StopReg is a powerful email validation API that helps you
detect and block disposable, temporary, and fake email
addresses in real-time. This documentation will guide you
through integrating StopReg into your application to protect
your platform from spam, fraud, and abuse.
What is StopReg?
StopReg provides businesses and individuals with tools and
resources for detecting and blocking disposable email
providers. Our API validates email addresses instantly
(typically within milliseconds), allowing you to block
disposable emails during signup, checkout, or form submission.
Key Features
Real-time Validation: Instant email
checking with millisecond response times
Extensive DEA Coverage: Detect disposable emails using our large and constantly
growing domain database
Privacy-Focused: We don't store full email
addresses - only check the domain part
Easy Integration: Simple REST API that
works with any programming language
Whitelisting Support: Whitelist trusted
domains to ensure legitimate users are never blocked
Blacklisting Support: Blacklist unwanted domains to prevent fake signups and
low-quality registrations.
Role, Alias & Relay Detection: Identify role-based, alias, and relay email addresses
for cleaner user data.
Make your first API call to validate an email address
The API endpoint is simple and secure. You'll use a
GET request with your API token in the header and the email/domain in the query string. Continue reading
the
next sections to learn about
authentication, endpoints, and code examples.
API Authentication
StopReg uses API token-based authentication. Your API token is
unique to your account and should be kept secure. Never share
your API token publicly or commit it to version control
systems.
Navigate to the API section or locate the API token on
your Dashboard home
Copy your API token (you can regenerate it at any time if
needed)
Using Your API Token
We recommend using the x-api-token header for all requests. This keeps your token out of
URL logs and follows industry standards.
Headers:x-api-token: YOUR_API_TOKEN
Security Best Practices
Keep it Secret: Treat your API token like a
password - never expose it in client-side code
Use Environment Variables: Store your API
token in environment variables, not in your source code
Regenerate if Compromised: If you suspect
your token has been exposed, regenerate it immediately from
your dashboard
Server-Side Only: Always make API calls
from your server-side code, never from the browser
Rate Limits
Rate limits depend on your subscription plan. Free trial
accounts have limited requests per day, while paid plans offer
higher limits or unlimited requests. Check your dashboard for
your current rate limit status.
API Endpoints
StopReg provides a simple REST API endpoint for email
validation. All endpoints use HTTPS and return JSON responses.
Email Verification
Endpoint:
GET https://api.stopreg.com/api/v1/verify/email/{email}
Domain Verification
Endpoint:
GET https://api.stopreg.com/api/v1/verify/domain/{domain}
Path Parameters
{email} (string, required for /email): The
email address to validate.
{domain} (string, required for /domain): The
domain name to validate (e.g., example.com).
Request Examples
Email Verification
GET https://api.stopreg.com/api/v1/verify/email/[email protected]Headers:x-api-token: YOUR_API_TOKEN
Domain Verification
GET https://api.stopreg.com/api/v1/verify/domain/example.com
Headers:x-api-token: YOUR_API_TOKEN
Response Format
The API returns a JSON response with the following structure:
The API response is structured into several nested objects. Below is a detailed technical reference for
each field in the payload.
Top-Level Fields
Field
Type
Description
statusInteger
200, 400, 401, etc.
The HTTP status code. Indicates the overall success or failure of the request.
messageString
"success" | "error"
A short string indicating the result state of the API operation.
descriptionString
Text
A human-readable summary of the verification result or the specific reason for an error.
dataObject
Payload
The container for all verification intelligence. Details are broken down in the sections
below.
Domain & Registry Analytics (data.domain)
Field
Type
Description
rootString
Value
The root domain extracted from your input (e.g., google.com).
is_subdomainBoolean
true / false
true if the input contained a subdomain prefix (e.g.,
mail.google.com); false if the input was already a root domain.
email_providerString |
null
Host
The identified email provider for this domain if a match is found in either the Email Domains
table or MX Matching table. Returns null if no provider match is found or provider
is "Unknown" (e.g., "Google", "Mailinator", "Zoho").
