Email Verification API: The 2026 Developer Guide

Q: What is the difference between real-time and bulk email verification?

Real-time verification runs inside a user flow, usually on a signup or lead-capture form, and needs a single synchronous response in a few hundred milliseconds to a couple of seconds. Bulk verification cleans whole lists through a batch endpoint: you submit a job, get a job ID, then poll or receive a webhook when results are ready. Bulk jobs take minutes to hours because providers pace SMTP checks to avoid false signals and recipient defenses.

An email verification API is an HTTP endpoint your application calls with an email address. It runs syntax, domain, MX, and SMTP-level checks, then returns a structured verdict (valid, invalid, risky, or unknown) plus signals like disposable, role-based, and catch-all, so your code can suppress bounces before an address ever enters a sending pipeline. Overloop bundles that verification straight into its outbound workflow, so teams running prospecting and sequences do not have to wire a separate API to keep their bounce rate down.

You can do everything right in email, warm your domains, write good copy, segment your lists, and still get throttled because a chunk of your addresses were never deliverable in the first place. In 2026 that problem is harder to catch early: more corporate gateways and mailbox providers block SMTP probing, so verification results include far more "unknown" and "catch-all" than they used to.

An email verification API gives your app a fast, structured verdict you can act on at signup or during imports. The win is not perfection. The win is routing: suppress deterministic invalids, treat risky buckets differently, and keep your pipeline moving without poisoning your sender reputation. This is the developer and integration companion to our email verification guide, which ranks and compares the verification tools themselves. This page is about the API: the endpoints, the response codes, and the code that wires them in.

Disclosure: I am the CEO of Overloop, an outbound platform with verification built into the workflow. I recommend Overloop where it fits, but this guide is provider-agnostic on the API mechanics, because the response codes and integration patterns are the same whichever vendor you wire in.

How an Email Verification API Works

Clean inputs start with a simple pattern: your app sends an email address to a verification endpoint, and the API returns a structured verdict you can act on. Most providers expose the same building blocks, even if they label results differently. A typical real-time call is a single HTTP request:

curl -s https://api.example.com/v1/verify \
  -H "Authorization: Bearer $API_KEY" \
  -H "Content-Type: application/json" \
  -d '{ "email": "j.doe@acme.com" }'

And a typical response is a small JSON object your code can branch on:

{
  "email": "j.doe@acme.com",
  "status": "valid",
  "sub_status": "mailbox_exists",
  "checks": {
    "syntax": true,
    "domain": true,
    "mx": true,
    "smtp": true
  },
  "signals": {
    "disposable": false,
    "role_based": false,
    "catch_all": false,
    "free": false
  }
}

Under the hood the endpoint runs a layered set of checks. Each layer answers a different question, and each maps to a different action in your pipeline:

Syntax check. Confirms the address matches basic email formatting rules (a missing "@" or illegal characters). Outcome: reject clear typos instantly, before you spend a network round-trip.
Domain check. Confirms the domain exists and resolves in DNS. Outcome: catch dead or misspelled domains like gamil.com.
MX record check. Verifies the domain publishes mail-exchange (MX) records. Outcome: flag domains that cannot receive email at all.
SMTP check. Connects to the recipient mail server to see whether it will accept mail for that mailbox, without sending a message. Outcome: identifies many non-existent inboxes, but returns "unknown" when servers block probing.
Disposable detection. Detects temporary inbox providers such as 10 Minute Mail and Guerrilla Mail. Outcome: suppress addresses that often lead to low engagement and higher complaint risk.
Role-based detection. Flags shared inboxes like sales@, support@, or info@. Outcome: treat as higher risk for B2B outbound and route to different messaging rules.
Catch-all detection. Detects domains configured to accept mail for any address. Outcome: mark as "risky," because SMTP cannot confirm the mailbox exists.

The flow inside a single verification call is always the same five steps: your system collects an email, you call the API with the address and optional metadata (IP, timeout preference, idempotency key), the API runs the layered checks, it returns a status plus signals, and your code decides what to do, accept, block, ask for confirmation, or route to a review queue.

Real-Time vs Batch Verification

The same endpoint family shows up in two shapes, and they have different performance contracts. Pick the wrong one and you either block live signups on a slow call or hammer a synchronous endpoint with a million-row CSV.

