Email Validation API: How It Works, What It Costs, and Which to Pick
A 50,000-email campaign goes out on a Tuesday morning. By Wednesday, 4,200 have bounced, your sender reputation is in freefall, and Gmail is routing the rest straight to spam. With global inbox placement sitting around 84% - one in six emails never reaches the inbox - and email marketing still returning $36-$40 for every $1 spent, the gap between "sent" and "delivered" is where real money evaporates.
An email validation API is the fix. But picking the wrong one, or implementing it badly, can be just as damaging as skipping validation entirely.
What You Need (Quick Version)
If you already know the basics and just want a recommendation:
- B2B outbound teams: Prospeo - verifies at the point of discovery, 98% accuracy, ~$0.01/email
- SaaS signup forms: Abstract API - fast, well-documented, tiered pricing from free
- High-volume list cleaning: ZeroBounce - accuracy benchmark leader, 100 free monthly credits
- Budget batch jobs: mails.so - transparent pricing starting at $4.80/mo for 10K validations
- Maximum control: Reacher - open-source, self-hosted, completely free
What Is an Email Validation API?
An email validation API is a programmatic endpoint that checks whether an email address is real, properly formatted, and safe to send to. You pass it an address; it returns a verdict - valid, invalid, risky, or some variation - along with metadata about why.
Here's a distinction most people miss: validation and verification aren't the same thing, even though the industry uses them interchangeably. Validation checks format correctness - does the address comply with RFC 5321/5322 syntax rules? Verification goes further, confirming the mailbox actually exists by querying DNS records and performing SMTP-level checks.
A proper verification tool goes beyond regex. It checks syntax, verifies domain hosts, confirms deliverability via SMTP-level signals, and flags likely spam traps. Regex alone - the approach most developers default to first - catches maybe 5% of email problems. Worse, overly strict regex patterns reject perfectly valid addresses that use plus-addressing, apostrophes, or internationalized characters. The email spec is far more permissive than most developers realize, and a good validator handles the full pipeline: syntax, DNS, SMTP, and risk scoring.
Why Validation Matters for Deliverability
Email databases decay at roughly 2.1% per month. That's 22.5% annually through compound decay. People change jobs, companies rebrand domains, mailboxes get deactivated. If you aren't actively validating addresses, nearly a quarter of your list goes stale every year.
Bounce rate thresholds are unforgiving. Under 2% is healthy. Above 5%, ISPs start flagging your domain. Gmail's complaint-rate threshold sits at just 0.3% - cross that line and your inbox placement drops fast.
Inbox placement varies wildly by provider, too. Gmail delivers 87.2% to inbox, Yahoo/AOL hits 86.0%, Apple Mail manages 76.3%, and Microsoft lags at 75.6%. If a big chunk of your list is on Outlook, you're already fighting an uphill battle. Bad data makes it worse.
At $36-$40 ROI per dollar spent on email marketing, even a small deliverability improvement compounds fast. Spending $50/month on validation to protect a $10,000/month email channel isn't a cost - it's insurance.
How Email Validation APIs Work
Every serious provider runs addresses through a multi-stage pipeline. Here's what happens at each step.
Syntax and DNS Checks
The first pass is structural. The API checks whether the address follows RFC 5321/5322 formatting rules - valid local part, proper @ separator, legitimate domain. This catches obvious garbage like missing @ signs or spaces.
Next comes DNS resolution. The API queries the domain's MX records to confirm it's configured to receive email. No MX records? The domain can't accept mail, and the address is dead regardless of formatting. This step also catches typo domains - "gmial.com" instead of "gmail.com" - which syntax checking alone would pass.
SMTP Verification
This is where real verification happens. The API opens an SMTP connection to the mail server and initiates a handshake - EHLO, MAIL FROM, then RCPT TO with the target address. A 550 response means user unknown. A 250 means the server accepted the recipient.
SMTP verification takes 1-3 seconds per address, which is fine for batch processing but too slow for keystroke-level validation on a signup form. For real-time use cases, you need sub-second response times, which usually means the provider maintains a cache of previously verified addresses.
Catch-All Domain Handling
Catch-all domains are the biggest headache in email validation. These servers accept mail for any address at the domain - real or fabricated. Send an SMTP RCPT TO for completely-fake-address@catchall-domain.com and you'll get a 250 OK response, identical to what a real mailbox returns.
The standard detection approach: generate a random, obviously non-existent address at the domain and run the SMTP check. If the server accepts it, the domain is likely catch-all, and individual mailbox existence can't be confirmed through SMTP alone. The API flags the address as "risky" or "accept-all" rather than definitively valid.
