If you run a signup form, you already know you need to detect disposable emails before they create accounts you’ll never hear from again. But every public disposable-email blocklist on the internet has the same blind spot: it flags legitimate forwarding aliases — addresses on EmailAlias.io, SimpleLogin, addy.io, DuckDuckGo Email Protection, Firefox Relay, Sign in with Apple — as throwaway addresses too. Block those and you’re rejecting your most privacy-conscious customers, the ones least likely to come back and try again. This guide shows how to detect disposable emails properly: catch the real throwaways, allow the legitimate aliases.
What is a disposable email and why detect it
A disposable email — also called temp mail, throwaway email, or temporary email — is an inbox designed to expire after a short window, typically anywhere from ten minutes to a few hours. Services like Mailinator, 10MinuteMail, Temp-Mail, Guerrilla Mail, and YOPmail let anyone generate one in a single click without signing up. The user reads the verification message inside the throwaway inbox, clicks the link, and walks away. The address dies; the account they created on your platform stays. That asymmetry is the whole problem.
For most product owners, the reason to detect disposable emails is fraud. Disposable inboxes are the cheapest possible way for an attacker to spin up thousands of fake accounts: trial farming, signup-bonus stuffing, voting manipulation, scraping behind login walls, or simply gaming any “first N users free” promotion. The accounts pass your email-verification gate because the disposable inbox really does receive your message — but once the verification timer expires, you have zero way to contact the user, push them a password reset, or invoice them. They’re ghosts.
The category does have legitimate uses — one-shot downloads, gated whitepapers, very early development testing — but those use cases are not the ones funding your product. The customers worth keeping are the ones who’ll be back, and they need an address you can reach. That’s why most modern signup forms detect disposable emails and reject them before account creation.
Why detect disposable emails in 2026
The pressure to detect disposable emails has gotten stronger every year, and 2026 isn’t an exception. Three forces in particular push more teams toward proper disposable email detection at signup:
- Carder waves. Stripe Radar logs and Cloudflare’s bot reports both show the same pattern: fraudsters using long-tail catch-all domains pointed at forwarding providers (NameSilo, Cloudflare Email Routing, Gravity Engine) to bypass naive single-domain blocklists. If you only block Mailinator, you’ll miss 90% of the abuse.
- Free-tier abuse economics. SaaS unit economics make every signup a real cost — verification email, onboarding sequence, storage, support potential. A 30% fake-signup rate (which is what most public free tiers see) means a third of the marginal CAC budget is on the floor.
- Compliance and deliverability. Mail-server reputations are increasingly sensitive to bounce rate. A high-disposable-share signup base means your transactional email lands in spam over time, hurting deliverability for the real customers too.
The encouraging part is that disposable email detection is one of the cheapest, fastest anti-fraud upgrades available. A working detector adds milliseconds to the signup path, has near-zero ongoing maintenance, and (if implemented correctly) returns more legitimate customers than it blocks. The hard part is “implemented correctly” — which brings us to how detection actually works.
How disposable email detection actually works
Under the hood, every serious disposable email detection system is a layered cascade. The cheap layers run first; expensive ones only run when the cheap layers haven’t yet decided. The cascade typically looks like this:
- Domain list lookup (sub-millisecond). Extract the domain part, lowercase it, and check it against an in-memory set of known disposable providers. A good list contains 50,000–100,000 entries — Mailinator, 10MinuteMail, GuerrillaMail, YOPmail, Temp-Mail, and the long tail of obscure throwaway services. If the domain matches, return
disposable. Done. - Forwarding-alias allowlist (sub-millisecond). Before declaring a domain “unknown,” check it against a separate allowlist of legitimate forwarding-alias providers — EmailAlias.io, SimpleLogin, addy.io, DuckDuckGo Email Protection (
duck.com), Firefox Relay (mozmail.com), Sign in with Apple’s Hide My Email relay. If the domain matches, returnforwarding_aliasand allow it through. This is the layer almost every off-the-shelf disposable email detector forgets. - MX-record check (50–200 ms). If the domain is unknown to both lists, do a DNS-over-HTTPS lookup of its MX records. Match the MX exchange hostname against a curated list of forwarding-only mail providers (NameSilo Free Forwarding, Cloudflare Email Routing, ImprovMX, Forward Email). This is a soft signal: many legitimate small businesses use Cloudflare Email Routing for their custom domain, so an MX match alone is not a reason to block. Surface it; don’t auto-reject.
- Live website probe (50–500 ms). HTTP HEAD
https://<domain>. If the request times out or returns no live server, that’s a second soft signal — catch-all domains set up purely to receive email and discard accounts almost never bother running a web stack. Combined with a forwarding MX match in stage 3, this is the strong throwaway signal worth blocking on.
