Disposable email detection

Stop disposable signups before they cost you real money.

Every throwaway address in your database is a bounced campaign, an abused product trial, or a metric you can no longer trust. A drop-in snippet and a clean REST API catch them at the form, in one fast DNS-level lookup, and your policy decides what happens next.

A live look at the real engine, rate limited and never billed. Get a key to call it from your own app.

204,366 disposable domains tracked
+204,366 added in the last 7 days
668 top-level domains covered

Live numbers from the dataset behind every check, refreshed daily.

Why it matters

A throwaway address is never just an empty row

Disposable mailboxes live for about ten minutes, then take a piece of your business with them on the way out. Here is what each one actually costs.

Bounces that brand you a spammer

Temporary mailboxes vanish minutes after they are created, so every email you send afterwards hard bounces. Mailbox providers read your bounce rate as your reputation: let enough throwaways in and your real subscribers stop seeing you in the inbox.

Free trials without end

One person with a disposable provider is an unlimited supply of fresh identities. New trial, new coupon, new credits, again and again, and the address is unaccountable by design. The compute and the discounts you burn are very real.

Marketing spend on ghosts

Welcome sequences, lifecycle campaigns, and retargeting audiences built on addresses nobody will ever read. The ad spend and the sending costs are charged whether or not the signup was ever a person.

Metrics you cannot trust

Fake signups inflate conversion, poison cohorts and attribution, and quietly skew every decision you make downstream of the form. You are optimizing a funnel that is partly fiction.

Abuse with no return address

Review spam, referral fraud, ban evasion, chargebacks. Throwaway addresses are the standard tool for all of them, precisely because there is no identity left to suspend afterwards.

204,366 new disposable domains in 30 days

The throwaway ecosystem ships faster than any static list. The free file you downloaded last quarter has never heard of the domains created this week; our pipeline ingests them daily.

One call, every signal

One lookup returns the whole picture

Send an address, get the disposable verdict plus every signal you opt into. A per-account policy maps each one to allow, warn, or block. We return the action; your form enforces it. We never block on your behalf.

Disposable (default action: block)
A throwaway or temporary mailbox provider. The core verdict, kept clean of everything else.

Undeliverable (default action: block)
No valid mail exchange (MX) records. Mail to this domain can only bounce.

Relay or forwarder (default action: warn)
A privacy relay or forwarding service masking the real address.

Public provider (default action: allow)
Gmail, Outlook, Yahoo, and other free mailbox providers.

Role account (default action: allow)
Shared inboxes such as info@, support@, and billing@.

Spam risk (default action: allow)
Listed on a spam and abuse reputation source. Opt-in, and never touches the core verdict.

Default actions shown. Every chip is yours to change in the policy editor, and your allow and block lists always win.

POST /v1/check
200 OK

{
  "checked": true,
  "disposable": true,
  "mx_valid": true,
  "relay": false,
  "public_domain": false,
  "role_account": false,
  "did_you_mean": null,
  "action": "block",
  "reason": "disposable"
}

The response your code sees. Here the policy mapped the disposable signal to block, and block is the action returned. One round trip, built to sit inline in a signup form.

Built for developers

Protected in minutes, not sprints

Paste one tag into your form, or make one HTTPS call from your backend. Either way you are live before the coffee is cold, and the docs cover the rest.

The snippet, for your forms

copy, paste, done
<script src="https://cdn.isitdisposable.com/v1/snippet.js"
  data-key="pk_live_your_publishable_key"
  data-mode="warn"
  async></script>

It attaches to your email fields, checks each address with your publishable key, and applies the action you chose: show a message, ask for a permanent address, or block submit.

The REST API, for everything else

copy, paste, done
curl https://api.isitdisposable.com/v1/check \
  -H "Authorization: Bearer sk_live_..." \
  -H "content-type: application/json" \
  -d '{"email": "user@example.com"}'

One endpoint with key authentication, an OpenAPI reference generated from the live schema, and a synchronous batch endpoint for up to 100 addresses per call.
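An added example, not code from the service or its docs: enforcing the returned action on the backend and handling the fail-open case, where the page says the response carries checked false and the action allow. The function names, the 2-second timeout, and the recheck flag (accept now, re-verify the address later) are assumptions.

```python
import http.client
import json
import urllib.request

API_URL = "https://api.isitdisposable.com/v1/check"  # endpoint shown on the page

# Response body from the page, and a constructed fail-open body using the
# "checked": false / "action": "allow" shape the page describes for quota exhaustion.
PAGE_RESPONSE = {"checked": True, "disposable": True, "mx_valid": True, "relay": False,
                 "public_domain": False, "role_account": False, "did_you_mean": None,
                 "action": "block", "reason": "disposable"}
UNCHECKED_RESPONSE = {"checked": False, "action": "allow"}  # constructed sample


def decide(body):
    """Turn a /v1/check body (or None when the call failed) into a signup decision."""
    valid = isinstance(body, dict) and body.get("action") in ("allow", "warn", "block")
    if not valid or body.get("checked") is not True:
        # Fail open, but record that no verdict was produced so the address
        # can be re-verified later (the recheck queue is an assumption here).
        return {"accept": True, "warn": False, "recheck": True, "reason": "unchecked"}
    action = body["action"]
    return {"accept": action != "block", "warn": action == "warn",
            "recheck": False, "reason": body.get("reason")}


def check_email(email, secret_key, timeout=2.0):
    """Call the API from the backend; any transport or parse failure fails open."""
    request = urllib.request.Request(
        API_URL,
        data=json.dumps({"email": email}).encode("utf-8"),
        headers={"Authorization": f"Bearer {secret_key}",
                 "Content-Type": "application/json"},
        method="POST",
    )
    try:
        with urllib.request.urlopen(request, timeout=timeout) as response:
            return decide(json.load(response))
    except (OSError, ValueError, http.client.HTTPException):
        return decide(None)
```

Counting the decisions that come back with recheck set gives a direct measure of how many signups passed without a verdict during an outage or after the quota was reached.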

One round trip per check
No SMTP probing, ever
Fails open if anything goes wrong

Inside the dashboard

Everything after the verdict is already built


Enforcement policy

Your rules, not ours

Map every signal to allow, warn, or block with one click. The strongest matched action wins, your allow and block lists always take precedence, and the platform never enforces anything server side. You stay in control of your own front door.

Change your mind at 2 a.m. and the policy is live on your forms immediately. No deploy, no code change.
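An added example that models the precedence rule described above locally; it is not the service's engine. The signal names, the allow default when nothing matches, and the single domain-to-action dictionary standing in for the allow and block lists are assumptions.

```python
SEVERITY = {"allow": 0, "warn": 1, "block": 2}

# Default actions listed on the page; the signal names are illustrative labels.
DEFAULT_POLICY = {
    "disposable": "block",
    "undeliverable": "block",
    "relay": "warn",
    "public_provider": "allow",
    "role_account": "allow",
    "spam_risk": "allow",
}


def signals_from_response(body):
    """Derive matched signals from the response fields shown on the page."""
    signals = set()
    if body.get("disposable"):
        signals.add("disposable")
    if body.get("mx_valid") is False:
        signals.add("undeliverable")
    if body.get("relay"):
        signals.add("relay")
    if body.get("public_domain"):
        signals.add("public_provider")
    if body.get("role_account"):
        signals.add("role_account")
    return signals


def resolve_action(domain, signals, policy=DEFAULT_POLICY, lists=None):
    """Return (action, reason): list entries first, then the strongest matched action."""
    override = (lists or {}).get(domain.lower())
    if override is not None:
        return override, "list"
    matched = sorted(s for s in signals if s in policy)
    if not matched:
        return "allow", None  # assumption: no matched signal means allow
    strongest = max(matched, key=lambda s: SEVERITY[policy[s]])
    return policy[strongest], strongest
```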

Usage and analytics

Watch it earn its keep

Requests over time, the verdict breakdown, and your disposable rate at a glance. When the chart says a third of your form traffic was throwaway, the subscription has already justified itself.

Logs respect your privacy mode: domain only by default, or nothing at all in no-storage mode.


A calm home base

Quota, plan, team, and quick actions on one screen, with usage warnings long before the limit.


Your exceptions, your call

Account-level allow and block lists with notes and CSV import. They run before detection and beat every other rule.


Events, signed and delivered

Usage thresholds, billing changes, and key lifecycle events at your endpoint, each delivery signed with HMAC SHA-256.


The no-code path

Pick a key, a mode, and a message; copy one script tag. The form is protected without touching your backend.

The dataset

Fresh beats free

Free lists are static files; the throwaway ecosystem is not. Our pipeline merges multiple sources, validates mail servers, and refreshes every day, then publishes its own numbers so you can hold us to them.

Built to be trusted

Promises your engineers will appreciate

Detection is the easy half. The hard half is being the kind of dependency you are comfortable putting between a customer and your signup button.

01

It fails open, always

Over quota, or in the middle of the worst outage we ever have, a check returns a safe allow that is clearly marked unchecked. Your signup form never breaks because of us, and we put that in writing.

02

Privacy by default

Request logs store the domain, never the part before the @ and never the full address. The opt-in no-storage mode drops the domain too, keeping only the verdict and billing metadata. Your users are not our data.

03

No SMTP probing

Verdicts come from Domain Name System (DNS) records and our continuously refreshed dataset. We never open mailbox connections pretending to deliver mail, so checks are fast, polite, and safe to run on every keystroke.

04

We run it on ourselves

Our own signup form runs this exact detection, so if it ever slipped, we would feel it first. The API publishes a public status page, and the dataset publishes its own growth. Watch our uptime live.

Pricing

Start free. Upgrade when you're ready.

A 14-day full-access trial, then the Free plan - no surprise bills. Plans are flat monthly subscriptions with a hard stop at the quota that fails open, so the worst case is a safe allow, never an overage invoice.

Annual billing saves roughly 20%.

Cancel anytime, no contract.

Every account starts with a 14-day full-access trial - no credit card required. After the trial you stay on the Free plan, or upgrade anytime.

Plan         Price          Billing                            Lookups / month   Team seats   Requests / second
Free         $0 / month     Free, no credit card required      250               1            5
Starter      $19 / month    billed monthly                     10,000            2            10
Growth       $49 / month    billed monthly (most popular)      50,000            5            25
Pro          $149 / month   billed monthly                     250,000           15           50
Enterprise   Custom         Volume pricing, tailored to you    Custom            Custom       Custom

Questions

The things you would ask before paying

Why use this instead of the free disposable lists on GitHub?

Free lists are snapshots, and throwaway providers rotate domains specifically to outrun them. We merge multiple sources, validate mail servers, add what appears daily, and remove false positives through a reviewed correction queue. You are paying for detection that is current this morning, plus the policy engine, analytics, webhooks, team seats, and someone to answer when something looks wrong.

Will it block legitimate users?

The disposable verdict stays narrow and clean: it only flags throwaway and temporary mailbox providers. Privacy relays, forwarding services, public providers, and role accounts are separate signals that you map to allow, warn, or block yourself, and your own allowlist always wins. If we ever misclassify a domain, the public correction page feeds a human-reviewed fix.

What happens when I hit my quota?

You are warned by email and in the dashboard at 80, 90, and 95 percent. At 100 percent, checks return a safe response with checked false and the action allow, so your form keeps working while you decide whether to upgrade. There is no overage billing and nothing breaks.

What do you store about my users?

By default, request logs keep the email domain and the verdict, never the part before the @ and never the full address. The opt-in no-storage mode drops the domain too, keeping only the verdict, the action, and billing metadata. We never probe mailboxes over SMTP at any point.

How fast is a check?

One round trip. A check is a lookup against our continuously refreshed dataset plus DNS-level mail server validation, with no SMTP handshakes and no queues, which is what makes it safe to run inline on a signup form. The snippet debounces as your user types, so the verdict is usually waiting before they reach the submit button.

Can my whole team use it?

Yes. Every plan includes team seats with owner, admin, and member roles, multiple API keys per environment, shared allow and block lists, and webhooks. Billing is one subscription for the whole account.

Your next throwaway signup is already typing

The demo above was the real engine. Create an account, paste the snippet or call the API, and the same verdict is protecting your forms in minutes, from $0 a month.