REST Email Verification for Developers
One GET request runs all 9 checks, from RFC 5321 syntax to a live SMTP mailbox ping, and answers in about 380 ms median. A real-time email validation API you can wire into signup forms, CRMs, and agents with a single header.
1,000 free credits on signup, 2,500 with a work email. No card.
Trusted by 500,000+ leading GTM teams of all sizes
Quickstart
No SDK to install and no OAuth dance. A key, a GET request, and a JSON object your code can branch on.
Sign up free, open the API keys panel in the dashboard, and generate a vfx_ key. 1,000 credits land on your account instantly, 2,500 if you signed up with a work email.
Send one GET to /v1/email-validation/:email with the X-API-Key header. No SDK required, though the same call works from any HTTP client or our MCP server.
Read reachable (safe, risky, invalid, unknown) for the one-word answer, or the per-check fields when your logic needs to treat a catch-all differently from a dead mailbox.
curl -X GET "https://api.verifox.ai/v1/email-validation/john@example.com" \
-H "X-API-Key: vfx_your_api_key"{
"email": "john@example.com",
"domain": "example.com",
"isValid": true,
"reachable": "safe",
"syntax": true,
"smtp": {
"hostExists": true,
"fullInbox": false,
"catchAll": false,
"deliverable": true,
"disabled": false
},
"mx": {
"records": ["gmail-smtp-in.l.google.com."],
"smtpProvider": "Google",
"domainAgeDays": 11196,
"domainCreated": "1995-08-13",
"hasSPF": true,
"hasDMARC": true,
"hasDKIM": false
},
"isFree": false,
"isRole": false,
"isDisposable": false,
"hasGravatar": true,
"suggestion": null,
"verifiedAt": "2026-03-31T10:30:00Z",
"score": 92
}Every check maps to a field: syntax for format, mx for the domain and its SPF/DKIM/DMARC posture plus domainAgeDays, smtp for the live handshake and catch-all flag, and isDisposable / isRole for the address class. score carries the AI confidence on catch-alls.
The endpoints
Two ways to verify a single address, and a three-call bulk flow for lists. That is the entire surface area you need to learn.
/v1/email-validation/:emailVerify one address in the URL. Full 9-check verdict, 1 credit.
/v1/email-validationSame verdict via JSON body, for callers that keep addresses out of URLs and logs.
/v1/email-validation/bulkStart a bulk job from an array or an uploaded CSV. Up to 100,000 emails per job.
/v1/email-validation/bulk/:jobId/progressPoll a running job: processed count, percent done, and a safe/risky/invalid summary.
/v1/email-validation/bulk/:jobId/resultsFetch completed results with cursor pagination, 50 rows per page by default.
Request and response schemas for every route, parameter by parameter, live in the email validation API reference.
Bulk verification
Send an array or point the job at an uploaded CSV. Poll for progress, then page through results when the job completes.
curl -X POST "https://api.verifox.ai/v1/email-validation/bulk" \
-H "X-API-Key: vfx_your_api_key" \
-H "Content-Type: application/json" \
-d '{"input": ["john@example.com", "jane@test.io", "bad@invalid"]}'{
"job_id": "69d78b9e37e519a86c186261",
"total_records": 1000,
"processed_records": 420,
"status": "processing",
"progress": 42,
"summary": {
"total_safe": 200,
"total_risky": 50,
"total_invalid": 150,
"total_unknown": 20
}
}Roughly 10,000 emails per minute on the standard tier, so a 100,000-row job finishes inside a coffee break.
Results are fetched by polling the progress and results endpoints. No webhooks on bulk jobs today; we would rather say so than surprise you in staging.
Progress responses carry a running safe, risky, invalid, and unknown tally, so dashboards update before the job finishes.
Limits, in writing
You will design around these either way. Better to know them before you ship than discover them in production.
The single-verify rate limit. Exceed it and you get a 429; back off and retry. Lists belong on the bulk endpoint, which is not bound by it.
Single and bulk verifications each draw 1 credit per address. When the balance runs out the API answers 402 instead of silently degrading results.
Keys come in full, verify, and read-only scopes. Give your signup form a verify-only key and it can never touch your account endpoints.
99.9% uptime on Starter, 99.99% with an annual Volume contract. The engine self-measures 99.99% accuracy on a 1,000-address benchmark list.
Integration patterns
The same endpoint, three different jobs. Pick the pattern that matches where bad addresses enter your system.