Real-time verification

Real-time verification happens inside user flows, usually on lead-capture forms and product signups. The goal is low latency and clear UX. You verify on blur (when the user leaves the email field) or on submit, then show a targeted message like "Check the domain" or "Use a work email."

The tradeoffs are straightforward: you need fast responses (a few hundred milliseconds to a couple of seconds), solid rate limiting, and safe fallbacks when the API returns unknown or times out. Blocking too aggressively costs you B2B leads, especially when a company uses catch-all mailboxes.

Batch (bulk) verification

Batch verification cleans lists: CRM exports, event leads, scraped prospects, or old outbound databases. You send a batch, poll for completion, then segment results into "send," "suppress," and "retry later." Bulk jobs can take minutes to hours because providers pace SMTP checks to reduce false signals and avoid triggering provider defenses. A batch flow uses a job ID rather than a single synchronous response:

# 1. Submit the batch
POST /v1/batch
{ "emails": ["a@acme.com", "b@beta.io", "c@gamma.co"] }
-> { "job_id": "job_8fK2", "status": "queued" }

# 2. Poll (or receive a webhook) until done
GET /v1/batch/job_8fK2
-> { "job_id": "job_8fK2", "status": "completed", "results_url": "..." }

Bulk tradeoffs look different: you care about throughput, price per verification, and stable result codes you can map into your pipeline. You also want exportable metadata for suppression lists and re-verification rules, for example recheck unknowns in 7 to 14 days, and suppress hard invalids immediately. Prefer webhooks over polling for completion: polling works but adds operational noise and cost.

Most teams run both. Real-time when a rep or user adds a single address, batch when importing a list or syncing from a CRM. In outbound platforms this is exactly how it works: real-time on add, bulk on import, so campaigns start with fewer hard bounces.

Response and Result Codes

The whole point of the API is the response, so it is worth being precise about what each status means and what to do with it. Nearly every verifier returns a top-level status of valid, invalid, risky, or unknown, plus boolean signals. The trick is mapping those into your own operational buckets, not letting the vendor's taxonomy leak into your business logic.

API status	What it means	Your bucket	Action
`valid`	Syntax, domain, and MX pass, and SMTP confirms or does not reject the mailbox (many valid verdicts rest on syntax, domain, and MX when SMTP is inconclusive)	Send	Accept and sequence normally
`invalid`	Syntax fail, dead domain, no MX, or explicit "mailbox does not exist"	Suppress	Block immediately, add to suppression list
`risky` (catch-all)	Domain accepts any address, SMTP cannot confirm the mailbox	Low-volume lane	Send low volume from a warmed mailbox, stop on first bounce
`risky` (disposable)	Temporary inbox provider	Suppress (B2B)	Block for outbound and trials, ask for a work email
`risky` (role-based)	Shared inbox (sales@, info@)	Separate track	Route to company-level messaging, do not auto-delete
`unknown`	SMTP could not complete (greylisting, tarpit, rate limit, gateway)	Retry queue	Retry 1 to 3 times over 24 to 72 hours, then review

A clean integration normalizes the provider response into four outcomes of your own and stores the raw signals for audit:

function bucket(res) {
  if (res.status === "invalid") return "suppress";
  if (res.signals.disposable)  return "suppress";   // B2B outbound
  if (res.status === "valid")  return "send";
  if (res.signals.catch_all)   return "low_volume";
  if (res.status === "unknown") return "retry";
  return "review";
}

Treat "unknown" as a workflow state, not a rejection. Unknown means the verifier could not complete the SMTP step. It is not invalid. For signup forms, accept the address but require double opt-in before you send marketing. For outbound, queue it for retry and stop after the first bounce. SMTP-based "invalid" is only definitive when you also have a deterministic failure (no domain, no MX) or repeated bounces from that domain.

