If you’re dealing with fake or temporary emails in your sign-up forms, you know they create issues. Whether it’s clogging up your database, wasting resources, or spamming.
We see a lot of bogus signups on RightBlogger for people trying to abuse our free tier. So I thought I would share some of my best tips and insights.
In this post, I’ll show you how to block disposable emails using JavaScript with a few API calls.
This method is useful if you want to keep things clean and prevent users from abusing sign-ups with throwaway accounts. Let’s get into it.
Full Code Snippet
Since you’re here for the code, here’s the full snippet I use to check for disposable emails with a few API calls:
How it Works
Each API checks the email’s authenticity differently:
- Debounce.io: Detects disposable email providers instantly (free API).
- VerifyMail.io (optional): Confirms whether the domain is known for disposable emails (paid API).
- StopForumSpam: Adds extra checks for known spam emails and IP addresses with high confidence scores (free API).
Using all three helps make sure no temporary email services slips through. I still have seen plenty of ones not on these lists but I will prevent a lot from just using these.
Additional Checks for Users Signing Up
Even with these APIs, people are persistent, so here are a few more tips you can add to your signup flow to prevent bad signups.
Other tips for preventing bad signups:
- Limit Sign-Ups per IP: Allowing up to two sign-ups per IP per week can prevent repeat sign-ups from the same person. This can easily be do this with an Upstash Rate Limit.
- Restrict Dot Variations: Some people create multiple accounts by adding dots in Gmail addresses (like [email protected]). Counting periods and blocking emails with three or more can help cut down on abuse. You can also normalize all Gmail addresses by removing the periods before the @ symbol, but ensure that your login/signup flows factor this in, so no one gets locked out of an account.
- Watch for ‘+’: Users might add “+something” to the end of their email name (e.g., [email protected]). You could strip any “+” and everything after it in the username to get the base email for verification. I wouldn’t outright block + usage since people like to do +yourservice but just something to look out for.
Wrapping It Up
Blocking disposable emails with JavaScript is straightforward with the right APIs. By combining these methods, you’ll have a solid way to prevent temporary emails in your sign-up form, making your user base more authentic and manageable.