The reason stage 2 matters so much — and the reason it’s so often missing — is the entire point of the rest of this guide.
The hidden gotcha: forwarding aliases vs disposable email
Almost every public disposable-email blocklist on GitHub conflates two categories that look superficially similar but are completely different in practice.
- Disposable inbox. Anonymous, public, expires. Mail sent to
foo@mailinator.comlands in a shared web inbox anyone with the address can read. The “user” can’t be contacted again once the timer runs out. - Forwarding alias. Permanent, private, attached to a real inbox. Mail sent to
user-shop23@emailalias.ioforwards to the user’s actual Gmail or Outlook inbox. The user reads it like any other email and replies through the alias. The address never expires. The user can disable any individual alias without affecting the others.
Lists that flag both as “disposable” are a self-inflicted wound. The customer signing up with checkout-shoes@emailalias.io is the most privacy-conscious customer you have — exactly the cohort least likely to come back and retry with a “real” Gmail address after you reject them. They go somewhere that doesn’t block. We’ve written before about why permanent forwarding aliases are categorically distinct from disposable inboxes, but the short version is: blocking aliases conflates a legitimate identity-management pattern with throwaway fraud, and you lose the wrong people.
The fix is to separate the two lists. Keep a disposable-domain blocklist of ~74,000 throwaway providers, and keep a separate forwarding-alias allowlist of the ~20 known privacy providers. Check the allowlist first, return early with a “legitimate forwarding alias” verdict, and never let the address hit the disposable lookup. That’s the design pattern our open-source library and hosted disposable email checker are both built around — and it’s the single biggest thing missing from off-the-shelf detection libraries on npm and PyPI today.
Top open-source libraries to detect disposable emails
If you’re picking a library to detect disposable emails in production, here’s how the most-used options compare on the dimensions that matter at integration time:
| Library | Languages | Domain count | Forwarding-alias allowlist | Auto-refresh | License |
|---|---|---|---|---|---|
| @emailalias/disposable-email-detector | JS + Python | 74,090 | Yes (6 providers) | Weekly via GitHub Action | MIT |
| disposable-email-domains (martenson) | Data only | ~5,000 curated | No | Manual PRs | MIT |
| disposable/disposable-email-domains | Data only | ~70,000 | No | Daily community PRs | MIT |
| mailchecker | 10+ via Node | ~60,000 | No | Manual rebuilds | MIT |
| disposable-email-detector (IntegerAlex) | JS | ~30,000 | No | Manual | MIT |
Three of the five options above ship the raw domain data only — you wire them into your own code. mailchecker and our own disposable-email-detector are the only ones that ship a complete library with verdict logic and an install one-liner. mailchecker has the broader language coverage (Node bindings into PHP, Ruby, Python, Go, Java, Rust, and others); our library adds the forwarding-alias allowlist that none of the others have, which is the difference between blocking real customers and not.
How to detect disposable emails in your signup form
The mechanical steps to detect disposable emails in a working signup flow are simpler than they look. Here’s the five-step pattern most teams converge on:
- Install the library. For Node/TypeScript signup forms,
npm install @emailalias/disposable-email-detector. For Python backends (Django, FastAPI, Flask),pip install disposable-email-detector. Both ship the same data files internally. - Add a server-side check at the signup endpoint. Don’t do this on the client — anyone can bypass client-side validation. The check has to run server-side, before you write the account row to your database.
- Branch on the verdict. Reject the
disposableverdict with a friendly error message (“That looks like a temporary email address. Please use your primary inbox.”). Allowforwarding_aliasthrough normally — those are real customers. Allowokthrough. Forsuspicious(random local part + suspicious TLD), either allow or require an extra verification step depending on your tolerance. - Log the verdict. Store the detection result alongside the signup row so you can audit later. If you see legitimate customer complaints about being blocked, you can grep the log for their address and see whether they hit the disposable list or the forwarding-alias allowlist.
- Iterate on edge cases. Once a quarter, review your “blocked at signup” log. Real customers wrongly blocked? Add their provider to the forwarding-alias allowlist via a PR upstream. Fraud slipping through? Add the catch-all domain to your local disposable additions.
A working example in TypeScript:
import { check } from "@emailalias/disposable-email-detector";
export async function POST(req: Request) {
const { email, password } = await req.json();
const result = check(email);
if (result.verdict === "disposable") {
return Response.json(
{ error: "Please use a permanent email address, not a temporary one." },
{ status: 400 }
);
}
// result.verdict === "forwarding_alias" → allow (legitimate privacy user)
// result.verdict === "ok" → allow (normal address)
// result.verdict === "suspicious" → allow but flag for review
return createAccount({ email, password });
}Same shape in Python:
from disposable_email_detector import check
def signup(email: str, password: str):
result = check(email)
if result["verdict"] == "disposable":
raise HTTPException(400, "Please use a permanent email address.")
return create_account(email, password)Two lines in the path, sub-millisecond per check, no network calls, no API key, no rate limit. The full library is on npm and PyPI; both packages are MIT-licensed.
