How to Detect Disposable Email Addresses in Node.js

Steven Carver
Blog
Tutorials
How to Detect Disposable Email Addresses in Node.js

Disposable email addresses are a persistent problem for SaaS products.

Users register with throwaway addresses from services like Mailinator or Temp Mail, exploit your free tier, and vanish. The inbox expires, your onboarding sequence bounces, and your user data is compromised with signups that were never real.

The right place to stop this is at the point of signup, before the address ever touches your database. This guide shows you how to integrate disposable email detection into a Node.js application using the Spamova API.

What You Will Need

A Spamova API key from your account. Authentication is via Bearer token in the Authorization header. Your API key must always be kept server-side - never include it in browser-facing JavaScript.

Checking a Single Email Address

The /api/v1/check endpoint accepts a POST request with a single email and returns a detailed result object. The native fetch API works perfectly here - no additional libraries required.

// Run this server-side. Never expose your API key in browser JavaScript. const response = await fetch('https://spamova.com/api/v1/check', { method: 'POST', headers: { 'Authorization': 'Bearer YOUR_API_KEY', 'Content-Type': 'application/json' }, body: JSON.stringify({ email: 'james847@mailinator.com' }) });   const result = await response.json();

The response looks like this:

{ "email": "james847@mailinator.com", "syntax": "valid", "is_disposable": true, "risk_score": 98, "mx": "valid", "website_status": "redirect" }

syntax catches malformed addresses before any network logic runs. is_disposable is your primary signal. risk_score is a 0-100 confidence level that lets you handle ambiguous domains - ones that are suspicious but not yet confirmed on any list. mx validates that the domain has real mail infrastructure. website_status tells you whether the domain has an active website, redirects to another domain, or resolves to nothing.

Integrating at Signup

Here is a complete signup handler using Express:

async function checkEmail(email) { const response = await fetch('https://spamova.com/api/v1/check', { method: 'POST', headers: { 'Authorization': `Bearer ${process.env.SPAMOVA_API_KEY}`, 'Content-Type': 'application/json' }, body: JSON.stringify({ email }), signal: AbortSignal.timeout(3000) }); return response.json(); }   // Express signup route app.post('/signup', async (req, res) => { const { email } = req.body; const result = await checkEmail(email);   if (result.syntax === 'invalid') { return res.status(400).json({ error: 'Invalid email address.' }); }   if (result.is_disposable || result.risk_score >= 70) { return res.status(400).json({ error: 'Disposable email addresses are not allowed.' }); }   // Safe to proceed });

The 3-second timeout via AbortSignal ensures a slow DNS lookup never hangs your signup response. If the API call times out, decide in advance whether to fail open (allow the signup) or fail closed (block it). For most products, failing open is the safer default - a missed disposable email is less damaging than blocking a real user.

Checking Multiple Emails at Once

To check an existing user list or batch of imported contacts, use the /api/v1/bulk endpoint. Send up to 100 emails per request and receive a results array alongside a meta object with your remaining quota.

const response = await fetch('https://spamova.com/api/v1/bulk', { method: 'POST', headers: { 'Authorization': `Bearer ${process.env.SPAMOVA_API_KEY}`, 'Content-Type': 'application/json' }, body: JSON.stringify({ emails: [ 'james847@mailinator.com', 'sarah115@tempmail.com', 'steve.wozniak@gmail.com' ] }) });   const result = await response.json(); // result.results - array of check results // result.meta.checks_remaining - remaining quota

Requests with more than 100 emails are rejected entirely - no partial processing. For larger batches, chunk your array into groups of 100 before sending.

A Note on API Key Security

Store your API key in an environment variable and never hardcode it.

// .env SPAMOVA_API_KEY=your_api_key_here   // Usage process.env.SPAMOVA_API_KEY

Never include your API key in any code that runs in the browser. The check must happen server-side.

Get Started

Get your API key from your account and drop it into the code above. Your first check runs in minutes.

Get your API key →