Email validation is the process of verifying that an email address is correctly formatted, actually exists, and can receive messages — before you attempt to send to it.

It matters because every email list naturally degrades at ~2% per month. People change jobs, abandon addresses, or make typos when signing up. Sending to invalid addresses drives up your bounce rate, which damages your sender reputation with ISPs like Gmail and Microsoft.

• Hard bounces > 2% trigger spam folder placement for all your emails
• Hard bounces > 5% can get your sending domain blacklisted
• ESPs like Mailchimp and SendGrid will suspend accounts that exceed their bounce thresholds

The terms are often used interchangeably, but there is a technical distinction:

• Email Validation — checks format, syntax, domain structure, and MX records. Fast (under 100ms). Catches obvious issues.
• Email Verification — goes further by attempting an SMTP handshake with the mail server to confirm the mailbox actually exists. Slower but more accurate.

Our API does both — format validation + SMTP verification — in a single call, returning a confidence score and classification (valid, invalid, risky, disposable, etc.).

Our API classifies emails into 9 distinct categories:

1. Valid — deliverable, real mailbox confirmed
2. Invalid format — syntax errors (missing @, invalid characters)
3. Invalid domain — domain doesn't exist or has no DNS records
4. No MX records — domain exists but can't receive email
5. Disposable / Temporary — services like Mailinator, 10minutemail, Guerrilla Mail
6. Role-based — info@, support@, admin@ — high unsubscribe rate
7. Catch-all / Accept-all — server accepts all emails; individual mailbox unknown
8. Spam trap — honeypot addresses used by ISPs to identify spammers
9. Typo / Near-miss — gmial.com, yahio.com, hotmial.com with suggested correction

Our accuracy metrics (measured against independent test sets of 10M+ addresses, updated quarterly):

• Overall accuracy: 99.5%
• False positive rate (valid marked invalid): <0.3%
• False negative rate (invalid marked valid): <0.2%
• Disposable email detection: 99.1% (database of 2.8M+ domains)
• Typo detection: 97.8%

No email validation service achieves 100% accuracy due to catch-all servers and privacy-protecting configurations. We're transparent about the "unknown" and "risky" categories so you can make informed decisions.

Both, ideally. Here's the recommended strategy:

• At the point of capture (form/signup/checkout) — catch typos in real-time, provide inline correction suggestions, reduce friction vs. double opt-in
• Before major campaigns — validate your full list against fresh data, especially lists older than 3 months
• Periodic hygiene (monthly/quarterly) — run bulk validation on your CRM to catch addresses that have gone stale since they were captured

Real-time validation at the point of capture is the highest-ROI single intervention. It prevents bad data from entering your system in the first place.

They serve different purposes and complement each other:

• Email validation — confirms the address is technically deliverable
• Double opt-in — confirms the human who owns that address consented

Validation can reduce your need for DOI in lower-risk use cases (e.g., free tool signups) because it eliminates most junk at the point of capture. However, for transactional consent (GDPR, CAN-SPAM, marketing lists), DOI provides the legal paper trail that validation alone cannot.

Many companies use both: validate at signup for UX quality, then confirm via DOI for consent. This gives you the best of both: clean data AND verified consent.

Response times vary by validation depth:

• Format check only: <5ms (client-side, no API call needed)
• Standard validation (domain + MX): 50–150ms
• Full SMTP verification: 150–800ms (depends on target mail server)
• Bulk processing: ~5,000 emails/minute via async API

For real-time form validation, we use a two-phase approach: instant format check on keystroke, then SMTP verification on form submit — so it's never slow from the user's perspective.

MX (Mail Exchange) records are DNS entries that tell email servers where to deliver mail for a domain. When you validate [email protected], our API:

1. Queries DNS for company.com's MX records
2. Verifies the MX records point to valid, responding mail servers
3. Attempts an SMTP handshake with the mail server to confirm the mailbox exists

A domain without MX records cannot receive email, even if the domain itself is valid. This catches a significant class of invalid emails that format-only checking misses (e.g., [email protected] — valid format, but example.com has no MX records).

