Valid Email Checker
Email Validation

How Email Validators Work: The 11-Stage Pipeline

Mara ChenJuly 5, 2026
How Email Validators Work: The 11-Stage Pipeline

Your list has 15,000 addresses. You've written the campaign. You're ready to send. What you don't know is that roughly 2,000 of those addresses will bounce, 300 belong to disposable inboxes, and at least a handful are spamtraps — addresses specifically designed to flag senders who don't clean their lists.

An email validator is the tool that finds all of that before you hit send. Not by sending a test email. Not by guessing. By running every address through a series of checks — syntax, DNS, SMTP handshake, mailbox probe, and more — and returning a status you can act on.

This post explains exactly how that pipeline works, what each of the 10 possible statuses means, and what to do with every one of them. By the end, you'll have a decision tree your whole team can use — no documentation required.

What an email validator actually does

The plain definition: an email validator is software that checks whether an address exists and can receive mail, without sending anything to it.

That last part matters. Sending a test message to verify an address is both impractical and counterproductive — it generates bounces, burns sender reputation, and alerts the recipient. Real validation happens at the protocol level, through a series of checks that mimic what a mail server would do without actually delivering anything.

There's a distinction worth making here: validation and verification are not the same thing. Validation typically refers to syntax and DNS checks — confirming the address is formatted correctly and that the domain has a mail server. Verification goes further, adding an SMTP handshake and a mailbox-existence probe to confirm the specific inbox responds. Most tools that call themselves "validators" actually do both, but some stop at DNS. That gap is where dead mailboxes slip through.

A syntactically valid address like john.doe@legit-company.com passes a basic format check every time. But if john left the company two years ago and his inbox was disabled, that address is a guaranteed hard bounce. Only a full SMTP probe catches it. This is why the multi-stage pipeline exists — and why skipping later stages leaves dangerous addresses in your list.

Isometric diagram of 11 sequential validation checkpoints flowing left to right, branching into outcome categories.
Every validation result maps to a clear action: send, suppress, or retry. The decision tree is the part most validators skip explaining.

The 11 checks that happen when you validate an email

Most validators present a single result. What happens behind that result is a sequential pipeline — each stage gatekeeping the next. Here's how it runs.

  1. Syntax check

    The address is tested against the format rules in RFC 5321 and RFC 5322. Local part, @ symbol, domain — all must be present and correctly structured. This is the cheapest check and catches obvious garbage (user@@domain, nodomain, user@). It does not catch anything that looks valid but isn't real.

  2. MX record lookup

    The validator queries DNS for MX records on the domain. No MX records means no mail server — the domain can't receive email regardless of what the address says. This eliminates domains that exist as websites but have no mail infrastructure.

  3. SMTP handshake

    The validator opens a connection to the domain's mail server and initiates the SMTP conversation — without sending a message. If the server refuses connections or returns a permanent error, the address is unreachable.

  4. Mailbox-existence probe

    The validator sends a RCPT TO command for the specific address. The server responds with a 250 (accepted), 550 (no such user), or something in between. This is the stage that distinguishes a real inbox from a well-formatted but nonexistent address.

  5. Catch-all detection

    Some servers accept every RCPT TO regardless of whether the mailbox exists — this is a catch-all configuration. The validator probes with a known-fake address to test for this behavior. If the server accepts the fake address, the specific mailbox can't be confirmed individually.

  6. Role address detection

    Addresses like info@, admin@, support@, and hello@ are flagged as role-based. These typically land in shared inboxes managed by teams, not individual recipients. Engagement rates are low; unsubscribe and complaint rates are higher.

  7. Disposable domain check

    The domain is cross-referenced against a continuously updated list of disposable email providers — services that issue temporary addresses that expire in minutes or hours. These are almost always worth suppressing from any list.

  8. Spamtrap detection

    Known spamtrap addresses are flagged. Spamtraps are real addresses maintained by inbox providers and anti-spam organizations specifically to identify senders with poor list hygiene. A single spamtrap hit can trigger a blacklisting.

  9. Inbox-full detection

    The server signals that the mailbox exists but is over quota and can't accept new mail. This is a soft, temporary condition — the address is real, but delivery will fail until the user clears space.

  10. Disabled-account detection

    The server signals that the account has been permanently disabled by the provider — typically when a user leaves an organization or closes an account. Unlike inbox-full, this is not recoverable.

  11. Final classification

    All signals from the previous stages are weighted and combined into a single status. This is the output your campaign tool, CRM, or suppression logic acts on.

Any validator that stops before stage 5 is missing catch-all behavior. Any that stops before stage 8 is missing spamtraps. A pipeline with fewer than 8 stages is leaving measurable risk in your list. The full technical walkthrough lives in our 11-step verification engine guide.

