DEV Community

Cover image for How I Stopped Worrying About Fake Signups (And Built an API Instead)
J Kelly
J Kelly

Posted on

How I Stopped Worrying About Fake Signups (And Built an API Instead)

#api #saas #startup #webdev

If you’ve ever built a signup flow, you’ve probably run into this at some point:

You launch something… and within a few days you start seeing signups like:

asdf123@mailinator.com
test@test.com
qweqwe@tempmail.xyz

At first I ignored it. Then it started affecting things:
noisy user data
wasted emails
skewed metrics
occasional abuse

That’s when I realized basic email validation wasn’t doing much.

Regex isn’t enough

Like most people, I started with a simple regex check.

It works for catching obvious mistakes, but that’s about it.
It doesn’t tell you:
if the domain exists
if the domain can receive email
if it’s a disposable address

So technically valid emails were still completely useless.

What actually helped
I started layering in a few additional checks.
Nothing fancy — just practical stuff that could run fast enough during signup.

  1. Domain validation
    Make sure the domain actually exists.
    This alone filters out a surprising number of junk entries.

  2. MX record check
    Check if the domain can receive email.
    If there are no MX records, it’s not going anywhere.

  3. Disposable email detection
    This made the biggest difference.

There are tons of disposable email providers, and once you start blocking those, a lot of low-effort spam disappears.

The tradeoff: speed vs accuracy

At one point I looked into SMTP-level verification (checking if the mailbox actually exists).

It works… but it’s slow.

And for a signup form, speed matters more than being 100% certain.

I’d rather:
let a few bad emails through
than slow down the signup experience for real users

So I focused on checks that are:
fast
reliable enough
easy to run in real time

What I ended up doing
After experimenting with this across a couple projects, I ended up wrapping these checks into a small API so I could reuse it.

The goal wasn’t to build something overly complex — just something simple that:

validates emails quickly
catches obvious junk
works well during signup

Example request:

POST /v1/validate
{
  "email": "user@example.com"
}
Enter fullscreen mode Exit fullscreen mode 
{
  "email": "user@example.com",
  "normalizedEmail": "user@example.com",
  "suggestedEmail": null,
  "valid": true,
  "confidenceScore": 90,
  "deliverabilityLikelihood": "high",
  "syntaxValid": true,
  "mxRecordsFound": true,
  "disposable": false,
  "roleBased": false,
  "freeProvider": false,
  "provider": "custom",
  "catchAll": false,
  "warnings": []
}
Enter fullscreen mode Exit fullscreen mode

Where I landed
This setup has been a good balance so far:
fewer fake signups
cleaner data
no noticeable impact on signup speed

It’s not perfect, but it’s good enough for most real-world use cases.
Curious what others are doing
I’m interested in how others are handling this.

Are you:
sticking with basic validation?
using a third-party service?
doing anything more advanced?

Always curious to see how people balance accuracy vs performance here.

If anyone’s interested, happy to share more about what I’ve been building around this.

I'm looking for active developers to be Beta testers:

Join Beta Program - Get 50% Off Forever | EmailCheck.dev

Pro plan free for 3 months, then 50% off forever. Limited spots available.

favicon emailcheck.dev

Top comments (0)