The simplest JavaScript-compatible change you could make to ensure that it does not start with a period/dot/decimal-point would be to use a negative lookahead like so: (?!\.)
at the beginning of the expression:
function validateEmail(elementValue)
{
var emailPattern = /^(?!\.)[a-zA-Z0-9._-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,4}$/;
return emailPattern.test(elementValue);
}
There are plenty of cases this does not handle, and depending upon your reasons for this need, it might be one of thousands of things that go into creating a perfect RFC-2822 compliant email address (which I don't believe actually exists in any commercially viable system or "in the wild") - that you don't really need to worry about.
you could also simplify it further by making it case-insensitive:
/(?!\.)[a-z0-9._-]+@[a-z0-9.-]+\.[a-z]{2,4}/i
or even better...
/(?!\.)[\w.-]+@[a-z0-9.-]+\.[a-z]{2,4}/i
and you might want to consider (if you haven't already) the .travel
and .museum
TLDs that would be invalidated by your {2,4}
length limitation