Most email validation tools stop after three checks: syntax, DNS, and an SMTP probe. We learned the hard way that those three miss the addresses that hurt you most — spam traps, catch-all domains, and brand-new disposable domains designed to evade detection.
Here's what each of the seven checks does, and the real failure mode each one catches.
Check 1: Syntax. RFC 5321/5322 with proper handling of quoted local parts, IDN, and length limits. Catches the obvious. Industry table stakes.
Check 2: DNS. A/AAAA/MX resolution with DNSSEC where present. Catches dead domains. Also table stakes.
Check 3: SMTP probe. RCPT TO over a short-lived session. Catches mailboxes that don't exist on real domains. Most validators stop here. We don't.
Check 4: Catch-all detection. Many domains accept every local part as a courtesy. A naive SMTP probe passes; the address might still be invalid. We test with a known-bad local part and report the risk.
Check 5: Risk databases. Spam-trap, abuse, litigator, breach, and global-suppress lists. This is where most "validation" tools quietly fail you. We run these checks BEFORE DNS so trap hits on dead domains classify as spamtrap, not "no_dns_entries."
Check 6: MX blacklist. Spamhaus Zen and Barracuda lookups against each MX host. If your recipient's mail server is blacklisted, you'll bounce — better to know before you send.
Check 7: WHOIS domain age. 35 TLDs supported, GDPR-aware caching. A domain registered 6 hours ago is almost always a disposable address. None of the other six checks catch this.
The lift over a 3-check validator: 12.4 percentage points fewer bounces on cold lists in our internal benchmark. That's real money.
