All 11 validation layers

When you call the verify endpoint, all 11 checks run in parallel. Each one examines a different aspect of the email address — the format, the domain, the mailbox, the provider, the patterns. The results are combined into a single quality score.

A few checks are fail-fast: if the syntax is invalid, if a typo is detected, or if a provider format rule is violated, the score drops to 0 immediately and the remaining checks are skipped. There's no point doing an SMTP handshake on an email that's misspelled.

Checks whether the email follows the correct format (RFC 5321/5322). This catches obvious problems like missing @ signs, spaces, double dots, and invalid characters.

If syntax is invalid, the score is set to 0 immediately. Nothing else matters if the address can't even be parsed.

Queries DNS for the domain's mail exchange (MX) records. These records tell the internet which servers handle mail for that domain. No MX records means no mail server — the address can't receive anything.

This catches dead domains, parked domains, and domains that were never set up for email.

Checks whether the domain belongs to a temporary or throwaway email service — providers like Guerrilla Mail, Tempail, 10MinuteMail, and hundreds more. These addresses are designed to expire quickly.

We maintain a continuously updated database of disposable email providers. When a new one appears, it's usually added within days.

Identifies group or function addresses like info@, support@, sales@, noreply@. These aren't tied to a specific person — they're shared inboxes managed by teams.

Learn more about why this matters in Role-based addresses.

Flags addresses from free email providers (Gmail, Yahoo, Outlook, etc.) and checks for format abuse patterns. Specifically, it catches plus-addressing (user+tag@gmail.com) and excessive dot manipulation (u.s.e.r@gmail.com) — patterns commonly used to create multiple accounts from a single inbox.

Compares the domain against known providers and suggests corrections for common misspellings: gmial.com → gmail.com, yaho.com → yahoo.com, outlok.com → outlook.com.

When a typo is detected, the API response includes a suggestion field with the corrected domain. You can use this to prompt the user: "Did you mean user@gmail.com?"

Typo detection is fail-fast: the score drops to 0 because the address as typed almost certainly doesn't exist.

The only way to truly confirm a mailbox exists is to ask the mail server directly. MailSentry opens an SMTP connection and simulates delivering a message — without actually sending one.

This is the most definitive check, but also the slowest (1-3 seconds depending on the server). Learn more about how it works and its limitations in SMTP verification.

Analyzes the local part (everything before @) for patterns that suggest it was randomly generated — keyboard walks like asdfgh@, random strings like xk2j9m@, or meaningless character sequences.

The penalty scales with severity: mild gibberish gets a moderate deduction, while clearly random strings get a heavy one.

Identifies addresses that match patterns used by blocklist operators as honeypots. Sending to a spam trap can get your sending domain blocklisted — sometimes permanently.

Looks up when the domain was registered. Domains less than 30 days old are flagged as suspicious. Brand-new domains are disproportionately used for fraud, phishing, and throwaway signups.

This isn't a hard fail — a new domain from a legitimate startup is fine. But combined with other signals (no MX records, gibberish local part), it adds useful context.

Checks the address and domain against known abuse patterns — addresses associated with spam, fraud, or toxic behavior. This uses a combination of blocklists and heuristic pattern matching.