Email Validation
Validate email addresses before sending with syntax, MX, disposable domain, and role-based address checks. Available as a standalone API with free tier.
Overview
PushMail's email validation API lets you verify email addresses before adding them to your lists or sending. Every validation runs four checks:
| Check | Description |
|---|---|
| Syntax | RFC-compliant format, valid local part length (max 64 chars) and domain length (max 253 chars) |
| MX records | DNS lookup via Cloudflare DoH to confirm the domain can receive email. Falls back to A record per RFC 5321 |
| Disposable | Checks against a built-in list of 60+ disposable email providers (mailinator, guerrillamail, etc.) |
| Role-based | Detects generic addresses like admin@, noreply@, support@ that are typically not personal inboxes |
Results are cached per domain (MX lookups) so repeated validations for the same domain are fast.
Pricing
| Tier | Cost |
|---|---|
| First 100 validations/month | Free |
| Additional validations | 1 cent each (deducted from credit balance) |
Your free allowance resets at the start of each calendar month.
Single validation
curl -X POST https://pushmail.dev/api/v1/validate \
-H "Authorization: Bearer pm_live_YOUR_KEY" \
-H "Content-Type: application/json" \
-d '{ "email": "user@example.com" }'Response:
{
"data": {
"email": "user@example.com",
"valid": true,
"checks": {
"syntax": true,
"mx": true,
"disposable": false,
"role": false
}
}
}When validation fails, a reason field explains why:
{
"data": {
"email": "test@mailinator.com",
"valid": false,
"checks": {
"syntax": true,
"mx": true,
"disposable": true,
"role": false
},
"reason": "Disposable email address"
}
}A suggestion field appears when a common typo is detected (e.g. gmial.com suggests gmail.com).
Batch validation
Validate up to 100 emails in a single request:
curl -X POST https://pushmail.dev/api/v1/validate \
-H "Authorization: Bearer pm_live_YOUR_KEY" \
-H "Content-Type: application/json" \
-d '{
"emails": [
"alice@gmail.com",
"bob@mailinator.com",
"admin@example.com"
]
}'Response:
{
"data": {
"results": [
{ "email": "alice@gmail.com", "valid": true, "checks": { "syntax": true, "mx": true, "disposable": false, "role": false } },
{ "email": "bob@mailinator.com", "valid": false, "checks": { "syntax": true, "mx": true, "disposable": true, "role": false }, "reason": "Disposable email address" },
{ "email": "admin@example.com", "valid": true, "checks": { "syntax": true, "mx": true, "disposable": false, "role": true } }
],
"count": 3,
"cost": {
"freeUsed": 3,
"paidCount": 0,
"totalCostCents": 0
}
}
}Rate limits
The validation endpoint is rate limited to 100 requests per minute per organization (same as other API endpoints). Each request can contain up to 100 emails in batch mode, so you can validate up to 10,000 emails per minute.
Error responses
| Status | Meaning |
|---|---|
401 | Missing or invalid API key |
400 | Invalid JSON or missing email/emails field |
402 | Insufficient credits for paid validations |
429 | Rate limit exceeded |
Sender legitimacy check
Email validation asks "can I deliver to this address?". The sender check answers the opposite question: "should I trust mail claiming to come from this address?" Use it to power phishing triage, "is this email legit?" lookups, or inbound-mail screening.
curl -X POST https://pushmail.dev/api/v1/sender-check \
-H "Authorization: Bearer pm_live_YOUR_KEY" \
-H "Content-Type: application/json" \
-d '{ "email": "account-security-noreply@accountprotection.microsoft.com" }'Response:
{
"data": {
"email": "account-security-noreply@accountprotection.microsoft.com",
"verdict": "verified",
"organization": "Microsoft",
"checks": {
"knownSender": true,
"knownDomain": true,
"lookalike": false,
"punycode": false,
"mx": true,
"spf": true,
"dmarc": "reject",
"disposable": false,
"domainAgeDays": 10403
},
"notes": "Microsoft account security alerts (sign-in notifications, unusual activity, security info changes)",
"explanation": "This is a documented official sender address used by Microsoft. Mail from this address is legitimate if it also passes SPF/DKIM authentication — check the email's headers to confirm it wasn't spoofed."
}
}Verdicts
| Verdict | Meaning |
|---|---|
verified | Exact match against our database of documented official sender addresses |
trusted_domain | The domain belongs to a known organization, but the specific address isn't in our database |
suspicious | Impersonation signals detected: lookalike/typosquat domain, punycode, no mail servers, or disposable domain |
unknown | No impersonation signals, but not a documented sender either — verify through official channels |
Checks
| Check | Description |
|---|---|
knownSender | Exact address match in the known-senders database (Microsoft, Google, Apple, PayPal, Amazon, banks, and more) |
knownDomain | The sending domain matches a known organization |
lookalike | Typosquat/homoglyph detection against commonly impersonated brands (paypa1.com, micros0ft.com, paypal-security.net). When true, lookalikeOf names the imitated domain |
punycode | Domain uses punycode (xn--) labels, often used to disguise lookalike characters |
mx / spf | The domain's mail infrastructure (MX records, SPF policy) |
dmarc | The domain's DMARC enforcement policy (reject, quarantine, none, or null if not published). Subdomains inherit the parent policy |
disposable | The domain is a throwaway email provider |
domainAgeDays | Days since domain registration (via RDAP). Very young domains are a phishing signal |
Batch mode
Like /validate, the sender check accepts { "emails": [...] } with up to 100 addresses per request.
Pricing
Sender checks share the same free tier and credit pool as email validation: the first 100 checks+validations per month are free, then 1 cent each.
Note on spoofing: a
verifiedverdict means the address is a documented official sender. It cannot tell you whether a specific email you received was actually sent from that address or spoofed — that requires checking the email'sAuthentication-Resultsheaders (SPF/DKIM/DMARC alignment).
Sending
PushMail sends emails via 10 supported providers. Use our managed infrastructure or bring your own API key for full control over your sending domain and reputation.
Email Providers
PushMail supports 10 email providers via BYOK (Bring Your Own Key). Connect your own SendGrid, SES, Postmark, Mailgun, or any supported provider to send through your own infrastructure.