presentation form (what users type) and the ACE form (what DNS understands). Failing to normalize between these forms leads to false negatives — rejecting valid addresses — and duplicate entries in your database when the same address is stored in both forms.

Internationalized Email Addresses (EAI)

RFC 6531 extends SMTP to support non-ASCII characters in both the local part and the domain, a capability known as Email Address Internationalization (EAI). This allows addresses like 用户@例子.广告 (a Chinese email address) to be transmitted natively over SMTP when both the sending and receiving servers support the SMTPUTF8 extension defined in RFC 6532.

Support for EAI is not universal. As of 2023, major providers including Gmail and Outlook support receiving EAI addresses, but many legacy systems do not. Your parsing layer should detect EAI addresses and route them appropriately — either rejecting them if your infrastructure does not support SMTPUTF8, or flagging them for special handling.

import unicodedata
import encodings.idna
def normalize_domain_to_ace(domain: str) -> str:
"""
Converts a Unicode domain to its ASCII-Compatible Encoding (ACE) form
per RFC 3492 (Punycode) and RFC 5891 (IDNA 2008).
Args:
domain: Domain string, potentially containing Unicode characters.
Returns:
ACE-encoded domain string suitable for DNS lookup.
Raises:
ValueError: If the domain cannot be encoded as a valid IDN.
"""
labels = domain.split('.')
ace_labels = []
for label in labels:
if not label:
raise ValueError(f"Empty label in domain: '{domain}'")
# Check if label is already ASCII
try:
label.encode('ascii')
ace_labels.append(label.lower())
except UnicodeEncodeError:
# Apply IDNA encoding for non-ASCII labels
try:
# Normalize Unicode to NFC form per RFC 5891
normalized = unicodedata.normalize('NFC', label)
ace_label = encodings.idna.ToASCII(normalized).decode('ascii')
ace_labels.append(ace_label)
except (UnicodeError, UnicodeDecodeError) as e:
raise ValueError(
f"Cannot encode domain label '{label}' as IDN: {e}"
)
return '.'.join(ace_labels)
def is_eai_address(email: str) -> bool:
"""
Detects whether an email address contains non-ASCII characters,
indicating it is an Internationalized Email Address (EAI) per RFC 6531.
Args:
email: The email address string to check.
Returns:
True if the address contains non-ASCII characters.
"""
try:
email.encode('ascii')
return False
except UnicodeEncodeError:
return True
def parse_internationalized_email(email: str) -> dict:
"""
Parses an email address that may contain internationalized components.
Handles both IDN domains and EAI addresses.
Args:
email: Email address potentially containing Unicode characters.
Returns:
Dictionary with parsed components and normalization details.
"""
result = {
'original': email,
'is_eai': False,
'local_part': None,
'domain_unicode': None,
'domain_ace': None,
'ace_email': None,
'valid': False,
'error': None
}
if not email or '@' not in email:
result['error'] = 'Invalid email format'
return result
at_...

---

Common Pitfalls and Parsing Anti-Patterns

Years of production email systems have produced a well-documented catalog of parsing mistakes. Understanding these anti-patterns is as important as knowing the correct approach, because the mistakes are seductive — they seem reasonable until they fail in production.

The Regex Trap: When Simple Patterns Become Liabilities

The single most common mistake in email address parsing is relying on a single regular expression to validate the entire address. This approach fails for several compounding reasons. First, the full RFC 5322 grammar cannot be expressed as a regular expression — it is a context-free grammar, and the quoted-string local part in particular requires stateful parsing. Second, even the most sophisticated regex-based validators found in popular libraries have documented edge cases. The famous Perl regular expression for RFC 5322 compliance spans multiple pages and is widely acknowledged to be unmaintainable.

; MX records for gmail.com
gmail.com.    3600    IN    MX    5    gmail-smtp-in.l.google.com.
gmail.com.    3600    IN    MX    10   alt1.gmail-smtp-in.l.google.com.
gmail.com.    3600    IN    MX    20   alt2.gmail-smtp-in.l.google.com.
gmail.com.    3600    IN    MX    30   alt3.gmail-smtp-in.l.google.com.
gmail.com.    3600    IN    MX    40   alt4.gmail-smtp-in.l.google.com.

The number before each hostname is the preference value — lower values indicate higher priority. A sending server attempts delivery to the lowest-preference MX host first and falls back to higher-preference hosts if the primary is unavailable.

SPF, DKIM, and DMARC: Authentication Records

While not directly part of address parsing, understanding the authentication record ecosystem is essential context for developers building email infrastructure. SPF (Sender Policy Framework), defined in RFC 7208, allows domain owners to specify which mail servers are authorized to send email on behalf of their domain. A typical SPF record looks like:

; SPF TXT record for example.com
example.com.    3600    IN    TXT    "v=spf1 include:_spf.google.com include:sendgrid.net ip4:203.0.113.0/24 ~all"

DKIM (DomainKeys Identified Mail), defined in RFC 6376, provides cryptographic signing of email messages. The public key is published as a DNS TXT record under a selector subdomain:

; DKIM public key record
google._domainkey.example.com.    3600    IN    TXT    "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC..."