Call the single-verify endpoint on form submit and block invalid or disposable addresses before they reach your database. At ~380ms median the check fits inside the request without a spinner. Gate on reachable === "invalid" only, and let risky addresses through with a flag, so a flaky corporate mail server never costs you a real customer.
Run every import through the bulk endpoint before it lands in your CRM. A 50,000-row list clears in about five minutes at standard throughput, and the progress endpoint gives you a live safe, risky, and invalid tally to show the user while it runs. Most teams schedule a re-verify pass quarterly, since roughly a quarter of B2B addresses decay each year.
Verify right before send, not at collection time, because an address that was safe in January can be a dead mailbox by June. Sequencers call the GET endpoint per recipient; AI agents use the same engine through the MCP server and skip the HTTP plumbing entirely. Either way the score field decides whether a catch-all address is worth a send slot.
Forms that need protection beyond verification, like blocking typos and disposable signups at the widget level, can drop in FoxGuard form protection instead of writing the integration by hand.
The 9-point engine
The same nine-check engine our paid email verification API runs. Every email, every verification, every time.
Every address runs a full RFC 5321 and RFC 5322 compliance pass before a single network call goes out. The engine catches what visual scanning misses, the double dot in alice@verifox..ai, the trailing period, the IDN homograph that looks valid but resolves to a different domain.
Bundled typo suggestions let your form offer “did you mean alice@gmail.com?” instead of rejecting silently.
Once syntax passes, the engine resolves the domain. We confirm the DNS records exist, fetch the MX record priority list in order, and verify at least one mail-exchange server is actively accepting connections right now.
Misspelled domains like gmial.com, expired domains, and parked-for-sale domains all fail this gate before the engine wastes a single SMTP roundtrip.
The engine opens a TCP connection on port 25, performs the EHLO handshake, then negotiates MAIL FROM and RCPT TO. Every server response code (220, 250, 550, 552) is parsed deterministically against the IANA enhanced-status registry.
This is the moment a mailbox proves it actually exists. No third-party guesses, no statistical heuristics, just the receiving server's own answer.
Some domains accept every email regardless of whether the mailbox exists, a setup known as a catch-all configuration. The engine sends a deterministic probe to a deliberately fake address (zzz9k7q@domain.com); if the server returns the same 250 OK it returned for the real address, the domain is catch-all.
The verdict isn't dropped, it's flagged RISKY so you know the deliverability signal is degraded.
The engine maintains a curated registry of 10,247 disposable email providers, including Mailinator, Guerrilla Mail, 10MinuteMail, Tempmail, and the long tail of regional clones.
Any address matching the blocklist is flagged INVALID. Deliverability to a mailbox that exists for 10 minutes and is never checked is functionally zero, regardless of whether the SMTP handshake passes.
info@, support@, no-reply@, admin@, hello@, billing@, contact@. These are shared inboxes, not individuals.
The engine extracts the local-part of every address, matches it against the known role-prefix registry, and tags the result with a reduced engagement score.
You don't drop them automatically. The verdict tells you they're roles so you can decide whether they belong in your outbound.
Fresh-spam domains registered hours ago are the single biggest source of inbound abuse. The engine queries WHOIS and RDAP for every unique domain, extracts the registration date, and flags anything under 30 days old with a “fresh” warning.
Domains aged 5+ years pick up a corresponding trust signal. The same heuristic spam filters have been using since the early 2000s, ported into the verdict.
SPF, DKIM, and DMARC together prove the sender is authorised to send from that domain.
The engine reads each policy via DNS, validates SPF includes recursively, scans six common DKIM selectors for a published key, and confirms DMARC alignment with the From: header.
A failing DMARC policy means the sender can be spoofed, so the verdict warns you before you reply.
Beyond “exists vs doesn't exist”, the engine extracts the precise mailbox state from the SMTP server's response. Full inbox (552 / 522 quota), disabled mailbox (550 5.1.1), out-of-office autoresponder, frozen account.
Each state maps to a specific retry policy. Full inbox retries in 6 hours. Disabled drops permanently. The verdict tells you which bucket the bounce belongs in so your retry logic doesn't waste cycles.
Why an email verification API
An email verification API moves list hygiene from a monthly chore to a property of your system. Instead of exporting a CSV, running it through a cleaner, and importing it back, every address gets checked the moment it enters: at the signup form, the lead-capture webhook, the CRM import. One request to api.verifox.ai returns a structured verdict in about 380 ms median, fast enough to sit inline in a form submit, and the free email checker you can try in the browser runs this exact engine.
