The absolute answer is that you have to send mail to that address and request that the user take some action to indicate that they received the email. That might be as simple as replying to your email or logging into a webpage by providing a code included in the email that you sent. This is the only way you can really validate an email address.
But maybe you'd like to do some pre-checking before you go to all that trouble. It's easy enough to write a regular expression that matches email addresses as defined in RFC822 - and you should definitely look at that before you decide that you know what a valid address looks like! But that only tells you the address is syntactically correct - it doesn't mean that the domain exists, or that it has a mailserver if it does exist, or that the user at that address actually exists. Still, regex checking can eliminate a lot of the worst crap people will type in to a web form.
If it is valid, you could try asking the server if it will accept mail for that user. That used to be a lot easier than it is now: all you had to do was connect and issue a "VRFY jack". Almost nobody lets you do that today because it was an easy way for spammers to check addresses - they would just try every name they could think of and send junk to the addresses that existed.
But you still can ask by using "rcpt to:". See How do I test an SMTP server for details; you look up the MX for the domain, connect to that and issue a "Helo yourdomain.org", a "Mail from: [email protected]" command and then a "rcpt to: [email protected]". If you get a positive response (a 250 rather than a 55? or anything else), that SHOULD be a valid address. Maybe :-)
However, there are any number of reasons that a server might give you back a 250 for a completely bogus user. Many servers today are configured to do exactly that to avoid giving spammers information about users. So they accept anything and then may or may not send back a bounce message later. More and more are configured to be totally silent - you'll just never know the address was bad.
(Most Kerio mail servers are configured that way.)
Even if that were not true, it may be configured to forward unknown users to some other server - again, you won't know anything unless that server chooses to tell you. That brings us back to what I said at the top: the only absolute test is to send email that requests the recipient take some verifiable action.
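
One way to implement the "code included in the email" check described at the top and repeated here, as an added example that is not code from the original page. The secret key, the one-day expiry, the sender address and the confirm URL are all assumptions made for the illustration; the code is bound to the address with an HMAC so the server needs no per-address storage.

```python
import base64, hashlib, hmac, time
from email.message import EmailMessage
from urllib.parse import urlencode

SECRET_KEY = b"constructed-demo-key"   # assumption: a real key comes from server config
TOKEN_TTL = 24 * 3600                  # assumption: codes expire after one day

def _sign(address: str, expires: int) -> str:
    # Bind the code to this address and expiry; addresses are normalised
    # to lower case here (an assumption of this example).
    msg = f"{address.strip().lower()}|{expires}".encode()
    digest = hmac.new(SECRET_KEY, msg, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode()

def make_code(address: str, now=None) -> str:
    """Return 'expiry.signature' to include in the confirmation email."""
    expires = int(time.time() if now is None else now) + TOKEN_TTL
    return f"{expires}.{_sign(address, expires)}"

def check_code(address: str, code: str, now=None) -> bool:
    """True only if the code was issued for this address and has not expired."""
    now = int(time.time() if now is None else now)
    try:
        expires_text, sig = code.split(".", 1)
        expires = int(expires_text)
    except ValueError:                 # no separator, or expiry is not a number
        return False
    if expires < now:
        return False
    # Constant-time comparison so the check does not leak signature bytes.
    return hmac.compare_digest(sig.encode(), _sign(address, expires).encode())

def build_message(address: str, code: str) -> EmailMessage:
    """Build (not send) the confirmation mail; sender and URL are placeholders."""
    msg = EmailMessage()
    msg["From"] = "noreply@example.org"
    msg["To"] = address
    msg["Subject"] = "Please confirm your email address"
    query = urlencode({"addr": address, "code": code})
    msg.set_content(
        "Open this link to confirm you received this mail:\n"
        f"https://example.org/confirm?{query}\n\n"
        f"Or enter this code on the site: {code}\n"
    )
    return msg

if __name__ == "__main__":
    code = make_code("jack@example.com")   # constructed sample address
    print(build_message("jack@example.com", code))
    print("valid:", check_code("jack@example.com", code))
```

The address counts as validated only once `check_code` succeeds on a value the recipient sent back; nothing about the SMTP dialogue is trusted.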