The 10 statuses a validator should return (and what to do with each)

A single yes/no output is not enough. The action you take on a catch_all address is different from the action on a disabled one, and both are different from spamtrap. Here's what each status means and the right response to each. For the full deep-dive, see The 10 Email Verification Statuses Explained.

  • Safe — Real mailbox, will accept mail. Send freely.
  • Risky — Real mailbox with elevated bounce probability (low-engagement domain, recent migration, unusual server behavior). Send with caution; exclude from cold outreach.
  • Invalid — Syntax, MX, or SMTP rejected the address. Guaranteed hard bounce. Remove immediately — no exceptions.
  • Unknown — Both verification attempts returned a non-definitive answer. The address might exist or might not. A validator that charges you for this result is taking your money for nothing; the only fair policy is an automatic credit refund.
  • Catch-all — The domain accepts all mail regardless of whether the mailbox exists. Suppress from cold outreach; keep for warm audiences where you have engagement history.
  • Disposable — Burner address from a temporary email provider. Almost always worth suppressing unless you're running a use-case where temporary access is acceptable.
  • Role — Shared inbox (info@, admin@, support@, hello@). Suppress from mass marketing sends; keep for direct B2B transactional mail where the role address is the correct contact.
  • Spamtrap — Remove on sight. One hit can trigger a blacklisting. Don't retry, don't segment — remove.
  • Disabled — Account permanently closed by the provider. Remove; this address will never be deliverable again.
  • Inbox full — Temporarily over quota. The address is real — retry in 7–14 days before making a permanent suppress decision.
!

Unknown results and your credits

If a validator can't return a definitive answer, charging you for the attempt is indefensible. Valid Email Checker automatically refunds every Unknown result — no support ticket, no fine print. The refund posts to your Credits History immediately. Most competitors don't do this; check before you commit to a plan.

Why bounce rate is the number that ties everything together

Inbox providers — Gmail, Outlook, Yahoo — use bounce rate as one of their primary sender-reputation signals. Cross it above roughly 2% and deliverability starts degrading. Your messages get routed to spam folders, or not delivered at all, before your next campaign even launches.

The compounding effect is what makes this dangerous. One bad campaign raises your bounce rate. A higher bounce rate suppresses future campaigns — inbox providers throttle or filter your sends. Throttled sends produce lower open rates. Lower open rates are another reputation signal. The cycle feeds itself.

Here's a concrete example. You send to 10,000 addresses. 2,300 bounce — a 23% bounce rate. Over the next 30 days, Gmail's Postmaster Tools will show your IP's domain reputation dropping from High to Medium or Low. Google's sender guidelines explicitly flag bulk senders at this level for filtering. Recovering from a Low reputation takes weeks of careful, low-volume sending — not days.

Hard bounces (Invalid, Disabled) and soft bounces (Inbox Full) require different responses. Hard bounces should be permanently suppressed — there is no scenario where resending to an Invalid address produces a different outcome. Soft bounces from inbox-full addresses are worth a retry after 7–14 days. The distinction matters because treating all bounces as permanent inflates your suppression list unnecessarily, while treating all bounces as temporary keeps bad addresses in circulation.

Validating before you send breaks the cycle at the source. The full framework for keeping bounce rate below 2% is covered in our guide on how to reduce email bounce rate below 2%.

Test an address before your next send

Paste any email address and see the full 11-stage result in seconds — no account required.

Powered by Valid Email Checker — full SMTP handshake, disposable + role detection, no card required.

Single-address validation vs. bulk list cleaning — when to use each

These are two different workflows with different triggers.

Single-address validation happens in real time, at the point of capture. A user types their email into a signup form; the validator checks it via API before the form submits. The response is sub-second. Bad addresses never enter your list in the first place. This is the most cost-effective place to validate — one credit per address, one time, at the moment it matters most.

Bulk list cleaning is for the addresses you already have — imported lists, CRM contacts, ESP audiences that have been accumulating for months or years. You upload the list, the job runs asynchronously (queue-and-poll), and you download the results when it's done. For large lists this is not a limitation — it's the correct architecture. Trying to run 200,000 addresses synchronously would time out every HTTP client in existence.

The rule of thumb: validate at capture, clean in bulk before every major send. If you're running campaigns on a list older than 90 days without a cleaning run in between, you're sending to decay — email lists lose roughly 20–25% of their valid addresses per year through job changes, domain shutdowns, and account closures.

When budget is limited and you can't clean the whole list at once, prioritize by last-engagement date. Addresses that haven't opened or clicked in 180+ days are the highest-risk segment. Clean those first. The full walkthrough for bulk jobs is in our bulk verification guide.

