diff --git a/src/Module/Api/AuthController.php b/src/Module/Api/AuthController.php index e5d94ac..7b5019b 100644 --- a/src/Module/Api/AuthController.php +++ b/src/Module/Api/AuthController.php @@ -25,6 +25,7 @@ use function Windwalker\Query\uuid2bin; use function Windwalker\uid; +use function Windwalker\validate; #[Controller] class AuthController @@ -40,6 +41,8 @@ public function challenge( RequestAssert::assert($email, 'No email'); + $this->validateEmail($email); + $sessId = uid(); $user = $orm->findOne(User::class, compact('email')); @@ -123,10 +126,7 @@ public function authenticate( RequestAssert::assert($A, 'Invalid credentials'); RequestAssert::assert($M1, 'Invalid credentials'); - if (!str_contains($email, '@')) { - // Todo: Use email filters - throw new \RuntimeException('Invalid Email format'); - } + $this->validateEmail($email); $user = $orm->findOne(User::class, compact('email')); @@ -201,10 +201,7 @@ public function register( RequestAssert::assert($email, 'No Email'); - if (!str_contains($email, '@')) { - // Todo: Use email filters - throw new \RuntimeException('Invalid Email format'); - } + $this->validateEmail($email); $verifier = BigInteger::fromBase($verifier, 16); $salt = BigInteger::fromBase($salt, 16); diff --git a/src/Module/Api/Traits/SRPValidationTrait.php b/src/Module/Api/Traits/SRPValidationTrait.php index 4a4f5ea..aac7ac2 100644 --- a/src/Module/Api/Traits/SRPValidationTrait.php +++ b/src/Module/Api/Traits/SRPValidationTrait.php @@ -15,6 +15,8 @@ use Firebase\JWT\JWT; use Firebase\JWT\Key; use Lyrasoft\Luna\Auth\SRP\SRPService; +use Windwalker\Core\Form\Exception\ValidateFailException; +use Windwalker\Filter\Rule\EmailAddress; use Windwalker\ORM\ORM; use Windwalker\SRP\Exception\InvalidSessionProofException; 
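Review bot: `use function Windwalker\validate;` is added in the first hunk of AuthController.php, but none of the new lines in this file call it — every call site goes through the trait's `$this->validateEmail($email)` — so unless it is used in code outside these hunks it is a dead import and should be dropped. In the `challenge` and `authenticate` hunks the freshly validated `$email` is then passed verbatim to `$orm->findOne(User::class, compact('email'))`; if the `EmailAddress` rule tolerates surrounding whitespace or the `email` column is compared case-sensitively, a value that passes validation can still miss the stored account, so consider normalizing once before the check, e.g. `$email = trim($email);` ahead of `$this->validateEmail($email);` in all three methods, with the same normalization applied at registration so the stored key matches what later lookups send. The bodies of `challenge`, `authenticate` and `register` all continue outside their hunks, so whether such normalization already happens there cannot be confirmed from this diff.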
@@ -94,4 +96,16 @@ protected function srpValidate( ErrorCode::INVALID_CREDENTIALS->throw(); } } + + protected function isEmail(string $email): bool + { + return (new EmailAddress())->test($email); + } + + protected function validateEmail(string $email): void + { + if (!$this->isEmail($email)) { + throw new ValidateFailException('Invalid Email'); + } + } }
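Review bot: The two new trait methods `isEmail` and `validateEmail` carry no documentation, and `validateEmail` reports failure with `ValidateFailException` while the trait's existing `srpValidate` (whose closing lines are the context of this hunk) reports through `ErrorCode::INVALID_CREDENTIALS->throw()`, so a caller on the login path now gets two different exception types for bad input; it is worth confirming that the API error handler maps `ValidateFailException` to a 4xx response rather than letting it surface as a 500. I would add a docblock on `validateEmail` stating that it rejects malformed addresses before the ORM lookup and carries `@throws ValidateFailException`, and a one-line docblock on `isEmail` stating that the `EmailAddress` rule is the sole criterion, since its exact acceptance rules (whitespace, IDN, length) are not visible here and callers should not assume more than "passes the Windwalker filter". If the intent is that a malformed email on `authenticate` should be indistinguishable from a wrong password, the trait could expose a variant that throws the `ErrorCode` instead, e.g. `if (!$this->isEmail($email)) { ErrorCode::INVALID_CREDENTIALS->throw(); }`, and `authenticate` would call that one.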