Is /@/ really going to catch significantly less invalid emails than whatever other almost but not quite validation you can apply?

What's more common, someone accidentally typing "foo:[email protected]" or "[email protected]"? Both would bounce and cause mails server issues.

If someone was being malicious, they can do it with an unregistered address that passes any validation you throw at it.