A catch-all (or accept-all) server accepts any email addressed to its domain without rejecting unknown mailboxes. So [email protected] and [email protected] both return "accepted" during SMTP handshake — making it impossible to confirm if a specific mailbox exists.

Our approach to catch-all domains:

• Classify them as "risky" (not invalid — the domain is real)
• Provide a catch-all confidence score (0–100) based on domain reputation signals
• Cross-reference against our database of known catch-all domains
• Let you set your own accept/reject threshold in dashboard settings

Approximately 15–20% of B2B corporate domains use catch-all configuration, which is why this category requires nuanced handling rather than automatic rejection.

We maintain a proprietary database of 2.8 million+ disposable email domains, updated in real-time using:

• Manual curation of known services (Mailinator, 10minutemail, Guerrilla Mail, etc.)
• Automated crawling of new disposable services
• Community reports from our API users
• Behavioral signals — domains with no legitimate email history
• Pattern recognition — subdomains generated for obfuscation

Detection rate: 99.1%. New disposable services are added within 24–48 hours of discovery. Our database is updated every 4 hours.

Our typo engine catches the most common categories of email typos:

• Domain misspellings: gmial.com → gmail.com, yaho.com → yahoo.com
• TLD errors: gmail.con → gmail.com, gmail.co → gmail.com
• Extra/missing dots: [email protected]
• Missing @ symbol: usergmail.com
• Double @: user@@gmail.com

When a typo is detected, the API returns both the original email and a did_you_mean suggestion that you can present to your user inline:

{ "email": "[email protected]", "status": "typo", "did_you_mean": "[email protected]", "confidence": 0.97 }

A full verification response includes:

{
  "email": "[email protected]",
  "status": "valid",
  "sub_status": null,
  "free_email": false,
  "disposable": false,
  "role": false,
  "catch_all": false,
  "mx_found": true,
  "mx_record": "mail.company.com",
  "smtp_provider": "Google Workspace",
  "score": 0.98,
  "did_you_mean": null,
  "processed_at": "2026-02-19T09:00:00Z",
  "response_time_ms": 138
}

Status values: valid, invalid, risky, unknown. Sub-status gives the specific reason (e.g., mailbox_not_found, disposable, no_mx_record).

No. SMTP verification works by initiating a handshake with the mail server up to (but not including) the DATA command — no email is ever sent. The process is:

1. Connect to mail server → EHLO
2. Identify sender → MAIL FROM: <[email protected]>
3. Check recipient → RCPT TO: <[email protected]>
4. Read response (250 = exists, 550 = not found) → QUIT

The target address's inbox never receives anything. No notification is triggered. This is fully GDPR-compliant — you're only querying public infrastructure, not processing personal data beyond what's necessary for the stated purpose.

Industry benchmarks for hard bounce rates:

• <1% — Excellent. Top-tier deliverability maintained.
• 1–2% — Acceptable. Monitor closely.
• 2–5% — Warning zone. Immediate list cleaning recommended.
• >5% — Danger. ESP suspension risk. Aggressive validation needed.

Gmail and Microsoft have tightened their thresholds significantly since 2024 with the Sender Policy Framework updates. A bounce rate above 2% now actively triggers spam folder routing for all recipients — not just bounced ones.

Our customers average 0.8% bounce rate after implementing real-time validation.

Yes — but it's one factor among several. Email validation directly improves:

• Bounce rate — the #1 spam signal ISPs use
• Engagement rate — fewer invalid addresses means better open/click ratios
• Sender reputation — consistent low bounce rate builds long-term domain trust

Other factors that affect spam placement (outside validation's scope): SPF/DKIM/DMARC configuration, email content quality, sending volume ramp-up, and unsubscribe rate management.

Email lists decay at approximately 2–3% per month. This translates to roughly 25–30% of your list becoming invalid within a year.

