If you’re dealing with fake or temporary emails in your sign-up forms, you know they create issues. Whether it’s clogging up your database, wasting resources, or spamming.
We see a lot of bogus signups on RightBlogger for people trying to abuse our free tier. So I thought I would share some of my best tips and insights.
In this post, I’ll show you how to block disposable emails using JavaScript with a few API calls. This runs server-side, so your API keys stay private. No matter your programming language, some of the tips here will still apply.
This method is useful if you want to keep things clean and prevent users from abusing sign-ups with throwaway accounts. Let’s get into it.
Full Code Snippet to Block Disposable Emails
Since you’re here for the code, here’s the full snippet I use to check for disposable emails with a few API calls:
How it Works
The snippet runs three checks in sequence. Each API catches different things, so combining them covers more ground than any single check would.
Debounce.io (free): Checks whether the email domain is a known disposable provider. Get a free API key at debounce.io. No credit card required.
VerifyMail.io (optional, paid): A secondary check that confirms whether the domain is associated with throwaway addresses. Useful if you want extra coverage beyond Debounce. Sign up at verifymail.io.
StopForumSpam (free): Cross-references the email and IP against a database of known spammers. No API key needed. It’s especially good at catching repeat abusers who rotate disposable emails but reuse the same IP.
One thing worth knowing: running three sequential API calls adds a small delay at signup. If latency matters to you, run Debounce and StopForumSpam in parallel with Promise.all() and only call VerifyMail as a fallback. Most signups get flagged by one of the free checks anyway.
Additional Checks for Users Signing Up
Even with these APIs, people are persistent. Here are a few more things you can layer into your signup flow.
- Limit Sign-Ups per IP: Allowing up to two sign-ups per IP per week cuts down on repeat abuse from the same person. You can set this up easily with an Upstash Rate Limit.
- Restrict Dot Variations: Some people create multiple accounts by adding dots in Gmail addresses (like [email protected]). Counting periods and blocking emails with three or more can help cut down on abuse. You can also normalize all Gmail addresses by removing the periods before the @ symbol, but make sure your login/signup flows account for this so no one gets locked out.
- Watch for ‘+’: Users might add “+something” to the end of their email (e.g., [email protected]). Stripping the “+” and everything after it gives you the base email for deduplication. I wouldn’t block + usage outright since plenty of people use it legitimately, but it’s worth normalizing before you store or check the address.
Is It Worth the Setup?
None of this stops every bad signup. Determined users will find workarounds, and new disposable email providers pop up faster than any blocklist can track them. But you don’t need perfection. Cutting out 80-90% of throwaway signups is enough to make your free tier sustainable and your user data actually useful. Since Debounce and StopForumSpam are both free, the only real cost is an hour of implementation. If fake accounts are eating into your product, that’s an easy tradeoff.