The signup form is where API response codes turn into UX that keeps good leads and blocks junk. A few rules keep it cheap and fast:

Verify on blur, not on every keystroke. Trigger when the user leaves the email field, then verify again on submit. This catches paste errors without spamming your API.
Debounce the call. Wait 400 to 800 ms after the last change before you send a request. Cancel in-flight requests when the user edits again (use AbortController in modern browsers).
Send minimal context. Post the email plus an idempotency key (for caching) and a short timeout preference. Do not send the full form payload to a verifier.
Map provider codes into four outcomes. Keep it simple: accept, block, accept-with-confirmation, manual-review. Store raw signals (disposable, role, catch-all, smtp code) for debugging.
Write UX messages that explain the fix. "That domain cannot receive email" beats "Invalid email." If you detect a typo domain (gamil.com), suggest the correction.
Cache results. Cache by lowercased email for 24 hours (or your risk tolerance). This cuts cost and improves latency on repeat attempts.

Real-time verification fails in predictable ways: corporate gateways block SMTP probing, consumer providers throttle, and mobile users sit behind flaky networks. Handle each result with a default that protects pipeline:

Unknown: accept the signup, then require email confirmation (double opt-in) before enabling marketing or outbound. For a product signup, allow limited access until confirmation.
Catch-all: accept if intent looks real (recent session, completed form), then confirm by email. For B2B lead capture, catch-all often hides valid work emails behind Microsoft 365 or Google Workspace gateways.
Disposable: block for trials, freemium abuse control, and outbound lead forms. Offer a clear alternative: "Use a work email."
Role-based: accept, but tag it. Route onboarding and outbound to a company-level track.

Bulk List Cleaning Without Killing Pipeline

Bulk cleaning works when you treat verification as a production job, not a one-off CSV check. The goal: suppress deterministic invalids immediately, then route everything else so reps keep sending to good prospects while your system absorbs uncertainty with retries and segmentation.

Export or ingest with stable IDs. Pull leads from HubSpot, Salesforce, Pipedrive, or a warehouse table and keep a unique key (the CRM record ID) so you can write results back and avoid re-verifying the same address.
Normalize before you pay. Lowercase, trim whitespace, remove trailing dots, split obvious junk, and drop duplicates by email. On messy lists this alone often cuts 5 to 20% of the checks you would have paid for.
Submit as a batch job. Use the provider's bulk endpoint (job ID plus polling or webhook) and set a realistic SMTP timeout policy so the job finishes predictably.
Segment into operational buckets. Map provider codes into buckets your sending system understands (Send, Suppress, Retry, Review) and store raw signals for audits.
Write back and enforce suppression. Update CRM fields and add suppressed emails to a global suppression list in your ESP or outbound tool (for example the Amazon SES suppression list, Mailgun suppressions, or your internal do-not-send table).

Set retry rules that protect reputation without stalling campaigns: retry unknown 1 to 3 times over 24 to 72 hours, cache the last result, then either move to Review or send one message and stop after the first bounce. Re-verify older "Send" results on a schedule, because B2B mailboxes churn fast. Validity estimates B2B data decays at roughly 22.5% per year as people change jobs, so a list verified six months ago is already partly stale. For the wider playbook on keeping a sending domain healthy, see our guide on how to improve email deliverability.

Do not turn verification into deliverability probing. Running aggressive SMTP verification at scale to map recipients looks hostile to mail providers, and it triggers blocks that raise your own "unknown" rate. Verify only what you plan to contact, prefer providers that pace SMTP checks and expose a timeout control, and re-verify on a schedule (many teams use 30 to 90 days) instead of rechecking the same address repeatedly.

Choosing a Provider: A Developer Checklist

"Suppress invalids, bucket catch-all and unknown" only works if your API returns stable, actionable signals at the speed and scale your pipeline needs. Before you wire one in, evaluate it against this list:

