Open Source Email Verification: What Works, What Breaks, and What to Pair It With
Roughly 30% of email addresses decay every year. A list you built six months ago is already rotting - and syntax checks alone won't save it. Open source email verification tools promise a free, self-hosted fix, and some genuinely deliver. But the gap between what OSS can validate and what production outbound actually requires is wider than most developers expect.
What You Need (Quick Version)
- Syntax + DNS validation without SMTP risk: email-verifier (Go, MIT)
- Full-stack verification including SMTP: Reacher (Rust, AGPL-3.0 - check the license)
- Production outbound at scale: pair any OSS validator with a commercial verifier for SMTP, catch-all, and spam-trap handling
Validation vs. Verification
These terms get swapped constantly, but they mean different things. Validation checks whether a string looks like an email - format, syntax, maybe MX records. Verification confirms a mailbox actually exists and can receive mail.
The distinction matters more than you'd think. In Jonas Neubert's 2026 comparison of popular validation libraries, validator.js scored 23 correct, 5 false negatives, and 0 false positives. Truemail? 16 correct, 10 false negatives, 2 false positives. Same test set, wildly different results - and that's just the syntax layer. Once you need to confirm a mailbox is live, you're in a completely different game.
If you want the deeper breakdown of layers and where tools lie, see our guide on email validation.
Open Source Tools Compared
| Tool | License | Validation Depth | Last Updated | Stars |
|---|---|---|---|---|
| Reacher | AGPL-3.0 | Syntax → DNS → SMTP + Catch-All + Disposable | Mar 2026 | ~8.5K |
| email-verifier | MIT | Syntax → DNS → Disposable (no SMTP) | Apr 2024 | ~417 |
| Truemail | MIT | Syntax → DNS → SMTP + Disposable | Apr 2024 | ~1.3K |
| Deep Email Validator | MIT | Syntax → DNS → SMTP + Disposable | Sep 2025 | ~8.4K |
| AfterShip/email-verifier | MIT | SMTP-capable verifier (Go) | 2024 | - |
Reacher (check-if-email-exists)
The most capable open source email verifier available. Reacher runs the full stack - syntax, DNS, MX, SMTP handshake, and catch-all detection - all in Rust, so it's fast.
Here's the thing: the AGPL license is a dealbreaker for many companies. If you embed Reacher in a proprietary product and serve it over a network, you're required to open-source your code. For internal tooling or side projects, that's fine. For a SaaS product, talk to a lawyer first. Reacher also offers a hosted API option if you'd rather skip self-hosting.
# Clone and run via Docker
docker run -p 8080:8080 reacherhq/backend
We've run Reacher against several thousand-address test lists, and the SMTP results are solid when your IP reputation is clean. The moment your IP gets flagged - and it will, eventually - accuracy drops off a cliff. That's the tradeoff you're signing up for. (If you’re troubleshooting deliverability, this ties directly into IP reputation vs domain reputation.)
email-verifier (umuterturk)
Use this if you want a privacy-first validator that deliberately avoids SMTP probing. Skip this if you need mailbox existence checks.
This Go + Redis tool handles syntax, domain existence, MX records, disposable detection, role-based detection, and typo suggestions. No authentication required, no usage limits.
Its standout feature is alias canonicalization: it normalizes Gmail dots, Yahoo hyphens, and Outlook plus-addressing so user.name+test@gmail.com resolves to username@gmail.com. Batch validation handles up to 100 emails with domain-grouping optimization. MIT licensed, zero SMTP risk to your IP.
If you’re building a ruleset around throwaway inboxes, pair this section with our guide to disposable email detection.
Truemail
A Ruby gem with a layered pipeline: regex, DNS/MX, SMTP, and disposable detection. What makes Truemail unique is its host audit features - IP audits, DNS audits, PTR audits - designed for diagnosing self-hosted SMTP failures. If you're running your own mail infrastructure and verification keeps failing, Truemail helps you figure out why.
Deep Email Validator
TypeScript/Node, MIT license, ~8.4K stars. Covers regex, typo detection, disposable filtering, DNS, and SMTP. If you're building in Node and need SMTP verification without Reacher's AGPL constraints, this is the safer choice for proprietary projects.
AfterShip/email-verifier
A lighter Go alternative. Useful when you want something simpler than Reacher without the AGPL headache.