DMARC (Domain-based Message Authentication, Reporting, and Conformance), defined in RFC 7489, ties SPF and DKIM together with a policy that instructs receiving servers how to handle messages that fail authentication:

; DMARC policy record
_dmarc.example.com.    3600    IN    TXT    "v=DMARC1; p=quarantine; rua=mailto:[email protected]; ruf=mailto:[email protected]; pct=100; adkim=s; aspf=s"

When your email address parser validates a domain, checking for the presence of SPF, DKIM, and DMARC records provides additional confidence that the domain is actively managed for email. Domains with no authentication records are higher-risk targets — they may be abandoned domains being used for spam, or newly registered domains not yet fully configured.

---

Integrating Professional Email Verification with MailValid

Building a robust email address parsing pipeline from scratch — covering syntax validation, DNS verification, disposable domain detection, and mailbox existence checking — is a significant engineering investment. For most applications, integrating a purpose-built verification API delivers better accuracy with a fraction of the development effort.

The MailValid API: Production Integration

MailValid.io provides a comprehensive email verification API that combines RFC-compliant syntax parsing, real-time DNS validation, MX record verification, disposable domain detection, and SMTP mailbox verification into a single API call. The following example demonstrates a production-ready integration with proper error handling, timeout management, and result interpretation.

import requests
import logging
from typing import Optional
from dataclasses import dataclass
logger = logging.getLogger(__name__)
@dataclass
class MailValidResult:
email: str
is_valid: bool
is_deliverable: bool
is_disposable: bool
is_role_based: bool
syntax_valid: bool
dns_valid: bool
mx_found: bool
smtp_valid: Optional[bool]
score: float
reason: str
normalized_email: str
@classmethod
def from_api_response(cls, email: str, data: dict) -> 'MailValidResult':
return cls(
email=email,
is_valid=data.get('is_valid', False),
is_deliverable=data.get('is_deliverable', False),
is_disposable=data.get('is_disposable', False),
is_role_based=data.get('is_role_based', False),
syntax_valid=data.get('syntax_valid', False),
dns_valid=data.get('dns_valid', False),
mx_found=data.get('mx_found', False),
smtp_valid=data.get('smtp_valid'),
score=data.get('score', 0.0),
reason=data.get('reason', ''),
normalized_email=data.get('normalized_email', email)
)
class MailValidClient:
"""
Production client for the MailValid.io email verification API.
Handles authentication, retries, and error classification.
"""
BASE_URL = "https://mailvalid.io/api/v1"
DEFAULT_TIMEOUT = 10  # seconds
MAX_RETRIES = 3
def __init__(self, api_key: str, timeout: int = DEFAULT_TIMEOUT):
self.api_key = api_key
self.timeout = timeout
self.session = requests.Session()
self.session.headers.update({
"X-API-Key": api_key,
"Content-Type": "application/json",
"Accept": "application/json"
})
def verify(self, email: str) -> MailValidResult:
"""
Verifies a single email address using the MailValid API.
Args:
email: The email address to verify.
Returns:
MailValidResult with comprehensive validation details.
Raises:
requests.exceptions.Timeout: If the API request times out.
requests.exceptions.HTTPError: For 4xx/5xx API responses.
ValueError: If the API response is malformed.
"""
url = f"{self.BASE_URL}/verify"
for attempt in range(1, self.MAX_RETRIES + 1):
try:
response = requests.post(
url,
headers={"X-API-Key": "mv_live_key"},
...

Interpreting Verification Results for Business Logic

A verification API returns more signal than a simple boolean. The score field enables nuanced decision-making. For a signup form, you might accept addresses with a score above 0.7 immediately, prompt users with scores between 0.3 and 0.7 to confirm their address, and reject addresses below 0.3 with a helpful error message. For a bulk list cleaning operation, you would apply different thresholds depending on your risk tolerance and the cost of false negatives versus false positives.

The is_disposable flag is particularly valuable for fraud

---

---

Start Verifying Emails with MailValid

Everything in this guide is built into MailValid's email verification API:

• 95%+ accuracy with syntax, MX, and SMTP validation
• <200ms response time for real-time checks
• $0.001 per email — 6x cheaper than ZeroBounce, 8x cheaper than NeverBounce
• Credits never expire — pay once, use whenever
• 100 free credits to start — no credit card required

import requests

response = requests.post(
    "https://mailvalid.io/api/v1/verify",
    headers={"X-API-Key": "mv_live_your_key", "Content-Type": "application/json"},
    json={"email": "[email protected]"}
)
print(response.json())

→ Start free with 100 credits at mailvalid.io