Reduce signup fraud emails by verifying every address at the point of registration. Real-time checks reject disposable domains, invalid syntax, and dead mailboxes before an account is created. This blocks throwaway accounts, promo abuse, and bot registrations at the door, keeping your user base clean and your sender reputation intact.
What counts as signup fraud?
Signup fraud is any account created with fake, disposable, or stolen identity data to abuse a product. Common patterns include throwaway addresses for free-trial farming, promo and referral abuse, bot-driven bulk registrations, and credential-stuffing footholds. Most of these start with an email address that was never meant to receive real mail.
Not every bad signup is malicious. Some users mistype their address. Others use a temporary inbox because they do not trust you yet. The verification job stays the same either way: separate addresses that can receive mail from ones that cannot, then flag the risky middle. A disposable domain at registration is a strong fraud signal, because real customers rarely sign up with a mailbox that self-destructs in ten minutes.
Fake signups quietly wreck your metrics
Fake accounts do not just sit there. They inflate your user count, so activation and retention rates look worse than they are. They burn free-tier compute and support hours. Worst of all, they poison your email program. When you send onboarding or password-reset mail to invalid and disposable addresses, those messages hard bounce. Let your bounce rate climb above 2% and mailbox providers start routing your real mail to spam.
Fraud rings farm free trials, drain referral credits, and resell access. A single bot script can create thousands of accounts overnight if the only barrier is a text field that accepts any string with an @ in it. Verification at the door turns that cheap attack into an expensive one, because throwaway addresses stop working the moment you check them. The whole economy of a fraud operation depends on cheap, unlimited addresses.
How much of your signup traffic is fake?
There is no universal number, but many consumer products see 5% to 20% of signups come from disposable or invalid addresses, and abused free tiers can run far higher. The only way to know your rate is to measure it. Verify a recent batch of signups and count the Invalid and disposable verdicts.
Track that percentage over time. A sudden spike usually means a campaign is being abused or a bot is hitting your form. Verification gives you the number and the early warning in one place, so you can tighten rules before the damage lands in your email metrics.
How does email verification reduce signup fraud?
Email verification reduces signup fraud by checking each address in real time before the account is saved. It validates syntax, confirms the domain has live MX records, runs an SMTP-level mailbox check, and matches the domain against known disposable providers. Addresses that fail get blocked or challenged, so fake accounts never enter your database.
- Syntax and typo scan. Reject malformed addresses instantly, and suggest fixes for obvious typos like gmial.com.
- Disposable domain match. Flag or block temporary providers before spending deeper checks.
- MX record lookup. Confirm the domain can actually accept mail.
- SMTP-level mailbox check. Verify the specific mailbox exists, not just the domain.
- Verdict and action. Allow Deliverable addresses, add friction to Risky ones, and reject Invalid ones.
Order matters for cost and speed. Cheap local checks run first and catch most junk without touching the network. The SMTP-level check runs last, only on addresses that survived the earlier filters. Our verification engine handles that sequence for you and returns a clear verdict per address.
Which signals flag a fraudulent address
No single check catches everything. Fraud detection works best when you weigh several signals together and match the response to the risk level. Here is how the common verdicts map to action at signup.
| Signal | What it means | Signup action |
|---|---|---|
| Invalid syntax or no MX record | Address cannot receive mail | Reject at the field |
| Disposable domain | Throwaway inbox, common in abuse | Block or require a work email |
| SMTP says no mailbox | Address does not exist | Reject |
| Catch-all domain | Accepts all mail, existence unclear | Allow but monitor |
| Role address (info@, admin@) | Shared inbox, not a person | Allow with caution for personal accounts |
| Valid and deliverable | Real, reachable mailbox | Allow |
Catch-all and role addresses need judgment. A catch-all domain accepts every address, so the SMTP check cannot confirm a real mailbox behind it. Allow it, but watch that account for abuse. Role addresses like info@ or admin@ are shared inboxes, fine for a business account but a weak signal for a personal one.
Check your list right now, free
10 checks a day with no signup. 100 a day with just your email.
How to add verification without killing conversions
Verification should be invisible to real users. Run the syntax and disposable checks in the browser as the person types, so honest customers get instant typo hints and never notice the rest. Save the SMTP-level check for form submission, where a half-second delay is fine.
Do not reject a Risky verdict outright. Add friction instead: require email confirmation, ask for a work address, or trigger a second factor. Reserve hard rejection for Invalid addresses and known disposable domains. That way you stop fraud without punishing the customer who simply fat-fingered their address. Measure the block rate weekly, and loosen the rules if real signups are getting caught.
Log every verdict with the account. When a support ticket or chargeback comes in later, that history tells you fast whether the address was Risky from day one. It also feeds your fraud model, so blatant patterns get easier to spot each month.
Mistakes that let fraud back in
Verification only helps if you act on the results and keep them current. These slips are common:
- Verifying only at signup, then never rechecking. Mailboxes go dead over time, so re-verify before big sends.
- Treating catch-all domains as automatically valid. They hide mailboxes that do not exist.
- Blocking every role address. Some legitimate B2B users register with a team inbox.
- Maintaining a disposable blocklist by hand. New throwaway domains appear daily, so use an engine that tracks them for you.
Signup fraud is cheapest to stop at the moment of registration. Verify the address, act on the verdict, and keep the list clean. Your bounce rate, your metrics, and your sender reputation all hold up better for it.