Validate email addresses and compute a 0–100 risk score based on six checks — syntax, MX records, disposable domains, domain age, free provider detection, and abuse list matching. Bulk assess up to 10 emails at once.
Every email is checked for syntax validity, MX records, disposable domain usage, domain age (via WHOIS), free provider status, and abuse list presence.
Results include a 0–100 score and a risk tier (low, medium, high, critical). Invalid syntax short-circuits at 100; other signals add weighted points.
Over 5,000 known disposable email providers are checked instantly. When a match is found, the provider name is returned (e.g. "guerrillamail").
Newly registered domains are a strong fraud signal. The API performs a live WHOIS lookup (with 7-day caching) and flags domains under 30 days old.
Domains are checked against the StopForumSpam toxic domain list — over 70,000 entries updated regularly from community-reported spam sources.
Assess up to 10 email addresses in a single request. Each email is evaluated independently so one failure doesn't block the rest.
```bash
# Assess a single email
$ curl -X POST https://api.apicrate.io/api/v1/email/risk \
    -H "X-API-Key: YOUR_API_KEY" \
    -H "Content-Type: application/json" \
    -d '{"email": "user@example.com"}'

# Response
{
  "status": "ok",
  "data": {
    "email": "user@example.com",
    "risk_score": 5,
    "risk_tier": "low",
    "checks": {
      "syntax": {"valid": true},
      "mx_record": {"valid": true, "mx_hosts": ["mx1.example.com"]},
      "disposable": {"is_disposable": false},
      "domain_age": {"domain": "example.com", "age_days": 10950, "source": "whois"},
      "free_provider": {"is_free": false},
      "abuse_list": {"listed": false, "sources": []}
    }
  }
}
```
```python
import requests

response = requests.post(
    "https://api.apicrate.io/api/v1/email/risk",
    headers={"X-API-Key": "YOUR_API_KEY"},
    json={"email": "test@guerrillamail.com"},
    timeout=10,  # requests has no default timeout; never block a signup indefinitely
)
response.raise_for_status()  # surface 4xx/5xx instead of parsing an error body

data = response.json()["data"]
print(f"Score: {data['risk_score']}, Tier: {data['risk_tier']}")
# Score: 65, Tier: high
print(f"Disposable: {data['checks']['disposable']['is_disposable']}")
# Disposable: True
```
```javascript
const res = await fetch("https://api.apicrate.io/api/v1/email/risk", {
  method: "POST",
  headers: {
    "X-API-Key": "YOUR_API_KEY",
    "Content-Type": "application/json",
  },
  body: JSON.stringify({ email: "signup@newdomain.xyz" }),
});
const { data } = await res.json();
if (data.risk_tier === "critical" || data.risk_tier === "high") {
  console.log(`Blocked: score ${data.risk_score}`);
}
```
```bash
# Assess multiple emails at once
$ curl -X POST https://api.apicrate.io/api/v1/email/risk/bulk \
    -H "X-API-Key: YOUR_API_KEY" \
    -H "Content-Type: application/json" \
    -d '{"emails": ["user@gmail.com", "spam@throwaway.email", "ceo@company.com"]}'

# Response
{
  "status": "ok",
  "total": 3,
  "data": [
    {"email": "user@gmail.com", "risk_score": 5, "risk_tier": "low", "checks": {"...": "..."}},
    {"email": "spam@throwaway.email", "risk_score": 65, "risk_tier": "high", "checks": {"...": "..."}},
    {"email": "ceo@company.com", "risk_score": 0, "risk_tier": "low", "checks": {"...": "..."}}
  ]
}
```
```python
import requests

emails = [
    "alice@gmail.com",
    "bob@tempmail.de",
    "carol@legitimate-corp.com",
]

response = requests.post(
    "https://api.apicrate.io/api/v1/email/risk/bulk",
    headers={"X-API-Key": "YOUR_API_KEY"},
    json={"emails": emails},
    timeout=10,  # requests has no default timeout
)
response.raise_for_status()

# Flag every address that lands in the high or critical tier (score above 50)
for result in response.json()["data"]:
    flag = "!" if result["risk_score"] > 50 else " "
    print(f" {flag} {result['email']}: {result['risk_score']} ({result['risk_tier']})")
```
```javascript
const res = await fetch("https://api.apicrate.io/api/v1/email/risk/bulk", {
  method: "POST",
  headers: {
    "X-API-Key": "YOUR_API_KEY",
    "Content-Type": "application/json",
  },
  body: JSON.stringify({
    emails: ["user@gmail.com", "test@guerrillamail.com", "admin@example.org"],
  }),
});
const { data, total } = await res.json();
console.log(`Assessed ${total} emails`);
data.forEach((r) => console.log(`${r.email}: ${r.risk_tier} (${r.risk_score})`));
```
```bash
# Return only score and tier
$ curl -X POST "https://api.apicrate.io/api/v1/email/risk?fields=risk_score,risk_tier" \
    -H "X-API-Key: YOUR_API_KEY" \
    -H "Content-Type: application/json" \
    -d '{"email": "user@example.com"}'

# Response
{
  "status": "ok",
  "data": {
    "risk_score": 5,
    "risk_tier": "low"
  }
}
```
```python
import requests

# Only fetch the score, the tier and the disposable check
response = requests.post(
    "https://api.apicrate.io/api/v1/email/risk",
    headers={"X-API-Key": "YOUR_API_KEY"},
    params={"fields": "risk_score,risk_tier,checks.disposable"},
    json={"email": "user@example.com"},
    timeout=10,  # requests has no default timeout
)
response.raise_for_status()
print(response.json()["data"])
```
```javascript
const res = await fetch(
  "https://api.apicrate.io/api/v1/email/risk?fields=risk_score,risk_tier",
  {
    method: "POST",
    headers: {
      "X-API-Key": "YOUR_API_KEY",
      "Content-Type": "application/json",
    },
    body: JSON.stringify({ email: "user@example.com" }),
  }
);
const { data } = await res.json();
console.log(data); // { risk_score: 5, risk_tier: "low" }
```
/api/v1/email/risk: Assess email risk
/api/v1/email/risk/bulk: Assess email risk (bulk)
Six checks: RFC 5321 syntax validation, MX record lookup, disposable domain detection (5,000+ domains), WHOIS domain age, free provider flagging, and StopForumSpam abuse list matching.
Invalid syntax scores 100 (critical) immediately. Otherwise, points are added: no MX records (+30), disposable domain (+35), domain age under 7 days (+30) or under 30 days (+20), abuse list match (+25), free provider (+5). Capped at 100.
Low (0–25), medium (26–50), high (51–75), and critical (76–100).
The bulk endpoint accepts up to 10 email addresses per request. Each email is assessed independently.
Yes. WHOIS results are cached for 7 days to avoid repeated lookups and rate limiting from WHOIS servers.
Not necessarily. Free providers (Gmail, Yahoo, Outlook, etc.) add only 5 points. The flag is informational — useful for B2B lead scoring where corporate addresses are preferred.
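The documented weights and tier bounds can be replayed on the client to record which signals drove a score, for example in a signup audit log. This is an added example, not APICrate's code: `explain_score`, `tier_for` and the reason labels are hypothetical names, and it assumes that a check missing from the response or an unknown domain age adds no points.

```python
# Added example: weights and tier bounds are the ones documented on this page.
WEIGHTS = {
    "no_mx": 30, "disposable": 35, "age_lt_7d": 30,
    "age_lt_30d": 20, "abuse_list": 25, "free_provider": 5,
}
TIERS = [(25, "low"), (50, "medium"), (75, "high"), (100, "critical")]


def tier_for(score):
    """Map a 0-100 score to its documented tier."""
    return next(name for upper, name in TIERS if score <= upper)


def explain_score(checks):
    """Recompute (score, tier, reasons) from a response's `checks` object."""
    # Invalid syntax short-circuits at 100; no other signal is considered.
    if checks.get("syntax", {}).get("valid") is False:
        return 100, "critical", ["invalid_syntax"]
    reasons = []
    if checks.get("mx_record", {}).get("valid") is False:
        reasons.append("no_mx")
    if checks.get("disposable", {}).get("is_disposable"):
        reasons.append("disposable")
    age = checks.get("domain_age", {}).get("age_days")
    if age is not None:  # assumption: unknown age adds no points
        if age < 7:
            reasons.append("age_lt_7d")
        elif age < 30:
            reasons.append("age_lt_30d")
    if checks.get("abuse_list", {}).get("listed"):
        reasons.append("abuse_list")
    if checks.get("free_provider", {}).get("is_free"):
        reasons.append("free_provider")
    score = min(100, sum(WEIGHTS[r] for r in reasons))  # capped at 100
    return score, tier_for(score), reasons


# Constructed sample: a disposable, abuse-listed, free-provider domain.
SAMPLE = {
    "syntax": {"valid": True},
    "mx_record": {"valid": True, "mx_hosts": ["mx.example.net"]},
    "disposable": {"is_disposable": True},
    "domain_age": {"domain": "example.net", "age_days": 4000, "source": "whois"},
    "free_provider": {"is_free": True},
    "abuse_list": {"listed": True, "sources": ["stopforumspam"]},
}

if __name__ == "__main__":
    print(explain_score(SAMPLE))
```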