diff --git a/internal/api/mail_test.go b/internal/api/mail_test.go
index 90608a13a..677a94f7e 100644
--- a/internal/api/mail_test.go
+++ b/internal/api/mail_test.go
@@ -48,6 +48,49 @@ func (ts *MailTestSuite) SetupTest() {
 require.NoError(ts.T(), ts.API.db.Create(u), "Error saving new user")
 }

+func (ts *MailTestSuite) TestValidateEmail() {
+ cases := []struct {
+ desc string
+ email string
+ expectedEmail string
+ expectedError error
+ }{
+ {
+ desc: "valid email",
+ email: "test@example.com",
+ expectedEmail: "test@example.com",
+ expectedError: nil,
+ },
+ {
+ desc: "email should be normalized",
+ email: "TEST@EXAMPLE.COM",
+ expectedEmail: "test@example.com",
+ expectedError: nil,
+ },
+ {
+ desc: "empty email should return error",
+ email: "",
+ expectedEmail: "",
+ expectedError: badRequestError(ErrorCodeValidationFailed, "An email address is required"),
+ },
+ {
+ desc: "email length exceeds 255 characters",
+ // email has 256 characters
+ email: "testtesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttest@example.com",
+ expectedEmail: "",
+ expectedError: badRequestError(ErrorCodeValidationFailed, "An email address is too long"),
+ },
+ }
+
+ for _, c := range cases {
+ ts.Run(c.desc, func() {
+ email, err := ts.API.validateEmail(c.email)
+ require.Equal(ts.T(), c.expectedError, err)
+ require.Equal(ts.T(), c.expectedEmail, email)
+ })
+ }
+}
+
 func (ts *MailTestSuite) TestGenerateLink() {
 // create admin jwt
 claims := &AccessTokenClaims{
diff --git a/internal/api/verify_test.go b/internal/api/verify_test.go
index a0232efcf..ea0892098 100644
--- a/internal/api/verify_test.go
+++ b/internal/api/verify_test.go
@@ -8,6 +8,7 @@ import (
 "net/http"
 "net/http/httptest"
 "net/url"
+ "strings"
 "testing"
 "time"

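Review bot: The length case in TestValidateEmail (internal/api/mail_test.go) exercises only a hand-typed address that the comment says is 256 characters, so the limit is never tested from the accepting side and the literal's length cannot be checked by eye. An off-by-one in the check (`>=` where `>` is meant) would still pass this table, and a length limit on an identity field is worth pinning exactly. Build both boundary inputs instead, e.g. `email: strings.Repeat("a", 243) + "@example.com"` expecting no error and `email: strings.Repeat("a", 244) + "@example.com"` expecting the "too long" error; this needs `strings` imported in this file, whose import block is outside the hunk, and assumes validateEmail's other checks accept a long local part. The table also has no malformed-address case (for example a value with no `@`), so only the empty and over-length rejections are covered.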
@@ -900,6 +901,19 @@ func (ts *VerifyTestSuite) TestVerifyValidOtp() {
 tokenHash: crypto.GenerateTokenHash(u.GetEmail(), "123456"),
 },
 },
+ {
+ desc: "Valid Email OTP (email casing shouldn't matter)",
+ sentTime: time.Now(),
+ body: map[string]interface{}{
+ "type": mail.EmailOTPVerification,
+ "token": "123456",
+ "email": strings.ToUpper(u.GetEmail()),
+ },
+ expected: expected{
+ code: http.StatusOK,
+ tokenHash: crypto.GenerateTokenHash(u.GetEmail(), "123456"),
+ },
+ },
 {
 desc: "Valid Email Change OTP",
 sentTime: time.Now(),
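Review bot: The new "email casing shouldn't matter" case in TestVerifyValidOtp only proves something if the fixture address differs from its upper-cased form; if `u.GetEmail()` ever contained no lower-case letters, `strings.ToUpper` would be a no-op and the case would pass without exercising normalisation. Guard the premise where `u` is loaded, e.g. `require.NotEqual(ts.T(), u.GetEmail(), strings.ToUpper(u.GetEmail()))`. A short comment on `expected.tokenHash` such as `// hash is derived from the stored (lower-case) address, not the submitted one` would also explain why the expectation uses the un-cased email. The table and the code that consumes `expected` lie outside the hunk, so how `tokenHash` is checked is inferred from the neighbouring cases.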