Please note, email addresses should be considered to be public data.
When capturing information for insertion into a database, or use in other processing, it's important to control what the user can enter.
Otherwise you can end up with values in the database that have no relation to reality.
Data from all potentially untrusted sources should be subject to input validation. This includes not only Internet-facing web clients but also backend feeds over extranets from suppliers, partners, vendors or regulators, each of which may be compromised on its own and start sending malformed data.
Input validation should not be used as the primary method of preventing XSS, SQL injection and other attacks, which are covered in their respective cheat sheets, but it can significantly contribute to reducing their impact if implemented properly.
To normalise an email address input, you would convert the domain part ONLY to lowercase.
Unfortunately this makes, and will continue to make, input harder to normalise and to match correctly to a user's intent.
Input validation can be implemented using any programming technique that allows effective enforcement of syntactic and semantic correctness, for example:
…, where the ' character is fully legitimate.
For more information on XSS filter evasion please see the XSS Filter Evasion Cheat Sheet.
It is very difficult to validate rich content submitted by a user.
For more information, please see the cheatsheet on Sanitizing HTML Markup with a Library Designed for the Job.
Recent changes to the landscape mean that the number of false negatives will increase, particularly due to:
The only way to check that an address is deliverable is to send the user an email and have the user take action to confirm receipt.
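The three email-related points above (normalise the domain part only, enforce syntactic and semantic correctness, and treat deliverability as something only a confirmation email can prove) fit together in one small piece of code. The following is an added example written for this page, not code from the cheat sheet or from OWASP. The length limits (64-octet local part, 254-octet address), the 24-hour token lifetime, and the names `normalise_email` and `DeliverabilityCheck` are assumptions of the example, not values the page gives.

```python
import hmac
import re
import secrets
import time
from typing import Optional

# Constructed example. The length limits are RFC-derived assumptions and the
# token lifetime is an assumed policy value; neither comes from the page.
MAX_LOCAL_OCTETS = 64
MAX_ADDRESS_OCTETS = 254
CONFIRM_TTL_SECONDS = 24 * 3600

# One DNS label: letters, digits and hyphens, no leading or trailing hyphen.
_LABEL_RE = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def normalise_email(address: str) -> Optional[str]:
    """Syntactic check plus normalisation: lowercase the domain part ONLY.

    Returns the normalised address, or None when the input is not an address
    we are prepared to store. The local part is kept exactly as entered: the
    receiving mail server decides whether 'Alice' and 'alice' are the same
    mailbox, so folding it would silently discard information.
    """
    address = address.strip()
    # Split on the LAST '@' so a quoted local part such as "a@b"@example.org
    # keeps its own '@'.
    local, sep, domain = address.rpartition("@")
    if not sep or not local or not domain:
        return None
    if len(local.encode("utf-8")) > MAX_LOCAL_OCTETS:
        return None
    # Whitespace and control characters have no business in a mailbox name.
    if any(ch.isspace() or ord(ch) < 0x20 for ch in local):
        return None
    labels = domain.split(".")
    if len(labels) < 2 or not all(_LABEL_RE.match(label) for label in labels):
        return None
    normalised = f"{local}@{domain.lower()}"
    if len(normalised.encode("utf-8")) > MAX_ADDRESS_OCTETS:
        return None
    return normalised


class DeliverabilityCheck:
    """Semantic check: an address counts as confirmed only once the user acts
    on a token that was mailed to it. Actually sending the mail is left to the
    caller; this class owns the token lifecycle (issue, expire, single use)."""

    def __init__(self, ttl_seconds: int = CONFIRM_TTL_SECONDS, now=time.time):
        self._pending = {}          # token -> (normalised address, expiry)
        self._ttl = ttl_seconds
        self._now = now             # injectable clock, for tests

    def start(self, address: str) -> Optional[str]:
        """Issue a single-use token for a syntactically acceptable address."""
        normalised = normalise_email(address)
        if normalised is None:
            return None
        token = secrets.token_urlsafe(32)
        self._pending[token] = (normalised, self._now() + self._ttl)
        return token

    def confirm(self, presented: str) -> Optional[str]:
        """Return the address if the token is known, unexpired and unused."""
        if not presented.isascii():
            return None
        for token, (address, expiry) in list(self._pending.items()):
            if hmac.compare_digest(token, presented):
                del self._pending[token]    # single use, valid or not
                return address if self._now() <= expiry else None
        return None


if __name__ == "__main__":
    check = DeliverabilityCheck()
    token = check.start("Alice.Smith@Example.COM")
    print("mail this token to the user:", token)
    print("confirmed address:", check.confirm(token))
```

The split between the two classes of check is the point: `normalise_email` answers "is this shaped like an address and stored consistently?", while `DeliverabilityCheck` answers "does a real person control this mailbox?", which no amount of string processing can decide.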