[doxcf434]

The problem is that there are many email addresses that are valid but are likely just abusers. An email address entirely of * and 200 chars long is valid in the RFC, but clearly not a human.

I settled on < 100 chars and:

`^[\w\.\+\-]+@[\w\-]+\.[\w\-\.]+$`

We'll see how it goes in production :)

[admax88q]

What value does your system provide by limiting addresses to 100 characters and the given regex.

Why not just allow any input and validate the address by attempting to send to it. It's really the only way to tell if its a real address.

What abuse can a person bring on your system by having a 200 char email address? That should be nothing in terms of server load.

[ben_jones]

Take a rational approach but then provide a human-feedback mechanism for the very small number of edge cases that may crop up?

It shouldn't be "lets automate this and hope it goes well in production" i.e. the Google approach. It should be "lets use common sense and manage failure in a way that doesn't piss off customers".