No API can fully solve catch-all domains. Ask any vendor how they handle catch-alls, and you'll quickly see who's being honest about their limitations.
Risk Scoring
The final layer classifies addresses by risk type. Disposable email addresses (Mailinator, Guerrilla Mail) get flagged - these are throwaway accounts that'll never convert. Role-based addresses (info@, support@, sales@) get tagged because they're shared inboxes with lower engagement rates. Spam traps - addresses seeded by ISPs to catch senders with poor list hygiene - get identified and removed.
The best APIs combine all four stages into a single confidence score, giving you a clear send/don't-send signal.
Most email validation APIs make you find contacts first, then pay again to verify them. Prospeo's proprietary 5-step verification is built into every email lookup - syntax, DNS, SMTP, catch-all handling, and spam-trap removal in a single call. 98% accuracy at ~$0.01 per email, with data refreshed every 7 days instead of the industry's 6-week average.
Find and validate emails in one API call - not two bills.
Best Email Validation APIs Compared
Here's pricing and capabilities across 11 providers, followed by individual breakdowns.
| Tool | Price/1,000 | Free Tier | Accuracy | Notable |
|---|---|---|---|---|
| Prospeo | ~$10 | 75 emails/mo | 98% | Find + verify in one |
| ZeroBounce | $7.50 | 100/mo | 96-98% | Accuracy benchmark |
| Abstract API | Tiered | 100 req/mo | Not benchmarked | Best docs |
| NeverBounce | $8 | 1K trial | 99.9%* | Bulk specialist |
| Emailable | ~$5-15 | 250 credits | Not benchmarked | Clean UX |
| Clearout | ~$5-15 | N/A | Not benchmarked | SOC 2 + ISO 27001 |
| mails.so | $0.48 (Pro) | 50 credits | Not benchmarked | Cheapest per-email |
| Bouncer | $7 | 1K trial | 99.5%* | Solid mid-range |
| BriteVerify | $10 | None | 97%* | Enterprise-focused |
| Maileroo | Pay-as-you-go | 250/mo | Not benchmarked | No monthly fees |
| Reacher | Free | N/A | Not benchmarked | Open-source, Rust |
*Vendor-stated accuracy. Published comparisons like Woodpecker's roundup put ZeroBounce around 96-98%.
Prospeo
Use this if you're running B2B outbound and want to skip the "find emails in one tool, verify them in another" dance. Prospeo's 5-step verification pipeline - catch-all handling, spam-trap removal, honeypot filtering - runs automatically on every email it finds. The result: 98% email accuracy across 143M+ verified emails, with a 7-day data refresh cycle versus the 6-week industry average.
Pricing is simple: ~$0.01 per email, 75 free emails per month, no contracts. When Snyk rolled out Prospeo across 50 AEs, their bounce rate dropped from 35-40% to under 5%, and AE-sourced pipeline jumped 180%. That's the difference between a tool that verifies at discovery versus one that makes you clean up after the fact.
Skip this if you only need a standalone endpoint for form submissions - Prospeo's strength is combining discovery and verification in a single workflow.
ZeroBounce
ZeroBounce is the tool cheaper alternatives get measured against. It runs 96-98% accuracy in published comparisons with solid catch-all detection and spam trap identification. At $7.50 per 1,000 emails (minimum $15 for 2,000), you're paying a premium - but for high-stakes campaigns where a single deliverability dip costs thousands, that premium earns its keep.
The 100 free monthly credits are enough to test the API properly. The consensus on r/coldemail is telling: people regularly frame the problem as "cheaper than ZeroBounce but similar accuracy," which shows you exactly where the market positions this tool.
Skip this if you're processing millions of emails monthly on a tight budget. At scale, that per-email premium compounds.
Abstract API
If you're a developer who judges tools by their docs first, Abstract API will make you happy. The REST API is clean, responses are fast, and the documentation is genuinely good - not "good for a validation tool," just good. Pricing tiers are transparent: Free at 100 requests/month, then Starter ($17/mo), Standard ($37/mo), Professional ($39/mo).
The free tier makes Abstract one of the more accessible options for prototyping a free email validation API integration. The tradeoff: it's optimized for single-address, real-time validation. For bulk list cleaning or B2B-specific workflows, look elsewhere.
NeverBounce
NeverBounce is a bulk processing workhorse at $8 per 1,000 emails. The 1,000 free trial credits give you enough to run a meaningful test. They claim 99.9% accuracy - in our experience, no tool hits that number consistently once catch-all domains enter the picture. Still a solid pick if bulk email cleaning is your primary use case.
Emailable
Emailable offers 250 free credits and a developer experience that's noticeably cleaner than most competitors, with client libraries for Node.js, Ruby, and Python. It doesn't try to be everything - no intent data, no enrichment, just validation done well. For teams that want a straightforward API without feature bloat, it's worth a trial.
