What to check, when to check it, and how deep each validation stage needs to go — a practical guide for engineers and marketers.
Validate the address format against RFC 5322. Check for missing @, invalid TLD, consecutive dots, leading/trailing hyphens on the domain, and character encoding issues. Fast — eliminates obvious typos in microseconds. Run this at the form level before any network call.
Check whether the domain exists and has valid MX records pointing to a mail server. A domain with no MX records cannot receive email. Check for recently registered domains (high fraud signal) and disposable domain registrations. Takes ~50–200ms.
Connect to the highest-priority MX server, send EHLO, then RCPT TO. A 250 response confirms the mailbox is accepted. A 550 5.1.1 response confirms it does not exist. Most accurate stage — but requires network egress from clean IPs. Takes 1–5 seconds.
If the SMTP server accepts all RCPT TO commands regardless of mailbox, it is a catch-all. Probe with a known-nonexistent address. If accepted, flag the domain as catch-all and apply ML scoring for deliverability estimation.
Check against disposable email domain lists (10minutemail, Mailinator, 3000+ providers), role address patterns, spam trap databases, breach exposure, social profile presence, domain reputation, and historical SMTP response patterns.
Block invalid, disposable, and role addresses before the form submits. Use the BounceZero real-time API. Response in under 200ms. Return a user-facing error for invalid addresses, not a silent rejection.
Upload your full send list to BounceZero. Run Stage 1-5 validation on every address. Remove Invalid, Disposable, and Role. Mark Risky addresses for a separate low-volume test segment rather than full exclusion.
When importing contacts from HubSpot, Salesforce, Klaviyo exports, or third-party data sources, always run a full validation pass before the list enters any campaign queue.
Contacts not emailed in 90+ days are at highest risk of having changed addresses. Re-validate dormant segments before reactivation campaigns.
SMTP confirmed the mailbox does not exist. 550 5.1.1 or equivalent. Sending to these causes hard bounces. Remove from every list and suppression globally.
Domains like 10minutemail, Mailinator, GuerillaMail, and 3,000+ others. These expire in minutes to hours. Legitimate users do not use them for products they intend to keep using.
info@, admin@, support@, noreply@, sales@. Multiple people read these — individual consent may not apply. For B2B campaigns, you may choose to include them; for consumer campaigns, exclude.
Accept all SMTP. Cannot be definitively verified. Use BounceZero\'s ML confidence score. Send a small test batch first; suppress if bounce rate from this segment exceeds 1%.
Addresses with SMTP success but low ML confidence score. Include in a low-priority segment, monitor closely after first campaign, suppress if they do not engage.
Email validation checks whether an address is syntactically correct and has valid DNS/MX records. Email verification goes further — it attempts an SMTP handshake to confirm the mailbox actually exists on the server. Validation is fast; verification is deeper and more accurate.
Both. Real-time API validation at signup blocks obviously invalid addresses immediately. Bulk verification before each campaign catches addresses that were valid at signup but have since expired. The two together keep bounce rate below 0.3%.
A catch-all domain is configured to accept all incoming email regardless of whether the specific mailbox exists. SMTP verification cannot confirm individual addresses on catch-all domains. BounceZero flags these as Risky with a confidence score based on 40+ signals. Treat Risky addresses as a risk-scored segment, not a guaranteed delivery.
SMTP-based verification achieves approximately 99.5% accuracy on non-catch-all addresses. For catch-all domains (which can only be scored probabilistically), accuracy depends on ML model quality. BounceZero\'s ML model achieves AUC 0.86 on catch-all scoring.
Always block: invalid addresses (SMTP confirmed non-existent), known disposable/temporary email domains, role addresses (info@, admin@, support@, noreply@) unless your use case specifically needs them, addresses on your suppression list, and addresses flagged as spam traps.
Deep-dive guides on how email verification and inbox placement work
How the 5-stage pipeline checks a mailbox without sending email
The RCPT TO handshake explained — codes, catch-alls, limits
Why domains accept everything and how ML classifies deliverability
Temp addresses, how to detect them, and why they matter
Hard vs soft bounces, SMTP codes, and how to fix them
Get from 5-15% to under 0.5% in 6 steps
Follow BounceZero