Email Verification API v2.0 Production-grade email verification service with multi-layer verification: syntax validation, DNS health checks, disposable/role/free email detection, typo suggestion, and direct SMTP verification.
Client → FastAPI → Verification Engine
→ Layer 1: Syntax (RFC 5321/5322, TLD, gibberish, normalization)
→ Layer 2: DNS (MX, A/AAAA fallback, SPF, DKIM, DMARC, PTR)
→ Layer 3: Database (disposable, free, role, typo detection)
→ Layer 4: SMTP (RCPT TO, catch-all, greylisting, rate limiting)
→ Response (status, confidence score, detailed checks)
git clone https://github.com/codezelat/email-verifier.git
cd email-verifier
python3 -m venv .venv
source .venv/bin/activate
pip install -r requirements.txt
cp .env.example .env
# Edit .env — set SECRET_API_KEY to a strong random value Interactive API docs at http://localhost:8000/docs (when DEBUG=true).
Endpoint
Method
Auth
Description
/verifyPOST
Yes
Single email verification
/bulk-verifyPOST
Yes
Bulk verification (max 50)
/healthGET
No
Liveness probe
/readyGET
No
Readiness probe
/cache-statsGET
No
Cache statistics
/GET
No
Service info
All verification endpoints require an X-API-Key header:
curl -X POST " http://localhost:8000/verify" " X-API-Key: your-secret-key" " Content-Type: application/json" ' {"email": "user@example.com"}' {
"email" : " user@example.com" "options" : {
"check_smtp" : true ,
"check_dns_health" : true ,
"check_catch_all" : true ,
"check_disposable" : true ,
"check_role" : true ,
"check_free" : true ,
"check_typo" : true
}
} All options default to true. Disable checks you don't need for faster results.
{
"email" : " user@example.com" "status" : " Valid" "sub_status" : null ,
"confidence_score" : 95 ,
"deliverability" : " high" "is_deliverable" : true ,
"is_disposable" : false ,
"is_role_account" : false ,
"is_free_email" : false ,
"is_catch_all" : false ,
"typo_suggestion" : null ,
"smtp_provider" : " Google" "checks" : {
"syntax" : {
"valid" : true ,
"normalized_email" : " user@example.com" "warnings" : [],
"errors" : []
},
"dns" : {
"mx_found" : true ,
"mx_records" : [" mx1.example.com" "a_records" : [" 93.184.216.34" "aaaa_records" : [],
"spf_valid" : true ,
"spf_record" : " v=spf1 include:_spf.example.com ~all" "dkim_valid" : true ,
"dmarc_valid" : true ,
"dmarc_record" : " v=DMARC1; p=reject;" "ptr_valid" : true ,
"null_mx" : false ,
"errors" : []
},
"database" : {
"is_disposable" : false ,
"is_free" : false ,
"is_role" : false ,
"is_spam_trap" : false ,
"typo_suggestion" : null ,
"detected_provider" : null
},
"smtp" : {
"deliverable" : true ,
"catch_all" : false ,
"greylisted" : false ,
"error_code" : null ,
"error_message" : null ,
"mx_used" : " mx1.example.com" "verification_blocked" : false
}
},
"processing_time_ms" : 1247 ,
"verified_at" : " 2026-05-29T10:30:00Z" "from_cache" : false ,
"request_id" : " a1b2c3d4e5f6a7b8" {
"emails" : [" user1@example.com" " user2@test.com" "options" : {"check_smtp" : true }
} {
"results" : [... ],
"total_requested" : 2 ,
"total_processed" : 2 ,
"processing_time_ms" : 3500 ,
"request_id" : " a1b2c3d4e5f6a7b8" Maximum 50 emails per request. Duplicates are automatically removed.
Status
Meaning
ValidDeliverable, all checks passed
InvalidMailbox not found, syntax error, null MX
UndeliverableNo MX records, connection failed, relay denied
Catch-AllDomain accepts all addresses (cannot verify individually)
DisposableTemporary email provider (mailinator.com, etc.)
Role Accountinfo@, support@, admin@, etc.
Free EmailGmail, Yahoo, Outlook, etc.
