Signup Gating: Block Free & Disposable Emails

Use EmailKind to prevent spam signups on your SaaS by blocking free email providers (Gmail, Hotmail, Yahoo) and disposable emails (Mailinator, Guerrilla Mail) at registration time.

The Problem

Spammers sign up for free or trial plans using throwaway or free email addresses, then abuse your product. Manually maintaining blocklists is tedious and always incomplete.

The Solution

Call the EmailKind API at signup time and use the classification flags to decide whether to allow, challenge, or block the registration.

Implementation

1. Classify the email at registration

curl "https://emailkind.com/v1/[email protected]" \
  -H "Authorization: Bearer sk_live_your_key"

Response:

{
  "email": "[email protected]",
  "domain": "hotmail.co.uk",
  "provider": { "id": "outlook", "name": "Outlook.com", "type": "personal" },
  "classification": {
    "is_business": false,
    "is_free": true,
    "is_disposable": false,
    "is_education": false,
    "is_custom_domain": false,
    "is_role": false
  },
  "confidence": 0.98
}

2. Apply your gating logic

Here's a recommended decision matrix:

| Condition | Action | Reason | |-----------|--------|--------| | is_disposable = true | Block | Throwaway address, almost certainly spam | | is_free = true AND confidence >= 0.8 | Block or challenge | Free provider (Gmail, Hotmail, Yahoo) | | is_free = true AND confidence < 0.8 | Challenge (CAPTCHA, email verification) | Less certain — verify before blocking | | is_business = true AND is_custom_domain = true | Allow | Legitimate business email | | is_role = true | Challenge or route | Shared mailbox (info@, support@), not an individual — may warrant team onboarding | | is_education = true | Allow or special plan | University email | | confidence < 0.5 | Challenge | Unknown domain — ask for verification |

3. Example code (Node.js)

import EmailKind from 'emailkind';

const client = new EmailKind('sk_live_your_key');

async function shouldAllowSignup(email: string): Promise<{
  allowed: boolean;
  reason: string;
  requireVerification: boolean;
}> {
  const result = await client.classify({ email });

  // Always block disposable emails
  if (result.classification.is_disposable) {
    return { allowed: false, reason: 'disposable_email', requireVerification: false };
  }

  // Block free emails with high confidence
  if (result.classification.is_free && result.confidence >= 0.8) {
    return { allowed: false, reason: 'free_email', requireVerification: false };
  }

  // Challenge low-confidence or unknown results
  if (result.confidence < 0.5) {
    return { allowed: true, reason: 'low_confidence', requireVerification: true };
  }

  // Allow business emails
  return { allowed: true, reason: 'business_email', requireVerification: false };
}

4. Example code (Python)

from emailkind import EmailKind

client = EmailKind("sk_live_your_key")

def check_signup(email: str) -> dict:
    result = client.classify(email=email)

    if result.classification.is_disposable:
        return {"allowed": False, "reason": "disposable_email"}

    if result.classification.is_free and result.confidence >= 0.8:
        return {"allowed": False, "reason": "free_email"}

    if result.confidence < 0.5:
        return {"allowed": True, "reason": "low_confidence", "verify": True}

    return {"allowed": True, "reason": "business_email"}

Fine-Tuning with Custom Lists

If you need exceptions (e.g., allow a specific Gmail address), use Custom Lists to whitelist specific domains or override classifications.

Using Confidence Scores

The confidence field (0.0 to 1.0) tells you how certain the classification is:

| Score | Meaning | |-------|---------| | 0.95 - 1.0 | Very high — known provider, exact MX match | | 0.8 - 0.95 | High — strong MX or SPF match | | 0.5 - 0.8 | Medium — inferred from MX patterns | | 0.1 - 0.5 | Low — unknown or ambiguous domain |

Recommendation: Use confidence >= 0.8 as your threshold for automated blocking. For scores below 0.8, add a verification step (email confirmation, CAPTCHA) instead of blocking outright.

Best Practices

  • Don't block silently — show a clear message like "Please sign up with your work email"
  • Offer an appeal path — some legitimate users have free email addresses
  • Log decisions — track which signups were blocked and why, so you can tune your logic
  • Use the batch endpoint to retroactively classify existing users and clean up your database
  • Combine with email verification — EmailKind classifies the provider, but doesn't verify the mailbox exists. Use both for maximum protection.