Skip to main content
PushMail.dev

Email Validation

Validate email addresses before sending with syntax, MX, disposable domain, and role-based address checks. Available as a standalone API with free tier.

Overview

PushMail's email validation API lets you verify email addresses before adding them to your lists or sending. Every validation runs four core checks, plus a deeper mailbox verification tier that confirms the individual address actually exists — not just that its domain can receive mail.

CheckDescription
SyntaxRFC-compliant format, valid local part length (max 64 chars) and domain length (max 253 chars)
MX recordsDNS lookup via Cloudflare DoH to confirm the domain can receive email. Falls back to A record per RFC 5321
DisposableChecks against a built-in list of 60+ disposable email providers (mailinator, guerrillamail, etc.)
Role-basedDetects generic addresses like admin@, noreply@, support@ that are typically not personal inboxes
MailboxDeep, provider-aware confirmation that the specific mailbox exists (see below)

Together these give a triple-verified result — format → domain → mailbox — returned as a single deliverability status and a confidence level so you know not just whether an address passed, but how certain the answer is.

Results are cached (MX lookups per domain; mailbox verdicts per email, with a long TTL for stable providers) so repeated validations are fast and cheap.

Pricing

Monthly volumeCost per validation
First 100 / monthFree
Up to 20,000$0.005
20,001 – 250,000$0.003
250,001+$0.0015

One price per email — a validation costs exactly the same as a send, because every PushMail send already runs the same triple-verified check (format → domain → mailbox) before relaying, dropping confirmed-undeliverable addresses before they burn a send credit or bounce against your sender reputation. A standalone validation is simply that check without the delivery. Volume tiers are graduated and the first 100 each month are free; the allowance resets at the start of each calendar month. (Addresses we can't confirm either way — catch-all domains, consumer Gmail — are still delivered; only addresses confirmed dead are dropped.)

Single validation

curl -X POST https://pushmail.dev/api/v1/validate \
  -H "Authorization: Bearer pm_live_YOUR_KEY" \
  -H "Content-Type: application/json" \
  -d '{ "email": "user@example.com" }'

Response:

{
  "data": {
    "email": "user@contoso.com",
    "valid": true,
    "status": "deliverable",
    "confidence": "verified",
    "provider": "microsoft",
    "method": "microsoft_getcredentialtype",
    "checks": {
      "syntax": true,
      "mx": true,
      "disposable": false,
      "role": false,
      "mailbox": "exists"
    }
  }
}

status is the headline deliverability verdict; confidence tells you how strong the underlying evidence is. See Deep mailbox verification for the full field reference.

When validation fails, a reason field explains why:

{
  "data": {
    "email": "test@mailinator.com",
    "valid": false,
    "checks": {
      "syntax": true,
      "mx": true,
      "disposable": true,
      "role": false
    },
    "reason": "Disposable email address"
  }
}

A suggestion field appears when a common typo is detected (e.g. gmial.com suggests gmail.com).

Batch validation

Validate up to 100 emails in a single request:

curl -X POST https://pushmail.dev/api/v1/validate \
  -H "Authorization: Bearer pm_live_YOUR_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "emails": [
      "alice@gmail.com",
      "bob@mailinator.com",
      "admin@example.com"
    ]
  }'

Response:

{
  "data": {
    "results": [
      { "email": "alice@gmail.com", "valid": true, "checks": { "syntax": true, "mx": true, "disposable": false, "role": false } },
      { "email": "bob@mailinator.com", "valid": false, "checks": { "syntax": true, "mx": true, "disposable": true, "role": false }, "reason": "Disposable email address" },
      { "email": "admin@example.com", "valid": true, "checks": { "syntax": true, "mx": true, "disposable": false, "role": true } }
    ],
    "count": 3,
    "cost": {
      "freeUsed": 3,
      "paidCount": 0,
      "totalCostCents": 0
    }
  }
}

Deep mailbox verification

The core four checks tell you the domain can receive mail. Mailbox verification goes further and confirms the specific address exists, using a provider-aware strategy — because the right way to verify a mailbox depends on who runs it.

PushMail classifies the domain by its MX records, then routes to the best method for that provider:

ProviderMethodResult
Microsoft 365 / Outlook / HotmailGetCredentialType account lookupverified — a true exists / not-found answer
Google / Yahoo / iCloudprovider lookup (rolling out) + Gravatar corroborationbest_effort — major-provider mailboxes accept all SMTP, so these can't be confirmed with certainty
Self-hosted / business domainsGravatar corroboration (SMTP probe tier available on request)best_effort or mx_only
Catch-all domainsdetected and flaggedcatch_all — the domain accepts every address, so no per-mailbox answer is possible

The response adds five fields on top of the core checks:

{
  "status": "deliverable",          // deliverable | undeliverable | risky | unknown
  "confidence": "verified",         // verified | best_effort | mx_only | none
  "provider": "microsoft",          // detected MX provider
  "method": "microsoft_getcredentialtype",
  "checks": { "...": "...", "mailbox": "exists" }  // exists | not_found | catch_all | unverifiable
}

status

StatusMeaning
deliverableMailbox confirmed to exist — safe to send
undeliverableWill bounce — bad syntax, no MX, or mailbox confirmed not to exist
riskySendable but uncertain — disposable, role-based, catch-all, or a mailbox we couldn't confirm
unknownNot enough signal to classify

confidence

ConfidenceMeaning
verifiedProvider gave a definitive exists/not-found answer (e.g. Microsoft)
best_effortCorroborating signal only (e.g. a matching Gravatar, or an accept-all major provider)
mx_onlyDomain accepts mail but the mailbox couldn't be probed
noneNo mailbox-level signal available

Honest by design. For accept-all providers (consumer Gmail, catch-all domains) no verifier — SMTP or otherwise — can truly confirm an individual mailbox; that's why these return best_effort/risky rather than a false green checkmark. Microsoft-hosted business domains do return verified. We tell you how confident the answer is, not just pass/fail.

Freshness & caching

Mailbox verdicts are cached per email with a provider-aware TTL — up to 365 days for stable consumer-provider exists results (a Gmail address that exists today almost certainly exists a year from now), shorter for business domains and unconfirmed results. Each cached verdict carries a verifiedAt timestamp; pass maxAgeMs to force a fresh re-verify when you need a guaranteed-current answer. Because the cache is keyed on the address, an address verified once — including through our free tools — is instant (and free of provider calls) on every later lookup.

Rate limits

The validation endpoint is rate limited to 100 requests per minute per organization (same as other API endpoints). Each request can contain up to 100 emails in batch mode, so you can validate up to 10,000 emails per minute.

Error responses

StatusMeaning
401Missing or invalid API key
400Invalid JSON or missing email/emails field
402Insufficient credits for paid validations
429Rate limit exceeded

Sender legitimacy check

Email validation asks "can I deliver to this address?". The sender check answers the opposite question: "should I trust mail claiming to come from this address?" Use it to power phishing triage, "is this email legit?" lookups, or inbound-mail screening.

curl -X POST https://pushmail.dev/api/v1/sender-check \
  -H "Authorization: Bearer pm_live_YOUR_KEY" \
  -H "Content-Type: application/json" \
  -d '{ "email": "account-security-noreply@accountprotection.microsoft.com" }'

Response:

{
  "data": {
    "email": "account-security-noreply@accountprotection.microsoft.com",
    "verdict": "verified",
    "organization": "Microsoft",
    "checks": {
      "knownSender": true,
      "knownDomain": true,
      "lookalike": false,
      "punycode": false,
      "mx": true,
      "spf": true,
      "dmarc": "reject",
      "disposable": false,
      "domainAgeDays": 10403
    },
    "notes": "Microsoft account security alerts (sign-in notifications, unusual activity, security info changes)",
    "explanation": "This is a documented official sender address used by Microsoft. Mail from this address is legitimate if it also passes SPF/DKIM authentication — check the email's headers to confirm it wasn't spoofed."
  }
}

Verdicts

VerdictMeaning
verifiedExact match against our database of documented official sender addresses
trusted_domainThe domain belongs to a known organization, but the specific address isn't in our database
suspiciousImpersonation signals detected: lookalike/typosquat domain, punycode, no mail servers, or disposable domain
unknownNo impersonation signals, but not a documented sender either — verify through official channels

Checks

CheckDescription
knownSenderExact address match in the known-senders database (Microsoft, Google, Apple, PayPal, Amazon, banks, and more)
knownDomainThe sending domain matches a known organization
lookalikeTyposquat/homoglyph detection against commonly impersonated brands (paypa1.com, micros0ft.com, paypal-security.net). When true, lookalikeOf names the imitated domain
punycodeDomain uses punycode (xn--) labels, often used to disguise lookalike characters
mx / spfThe domain's mail infrastructure (MX records, SPF policy)
dmarcThe domain's DMARC enforcement policy (reject, quarantine, none, or null if not published). Subdomains inherit the parent policy
disposableThe domain is a throwaway email provider
domainAgeDaysDays since domain registration (via RDAP). Very young domains are a phishing signal

Batch mode

Like /validate, the sender check accepts { "emails": [...] } with up to 100 addresses per request.

Pricing

Sender checks share the same free tier and credit pool as email validation: the first 100 checks+validations per month are free, then billed at the same per-email volume tiers (from $0.005, dropping with volume).

Note on spoofing: a verified verdict means the address is a documented official sender. It cannot tell you whether a specific email you received was actually sent from that address or spoofed — that requires checking the email's Authentication-Results headers (SPF/DKIM/DMARC alignment).

On this page