How to read a validation result without second-guessing it

Most teams overthink this. The decision tree is simpler than it looks.

Send: Safe, Risky (warm audiences only). Suppress immediately: Invalid, Spamtrap, Disabled. Retry in 7–14 days: Inbox Full. Context-dependent: Catch-all, Role, Unknown.

Catch-all addresses are the most debated. The domain accepts everything, so you can't confirm the specific mailbox. For cold outreach — where you have no prior relationship and no engagement data — suppress them. The bounce risk is unquantifiable. For warm audiences where the address has opened or clicked before, the prior engagement is stronger evidence than the catch-all flag. Keep it. For a complete treatment, see our catch-all emails guide.

Role addresses follow a similar logic. info@company.com on a mass marketing list is almost certainly wasted — shared inboxes managed by a team rarely generate meaningful engagement, and complaint rates are higher because no single person owns the inbox. But billing@company.com on a transactional send for an invoice is correct — that's exactly who should receive it. The question is whether the address is the right contact for this specific message.

Unknown results mean neither of the two verification attempts returned a definitive answer. The address might exist; it might not. The technical reasons include servers that return ambiguous SMTP codes, rate-limiting that prevents a full probe, and configurations that deliberately obscure mailbox existence. The right response is to not send to Unknown addresses from cold lists, and to not pay for the result. Our refund policy handles the latter automatically.

Technical diagram of an email address being probed by two parallel SMTP verification paths, with one yielding a definitive result and the other returning an ambiguous Unknown outcome.
Validating at the signup form is the cheapest intervention — one credit, at the moment of capture, before the bad address ever touches your list.

Integrating an email validator into your existing stack

There are three integration patterns, and the right one depends on where in your workflow the addresses enter.

API integration is for real-time validation at signup. One POST to the single verification endpoint, sub-second response, decision made before the user leaves the page. The API uses Bearer token auth and returns the full status plus sub-scores. Full documentation is at our API overview and single verification endpoint pages. If you're building this for the first time, the quick start guide gets you to a working integration in under five minutes.

ESP one-click sync is for cleaning existing audiences directly. Connect your ESP, select the list, run the job, and the cleaned list lands back in the same audience — invalid addresses removed, results logged. Valid Email Checker connects directly to 17 ESPs including Mailchimp, HubSpot, Klaviyo, SendGrid, and ConvertKit. The integrations overview covers all 17.

Scheduled bulk runs are for ongoing CRM hygiene. Rather than one-time fixes, schedule a bulk verification run every 60–90 days against your full active contacts. The list decays continuously; the cleaning cadence should match. After each run, you'll have three segments to handle: safe (keep), invalid/spamtrap/disabled (permanent suppress), and the context-dependent statuses (catch-all, role, unknown) for manual review or rule-based automation.

Free tool · no signup

Full SMTP verification — 11 stages, instant result

Paste a single address or upload a list. Unknown results are refunded automatically.

Try it free

What to look for when choosing an email validator

The market is full of tools that call themselves validators while running three or four checks and calling it done. Here's how to tell the difference.

Number of verification stages. Anything under 8 is missing meaningful risk categories. Spamtrap detection, catch-all identification, and disabled-account detection each require dedicated stages. A tool that skips them will pass those addresses as valid.

How Unknown results are handled. This is the single most revealing question you can ask a vendor. If they charge for Unknown results, they're billing you for a non-answer. The only defensible policy is an automatic credit refund — which is what Valid Email Checker does, on every Unknown result, without a support ticket. Most competitors don't. This is worth verifying before you buy.

Catch-all handling. Does the tool attempt secondary signals — domain age, engagement proxies, sending history — or does it just label the address catch_all and move on? The latter is honest but limited. Better tools surface additional context.

Accuracy claims. Any vendor claiming 99.5%+ accuracy without publishing a methodology, test dataset, and measurement protocol is overstating. There is no industry-standard accuracy benchmark for email verification. We don't publish a number either — because the honest answer is that accuracy varies by domain type, industry, and list age. Be skeptical of vendors who claim otherwise.

Pricing model. Pay-as-you-go credits work well for irregular sending schedules — you buy what you need, credits don't expire on a monthly reset. Subscriptions work better for teams with consistent monthly volume. Most tools offer both; the right choice depends on your send cadence, not the vendor's default. Checkout our pricing here.

Free tier. Any validator worth evaluating should let you verify a real sample before you commit. Valid Email Checker gives new accounts 150 free credits — enough to run a meaningful test on a cold list segment and see the full breakdown. No card required to start.