Input Intelligence (data.input)
Field
Type
Description
email | domainString
Raw Value
The original input provided in your request. Use this to map the response back to your local
records.
normalizedString
Canonical
The standardized version of your input. This value is lowercased, trimmed, and stripped of
sub-addressing (e.g., user+tag@ becomes user@).
suggestionString
Correction
If a common typo is detected (e.g., gnail.com), this provides the corrected domain
(gmail.com). Returns null if no correction is needed.
Infrastructure Analytics (data.mail_server)
Field
Type
Description
mx_foundBoolean
Status
true if valid Mail Exchange (MX) records were found for the domain. If
false, the email is likely undeliverable.
mx_recordsArray
List
An ordered array of MX records resolved from the domain's DNS settings, sorted by priority
(lowest number = highest precedence). Each entry contains:
hostname: The mail exchange hostname (e.g.,
"aspmx.l.google.com").
priority: The DNS priority value — lower numbers receive mail first.
mx_providerArray
Providers
Multi-Provider Intelligence. A prioritized list of all infrastructure
providers detected behind the email (e.g., Zoho + Namecheap). Contains:
slug: Identifier (e.g., "zoho corporation").
service_type:mailbox, hosting,
relay, or disposable.
grade: Professionalism tier (e.g., professional).
Strategic Classification (data.classification)
Field
Type
Description
is_disposableBoolean
High Risk
Critical Flag.true if the domain belongs to a temporary,
throwaway, or 10-minute mail provider. High correlation with fraud.
is_relayBoolean
Low Risk
true if the provider is a forwarding service or alias system (e.g., iCloud Hide
My Email). Common among privacy-conscious users.
is_unresolvedBoolean
Neutral
Zero-Trust Flag.true for unknown, non-major domains that proxy
through professional mail hosts. High correlation with "Stealth Disposable" providers.
is_publicBoolean
Neutral
true for common free consumers providers (Gmail, Outlook, Yahoo). Generally safe
for B2C registrations.
is_role_basedBoolean
Caution
true for address intended for groups (e.g., admin@, support@). Not
ideal for personal account signups.
is_aliasBoolean
Low Risk
true if sub-addressing was detected (e.g., [email protected]). Often used
to track source of signups.
Custom Policy Logic (data.policy)
Field
Type
Description
blocklistedBoolean
Custom
true if the input matches a domain or email explicitly blocked in your StopReg
Dashboard.
allowlistedBoolean
Custom
true if the input matches a trusted domain in your Dashboard, bypassing all
disposable checks.
Error Responses
If an error occurs, the API returns a JSON response with standardized error codes:
{
"status": 401,
"message": "error",
"description": "The provided API token is invalid.",
"data": {
"error": "invalid_token"
}
}
HTTP Status Codes
200 OK: Request successful
400 Bad Request: Invalid parameters (e.g., invalid_email,
invalid_domain)
429 Too Many Requests: Rate limit exceeded (rate_limited) or quota
exhausted (token_exhausted)
500 Internal Server Error: Unexpected server error
Official Libraries
We provide official SDKs for popular programming languages and frameworks.
For a detailed comparison and quick-start guide for all available libraries, visit our
Official Libraries Hub.
Node.js SDK (NPM)
Our Node.js SDK is designed for high-performance and zero-dependency security. It includes full
TypeScript support and robust error handling.
The official Laravel package integrates seamlessly with the Laravel Service Container and provides a
clean Facade for instant verification.
composer require stopreg/laravel
Email Verification:
use StopReg\Laravel\Facades\StopReg;
try {
$result = StopReg::checkEmail('[email protected]');
// Dump the result to see full intelligence datadd($result);
$isBlocked = $result['data']['classification']['is_disposable'] || ($result['data']['policy']['blocklisted'] ?? false) === true;
if ($isBlocked) {
returnback()->withErrors(['email' => 'This email is not allowed.']);
}
} catch (StopRegException $e) {
// Handle error
}
Domain Verification:
use StopReg\Laravel\Facades\StopReg;
try {
$result = StopReg::checkDomain('test.com');
// Dump the result to see full intelligence datadd($result);
$isBlocked = $result['data']['classification']['is_disposable'] || ($result['data']['policy']['blocklisted'] ?? false) === true;
if ($isBlocked) {
returnback()->withErrors(['domain' => 'This domain is not allowed.']);
}
} catch (StopRegException $e) {
// Handle error
}
Code Examples
Here are code examples for integrating StopReg API in various
programming languages. Replace
YOUR_API_TOKEN with your actual API token.