Clearout
Clearout leads with compliance: SOC 2 Type II and ISO 27001 certified. They run 20+ validation checks and classify results into granular buckets: valid, invalid, risky, disposable, gibberish, role-based. If compliance certifications are a hard requirement for your org, Clearout belongs on your shortlist.
mails.so
The most transparent pricing in the space. Pro tier: $4.80/month for 10,000 validations ($0.005 per extra). Business: $9.80/month for 50,000. Unlimited: $49.80/month. That Pro tier works out to $0.48 per 1,000 emails - dramatically cheaper than ZeroBounce or NeverBounce. They're GDPR compliant with 99.99% availability. The tradeoff is less brand recognition and fewer third-party accuracy benchmarks, but for budget batch jobs where you're willing to test accuracy yourself, mails.so is hard to beat on price.
Budget and Niche Options
Bouncer hits the sweet spot for mid-range needs: $7 per 1,000, 99.5% vendor-stated accuracy, and 1,000 trial credits. Nothing flashy, just reliable. (If you're comparing vendors, see our Bouncer alternatives roundup.)
BriteVerify charges $10 per 1,000 with no free trial - it's enterprise-focused and priced accordingly. If you're already in the Validity ecosystem, it makes sense. Otherwise, you're overpaying.
Maileroo offers 250 free verifications monthly with pay-as-you-go pricing and no monthly fees, making it a solid option for early-stage startups that need validation but can't justify a monthly commitment yet.
Reacher is the open-source option - 8.5K GitHub stars, written in Rust, self-hosted. We'll cover it more in the Build vs. Buy section below.
How to Choose the Right Provider
Let's be honest: the cheapest API is almost never the cheapest option. A tool that costs $3/1,000 but misses disposable addresses and spam traps will cost you far more in damaged sender reputation than one charging $8/1,000 with proper detection.
One note on platform-integrated options: Twilio email validation is available as part of Twilio SendGrid's sending platform, and Mailgun offers a similar built-in option. If you're already using either for delivery, their integrated validation is convenient. But standalone tools typically offer deeper risk scoring, better catch-all handling, and more granular results - which is why we've focused on dedicated providers here.
Here's the evaluation checklist that actually matters:
- Accuracy beyond syntax. Every API checks formatting. The real test is MX verification, SMTP handshake, and what happens with catch-all domains. Ask vendors specifically how they handle catch-alls - vague answers are a red flag.
- Disposable and spam trap detection. If the API can't flag Mailinator addresses and known spam traps, it isn't doing its job.
- Scrubbing depth. Look for an API that goes beyond simple valid/invalid verdicts - granular risk categories like disposable, role-based, spam trap, and honeypot give you more control over what enters your pipeline.
- Compliance certifications. SOC 2 and ISO 27001 matter if you're handling customer data.
- SLAs and uptime guarantees. If validation is in your signup flow, downtime means lost registrations.
- Reporting and rules. Can you set allowlists/blocklists? Can you customize risk thresholds?
The MillionVerifier situation on Reddit illustrates this perfectly. Users reported it missing obvious invalids - unregistered domains, invalid TLDs that should've been caught in the DNS step. Cheaper isn't better if the tool's skipping fundamental checks. The false-negative tradeoff (letting bad emails through) is almost always worse than the false-positive tradeoff (rejecting a few valid ones).
How to Implement Correctly
Getting the API key is the easy part. Wiring validation into your stack without creating bottlenecks or gaps - that's where most teams stumble.
Where to Place Validation
You've got four architectural patterns, and most mature teams use more than one:
Real-time at capture works for signup forms and lead gen pages. The API validates as the user submits, rejecting bad addresses before they enter your system. Target sub-300ms latency here - anything slower and users notice the delay.
CRM ingestion gate validates every new contact before it hits your database. This prevents bad data from propagating through your entire stack. We've seen teams skip this step and spend months cleaning up the mess downstream. (If you're standardizing your stack, start with contact management software.)
Pre-send check runs validation right before a campaign fires. This catches addresses that were valid when captured but have since decayed.
Scheduled hygiene runs batch validation on your full database - quarterly at minimum, monthly if you can afford it. This is your safety net for the 2.1% monthly decay that accumulates silently.
Caching and Performance
Don't re-validate the same address every time it appears. Cache stable results (valid/invalid) for 7-30 days. Uncertain results (risky, catch-all) deserve shorter TTLs - 7 days max. For real-time validation on forms, if the API response exceeds your latency budget, accept the submission and queue a background recheck rather than blocking the user.
