How to Detect Disposable Email Addresses in PHP

Fake signups using disposable email addresses are one of the most common forms of abuse on SaaS products.

A user registers with a throwaway address from Mailinator or Guerrilla Mail, burns through your free trial, and disappears when the inbox expires. The fix is straightforward: check the email address at signup before it ever enters your database. This guide shows you how to do that in PHP using the Spamova API.

What You Will Need

A Spamova API key from your account. The API uses Bearer token authentication over HTTPS. Your API key must be kept server-side and never exposed in client-facing code.

Checking a Single Email Address

The /api/v1/check endpoint accepts a POST request with a single email address and returns a result object with everything you need to make a decision at signup.

$ch = curl_init('https://spamova.com/api/v1/check');

curl_setopt_array($ch, [
    CURLOPT_RETURNTRANSFER => true,
    CURLOPT_POST => true,
    CURLOPT_HTTPHEADER => [
        'Authorization: Bearer YOUR_API_KEY',
        'Content-Type: application/json',
    ],
    CURLOPT_POSTFIELDS => json_encode([
        'email' => 'james847@mailinator.com',
    ]),
]);

$result = json_decode(curl_exec($ch), true);

The response looks like this:

{
    "email": "james847@mailinator.com",
    "syntax": "valid",
    "is_disposable": true,
    "risk_score": 98,
    "mx": "valid",
    "website_status": "redirect"
}

Every field is useful. syntax tells you whether the email is validly formatted. is_disposable is your primary signal. risk_score gives you a 0-100 confidence level - useful for handling edge cases where the domain is suspicious but not yet confirmed disposable. mx tells you whether the domain has real mail servers. website_status tells you whether the domain has a live website, redirects elsewhere, or resolves to nothing.

Integrating at Signup

Here is a practical example of how to use the result in a signup handler:

function checkEmail(string $email, string $apiKey): array
{
    $ch = curl_init('https://spamova.com/api/v1/check');
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_POST => true,
        CURLOPT_HTTPHEADER => [
            'Authorization: Bearer ' . $apiKey,
            'Content-Type: application/json',
        ],
        CURLOPT_POSTFIELDS => json_encode(['email' => $email]),
        CURLOPT_TIMEOUT => 3,
    ]);
    $response = curl_exec($ch);
    curl_close($ch);

    // curl_exec() returns false on a timeout or network error.
    if ($response === false) {
        return [];
    }

    // Return an empty array if the body is not a JSON object.
    $decoded = json_decode($response, true);
    return is_array($decoded) ? $decoded : [];
}

// In your signup handler:
$email = $_POST['email'] ?? '';
$result = checkEmail($email, $_ENV['SPAMOVA_API_KEY']);

// An empty $result (timeout or API error) matches neither check below.
// Decide explicitly whether signups should proceed in that case.
if (($result['syntax'] ?? null) === 'invalid') {
    // Reject - malformed email address
}

if (($result['is_disposable'] ?? false) === true || ($result['risk_score'] ?? 0) >= 70) {
    // Reject - disposable or high-risk domain
}

// Safe to proceed with registration

The risk_score threshold is yours to define. 70 is a reasonable starting point - aggressive enough to catch most suspicious domains without blocking legitimate users. Adjust based on how much abuse you are seeing versus how much friction you are willing to add.

Checking Multiple Emails at Once

If you need to check a batch of existing users or a list of imported contacts, use the /api/v1/bulk endpoint. It accepts up to 100 emails per request and returns a results array with one result per email, plus a meta object showing checks used and checks remaining.

$ch = curl_init('https://spamova.com/api/v1/bulk');

curl_setopt_array($ch, [
    CURLOPT_RETURNTRANSFER => true,
    CURLOPT_POST => true,
    CURLOPT_HTTPHEADER => [
        'Authorization: Bearer YOUR_API_KEY',
        'Content-Type: application/json',
    ],
    CURLOPT_POSTFIELDS => json_encode([
        'emails' => [
            'james847@mailinator.com',
            'sarah115@tempmail.com',
            'steve.wozniak@gmail.com',
        ],
    ]),
]);

$result = json_decode(curl_exec($ch), true);

The bulk endpoint rejects requests with more than 100 emails in full - no partial processing. Split larger batches into chunks of 100 before sending.
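
Chunking a larger list for the bulk endpoint, as an added example that is not Spamova's own code. The HTTP call is passed in as a callable and replaced here by a constructed stub so the script runs offline (PHP 8); the checkInChunks name, the "results" response key and the "email" field on each bulk result are assumptions based on the description above.

```php
<?php
declare(strict_types=1);

const BULK_LIMIT = 100; // per-request maximum stated above

// $send is callable(array $emails): ?array. It performs one POST to /api/v1/bulk
// and returns the decoded body, or null on failure.
// Assumption: results sit under a "results" key and each carries an "email" field.
function checkInChunks(array $emails, callable $send): array
{
    // Trim and de-duplicate so repeated addresses do not consume extra checks.
    $unique = array_values(array_unique(array_map('trim', $emails)));
    $results = [];
    foreach (array_chunk($unique, BULK_LIMIT) as $chunk) {
        $body = $send($chunk);
        if (!is_array($body) || !is_array($body['results'] ?? null)) {
            continue; // whole chunk failed; it is reported as unchecked below
        }
        foreach ($body['results'] as $row) {
            if (isset($row['email'])) {
                $results[$row['email']] = $row;
            }
        }
    }
    // Anything without a result is reported, never silently treated as clean.
    $unchecked = array_values(array_diff($unique, array_keys($results)));
    return ['results' => $results, 'unchecked' => $unchecked];
}

// Constructed stand-in for the HTTP call; it mimics the full rejection of
// oversized requests and flags one sample domain.
$fakeSend = function (array $chunk): ?array {
    if (count($chunk) > BULK_LIMIT) {
        return null;
    }
    return ['results' => array_map(fn ($e) => [
        'email' => $e,
        'is_disposable' => str_ends_with($e, '@mailinator.com'),
    ], $chunk)];
};

// Constructed sample input: 250 addresses, more than one request can carry.
$list = [];
for ($i = 0; $i < 250; $i++) {
    $list[] = "user$i@" . ($i % 5 === 0 ? 'mailinator.com' : 'example.org');
}
$out = checkInChunks($list, $fakeSend);
$flagged = array_filter($out['results'], fn ($r) => $r['is_disposable'] === true);
printf("%d checked, %d flagged, %d unchecked\n",
    count($out['results']), count($flagged), count($out['unchecked']));
```

In production, replace $fakeSend with a closure that wraps the cURL call shown above and retry the addresses returned under 'unchecked'.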

A Note on API Key Security

Your API key must never appear in client-side code. Store it in an environment variable and reference it server-side only.

$apiKey = $_ENV['SPAMOVA_API_KEY'];

Get Started

Get your API key from your account, drop it into the code above, and disposable email detection is live at your signup form.