The reason a real-time email validation API beats regex and even most verification services is what happens after syntax. Checking the format catches typos; it does not catch a mailbox that was deactivated last quarter, a disposable domain spun up this morning, or a catch-all server that accepts everything and bounces it later. Those last ones matter most: 20 to 40% of B2B lists fail at catch-all domains, which is why the engine layers AI-confidence scoring on top of catch-all detection instead of marking the whole domain unknown and walking away. The full methodology, all nine checks of it, is documented on our email verification service page, and the email verifier shows the verdicts in a human-readable form.
Integration cost stays low on purpose. Auth is one header, the response is one JSON object, and bulk jobs of up to 100,000 emails run through three endpoints documented in the API reference. Pricing follows usage: credits are pay-as-you-go, never expire, and volume rates are shown for your region. And if your stack is agentic rather than RESTful, the same engine ships as a native email verification MCP server for Claude, Cursor, and friends.
Trust & compliance
Emails sent to the API are processed in memory and discarded, never stored, logged, or sold. SOC 2 Type II attested, with 2.1B+ emails verified on the platform to date.
Independently audited to the SOC 2 Type II standard.
Built for the EU with full GDPR data-subject rights.
California opt-out, do-not-sell, plus DSAR handling.
Information security held to the ISO 27001 standard.
AI governance aligned to the new ISO 42001 standard.
Common questions
Auth, rate limits, the response shape, bulk jobs, and what happens to the addresses you send us. Real numbers, including the ones that are limits.
One header: X-API-Key: vfx_your_api_key. Create a free account, generate a key in the dashboard, and every endpoint accepts it. Keys carry scopes, so you can mint a verify-only key for a service that should never touch anything else.
The full auth section, including key rotation and the read-only scope, lives in the API reference.
Nine things, in parallel: RFC 5321/5322 syntax, domain existence and MX records, a live SMTP handshake with a mailbox ping, disposable-domain match, role-address detection, catch-all detection, AI-confidence scoring on catch-alls, domain age, and SPF/DKIM/DMARC authentication.
Every one of those surfaces as a field in the response, so your code can branch on the exact failure. The methodology behind each check is on the email verification service page.
Median single-verify latency is around 380 ms, and under 50 ms when the result is cached. Bulk jobs process roughly 10,000 emails per minute on the standard tier.
A real SMTP handshake takes time; anything that claims instant mailbox checks is skipping the mailbox. SLA is 99.9% on Starter and 99.99% on an annual Volume contract.
60 requests per minute on the single-verify endpoints. Past that you get a 429 and should back off before retrying. We publish the number because you will hit it if you loop a list through the single endpoint.
That is what the bulk endpoint is for: one POST covers up to 100,000 addresses and the rate limit stops mattering. Details in the API docs.
Yes. Signing up credits your account with 1,000 verifications, or 2,500 if your signup email is a work address. No card. Each single verify costs 1 credit, and credits never expire.
Want to test the engine before writing any code? The free email checker runs the same engine in the browser, 4 checks a day without an account.
POST your list (a JSON array or an uploaded CSV referenced by s3_url) to /v1/email-validation/bulk and you get a job ID back. Poll the progress endpoint for a live safe/risky/invalid summary, then page through results when the status hits completed.
Honest note: results are pull-based today. There is no webhook on bulk jobs, so build a poller. For a no-code path, the multiple email checker covers the same flow in the browser.
Catch-all servers accept every address during the handshake, which is why 20 to 40% of B2B lists fail there with most verifiers. We flag the domain via smtp.catchAll, then run AI-confidence scoring so the score field still separates likely-real from likely-fake.
You decide the threshold per use case. See the catch-all email checker for how the scoring behaves on real domains.
No. Addresses are processed in memory and discarded when the verification completes. Nothing is logged, retained, or sold, which matters when the addresses you verify belong to your users.
Verifox is SOC 2 Type II compliant, and the privacy policy spells out exactly what is touched and what is not, byte by byte.
reachable is the verdict: safe, risky, invalid, or unknown. isValid is the boolean rollup, and score (0 to 100) is the confidence grade that does the heavy lifting on catch-alls.
Most integrations gate on reachable and only read the nested smtp and mx objects when they need the why. Field-by-field docs are in the API reference.
Yes, two ways. Any agent that can make HTTP calls can hit the REST endpoints directly. Or skip the glue code: the email verification MCP server exposes this same engine as native tools for Claude, Cursor, and any MCP client.
If your agent also needs to discover addresses, not just verify them, pair this API with the email finder API or the email finder tool.
Start free
Sign up, mint a key, and make your first call inside two minutes. 2,500 credits if you sign up with a work email, and credits never expire. No card required.