Recommended re-validation schedule:

• Active sending lists: Every 3 months
• Dormant lists (not emailed in 6+ months): Before every campaign
• Purchased or acquired lists: Before first use, no exceptions
• High-turnover sectors (hospitality, retail): Monthly

B2B lists decay faster (~30–35%/year) due to job changes. B2C lists at personal email domains decay more slowly (~15–20%/year).

It depends on your use case. Role-based addresses have specific characteristics:

• Typically monitored by multiple people (team inboxes)
• 3–5x higher unsubscribe rate vs personal addresses
• High spam complaint rate — one person unsubscribes, another re-subscribes them
• Lower engagement rates on personalized content

Our recommendation:

• Marketing/newsletter lists: Block role-based — they hurt engagement metrics
• B2B sales outreach: Keep them — info@ is often the entry point to a company
• SaaS signups: Soft-block — show a warning, let user proceed

Our API lets you configure role-based handling per use case in your dashboard.

Spam traps are email addresses deliberately placed by ISPs, blocklist operators, and email security firms to identify spammers. There are two types:

• Pristine traps: Never belonged to a real user. Sending to them = you bought a list or scraped addresses.
• Recycled traps: Old, abandoned addresses re-purposed as traps. Sending to them = you're not maintaining list hygiene.

Our API cross-references against known spam trap patterns and signals. We flag high-probability spam trap addresses (confidence score approach). However, no service can identify 100% of spam traps — they're designed to be hidden.

Best defense: Use permission-based list building + regular validation. Organic lists with clear opt-in practices essentially never contain spam traps.

Yes — with proper implementation. GDPR compliance for email validation involves:

• Legitimate interest / contractual necessity: Validating emails to fulfill a service (delivering ordered goods, sending account credentials) is typically covered under Article 6(1)(b) or 6(1)(f).
• Data minimization: We process only the email address, not additional PII. Our API does not store emails after processing (configurable).
• Data Processing Agreement (DPA): We provide a GDPR-compliant DPA for all Business and Enterprise plan customers.
• EU data residency: Available on Business+ plans — all processing stays within EU data centers.
• Retention: Default is zero retention (no email storage). Audit logging can be enabled separately.

Security measures in place:

• TLS 1.3 for all API communications
• API keys with configurable IP allowlisting and rate limits
• Zero-logging mode: Emails are processed in memory and immediately discarded (default)
• SOC 2 Type II certified (available on request)
• HTTPS only — HTTP requests are rejected, not redirected
• No shared tenant data — your validation results are never accessible to other customers

For Enterprise customers: dedicated API keys, custom data retention policies, and isolated processing environments are available.

Email validation supports CAN-SPAM compliance indirectly:

• Ensures your list contains real, reachable people — not bots or invalid addresses that inflate complaint rates
• Reduces spam complaint probability by filtering role-based and disposable addresses that correlate with complaints
• Helps demonstrate good-faith list management practices in case of regulatory review

CAN-SPAM's primary requirements (unsubscribe mechanism, honest subject lines, physical address) are content and consent issues — outside validation's scope. But clean lists are foundational to compliant email marketing.

API key security best practices:

• Never expose in frontend JavaScript — use server-side proxy instead
• Use environment variables — never hardcode in source files
• Enable IP allowlisting in dashboard to restrict which servers can use your key
• Set rate limits per key to limit damage if a key is compromised
• Use separate keys for dev/staging/production environments
• Rotate keys quarterly or immediately after any suspected exposure

Storage depends on your settings:

• Default (all plans): Zero retention — emails processed in memory, results returned, nothing stored
• Audit log mode (optional): Validation results (status only, not email content) stored for 30 days for debugging
• Bulk job history: Job metadata stored 90 days. Download your results within that window.
• EU residency option: All processing and any logs remain within EU (Frankfurt data center)

You can configure retention settings in Dashboard → Security → Data Retention. You can also request deletion of any stored data at any time via the API or support.