Catch-all domains, spam traps, and honeypots are where open source verification hits a wall. Prospeo's 5-step proprietary pipeline handles all three - across 143M+ verified emails refreshed every 7 days, not every 6 weeks.
Stop flying blind on catch-all domains. Get 98% accuracy at $0.01/email.
The Catch-All Problem
Catch-all servers accept mail for any address at the domain. Send a RCPT TO for totallyFakeAddress@example.com and you'll get a 250 OK back - same as a real mailbox.
The standard detection approach is to probe a random fake address first: if the server accepts it, the domain is catch-all and individual mailbox verification becomes impossible via SMTP alone. This is where every email verifier - open source or commercial - hits a wall. Even Reacher, which attempts catch-all detection, still depends heavily on your IP's reputation for reliable results.
Let's be honest: catch-all handling is the single biggest reason most teams shouldn't rely on self-hosted verification for outbound. If even 15% of your list sits on catch-all domains, you're flying blind on a meaningful chunk of your pipeline.
For more context on why this matters for list quality, see benefits of email verification.
Why Self-Hosted SMTP Breaks at Scale
SMTP verification works by initiating a RCPT TO handshake without actually sending a message (the older VRFY command is rarely supported anymore). The problem is this looks exactly like address harvesting to mail servers. They throttle you, greylist you, or blacklist you outright.
Self-hosted setups running bulk SMTP probes get blocked fast. It gets worse on a VPS or home server - many hosting providers block outbound SMTP ports entirely. Developers on r/selfhosted consistently warn against running SMTP probes from residential IPs, and the data backs them up: residential and dynamic IPs are often pre-listed on Spamhaus PBL before you send a single probe. Even with a clean IP, you need valid rDNS/PTR records and careful throttling to avoid triggering anti-abuse systems.
If you’re seeing bounces spike after verification, it’s worth reviewing hard bounce rate benchmarks and fixes.
Commercial verifiers solve this by cycling through IP pools and replacing servers as they get flagged. That's impractical to replicate when you're self-hosting.
When to Add a Commercial Layer
Use a hybrid approach. Let your open source validation pipeline handle syntax, MX, and disposable detection - that's free and reliable. Then route the survivors through a commercial API for SMTP verification, catch-all handling, and spam-trap removal.
If you're verifying under 1,000 emails a month for a side project, OSS alone is fine. The moment you're running outbound campaigns, you need the commercial layer.
In our testing, the hybrid approach consistently outperforms either layer alone. Prospeo's 5-step verification pipeline handles exactly what OSS can't - catch-all detection, spam-trap removal, and honeypot filtering across 143M+ verified emails at 98% accuracy. Data refreshes every 7 days versus the 6-week industry average, and the free tier gives you 75 verifications per month to test alongside your OSS pipeline. Paid plans run about $0.01/email with no contracts.
If you’re comparing vendors, our roundups of email verification tools and email list cleaning services can save time.
For reference, ZeroBounce charges $99/month for 10,000 verifications, NeverBounce runs $125/month for the same volume, and tools like Verifalia and Hunter use tiered credit-based pricing depending on volume and features.
You don't need to choose between free and accurate. Use your OSS pipeline for syntax and MX checks, then route survivors through Prospeo's API - 92% match rate, spam-trap removal, and catch-all handling included.
Build the hybrid verification stack this article recommends in minutes.
FAQ
Is open source email verification accurate enough for outbound?
For syntax and MX validation, yes - libraries like email-verifier and Deep Email Validator handle those layers reliably. For SMTP mailbox verification at scale, no. IP throttling and catch-all domains create too many unknowns. Pair OSS validation with a commercial verifier before sending outbound.
What's the difference between AGPL and MIT licenses?
MIT lets you embed the library in proprietary software without restrictions. AGPL requires you to open-source any software that uses the library over a network - a dealbreaker for most SaaS products. Reacher uses AGPL; Deep Email Validator and email-verifier use MIT.
Can self-hosted tools detect catch-all domains?
Reacher attempts catch-all detection via SMTP probing, but accuracy depends on your sending IP's reputation and rDNS configuration. Commercial verifiers use rotating IP pools across multiple providers, producing significantly more reliable catch-all results - especially on enterprise domains.