Accuracy and result taxonomy. Ask for a sample response schema and a mapping guide. You want clear separation between invalid (syntax, no domain, no MX) and risky (catch-all, role-based, disposable), plus a distinct unknown for SMTP-blocked cases. A vendor that collapses everything into valid/invalid will make you over-block B2B leads.
SMTP behavior and timeouts. Confirm whether the API performs SMTP-level checks, how it handles greylisting, and whether you can set per-request timeouts. Many servers intentionally return ambiguous responses to deter probing, so "unknown" needs to be a first-class outcome.
Latency for real-time flows. Measure p50 and p95 response times from your regions, not the vendor's marketing page. Signup UX breaks when p95 runs into seconds. Request a sandbox key and test from both frontend and backend.
Throughput and bulk controls. For list cleaning, look for batch endpoints, job IDs, polling or callbacks, and documented rate limits. Ask how the provider throttles SMTP checks to reduce false positives.
Webhooks and eventing. Prefer webhooks for bulk completion and status changes ("job finished," "export ready"). Polling adds operational noise and cost.
Pricing model and overages. Get clarity on what counts as a "verification" (retries, unknowns, catch-all checks), whether unused credits roll over, and what happens when you spike volume during imports.
Data retention and deletion. Verify default retention windows for submitted emails and logs, and confirm there is a documented deletion process (API or support ticket).
Compliance paperwork. Ask for a Data Processing Agreement, a sub-processor list, and where data is stored. Under GDPR, confirm the vendor's role (processor vs controller) and breach notification terms.
Support and SLAs. For production, require an uptime SLA, a status page, and a support response target for P1 incidents.

Before you commit, run a bake-off on your own data: 500 to 5,000 recent leads with known bounce outcomes. Compare how each API classifies hard bounces, catch-all domains, and "unknown" results, then pick the provider whose signals best match your suppression rules. For a side-by-side of the actual verifiers and their accuracy numbers, our email verification guide ranks twelve tools; this page stays on the integration mechanics.

Don't want to wire and maintain an API?

Overloop verifies addresses inside the same workflow that runs your prospecting and sequences, real-time on add, bulk on import, so deterministic invalids never reach a send.

Try Overloop free →

Security, Privacy, and Compliance

Email verification becomes a data-handling system the moment you store results, cache lookups, or write statuses back to a CRM. Treat the email address as PII and ship with privacy defaults that match your risk buckets:

Minimize what you send. Send the email address and an idempotency key. Avoid sending names, phone numbers, message content, or full lead records to a verifier.
Hash for joins, keep cleartext only where you must. If you only need dedupe and suppression, store a salted hash (for example HMAC-SHA256) for matching. Keep cleartext email only in systems that actually send mail, behind role-based permissions.
Set retention windows by outcome. Keep deterministic invalids longer in a suppression table. Expire "unknown" and catch-all results faster so you can re-verify. Document the windows and make them configurable.
Encrypt everywhere. Require TLS in transit, encrypt at rest with managed keys (AWS KMS, Google Cloud KMS, or Azure Key Vault), and rotate keys on a schedule.
Log safely. Keep audit logs for "who verified what and when," but redact or hash emails in application logs and disable verbose request logging on verification endpoints.
Rate limit and abuse-protect. Add per-IP and per-account limits plus bot protection on forms (Cloudflare Turnstile or reCAPTCHA), so attackers cannot use your verifier as a mailbox-enumeration tool.
Use least-privilege API keys. Separate keys for real-time forms and bulk jobs, stored in a secrets manager (AWS Secrets Manager, Google Secret Manager, HashiCorp Vault), never in frontend code or CI logs.

If you operate under GDPR, map verification to a lawful basis and document it. The European Data Protection Board guidance is a solid reference for internal reviews. Pair this with the rest of your sending hygiene in our roundup of email deliverability tools.

Verification Built Into Overloop

The honest framing: most outbound teams do not actually want to run a verification API. They want fewer hard bounces and a stable sender reputation, and the API is just plumbing to get there. That is why Overloop builds verification into the outbound workflow instead of leaving you to wire and maintain a separate service.

In Overloop, verification sits between prospecting and sending as a routing layer: it decides who enters a sequence, who gets suppressed, and who needs a safer lane. Teams use it at two moments, when a rep adds a prospect (real-time) and when a team imports or syncs a list (bulk), so sender reputation stays stable as volume grows.

Build or import a list. Source prospects from Overloop's 450M B2B contact database or import from a CRM like HubSpot or Salesforce.
Verify before sequencing. Verification runs automatically on new records, so you never start a sequence with a deterministic failure (dead domain, no MX, explicit "mailbox does not exist").
Bucket results into send lanes. Valid goes to normal sequences, risky goes to lower volume and tighter targeting, unknown goes to a retry or low-volume lane.
Launch with volume controls. Send safe leads at normal volume, risky leads at lower volume from warmed mailboxes.
Enforce bounce-based suppression. If an address bounces, it is suppressed immediately so it cannot re-enter future sequences.

