diff --git a/README.md b/README.md
index c991f9cbd..e8bd41677 100644
--- a/README.md
+++ b/README.md
@@ -106,7 +106,7 @@ Validator                               | Description
 **isDecimal(str [, options])**             | check if the string represents a decimal number, such as 0.1, .3, 1.1, 1.00003, 4.0, etc.<br/><br/>`options` is an object which defaults to `{force_decimal: false, decimal_digits: '1,', locale: 'en-US'}`.<br/><br/>`locale` determines the decimal separator and is one of `['ar', 'ar-AE', 'ar-BH', 'ar-DZ', 'ar-EG', 'ar-IQ', 'ar-JO', 'ar-KW', 'ar-LB', 'ar-LY', 'ar-MA', 'ar-QA', 'ar-QM', 'ar-SA', 'ar-SD', 'ar-SY', 'ar-TN', 'ar-YE', 'bg-BG', 'cs-CZ', 'da-DK', 'de-DE', 'el-GR', 'en-AU', 'en-GB', 'en-HK', 'en-IN', 'en-NZ', 'en-US', 'en-ZA', 'en-ZM', 'eo', 'es-ES', 'fa', 'fa-AF', 'fa-IR', 'fr-FR', 'fr-CA', 'hu-HU', 'id-ID', 'it-IT', 'ku-IQ', 'nb-NO', 'nl-NL', 'nn-NO', 'pl-PL', 'pl-Pl', 'pt-BR', 'pt-PT', 'ru-RU', 'sl-SI', 'sr-RS', 'sr-RS@latin', 'sv-SE', 'tr-TR', 'uk-UA', 'vi-VN']`.<br/>**Note:** `decimal_digits` is given as a range like '1,3', a specific value like '3' or min like '1,'.
 **isDivisibleBy(str, number)**          | check if the string is a number that is divisible by another.
 **isEAN(str)**                          | check if the string is an [EAN (European Article Number)][European Article Number].
-**isEmail(str [, options])**            | check if the string is an email.<br/><br/>`options` is an object which defaults to `{ allow_display_name: false, require_display_name: false, allow_utf8_local_part: true, require_tld: true, allow_ip_domain: false, allow_underscores: false, domain_specific_validation: false, blacklisted_chars: '', host_blacklist: [] }`. If `allow_display_name` is set to true, the validator will also match `Display Name <email-address>`. If `require_display_name` is set to true, the validator will reject strings without the format `Display Name <email-address>`. If `allow_utf8_local_part` is set to false, the validator will not allow any non-English UTF8 character in email address' local part. If `require_tld` is set to false, email addresses without a TLD in their domain will also be matched. If `ignore_max_length` is set to true, the validator will not check for the standard max length of an email. If `allow_ip_domain` is set to true, the validator will allow IP addresses in the host part. If `domain_specific_validation` is true, some additional validation will be enabled, e.g. disallowing certain syntactically valid email addresses that are rejected by Gmail. If `blacklisted_chars` receives a string, then the validator will reject emails that include any of the characters in the string, in the name part. If `host_blacklist` is set to an array of strings or regexp, and the part of the email after the `@` symbol matches one of the strings defined in it, the validation fails. If `host_whitelist` is set to an array of strings or regexp, and the part of the email after the `@` symbol matches none of the strings defined in it, the validation fails.
+**isEmail(str [, options])**            | check if the string is an email.<br/><br/>`options` is an object which defaults to `{ allow_display_name: false, require_display_name: false, allow_utf8_local_part: true, require_tld: true, allow_ip_domain: false, allow_underscores: false, domain_specific_validation: false, blacklisted_chars: '', host_blacklist: [], host_whitelist: [], allow_zero_width: true, ignore_max_length: false }`. If `allow_display_name` is set to true, the validator will also match `Display Name <email-address>`. If `require_display_name` is set to true, the validator will reject strings without the format `Display Name <email-address>`. If `allow_utf8_local_part` is set to false, the validator will not allow any non-English UTF8 character in email address' local part. If `require_tld` is set to false, email addresses without a TLD in their domain will also be matched. If `ignore_max_length` is set to true, the validator will not check for the standard max length of an email. If `allow_ip_domain` is set to true, the validator will allow IP addresses in the host part. If `domain_specific_validation` is true, some additional validation will be enabled, e.g. disallowing certain syntactically valid email addresses that are rejected by Gmail. If `blacklisted_chars` receives a string, then the validator will reject emails that include any of the characters in the string, in the name part. If `host_blacklist` is set to an array of strings or regexp, and the part of the email after the `@` symbol matches one of the strings defined in it, the validation fails. If `host_whitelist` is set to an array of strings or regexp, and the part of the email after the `@` symbol matches none of the strings defined in it, the validation fails. If `allow_zero_width` is set to false, the validator will reject emails containing zero-width characters (U+200B-U+200D, U+FEFF).
 **isEmpty(str [, options])**            | check if the string has a length of zero.<br/><br/>`options` is an object which defaults to `{ ignore_whitespace: false }`.
 **isEthereumAddress(str)**              | check if the string is an [Ethereum][Ethereum] address. Does not validate address checksums.
 **isFloat(str [, options])**            | check if the string is a float.<br/><br/>`options` is an object which can contain the keys `min`, `max`, `gt`, and/or `lt` to validate the float is within boundaries (e.g. `{ min: 7.22, max: 9.55 }`) it also has `locale` as an option.<br/><br/>`min` and `max` are equivalent to 'greater or equal' and 'less or equal', respectively while `gt` and `lt` are their strict counterparts.<br/><br/>`locale` determines the decimal separator and is one of `['ar', 'ar-AE', 'ar-BH', 'ar-DZ', 'ar-EG', 'ar-IQ', 'ar-JO', 'ar-KW', 'ar-LB', 'ar-LY', 'ar-MA', 'ar-QA', 'ar-QM', 'ar-SA', 'ar-SD', 'ar-SY', 'ar-TN', 'ar-YE', 'bg-BG', 'cs-CZ', 'da-DK', 'de-DE', 'en-AU', 'en-GB', 'en-HK', 'en-IN', 'en-NZ', 'en-US', 'en-ZA', 'en-ZM', 'eo', 'es-ES', 'fr-CA', 'fr-FR', 'hu-HU', 'it-IT', 'nb-NO', 'nl-NL', 'nn-NO', 'pl-PL', 'pt-BR', 'pt-PT', 'ru-RU', 'sl-SI', 'sr-RS', 'sr-RS@latin', 'sv-SE', 'tr-TR', 'uk-UA']`. Locale list is `validator.isFloatLocales`.
@@ -266,4 +266,4 @@ This project is licensed under the [MIT](LICENSE). See the [LICENSE](LICENSE) fi
 [MIME Type]: https://en.wikipedia.org/wiki/Media_type
 [mongoid]: http://docs.mongodb.org/manual/reference/object-id/
 [RFC 3339]: https://tools.ietf.org/html/rfc3339
-[VAT Number]: https://en.wikipedia.org/wiki/VAT_identification_number
+[VAT Number]: https://en.wikipedia.org/wiki/VAT_identification_number
\ No newline at end of file
diff --git a/src/lib/isEmail.js b/src/lib/isEmail.js
index abe465052..3c5688d59 100644
--- a/src/lib/isEmail.js
+++ b/src/lib/isEmail.js
@@ -12,6 +12,7 @@ const default_email_options = {
   require_display_name: false,
   allow_utf8_local_part: true,
   require_tld: true,
+  allow_zero_width: true,
   blacklisted_chars: '',
   ignore_max_length: false,
   host_blacklist: [],
@@ -26,6 +27,7 @@ const gmailUserPart = /^[a-z\d]+$/;
 const quotedEmailUser = /^([\s\x01-\x08\x0b\x0c\x0e-\x1f\x7f\x21\x23-\x5b\x5d-\x7e]|(\\[\x01-\x09\x0b\x0c\x0d-\x7f]))*$/i;
 const emailUserUtf8Part = /^[a-z\d!#\$%&'\*\+\-\/=\?\^_`{\|}~\u00A1-\uD7FF\uF900-\uFDCF\uFDF0-\uFFEF]+$/i;
 const quotedEmailUserUtf8 = /^([\s\x01-\x08\x0b\x0c\x0e-\x1f\x7f\x21\x23-\x5b\x5d-\x7e\u00A0-\uD7FF\uF900-\uFDCF\uFDF0-\uFFEF]|(\\[\x01-\x09\x0b\x0c\x0d-\x7f\u00A0-\uD7FF\uF900-\uFDCF\uFDF0-\uFFEF]))*$/i;
+const zeroWidthChars = /[\u200B-\u200D\uFEFF]/;
 const defaultMaxEmailLength = 254;
 /* eslint-enable max-len */
 /* eslint-enable no-control-regex */
@@ -107,6 +109,12 @@ export default function isEmail(str, options) {
 
