First of all: however rare, "!" and "$" are allowed characters in email addresses (on the left-hand/mailbox side, not on the domain side). So an HTML5- and SMTP-compliant email validator must not discard addresses because of those characters.
That said, Marketo's built-in validator is more permissive than most people expect, for example allowing test@example (without any TLD). Again, that is a valid email address. But it won't be routable on the public internet, and since the idea behind a Marketo form is to gather public email addresses, it stands to reason that it should not validate.
At the same time, any JavaScript-based validation can be bypassed, so if a person is maliciously trying to get those addresses into your system, they'll just post around it and will never see a warning like "Please enter a valid email address."
In reality, you have 3 different types of malicious use to cover:
- Avoiding script-based form validation. Combat this by implementing reCAPTCHA, so posts by automated processes/bots can be discarded.
- Entering email addresses that are syntactically valid, but which do not exist. Combat this by using a verification service such as Etumos Verify that integrates directly into the form.
- Entering email addresses that do exist, but which are disposable (so they can never be emailed again). Verification services can detect most domains that specifically offer disposable addresses (though they can't stop someone who sets up a Gmail address and never checks it!).
You might also give a look at this blog post as it pertains to form-entered tokens in general.
.png)