When integrating StopReg into your registration or signup
forms, validate the email address before allowing the user to
complete registration. If data.classification.is_disposable is
true, show an error message asking the user to
use a valid email address.
Best Practices & Troubleshooting
Follow these best practices to ensure optimal performance and
reliability when using the StopReg API.
Best Practices
Validate on Server-Side: Always perform
email validation on your server, never in client-side
JavaScript. This protects your API token and ensures
security.
Handle Errors Gracefully: Implement proper
error handling for network failures, rate limits, and API
errors. Provide user-friendly error messages.
Cache Results When Appropriate: For
frequently checked domains, consider caching results to
reduce API calls and improve performance.
Use Whitelisting: Whitelist trusted
corporate domains to prevent false positives and ensure
legitimate users are never blocked.
Monitor Rate Limits: Keep track of your API
usage to avoid hitting rate limits. Upgrade your plan if
needed.
Validate Email Format First: Check basic
email format before calling the API to save unnecessary
requests.
Common Use Cases
Registration Forms: Validate emails during
user signup to prevent fake accounts
Checkout Processes: Block disposable emails
during e-commerce checkout
Free Trial Signups: Prevent abuse of free
trial offers
Support Ticket Systems: Verify contact
emails for support requests
Troubleshooting
API Returns Error
Verify your API token is correct and active
Check that the email parameter is properly URL-encoded
Ensure you're using the correct endpoint URL
Slow Response Times
Check your network connection
Verify you're using HTTPS (not HTTP)
Consider implementing request timeouts and retries
False Positives
Use the whitelist feature for trusted domains
Report false positives through your dashboard
Check if the domain is actually disposable before blocking
Recommended Validation Configurations
Below are common StopReg validation configurations that can be used depending on your registration
requirements.
Each configuration uses fields from the data.classification and
data.mail_server objects in the API response.
1. Block Disposable Email Domains Only
Recommended if you want to block temporary and disposable email providers while allowing most
legitimate users.
Recommended if you want to allow Gmail, Yahoo, Outlook, and custom business domains while blocking
risky email types.
constresult = awaitclient.verification.checkEmail(email);
const { classification, mail_server } = result.data;
// Allow public email providers and custom domainsif (classification.is_disposable) {
thrownewError('Disposable email addresses are not allowed.');
}
if (classification.is_relay) {
thrownewError('Relay email addresses are not allowed.');
}
if (classification.is_alias) {
thrownewError('Email aliases are not allowed.');
}
if (classification.is_role_based) {
thrownewError('Role-based email addresses are not allowed.');
}
if (!mail_server.mx_found) {
thrownewError('Email domain has no mail server.');
}
import requests
response = requests.get(
f'https://api.stopreg.com/api/v1/verify/email/{email}',
headers={'x-api-token': api_token}
)
data = response.json()['data']
classification = data['classification']
mail_server = data['mail_server']
# Allow public email providers and custom domainsifclassification.get('is_disposable'):
raiseValueError('Disposable email addresses are not allowed.')
ifclassification.get('is_relay'):
raiseValueError('Relay email addresses are not allowed.')
ifclassification.get('is_alias'):
raiseValueError('Email aliases are not allowed.')
ifclassification.get('is_role_based'):
raiseValueError('Role-based email addresses are not allowed.')
ifnotmail_server.get('mx_found'):
raiseValueError('Email domain has no mail server.')