Error Handling and Resilience
Validation APIs go down. Plan for it.
Implement retries with exponential backoff plus jitter - don't hammer a struggling endpoint with synchronized retry storms. Add circuit breakers that fail open (accept the email, queue for later validation) rather than blocking all submissions during an outage. For bulk jobs, use dead-letter queues to capture addresses that fail validation after max retries.
And secure your API keys with IP allowlisting. One Mailgun user on Reddit reported unexplained spikes of 10 million validations on Christmas Day, followed by a $30,000 overage invoice. Auth controls and rate limits aren't optional.
Mistakes That Kill Deliverability
Seven ways teams sabotage their own email programs:
Regex-only validation. It catches formatting errors and nothing else. Regex can't tell you if a mailbox exists, if the domain accepts mail, or if the address is a spam trap.
Not validating at signup. Every bad address you accept creates downstream problems - bounces, wasted sends, reputation damage. Validate at the door.
Never re-validating before campaigns. An address that was valid six months ago might not be today. At 2.1% monthly decay, skipping pre-campaign validation is gambling with your sender score. (For a deeper playbook, see our email deliverability guide.)
Ignoring role-based addresses. Sending cold outreach to info@ or support@ tanks engagement metrics. These shared inboxes rarely convert and often generate complaints.
Skipping spam trap detection. Spam traps are ISP-planted addresses designed to catch senders with bad hygiene. Hit enough of them and your domain gets blocklisted. Period. (If you need remediation, start with spam trap removal.)
No billing alerts or rate limits. That Mailgun user's $30K surprise bill happened because there were no usage caps or monitoring on the validation endpoint. Set alerts at 2x your expected volume.
Treating validation as a one-time task. Email hygiene is ongoing. At $39 ROI per $1 spent on email marketing, the cost of continuous validation is trivial compared to the cost of letting your list rot.
Build vs. Buy
For full control, Reacher is the standout open-source option - 8.5K GitHub stars, written in Rust, self-hosted. It checks mailbox existence without sending actual emails and includes an HTTP backend you can deploy on your own infrastructure.
The tradeoffs are real, though. Self-hosting means managing SMTP rate-limiting (mail servers will throttle or block you if you verify too aggressively), maintaining IP reputation for your verification server, and handling all the infrastructure overhead - updates, monitoring, scaling. There's also centminmod/validate-emails (86 stars), a self-hosted script that wraps multiple commercial provider APIs into a unified interface.
For most teams doing under 100,000 verifications per month, a commercial email validation API is almost always cheaper than the engineering time to maintain a self-hosted solution. If you have serious volume and a team comfortable managing email infrastructure, Reacher is excellent. If not, pick a commercial provider and move on. (If you're building outbound workflows end-to-end, a cold email API can be the next layer.)
Bad validation APIs let catch-all domains and stale data slip through. Prospeo's infrastructure handles catch-all verification, honeypot filtering, and spam-trap removal natively - no third-party email providers in the chain. Teams using Prospeo cut bounce rates from 35%+ to under 4% and book 26% more meetings than ZoomInfo users.
Protect your sender reputation with data that's never more than 7 days old.
FAQ
What's the difference between email validation and verification?
Validation checks format - does the address comply with RFC syntax rules? Verification confirms deliverability by querying DNS records and performing SMTP-level mailbox checks. Most APIs do both, and the industry uses the terms interchangeably. When evaluating tools, focus on whether they perform SMTP verification, not just what they call themselves.
How accurate are email validation APIs?
Top-tier tools hit 96-99% accuracy on standard domains, but catch-all domains are the wildcard. No API can confirm individual mailbox existence on a catch-all server, so accuracy claims always carry an asterisk. Ask vendors specifically how they handle catch-alls - that's where real accuracy differences live.
Is there a good free email validation API?
Abstract API offers 100 free requests/month, ZeroBounce gives 100 free credits/month, Prospeo includes 75 free verified emails/month with its 5-step pipeline, and Reacher is completely free if you self-host. All four are production-ready - the free tiers are just volume-limited, so you can evaluate accuracy on your own data before committing budget.
How often should I re-validate my email list?
Before every major campaign, at minimum. For ongoing lists, quarterly re-validation catches the ~2.1% monthly decay that accumulates silently. B2B lists decay faster due to job changes - platforms with a short data refresh cycle handle much of this re-validation automatically.
Can I build my own email validation instead of using an API?
Yes - Reacher is open-source and fully capable. But you'll manage SMTP rate-limiting, IP reputation, and server infrastructure yourself. For most teams, a commercial API at $5-10 per 1,000 emails costs less per month than the engineering hours needed to keep a self-hosted solution running reliably.