This is where teams win: they stop paying for obvious bounces, and they keep pipeline by treating catch-all and unknown as risk buckets instead of rejects. Because Overloop stores its contact data in Brussels, the verification step keeps your GDPR posture clean when you process European contacts. Verification works best alongside a warmed sending domain, so if you are spinning up new mailboxes, pair it with email warmup first, and read the email deliverability pillar for the full picture.

The bottom line

An email verification API is a routing tool, not a magic gate. Suppress deterministic invalids (syntax, no domain, no MX, explicit "mailbox does not exist"), treat catch-all and unknown as risk buckets with retries and lower volume, and never let SMTP-based "invalid" be your only signal. Map the provider's status codes into your own four buckets, store the raw signals for audit, and verify only what you plan to contact.

If you would rather not build and maintain that pipeline, the verification is already wired into Overloop's outbound workflow, real-time on add and bulk on import, so your sequences start clean. The fastest payoff: ship a four-bucket policy (Send, Suppress, Retry, Review), then measure bounce rate by bucket and by domain for two weeks. Your data will tell you where verification helps and where your rules are blocking revenue.

Frequently Asked Questions

What is an email verification API?

An email verification API is an HTTP endpoint your application calls with an email address. It runs syntax, domain, MX, and SMTP-level checks, then returns a structured verdict (valid, invalid, risky, or unknown) plus signals like disposable, role-based, and catch-all. Your code uses that response to accept, block, confirm, or queue the address before it ever enters a sending pipeline. For a comparison of the tools that expose these APIs, see our email verification guide.

What is the difference between real-time and bulk email verification?

Real-time verification runs inside a user flow, usually a signup or lead-capture form, and needs a single synchronous response in a few hundred milliseconds to a couple of seconds. Bulk verification cleans whole lists through a batch endpoint: you submit a job, get a job ID, then poll or receive a webhook when results are ready. Bulk jobs take minutes to hours because providers pace SMTP checks to avoid false signals and recipient defenses.

What response codes does an email verification API return?

Most APIs return a top-level status of valid, invalid, risky, or unknown, plus boolean signals such as disposable, role_based, catch_all, and free. Map invalid (syntax, no domain, no MX, mailbox does not exist) to Suppress, valid to Send, catch-all and disposable to a Risk lane, and unknown to a Retry queue. Always store the raw signals so you can audit and re-bucket later.

Does Overloop have email verification built in?

Yes. Overloop verifies addresses inside its outbound workflow, both when a rep adds a single prospect (real-time) and when a team imports or syncs a list (bulk). Verification sits between prospecting and sending as a routing layer, so deterministic invalids are suppressed before a sequence starts. Teams that run outbound in Overloop do not need to wire a separate verification API to keep bounces down.

Can SMTP verification hurt my deliverability?

It can if you do it aggressively. Large-scale SMTP probing looks like mailbox enumeration to providers and security gateways such as Proofpoint, Mimecast, and Barracuda, which can block you and raise your unknown rate. Verify only addresses you plan to contact, use a provider that paces SMTP checks and exposes timeout controls, and cache results so you do not re-probe the same address repeatedly.

Does email verification guarantee inbox placement?

No. Verification reduces hard bounces and filters high-risk addresses, but inbox placement depends on sender reputation, authentication (SPF, DKIM, DMARC), content, engagement, and complaint rates. According to Validity's deliverability research, average inbox placement sits around 85%, so roughly one in six legitimate emails still misses the inbox. Use verification to keep your inputs clean, then let sending discipline protect the domain.

How an Email Verification API Works

Real-Time vs Batch Verification

Real-time verification

Batch (bulk) verification

Response and Result Codes

Real-Time Verification in Signup Forms

Bulk List Cleaning Without Killing Pipeline

Choosing a Provider: A Developer Checklist

Don't want to wire and maintain an API?

Security, Privacy, and Compliance

Verification Built Into Overloop

Frequently Asked Questions

Skip the API. Verify inside Overloop