<?php$ch = curl_init('https://api.stopreg.com/api/v1/verify/email/' . urlencode($email));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_HTTPHEADER, ['x-api-token: ' . $apiToken]);
$body = json_decode(curl_exec($ch), true);
curl_close($ch);
$classification = $body['data']['classification'] ?? [];
$mailServer = $body['data']['mail_server'] ?? [];
// Allow public email providers and custom domainsif ($classification['is_disposable'] ?? false) {
thrownewException('Disposable email addresses are not allowed.');
}
if ($classification['is_relay'] ?? false) {
thrownewException('Relay email addresses are not allowed.');
}
if ($classification['is_alias'] ?? false) {
thrownewException('Email aliases are not allowed.');
}
if ($classification['is_role_based'] ?? false) {
thrownewException('Role-based email addresses are not allowed.');
}
if (!($mailServer['mx_found'] ?? false)) {
thrownewException('Email domain has no mail server.');
}
Alternative configuration:
const { classification, mail_server } = result.data;
// Block role and alias emails togetherif (classification.is_role_based || classification.is_alias) {
thrownewError('Role-based or alias email addresses are not allowed.');
}
if (classification.is_disposable || classification.is_relay) {
thrownewError('This email type is not allowed.');
}
if (!mail_server.mx_found) {
thrownewError('Email domain has no mail server.');
}
# Assumes data already fetched from APIclassification = data['classification']
mail_server = data['mail_server']
# Block role and alias emails togetherifclassification.get('is_role_based') orclassification.get('is_alias'):
raiseValueError('Role-based or alias email addresses are not allowed.')
ifclassification.get('is_disposable') orclassification.get('is_relay'):
raiseValueError('This email type is not allowed.')
ifnotmail_server.get('mx_found'):
raiseValueError('Email domain has no mail server.')
<?php// Assumes $body already fetched from API$classification = $body['data']['classification'] ?? [];
$mailServer = $body['data']['mail_server'] ?? [];
// Block role and alias emails togetherif (($classification['is_role_based'] ?? false) || ($classification['is_alias'] ?? false)) {
thrownewException('Role-based or alias email addresses are not allowed.');
}
if (($classification['is_disposable'] ?? false) || ($classification['is_relay'] ?? false)) {
thrownewException('This email type is not allowed.');
}
if (!($mailServer['mx_found'] ?? false)) {
thrownewException('Email domain has no mail server.');
}
3. Allow Business Domains Only
Recommended for B2B platforms that only accept company or business email addresses.
constresult = awaitclient.verification.checkEmail(email);
const { classification, mail_server } = result.data;
// Allow only business/custom domains// Block public email providers (Gmail, Yahoo, Outlook, etc.)if (classification.is_public) {
thrownewError('Please use your company email address.');
}
if (classification.is_disposable) {
thrownewError('Disposable email addresses are not allowed.');
}
if (classification.is_relay) {
thrownewError('Relay email addresses are not allowed.');
}
if (classification.is_role_based) {
thrownewError('Role-based email addresses are not allowed.');
}
if (classification.is_alias) {
thrownewError('Email aliases are not allowed.');
}
if (!mail_server.mx_found) {
thrownewError('Email domain has no mail server.');
}
import requests
response = requests.get(
f'https://api.stopreg.com/api/v1/verify/email/{email}',
headers={'x-api-token': api_token}
)
data = response.json()['data']
classification = data['classification']
mail_server = data['mail_server']
# Allow only business/custom domains# Block public email providers (Gmail, Yahoo, Outlook, etc.)ifclassification.get('is_public'):
raiseValueError('Please use your company email address.')
ifclassification.get('is_disposable'):
raiseValueError('Disposable email addresses are not allowed.')
ifclassification.get('is_relay'):
raiseValueError('Relay email addresses are not allowed.')
ifclassification.get('is_role_based'):
raiseValueError('Role-based email addresses are not allowed.')
ifclassification.get('is_alias'):
raiseValueError('Email aliases are not allowed.')
ifnotmail_server.get('mx_found'):
raiseValueError('Email domain has no mail server.')