Typo DetectedDomain misspelling (e.g., gmial.com → gmail.com)
GreylistedServer temporarily rejected, retry later
Verification BlockedServer rejects verification attempts
Spam TrapKnown spam trap address
UnknownTemporary failure, timeout
ErrorInternal error
Sub-Status
Meaning
failed_syntax_checkEmail format is invalid
domain_not_foundDomain does not exist (NXDOMAIN)
null_mxDomain explicitly rejects email (RFC 7505)
no_mx_recordNo MX, A, or AAAA records found
mailbox_not_foundRCPT TO returned 550
connection_failedCannot connect to MX server
mailbox_quota_exceededMailbox full (552)
relay_deniedServer refused to relay (554)
timeoutSMTP or DNS timeout
temporary_failure4xx error, greylisting
dns_errorDNS resolution failed
network_errorNetwork unreachable
config_errorServer misconfigured
internal_errorUnexpected error
Level
Score Range
Meaning
high70-100
Strong confidence, all checks passed
medium50-69
Good confidence, most checks passed
low30-49
Limited verification signals
risky—
Disposable email detected
undeliverable—
Invalid or unreachable
unknown—
Temporary failure, cannot determine
Signal
Points
Syntax valid
+15
MX found
+15
SPF valid
+5
DKIM valid
+5
DMARC valid
+5
PTR valid
+5
SMTP deliverable
+35
Catch-all detected
+20
Maximum 100
HTTP Code
Meaning
401
Missing or invalid X-API-Key header
413
Bulk request exceeds 50 email limit
422
Validation error (bad request body)
500
Internal server error
Error response format:
{
"error" : " Validation Error" "detail" : [... ],
"request_id" : " a1b2c3d4e5f6a7b8"
Response Headers
Header
Description
X-Request-IDUnique request identifier (16-char hex)
X-Process-TimeProcessing time in milliseconds
Variable
Default
Description
SECRET_API_KEY(required) API authentication key (min 16 chars)
VERIFY_FROM_EMAILverify@yourdomain.comMAIL FROM address for SMTP checks
VERIFY_EHLO_HOSTNAMEverify.yourdomain.comEHLO hostname (should match reverse DNS)
DATABASE_URL(empty = SQLite) PostgreSQL: postgresql+asyncpg://user:pass@host/db
DNS_CACHE_TTL3600DNS cache TTL in seconds
SMTP_CACHE_TTL86400SMTP result cache TTL in seconds
RATE_LIMIT_VERIFY30/minutePer-IP rate limit for /verify
RATE_LIMIT_BULK5/minutePer-IP rate limit for /bulk-verify
SMTP_CONNECT_TIMEOUT15SMTP connection timeout (seconds)
SMTP_COMMAND_TIMEOUT10SMTP command timeout (seconds)
SMTP_OVERALL_TIMEOUT30Total SMTP operation timeout (seconds)
SMTP_RATE_GMAIL3Gmail verification rate (per minute)
SMTP_RATE_OUTLOOK5Outlook verification rate (per minute)
SMTP_RATE_YAHOO3Yahoo verification rate (per minute)
SMTP_RATE_DEFAULT15Default verification rate (per minute)
SMTP_MAX_CONCURRENT20Max concurrent SMTP connections
SMTP_MAX_PER_HOST3Max connections per MX host
CORS_ORIGINShttp://localhost:3000,...Allowed CORS origins
LOG_LEVELINFOLogging level
BULK_MAX_SIZE50Max emails per bulk request
DEBUGfalseEnable debug mode (shows /docs)
The SMTP engine connects directly to the recipient's MX server on port 25:
Resolves MX records (with A/AAAA fallback per RFC 5321)
Blocks connections to private/reserved IPs (SSRF prevention)
Connects with STARTTLS when available
Issues MAIL FROM + RCPT TO without sending email
Tests catch-all with a random address
Handles greylisting (450/451) responses
Per-domain rate limiting prevents overloading remote servers
docker build -t email-verifier .
docker run -p 8000:8000 --env-file .env email-verifier Docker Compose (with PostgreSQL) # Set DATABASE_URL in .env to use PostgreSQL:# DATABASE_URL=postgresql+asyncpg://verifier:verifier_secret@postgres/emailverifiersource .venv/bin/activate
pytest tests/ -vemail-verifier/
├── app/
│ ├── main.py # FastAPI application, lifespan
│ ├── config.py # Pydantic Settings, env validation
│ ├── database.py # Async SQLAlchemy (SQLite/PostgreSQL)
│ ├── dependencies.py # API key authentication
│ ├── models/
│ │ ├── requests.py # Request models with validation
│ │ └── responses.py # Response models, enums
│ ├── routers/
│ │ ├── verify.py # /verify, /bulk-verify endpoints
│ │ └── health.py # /health, /ready, /cache-stats
│ ├── services/
│ │ ├── syntax.py # RFC 5321/5322 validation engine
│ │ ├── dns_checks.py # MX, SPF, DKIM, DMARC, PTR
│ │ ├── database_checks.py # Disposable, free, role, typo
│ │ ├── smtp_verification.py # Direct SMTP verification engine
│ │ ├── scoring.py # Confidence scoring (0-100)
│ │ ├── cache.py # In-memory TTL cache
│ │ └── verification.py # Verification orchestrator
│ ├── middleware/
│ │ └── request_id.py # Request ID + timing headers
│ └── core/
│ ├── exceptions.py # Error handlers
│ └── logging.py # Structured logging (structlog)
├── data/
│ ├── free_providers.txt # 100+ free email providers
│ ├── role_prefixes.txt # 50+ role account prefixes
│ ├── popular_domains.txt # Typo detection domains
│ └── tlds.txt # IANA TLD list
├── tests/ # 118 tests across 10 files
├── Dockerfile
├── docker-compose.yml
├── requirements.txt
├── pyproject.toml
└── .env.example
Edge Case
Handling
Internationalized emails (IDN)
NFC normalization, Punycode domains
Plus-addressing (user+tag@)
Preserved during verification
Gmail dots (u.s.e.r@)
Normalized for Gmail domains
Quoted local parts
Parsed per RFC 5322
IP address domains
Parsed and validated
Long addresses (254 limit)
Byte-level length checks
No MX, A record fallback
RFC 5321 Section 5.1
Catch-all domains
Random address SMTP test
Greylisting (450/451)
Detected and flagged
Always-550 servers
Flagged as "Verification Blocked"
Null MX (RFC 7505)
Detected as "Domain does not accept email"
MX → CNAME chains
Resolved transparently
Temporary DNS failures
Caught and reported
SSRF via private MX IPs
Blocked by IP validation
Case sensitivity
Domain lowercased, local preserved
API Key : Timing-safe comparison via hmac.compare_digestSSRF Prevention : MX hosts resolving to private/reserved IPs are blockedSTARTTLS : Certificate validation enabledInput Validation : Pydantic models with length limitsDocker : Runs as non-root userLogging : Email addresses hashed in logs (PII protection)Docs : Disabled in production (enable with DEBUG=true)
MIT