The fastest path: 5 minutes to first validation.

# 1. Get your API key (free signup, no credit card)
# 2. Make your first call:
curl -X GET "https://api.emailvalidation.io/v1/[email protected]" \
  -H "Authorization: Bearer YOUR_API_KEY"

For common use cases we offer SDKs in: JavaScript/Node.js, Python, PHP, Ruby, Go, Java, C#. Plus native integrations for Shopify, HubSpot, Salesforce, Zapier, and more.

For form validation without backend changes:

<script src="https://cdn.emailvalidation.io/widget.js" 
  data-key="YOUR_API_KEY" 
  data-target="#email-input"></script>

Real-time API rate limits by plan:

• Starter: 100 requests/minute, 10K validations/month
• Growth: 1,000 requests/minute, 100K validations/month
• Business: 5,000 requests/minute, 500K validations/month
• Enterprise: Custom (up to 50,000 req/min)

Bulk validation uses a separate async API with no rate limits per se — you upload a CSV or JSON list, we process it asynchronously and notify you (webhook or email) when complete. Processing speed: ~5,000 emails/minute per job.

POST /v1/bulk
{ "emails": ["[email protected]", "[email protected]", ...],
  "callback_url": "https://yoursite.com/webhook/validation-done" }

Webhooks allow our API to push results to your server rather than you polling. Common use cases:

• Bulk job completion notifications
• Real-time CRM sync when validation results change
• Automated list cleaning triggers

Webhook payload example:

{
  "event": "bulk_job_completed",
  "job_id": "job_abc123",
  "total": 5000,
  "valid": 4201,
  "invalid": 612,
  "risky": 187,
  "download_url": "https://api.emailvalidation.io/v1/bulk/job_abc123/results",
  "expires_at": "2026-02-26T09:00:00Z"
}

Webhooks are signed with HMAC-SHA256 using your webhook secret. Always verify the signature before processing.

Yes — several no-code options:

• Zapier integration: Validate emails in any Zap. Connect 3,000+ apps. Most popular: "When form submitted → Validate email → Add to CRM if valid"
• Make (Integromat): Official module with full API coverage
• n8n: Community node available
• Shopify app: Install from App Store, no configuration needed
• WordPress plugin: Works with Gravity Forms, WPForms, Contact Form 7
• HubSpot app: Native integration, validate on form submission or bulk from lists

Our pricing is based on monthly validation volume:

• Free: 250 validations/month — no credit card, forever free
• Starter ($29/mo): 10,000 validations, real-time API, bulk upload
• Growth ($79/mo): 100,000 validations, all integrations, priority support
• Business ($199/mo): 500,000 validations, SLA, dedicated support, EU residency
• Enterprise (custom): Unlimited, dedicated infrastructure, SLA >99.99%

Pay-as-you-go is also available: $0.003 per validation (min $10 credit). Overage on subscription plans is charged at $0.002/validation.

Volume discounts available — contact us for custom pricing at over 1M validations/month.

Multiple ways to test for free:

• Free forever plan: 250 validations/month, no time limit, no credit card
• Interactive playground: Test at emailvalidation.io/playground without even signing up
• 14-day trial: Any paid plan, full features, cancel anytime
• Bulk sample: Upload up to 100 emails for free via the dashboard (no account required)

We intentionally make it easy to validate your use case before committing. Most customers go from signup to production integration in under 24 hours.

We never cut off your service mid-month. Here's what happens when you reach your limit:

• Email alert at 80% and 100% of quota
• Overage continues automatically at $0.002/validation (no interruption)
• Auto-upgrade option: Enable in dashboard to automatically upgrade to the next plan instead of paying per-validation overage
• Hard cap option: For budget control, set a hard limit — API returns a clear error when limit is reached

We'll never surprise you with a massive overage bill. The dashboard shows real-time usage, and you can set email alerts at any threshold you choose.