<?php$ch = curl_init('https://api.stopreg.com/api/v1/verify/email/' . urlencode($email));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_HTTPHEADER, ['x-api-token: ' . $apiToken]);
$body = json_decode(curl_exec($ch), true);
curl_close($ch);
$classification = $body['data']['classification'] ?? [];
$mailServer = $body['data']['mail_server'] ?? [];
// Allow only business/custom domains// Block public email providers (Gmail, Yahoo, Outlook, etc.)if ($classification['is_public'] ?? false) {
thrownewException('Please use your company email address.');
}
if ($classification['is_disposable'] ?? false) {
thrownewException('Disposable email addresses are not allowed.');
}
if ($classification['is_relay'] ?? false) {
thrownewException('Relay email addresses are not allowed.');
}
if ($classification['is_role_based'] ?? false) {
thrownewException('Role-based email addresses are not allowed.');
}
if ($classification['is_alias'] ?? false) {
thrownewException('Email aliases are not allowed.');
}
if (!($mailServer['mx_found'] ?? false)) {
thrownewException('Email domain has no mail server.');
}
Alternative configuration:
const { classification, mail_server } = result.data;
// Allow only business domainsif (classification.is_public || classification.is_disposable || classification.is_relay) {
thrownewError('Please use a business email address.');
}
if (classification.is_role_based || classification.is_alias) {
thrownewError('Role-based or alias email addresses are not allowed.');
}
if (!mail_server.mx_found) {
thrownewError('Email domain has no mail server.');
}
# Assumes data already fetched from APIclassification = data['classification']
mail_server = data['mail_server']
# Allow only business domainsifclassification.get('is_public') orclassification.get('is_disposable') orclassification.get('is_relay'):
raiseValueError('Please use a business email address.')
ifclassification.get('is_role_based') orclassification.get('is_alias'):
raiseValueError('Role-based or alias email addresses are not allowed.')
ifnotmail_server.get('mx_found'):
raiseValueError('Email domain has no mail server.')
<?php// Assumes $body already fetched from API$classification = $body['data']['classification'] ?? [];
$mailServer = $body['data']['mail_server'] ?? [];
// Allow only business domainsif (($classification['is_public'] ?? false) || ($classification['is_disposable'] ?? false) || ($classification['is_relay'] ?? false)) {
thrownewException('Please use a business email address.');
}
if (($classification['is_role_based'] ?? false) || ($classification['is_alias'] ?? false)) {
thrownewException('Role-based or alias email addresses are not allowed.');
}
if (!($mailServer['mx_found'] ?? false)) {
thrownewException('Email domain has no mail server.');
}
4. Allow Public Email Providers Only
Recommended if you only want to allow Gmail, Yahoo, Outlook, and other free public email providers.
constresult = awaitclient.verification.checkEmail(email);
const { classification, mail_server } = result.data;
// Allow public email providers only (Gmail, Yahoo, Outlook, etc.)// Block business/custom domainsif (!classification.is_public) {
thrownewError('Only public email providers (Gmail, Yahoo, Outlook) are accepted.');
}
if (classification.is_disposable) {
thrownewError('Disposable email addresses are not allowed.');
}
if (classification.is_relay) {
thrownewError('Relay email addresses are not allowed.');
}
if (classification.is_role_based) {
thrownewError('Role-based email addresses are not allowed.');
}
if (classification.is_alias) {
thrownewError('Email aliases are not allowed.');
}
if (!mail_server.mx_found) {
thrownewError('Email domain has no mail server.');
}
import requests
response = requests.get(
f'https://api.stopreg.com/api/v1/verify/email/{email}',
headers={'x-api-token': api_token}
)
data = response.json()['data']
classification = data['classification']
mail_server = data['mail_server']
# Allow public email providers only (Gmail, Yahoo, Outlook, etc.)# Block business/custom domainsifnotclassification.get('is_public'):
raiseValueError('Only public email providers (Gmail, Yahoo, Outlook) are accepted.')
ifclassification.get('is_disposable'):
raiseValueError('Disposable email addresses are not allowed.')
ifclassification.get('is_relay'):
raiseValueError('Relay email addresses are not allowed.')
ifclassification.get('is_role_based'):
raiseValueError('Role-based email addresses are not allowed.')
ifclassification.get('is_alias'):
raiseValueError('Email aliases are not allowed.')
ifnotmail_server.get('mx_found'):
raiseValueError('Email domain has no mail server.')