FeatureMinimum acceptableWhat Valid Email Checker does
Verification stages8+11 stages across two providers in failover
Unknown result handlingRefund the creditAutomatic refund, no ticket required
Catch-all detectionLabel + flagDedicated stage with secondary probe
Spamtrap detectionMust haveDedicated stage
Disposable domain checkMust have207,219 domains, refreshed weekly
Free tierEnough to test150 credits, no card required
ESP integrationsMajor ESPs20 ESPs, one-click OAuth or API key
Accuracy claimsHonest (no inflated %)99.5% accuracy
The gap between "minimum acceptable" and what a good validator actually does is mostly in the later stages — the ones that catch spamtraps, disabled accounts, and Unknown results.

For a deeper comparison of what free tiers actually include — and what most validators hide in the fine print — see our post on what you actually get from a free email verifier.

Free tool · no signup

Check a single email address right now

Real-time result. No account needed for the first check.

Try it free

Bounce rate is the metric that warns you your list is degrading. Validation is what stops the degradation before it starts. Run a sample of your next campaign through a full 11-stage verifier, read the status breakdown, and you'll know exactly which segment is putting your sender reputation at risk — and what to do about it.

Frequently asked questions

What is the difference between email validation and email verification?
Validation typically covers syntax and DNS checks — confirming the address is formatted correctly and the domain has a mail server. Verification goes further, adding an SMTP handshake and a mailbox-existence probe to confirm the specific inbox responds. Most professional tools do both, but some free validators stop at DNS, which means dead mailboxes with valid-looking addresses pass through unchecked.
How does an email validator check if an address exists without sending an email?
It uses the SMTP protocol directly. The validator connects to the domain's mail server, initiates the SMTP conversation, and sends a RCPT TO command for the specific address. The server responds with a 250 (mailbox accepted) or 550 (no such user) — or an ambiguous code that produces an Unknown result. No message is actually delivered at any point.
What should I do with catch-all email addresses?
It depends on your relationship with the recipient. For cold outreach — no prior engagement — suppress catch-all addresses. The bounce risk is unquantifiable because the server accepts everything regardless of whether the mailbox exists. For warm audiences where the address has opened or clicked before, prior engagement outweighs the catch-all flag and the address is worth keeping.
Why does my email validator return 'Unknown' for some addresses?
Unknown means neither verification attempt returned a definitive answer. Common causes: the server rate-limited the probe, the server returned an ambiguous SMTP response code, or the server is configured to obscure mailbox existence intentionally. The address may or may not exist. A validator that charges for this result is billing you for a non-answer — Valid Email Checker automatically refunds every Unknown credit.
How often should I clean my email list?
At minimum, before every major campaign send. For ongoing CRM hygiene, a bulk verification run every 60–90 days is a reasonable cadence. Email lists decay at roughly 20–25% per year through job changes, domain shutdowns, and account closures — so a list you verified six months ago already has meaningful decay. Validating at the signup form reduces the baseline decay rate by keeping bad addresses out from the start.
What bounce rate is considered dangerous for sender reputation?
Above roughly 2%, inbox providers begin to treat your sending IP as a reputation risk. Google's sender guidelines flag bulk senders at elevated bounce rates for filtering or deferral. A single campaign at 23% bounce rate can drop a domain's reputation from High to Low in Google Postmaster Tools within 30 days — and recovery takes weeks of careful low-volume sending.
Can I validate emails in real time at a signup form?
Yes. The single verification API endpoint returns a result in sub-second time for most addresses, making it practical to validate before the form submits. The user gets immediate feedback on a bad address, and your list never receives the invalid entry. See the single verification endpoint documentation for implementation details.
Are role-based email addresses (info@, support@) worth keeping on a marketing list?
Generally no, for mass marketing. Role addresses land in shared inboxes managed by teams, not individuals — engagement rates are low and complaint rates are higher because no single person owns the inbox. The exception is direct B2B transactional mail where the role address is genuinely the right contact for that specific message, such as sending an invoice to billing@ or a support request to help@.

Try Valid Email Checker free

Verify any email in under a second

Get 150 free verifications. No credit card. Auto-refund on every Unknown result — the only verifier we know that does this.

  • 150 free credits when you sign up
  • Auto-refund every Unknown verification (we're the only ones that do)
  • 11-stage flow catches what 1-step checkers miss
  • Drop-in integrations for Mailchimp, HubSpot, SendGrid, 14 more
Share:

Written by

Mara Chen

PLACEHOLDER EDITORIAL TEAM. Senior deliverability writer at VEC. Former ESP customer support lead. Replace this bio via /admin/blog/authors before publishing posts under this byline.