Because you’re doing it wrong. At least, that’s what I’ve discovered to be the case with Borders.com, JustFlowers.com, and a number of other sites.
My personal e-mail address has a .name top-level domain. Dot-name, of course, being one of the 280 (at present) valid TLDs. Your rinky-dink regular expression that checks (com|net|org|gov|mil) does not cut it.
This morning I tried to order a book from Borders. I couldn’t. They didn’t like my e-mail address. I also tried to change my password. Couldn’t.
Ultimately, I had to change my e-mail address in order to do anything. Now all of my personal e-mail goes to one address, and all the Borders mail goes to another that I use for technical mailing lists.
Look, e-mail addresses are complicated. More complicated than you think. See Phil Haack’s enlightening blog post on the subject if you don’t believe me.
Did you ever consider why you are validating e-mail addresses in the first place? It’s in the customer’s best interest for an order confirmation e-mail to get to their inbox. Why do you put two text fields to confirm an address? It’s to help prevent the user from making dumb mistakes, right? The fact is there’s no need for rigid validation—either the e-mail gets there or it doesn’t.
If you must validate, do this instead: /.+@.+/. That’s guaranteed to be future-proof, and people like me won’t write you ticked-off e-mails telling you to fix it. 