<?php$ch = curl_init('https://api.stopreg.com/api/v1/verify/email/' . urlencode($email));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_HTTPHEADER, ['x-api-token: ' . $apiToken]);
$body = json_decode(curl_exec($ch), true);
curl_close($ch);
$classification = $body['data']['classification'] ?? [];
$mailServer = $body['data']['mail_server'] ?? [];
// Allow public email providers only (Gmail, Yahoo, Outlook, etc.)// Block business/custom domainsif (!($classification['is_public'] ?? false)) {
thrownewException('Only public email providers (Gmail, Yahoo, Outlook) are accepted.');
}
if ($classification['is_disposable'] ?? false) {
thrownewException('Disposable email addresses are not allowed.');
}
if ($classification['is_relay'] ?? false) {
thrownewException('Relay email addresses are not allowed.');
}
if ($classification['is_role_based'] ?? false) {
thrownewException('Role-based email addresses are not allowed.');
}
if ($classification['is_alias'] ?? false) {
thrownewException('Email aliases are not allowed.');
}
if (!($mailServer['mx_found'] ?? false)) {
thrownewException('Email domain has no mail server.');
}
Alternative configuration:
const { classification, mail_server } = result.data;
// Allow public email providersif (!classification.is_public || classification.is_disposable || classification.is_relay) {
thrownewError('Only public email providers are accepted.');
}
if (classification.is_role_based || classification.is_alias) {
thrownewError('Role-based or alias email addresses are not allowed.');
}
if (!mail_server.mx_found) {
thrownewError('Email domain has no mail server.');
}
# Assumes data already fetched from APIclassification = data['classification']
mail_server = data['mail_server']
# Allow public email providersifnotclassification.get('is_public') orclassification.get('is_disposable') orclassification.get('is_relay'):
raiseValueError('Only public email providers are accepted.')
ifclassification.get('is_role_based') orclassification.get('is_alias'):
raiseValueError('Role-based or alias email addresses are not allowed.')
ifnotmail_server.get('mx_found'):
raiseValueError('Email domain has no mail server.')
<?php// Assumes $body already fetched from API$classification = $body['data']['classification'] ?? [];
$mailServer = $body['data']['mail_server'] ?? [];
// Allow public email providersif (!($classification['is_public'] ?? false) || ($classification['is_disposable'] ?? false) || ($classification['is_relay'] ?? false)) {
thrownewException('Only public email providers are accepted.');
}
if (($classification['is_role_based'] ?? false) || ($classification['is_alias'] ?? false)) {
thrownewException('Role-based or alias email addresses are not allowed.');
}
if (!($mailServer['mx_found'] ?? false)) {
thrownewException('Email domain has no mail server.');
}
5. Block Relay Emails
Use this check to reject email addresses routed through relay or privacy-forwarding services such as
Apple Hide My Email, SimpleLogin, or AnonAddy.
Use this check to reject email addresses from domains that cannot be verified — unknown registrations,
expired domains, or domains with no DNS records.
constresult = awaitclient.verification.checkEmail(email);
const { classification } = result.data;
// Block unresolved domainsif (classification.is_unresolved) {
thrownewError('Email domain could not be verified. Please use a different address.');
}
import requests
response = requests.get(
f'https://api.stopreg.com/api/v1/verify/email/{email}',
headers={'x-api-token': api_token}
)
classification = response.json()['data']['classification']
# Block unresolved domainsifclassification.get('is_unresolved'):
raiseValueError('Email domain could not be verified. Please use a different address.')