   let user = parts.join('@');
 
+  if (!options.allow_zero_width) {
+    if (zeroWidthChars.test(user) || zeroWidthChars.test(domain)) {
+      return false;
+    }
+  }
+
   if (options.domain_specific_validation && (lower_domain === 'gmail.com' || lower_domain === 'googlemail.com')) {
     /*
     Previously we removed dots for gmail addresses before validating.
diff --git a/test/validators.test.js b/test/validators.test.js
index 9bd00d6ec..9dbaadc91 100644
--- a/test/validators.test.js
+++ b/test/validators.test.js
@@ -377,6 +377,48 @@ describe('Validators', () => {
     });
   });
 
+  it('should reject email addresses with zero-width characters when allow_zero_width is false', () => {
+    test({
+      validator: 'isEmail',
+      args: [{ allow_zero_width: false }],
+      valid: [
+        'foo@bar.com',
+        'test@example.com',
+        'user+tag@domain.co.uk',
+      ],
+      invalid: [
+        'foo\u200B@bar.com',
+        'foo@bar\u200B.com',
+        'test\u200C@example.com',
+        'test@exam\u200Cple.com',
+        'user\u200D@domain.com',
+        'user@dom\u200Dain.com',
+        'admin\uFEFF@site.com',
+        'admin@si\uFEFFte.com',
+      ],
+    });
+  });
+
+  it('should allow email addresses with zero-width characters by default', () => {
+    test({
+      validator: 'isEmail',
+      valid: [
+        'foo@bar.com',
+        'test@example.com',
+        'foo\u200B@bar.com',
+        'foo@bar\u200B.com',
+        'test\u200C@example.com',
+        'user\u200D@domain.com',
+        'admin\uFEFF@site.com',
+      ],
+      invalid: [
+        'invalidemail@',
+        'invalid.com',
+        '@invalid.com',
+      ],
+    });
+  });
+
   it('should validate URLs', () => {
     test({
       validator: 'isURL',