Email validation API

Score any email before it signs up

One POST returns disposable status, MX deliverability, domain age, and DNSBL blacklist hits for any email or domain.

The problem

A regex isn't a reputation check

Signup and checkout forms get flooded with throwaway and undeliverable addresses, and a naive regex passes every one of them. By the time a bounce or chargeback tells you the email was junk, the fake account or order already exists.

How it works

One call, four live checks, cached for 30 days

Send the address, FormShield resolves the domain's reputation, and you gate on the booleans — no extra round trips.

01

POST the email or domain

Send POST /v1/email with a Bearer API key and a JSON body of {"email": "..."}. You can pass a full address (user@domain.com) or just the bare domain (domain.com) — both resolve to the same domain-level reputation.

02

FormShield runs the live checks

On a cache miss it runs disposable-domain matching, MX/A-record deliverability (with the RFC 5321 implicit-MX fallback), DNSBL lookups against Spamhaus DBL, SURBL, URIBL, and Barracuda, and an RDAP domain-age lookup — concurrently. Each result is cached for 30 days, so repeat lookups on the same domain return instantly.

03

Gate on the signal

The response returns a normalized risk in [0,1], a coarse subverdict (clean / suspicious / malicious / unknown), and the individual booleans. Read disposable, deliverable, and blacklisted directly to allow, flag, or block the signup — no further round trips.

Signals

Every signal in the response

Read each field directly, or fold them into the normalized risk and subverdict for a single decision.

Disposable detection

disposable is true when the domain (or its parent domain) is a known throwaway/temporary mailbox provider — the addresses people use to dodge one account per person. Surfaced as the email_disposable flag.

Deliverability (MX setup)

deliverable reflects whether the domain has MX records, falling back to an A record as an implicit MX per RFC 5321. A domain with neither can't receive mail; it comes back deliverable: false with an email_undeliverable flag.

Blacklist checks

blacklisted is set from live DNSBL queries against Spamhaus DBL, SURBL, URIBL, and Barracuda. blacklists lists exactly which zones the domain hit, and error/test responses (127.255.255.x) are filtered so rate-limited lookups don't false-positive.
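The filtering described above, sketched as an added example (not FormShield's own code): DNSBL zones answer with 127.x.x.x codes, and only codes outside 127.255.255.x count as a listing. The zone names, the hypothetical `lookup_errors` key, and the sample answers are assumptions constructed for illustration.

```python
from __future__ import annotations
import ipaddress

LOOPBACK = ipaddress.ip_network("127.0.0.0/8")
ERROR_RANGE = ipaddress.ip_network("127.255.255.0/24")  # error/test codes


def dnsbl_query_name(domain: str, zone: str) -> str:
    """Name to resolve for a domain-based blocklist: <domain>.<zone>."""
    return f"{domain.strip().lower().rstrip('.')}.{zone}"


def classify_answer(addresses: list[str]) -> str:
    """Return 'listed', 'error' or 'not_listed' for one zone's A records."""
    if not addresses:                  # NXDOMAIN / empty answer
        return "not_listed"
    verdict = "error"                  # non-empty but no valid listing code yet
    for text in addresses:
        try:
            addr = ipaddress.ip_address(text)
        except ValueError:
            continue                   # unparsable record: ignore it
        if addr in ERROR_RANGE:
            continue                   # 127.255.255.x is never a listing
        if addr in LOOPBACK:
            verdict = "listed"         # any other 127.x.x.x code is a real hit
    return verdict                     # non-127 answers (rewritten DNS) stay 'error'


def summarize(results: dict[str, list[str]]) -> dict:
    """Fold per-zone answers into the blacklisted / blacklists fields."""
    verdicts = {zone: classify_answer(a) for zone, a in results.items()}
    hits = sorted(z for z, v in verdicts.items() if v == "listed")
    errors = sorted(z for z, v in verdicts.items() if v == "error")
    # lookup_errors is a hypothetical field, not part of the documented response
    return {"blacklisted": bool(hits), "blacklists": hits, "lookup_errors": errors}


SAMPLE = {  # constructed answers for a single domain
    "dbl.spamhaus.org": ["127.255.255.254"],  # error code: must not count as a hit
    "multi.surbl.org": ["127.0.0.64"],        # listing code
    "multi.uribl.com": [],                    # not listed
    "blocklist.example": ["203.0.113.7"],     # non-127 answer from a rewriting resolver
}

if __name__ == "__main__":
    print(dnsbl_query_name("Example.COM.", "multi.surbl.org"))
    print(summarize(SAMPLE))
```

Treating a non-empty answer with no valid listing code as an error, rather than as clean or listed, keeps a rate-limited or hijacked resolver from silently changing the verdict in either direction.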

Domain age

domain_age_days is the registration age resolved via RDAP. Freshly registered domains are a strong fraud tell — domains under the young/very-young thresholds raise the risk score and add email_domain_young / email_domain_very_young flags.

The API

POST an email, read the signal

A Bearer key and a JSON body is the whole integration. The response carries the risk, the subverdict, and every boolean.

curl -X POST https://api.formshield.dev/v1/email \
  -H "Authorization: Bearer fs_live_xxx" \
  -H "Content-Type: application/json" \
  -d '{"email": "newuser@mailinator.com"}'

FAQ

Common questions

Call POST /v1/email with the submitted address and a Bearer API key before you create the account. Read disposable, deliverable, and blacklisted from the returned signal to block throwaway or undeliverable addresses, or use the risk/subverdict fields for a single allow/flag/block decision. It accepts a full email or a bare domain, and results are cached per-domain for 30 days.

No. /v1/email is a reputation lookup, not a verification email. It checks the domain — disposable status, MX/A-record deliverability, DNSBL listings, and RDAP domain age — without sending mail or probing the recipient's SMTP server, so it never tips off the user or risks deliverability damage. Confirming a specific mailbox exists still requires your own double opt-in flow.

Each /v1/email lookup is 3 credits. Cached domains (a repeat lookup within the 30-day window) return from cache as cached: true, and the first lookup of any domain warms that cache for everyone hitting it next.

Stop fighting spam by hand

One API call. IP, email, content & behavior signals in a single intelligence platform. Start free, no credit card required.