<?php$ch = curl_init('https://api.stopreg.com/api/v1/verify/email/' . urlencode($email));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_HTTPHEADER, ['x-api-token: ' . $apiToken]);
$body = json_decode(curl_exec($ch), true);
curl_close($ch);
$classification = $body['data']['classification'] ?? [];
// Block unresolved domainsif ($classification['is_unresolved'] ?? false) {
thrownewException('Email domain could not be verified. Please use a different address.');
}
7. Block Public Email Providers
Use this check to reject free public email providers such as Gmail, Yahoo, and Outlook. Useful for B2B
sign-up forms that require a company email address.
constresult = awaitclient.verification.checkEmail(email);
const { classification } = result.data;
// Block public email providersif (classification.is_public) {
thrownewError('Please use your company email address.');
}
import requests
response = requests.get(
f'https://api.stopreg.com/api/v1/verify/email/{email}',
headers={'x-api-token': api_token}
)
classification = response.json()['data']['classification']
# Block public email providersifclassification.get('is_public'):
raiseValueError('Please use your company email address.')
<?php$ch = curl_init('https://api.stopreg.com/api/v1/verify/email/' . urlencode($email));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_HTTPHEADER, ['x-api-token: ' . $apiToken]);
$body = json_decode(curl_exec($ch), true);
curl_close($ch);
$classification = $body['data']['classification'] ?? [];
// Block public email providersif ($classification['is_public'] ?? false) {
thrownewException('Please use your company email address.');
}
8. Block Role-Based Emails
Use this check to reject role-based addresses such as admin@, support@,
info@, and noreply@ that are shared across teams and not tied to an individual
user.
constresult = awaitclient.verification.checkEmail(email);
const { classification } = result.data;
// Block role-based emailsif (classification.is_role_based) {
thrownewError('Role-based email addresses are not allowed. Please use a personal email.');
}
import requests
response = requests.get(
f'https://api.stopreg.com/api/v1/verify/email/{email}',
headers={'x-api-token': api_token}
)
classification = response.json()['data']['classification']
# Block role-based emailsifclassification.get('is_role_based'):
raiseValueError('Role-based email addresses are not allowed. Please use a personal email.')
<?php$ch = curl_init('https://api.stopreg.com/api/v1/verify/email/' . urlencode($email));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_HTTPHEADER, ['x-api-token: ' . $apiToken]);
$body = json_decode(curl_exec($ch), true);
curl_close($ch);
$classification = $body['data']['classification'] ?? [];
// Block role-based emailsif ($classification['is_role_based'] ?? false) {
thrownewException('Role-based email addresses are not allowed. Please use a personal email.');
}
9. Block Alias Emails
Use this check to reject email aliases — addresses containing a + suffix (e.g.
[email protected]) that could be used to bypass uniqueness checks or track your signup
form.
constresult = awaitclient.verification.checkEmail(email);
const { classification } = result.data;
// Block alias emailsif (classification.is_alias) {
thrownewError('Email aliases are not allowed. Please use your primary email address.');
}
import requests
response = requests.get(
f'https://api.stopreg.com/api/v1/verify/email/{email}',
headers={'x-api-token': api_token}
)
classification = response.json()['data']['classification']
# Block alias emailsifclassification.get('is_alias'):
raiseValueError('Email aliases are not allowed. Please use your primary email address.')
<?php$ch = curl_init('https://api.stopreg.com/api/v1/verify/email/' . urlencode($email));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_HTTPHEADER, ['x-api-token: ' . $apiToken]);
$body = json_decode(curl_exec($ch), true);
curl_close($ch);
$classification = $body['data']['classification'] ?? [];
// Block alias emailsif ($classification['is_alias'] ?? false) {
thrownewException('Email aliases are not allowed. Please use your primary email address.');
}
Allowing Trusted Domains
To allow specific domain names regardless of their classification, add them to the Allow
List from the
Manage Domains page.
Domains added to the allow list will bypass validation restrictions and Form Abuse Shield checks
entirely. This is useful for internal tools, partner organisations, or known corporate domains that may
be flagged by classification rules.
Example trusted domains:
example.com
company.org
business.net
Form Abuse Shield
To prevent abuse from unresolved or suspicious custom domains, configure Form Abuse
Shield from the
Manage Domains page.
The Abuse Shield system works based on your selected validation configuration and detection rules.