Soft signals: MX provider and missing website
The four-stage cascade earlier mentioned two soft signals beyond the domain lists. They’re worth understanding because they catch the cases the lists miss — the freshly-registered catch-all domains that haven’t made it onto any community blocklist yet.
MX provider check. Carders running catch-all signup farms almost always point their domains at a forwarding-only mail provider, because running real MTA infrastructure for hundreds of throwaway domains is annoying. The most common patterns we see in EmailAlias.io abuse logs are MX records ending in .namesilo.com (NameSilo Free Email Forwarding), route1/2/3.mx.cloudflare.net (Cloudflare Email Routing), .improvmx.com, and .gravityengine.cc. The catch is that many legitimate small-business domains also use Cloudflare Email Routing, so an MX match alone is not enough to block on — it’s a soft signal.
Live website probe. A HEAD request to https://<domain> with a 3-second timeout. If the domain is set up to receive email but has no live web server at all — connection refused, NXDOMAIN, or hard timeout — that’s a much stronger signal. Real businesses have websites; carder catch-alls usually don’t bother. The combination of forwarding MX AND no website is the strong throwaway signal worth blocking on; either alone has too many legitimate counter-examples (indie developers, hobbyist domain registrants) to auto-reject.
Our hosted disposable email checker runs both soft-signal probes in parallel via Cloudflare DNS-over-HTTPS, with strict per-request timeouts so a slow target never blocks the response. The API returns the matched MX provider name and the website-existence boolean as separate fields, so the caller decides their own policy — block, warn, or allow.
Common mistakes when blocking disposable emails
Five mistakes are by far the most common when teams first try to detect disposable emails at signup. Avoiding all five is most of the difference between a detector that helps and one that quietly costs you customers.
- Treating every “alias-shaped” domain as disposable. The big one.
addy.io,duck.com,sl.email,mozmail.com, andprivaterelay.appleid.comare not disposable — they forward to real inboxes. Blocking them rejects legitimate privacy customers. Always check a forwarding-alias allowlist before the disposable list. - Using a stale list. New disposable providers launch weekly. A list last refreshed two years ago will miss 30–50% of current abuse. Use a library with weekly auto-refresh from upstream community sources.
- Validating only on the client. Any motivated user can disable JavaScript, edit the form payload, or hit your API directly. Detection has to run server-side at the signup endpoint, period.
- Hard-blocking on soft signals. An MX match against a forwarding provider, or a missing website, on their own are not reasons to block — both have plenty of legitimate domains. Use them as inputs to a risk score, not as auto-block triggers.
- Forgetting to log rejections. Without a log of what got blocked and why, you have no way to spot wrong rejections. Log the verdict, the reason, and the address fingerprint (a hash, not the raw address — for privacy) so you can debug customer complaints.
- Showing a hostile error message. When you do reject a disposable signup, the response message matters. “Email rejected” reads as broken; “That looks like a temporary inbox — please use your primary address so we can reach you when you log in” reads as helpful. The customer who genuinely intended to sign up with a real address (and accidentally pasted in a saved temp-mail string) will re-submit. The fraud farmer will move on. Both outcomes are wins. The category of mistake here is treating the rejection like a security boundary instead of a UX moment — the moment is the place where you either earn the customer’s confidence or scare them away forever, and the wording is most of the work.
If you want to test how your address (or a specific domain) is currently classified across all of these signals before integrating anything, the easiest path is to paste it into our hosted disposable email checker and see the full verdict surface. Then mirror that behavior in your code.
When to detect disposable emails inline vs combine with risk scoring
Disposable email detection is a useful primitive on its own, but for serious abuse pipelines it’s usually one input to a broader risk score rather than a standalone gate. The decision tree is straightforward:
- Low-stakes signup (newsletter, free download, beta waitlist): a single inline call to detect disposable emails is enough. Reject on
disposable, allow everything else. No CAPTCHA needed. - Medium-stakes signup (free SaaS tier, social platform, forum): detect disposable emails inline, plus rate-limit by IP, plus add a CAPTCHA on suspicious patterns (rapid signups from one IP, browser fingerprints that match prior abuse). The disposable verdict feeds the risk score; it doesn’t drive the decision alone.
- High-stakes signup (financial, payments, identity): the disposable check is one of many signals — alongside phone number reputation, device fingerprint, payment-method history, behavior post-signup. Tools like Stripe Radar, Sift, or Castle combine all of these. Your disposable-email verdict feeds in as a feature, and the model decides.
