The only way to do so is to ensure that the supplied address conforms to the Internet message format rules as set forth by RFC 2822.
Because reading an RFC is about as entertaining as a root canal, I'll offer a very broad summary of the rules here: Because of the innumerable syntactical variations which could arise as a result of these rules, we'll need to devise a regular expression capable of accounting for all possibilities.
The carat symbol signals that the ensuing arguments are to apply to the very beginning of the string.
Simple and safe workaround for this is using strlen() before filter_val().
And while one would hope that the user would have enough sense to steer clear of invalid addresses such as those above-described, one must still take into account the possibility that a typing error could occur when supplying the address.
Not taking the time to properly verify user input in this regards is a detriment to not only the organization, but also the user who has shelled out time and perhaps money for your service!
The following items are all examples of valid usernames: The domain and TLD components of the regular expression very closely resemble the assembled username expression, save for that underscores and periods are not allowed!
Therefore you can apply all of the same rules and examples described above to this component, provided that you keep in mind that the aforementioned characters are taboo.