The system monitors unresolved custom domains and automatically performs the configured action —
block or notify — once the detection threshold is reached.
Domains added to the allow list are excluded from Abuse Shield monitoring.
Support
If you need additional help or have questions, contact our
support team at
[email protected]
or visit your dashboard for more resources.
Form Abuse Shield
Form Abuse Shield is a premium feature that automatically detects and blocks suspicious email domains from registering on your platform. It works alongside email validation to provide an additional layer of protection against form abuse, spam registrations, and fraudulent activity.
What is Form Abuse Shield?
Form Abuse Shield monitors unresolved and suspicious domains that reach your configured threshold. When a domain exceeds the threshold, the system automatically:
Notify mode: Automatically adds the domain to your allowlist and sends you an alert
Block mode: Automatically blocks the domain from further registrations
Key Features
Automatic Detection: Monitors unresolved domains and suspicious registration patterns
Configurable Threshold: Set the number of unresolved requests before action is triggered (2-50 requests)
Flexible Time Window: Choose your monitoring period (1, 3, or 7 days)
Two Action Modes: Notify (alert + allowlist) or Block (automatic blocking)
Manual Override Protection: Manually allowlisted domains are never auto-blocked, permanently protected
Dashboard Control: Manage, review, and adjust abuse shield settings anytime
How Form Abuse Shield Works
Step 1: Enable and Configure
Navigate to Manage Domains and configure your abuse shield settings:
Detection Rule: Set the threshold (e.g., block after 5 unresolved requests)
Time Window: Choose your lookback period (1, 3, or 7 days)
Action: Select Notify (alert only) or Block (automatic blocking)
Step 2: Monitoring Begins
Once configured, Form Abuse Shield continuously monitors incoming domain registrations:
Counts unresolved requests for each domain within your specified time window
Tracks suspicious patterns and registration velocity
Compares metrics against your configured threshold
Step 3: Automatic Action Triggered
When a domain reaches your threshold:
Notify Mode: Domain is automatically added to your allowlist and you receive an email alert with domain details and threshold information
Block Mode: Domain is automatically added to your blocklist and further registrations from that domain are rejected
Notify Mode vs. Block Mode
Feature
Notify Mode
Block Mode
Action
Auto-adds domain to allowlist
Auto-blocks domain from registering
Email Alert
✓ You receive notification
✓ You receive notification
Use Case
Review suspicious domains before making decisions
Automatically reject high-risk domains
Flexibility
Domain allowed; you can adjust later
Domain blocked; manually unblock if needed
Manual Allowlist Protection
Critical Protection: Domains that you manually allowlist are permanently protected and will never be automatically blocked by Form Abuse Shield, regardless of:
How many unresolved requests they receive
Whether you switch from Notify to Block mode
How high your threshold is configured
This ensures that manually allowlisted domains remain permanently trusted and are never blocked by any request made through your account.
Manual Blocklist Protection
Similarly, domains that you manually block will remain blocked permanently and cannot be unblocked by any automatic process.
Configuration Examples
Balanced Setup (Recommended)
Threshold: 5 unresolved requests
Window: 3 days
Action: Notify
Result: Good balance between security and false positive reduction
FAQ
Q: Can I manually allowlist a domain to prevent auto-blocking?
A: Yes! Manually allowlisted domains are permanently protected and will never be auto-blocked, regardless of Form Abuse Shield settings.
Q: What happens if I switch from Notify to Block mode?
A: Domains previously auto-added to the allowlist in Notify mode may be auto-blocked if they continue to receive unresolved requests and reach your threshold. However, manually allowlisted domains will remain protected.
Q: Can I unblock an automatically blocked domain?
A: Yes, you can manually remove it from your blocklist at any time from the dashboard.
Q: Is Form Abuse Shield available on all plans?
A: Form Abuse Shield is a premium feature available to paid plan subscribers. Free accounts do not have access to automatic abuse detection.
Support
If you have questions about Form Abuse Shield or need help configuring it, contact our support team at
[email protected]
or visit the Manage Domains page to get started.