The reason this matters: a determined attacker can always find a fresh catch-all domain that hasn’t hit any blocklist yet. The disposable check is a cheap filter that removes the lazy attackers in milliseconds; for the rest, you need the layered defense. Pair the inline detection with the broader anti-spam playbook in our spam-prevention guide if you want to go further than just blocking signups.
One more nuance worth flagging: the disposable-email category overlaps with the broader “anonymous email” category that includes forwarding aliases like Firefox Relay and its alternatives. The overlap is exactly why the forwarding-alias allowlist matters — without it, the broad term “anonymous email” gets mistakenly mapped onto throwaway inboxes when it actually means something completely different to the user.
Final thoughts
Disposable email detection is one of the cheapest anti-fraud upgrades you can ship — sub-millisecond per signup, no recurring API cost, near-zero maintenance with a properly auto-refreshed library, and a measurable drop in fake-account rate the same day you deploy it.
The trap most teams fall into is grabbing the first GitHub blocklist they find, wiring it into their signup form, and then watching customer-support tickets trickle in from privacy-conscious users complaining about being rejected. The fix is to recognize that forwarding aliases are not disposable email: addresses on EmailAlias.io, SimpleLogin, addy.io, DuckDuckGo, Firefox Relay, and Apple’s Hide My Email are real, permanent, reach-the-customer addresses. Block the throwaway providers, allow the forwarding aliases — that’s the design pattern that produces a detector you can run on the production signup path without accumulating false-positive scars.
The full disposable-domain list, the forwarding-alias allowlist, the suspicious-MX patterns, and language wrappers for both Node and Python are all open-source on GitHub. The hosted checker is at emailalias.io/tools/disposable-email-checker — free, no signup, no logging. If you’d rather skip the integration entirely and just give every customer a real address they can rotate when they want to, EmailAlias.io’s free tier covers ten permanent forwarding aliases — the same forwarding-alias category this guide spent half its length asking detectors to allow through.
Frequently asked questions
What’s the difference between detecting disposable emails and blocking them?
Detecting is the classification step — figuring out whether a given address belongs to a throwaway-inbox provider. Blocking is the policy you apply on top: reject at signup, require an extra verification step, or just log the verdict for analytics. Most teams that detect disposable emails block them outright at signup, but the two steps are separable.
How accurate are public disposable-email blocklists?
The two well-maintained community lists (disposable/disposable-email domains and disposable-email-domains/disposable-email-domains on GitHub) together cover about 74,000 providers and catch the vast majority of well-known throwaway inboxes. They miss freshly-registered catch-all domains in the first few days to weeks. That’s where MX provider and live website soft signals help.
Will detecting disposable emails block legitimate privacy users?
Only if your detection library lumps forwarding aliases (EmailAlias.io,
SimpleLogin, addy.io, DuckDuckGo Email Protection, Firefox Relay, Apple Hide My Email) into the same bucket as throwaway inboxes. The fix is a forwarding-alias allowlist that runs BEFORE the disposable lookup and returns a “legitimate forwarding alias” verdict so site owners don’t block real customers.
Is there a free API to detect disposable emails?
Yes. The same endpoint that powers our hosted disposable email checker is free and IP-rate-limited at emailalias.io/api/tools/disposable-check — POST a JSON body with the email and you get back a verdict, the matched list size, the forwarding-alias provider (if any), and soft signals like the MX provider and whether the domain has a live website. For self-hosted use, the same logic ships as an MIT-licensed npm and pip package.
How often does the disposable domain list need to be refreshed?
Weekly is the right cadence. New disposable providers launch constantly, but the rate of change is slow enough that a daily refresh would just be noise. Our library has a scheduled GitHub Action that pulls upstream community lists every Monday and opens a PR with the diff; auto-merge is gated on the list size not shrinking by more than 5% to catch upstream errors.
Can I detect disposable emails without making a network call?
Yes — the basic domain-list check is in-memory and sub-millisecond. Only the soft signals (MX provider lookup, live-website probe) require network calls, and they’re optional. Most teams run the in-memory check synchronously on every signup and skip the network signals entirely.
What about cases where the domain isn’t on any list?
That’s the “unknown” verdict – not on the disposable list, not a known forwarding-alias provider, no heuristic hits. Almost all legitimate addresses end up here. Treat unknown as “allow” by default. If you want extra defense against freshly-registered catch-all domains, enable the MX provider and live-website soft-signal checks server-side.
Does detecting disposable emails violate user privacy?
The detection itself is a stateless lookup against a domain blocklist the address never has to leave your server, and good libraries (including ours) don’t log the values. If you use a hosted API like our checker, verify that the provider doesn’t log addresses; we don’t, and the rate-limiter only counts requests per IP.
