diff --git a/Cargo.lock b/Cargo.lock
index f4ac9f5..942351d 100644
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -1080,6 +1080,7 @@ dependencies = [
 "diesel_migrations",
 "dotenv",
 "lazy_static",
+ "regex 1.3.4",
 "rocket",
 "rocket_contrib",
 "rocket_cors",
diff --git a/Cargo.toml b/Cargo.toml
index f0abaf5..de3eed8 100644
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -16,4 +16,5 @@ serde = { version = "1.0.104", features = ["derive"] }
 scrypt = "0.2.0"
 uuid = { version = "0.8", features = ["v4"] }
 chrono = "0.4"
-serde_json = "1.0"
\ No newline at end of file
+serde_json = "1.0"
+regex = "1"
\ No newline at end of file
diff --git a/src/api.rs b/src/api.rs
index 8befe34..baa8135 100644
--- a/src/api.rs
+++ b/src/api.rs
@@ -9,6 +9,12 @@ use rocket_contrib::json::Json;
 use serde::{Serialize, Deserialize};
 use std::vec::Vec;
+lazy_static! {
+ static ref EMAIL_RE: regex::Regex =
+ regex::Regex::new(r"^([a-z0-9_+]([a-z0-9_+.]*[a-z0-9_+])?)@([a-z0-9]+([\-\.]{1}[a-z0-9]+)*\.[a-z]{2,6})")
+ .unwrap();
+}
+
 pub fn routes() -> impl Into> {
 routes![
 auth,
@@ -56,6 +62,10 @@ struct AuthResult {
 #[post("/auth", format = "json", data = "")]
 fn auth(db: DbConn, new_user: Json) -> Custom> {
+ if !EMAIL_RE.is_match(&new_user.email) {
+ return error_resp(Status::BadRequest, vec!["Invalid email address".into()]);
+ }
+
 match user::User::create(&db.0, &new_user) {
 Ok(_) => _sign_in(db, &new_user.email, &new_user.password),
 Err(user::UserOpError(e)) =>
diff --git a/src/main.rs b/src/main.rs
index 2eca156..fc636cc 100644
--- a/src/main.rs
+++ b/src/main.rs
@@ -1,5 +1,6 @@
 #![feature(proc_macro_hygiene, decl_macro)]
+extern crate regex;
 #[macro_use]
 extern crate rocket;
 #[macro_use]
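Review bot: `EMAIL_RE` in the first `src/api.rs` hunk is anchored with `^` but has no end anchor, so `is_match` accepts any string that merely begins with a well-formed address. Whatever follows the matched prefix (whitespace, line breaks, markup) passes validation and is handed on unchanged. The pattern should end with `$`, i.e. `...\.[a-z]{2,6})$"`, so the whole value has to be an address. The character classes are also lowercase-only, so mixed-case addresses are rejected; if that is not intended, prefix the pattern with `(?i)` or lower-case the input before matching. A one-line comment above the `static ref` stating what the pattern deliberately accepts and rejects would help the next reader.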
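Review bot: The format check in the second `src/api.rs` hunk sits only in the `auth` handler, so any other caller of `user::User::create` (none is visible in this diff) would still be able to store an unvalidated address. Consider enforcing the check inside `User::create`, or on the request type when it is deserialized, so it cannot be skipped. The handler's `match` continues past the end of the hunk, so how a `create` failure is reported cannot be judged from here. A short comment above the `if`, such as `// Reject malformed addresses before any database work`, would document why the check comes first.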