How to Protect Your Signup Form from Fake Registrations
Your signup form is the front door of your product. It is also the most commonly abused entry point.
Fake registrations take many forms: disposable email addresses, bot signups, free trial farming, and throwaway accounts created specifically to bypass limits or exploit free tiers. Left unchecked, they pollute your user database, distort your metrics, consume your infrastructure, and cost you money.
The good news is that most fake registrations are opportunistic rather than sophisticated. A few well-placed checks catch the vast majority of them without adding any meaningful friction for legitimate users.
Understand What You Are Actually Protecting Against
Before adding defenses, it helps to understand the threat clearly. Fake signups generally fall into a few categories.
Disposable email signups are the most common. A real human registers with a throwaway address from a service like Mailinator or Temp Mail. They want access to your product without giving you their real contact information. They have no intention of becoming a paying customer and will disappear when the trial ends or the inbox expires.
Bot signups are automated registrations, often run in bulk. These are typically associated with credential stuffing, spam operations, or scraping. The volume can be high and the intent is almost always malicious.
Free trial farming is a more deliberate form of abuse where a user creates multiple accounts to reset their free trial access. They may use different email addresses, sometimes disposable ones, to keep cycling through your trial period indefinitely.
Fabricated addresses are email addresses that look real but do not exist. The domain may be legitimate but the specific mailbox does not. These signups pass a basic format check but bounce immediately when you send to them.
Each type of fake registration requires a slightly different response. The most effective protection combines multiple lightweight checks rather than relying on any single mechanism.
Layer One: Syntax Validation
The first and cheapest check is syntax validation. Before your server does anything else with a submitted email address, verify that it is correctly formatted.
This is not a substitute for any other check, but it eliminates the sloppiest submissions immediately. Malformed addresses, missing @ symbols, invalid TLDs, and obvious garbage strings get rejected before they touch your database or consume any API quota.
Most programming languages and frameworks have built-in email validation. Use it as the first gate, not the only gate.
One additional signal worth capturing at this stage is suspected typos. An address like user@gmial.com or user@yaho.com is syntactically valid but almost certainly a mistake. Rather than silently rejecting it or letting it through, prompt the user to confirm or correct the address. This improves data quality for legitimate users and adds no friction for anyone who entered their address correctly.
Layer Two: Disposable Email Detection
Syntax validation catches formatting errors. Disposable email detection catches intent.
A disposable email check compares the domain of the submitted address against a database of known temporary email providers and applies additional signals to catch providers that are not yet on any public list. The result tells you whether the domain is associated with throwaway inbox services.
The most useful implementations return more than a simple yes or no. A risk score from 0 to 100 gives you a continuous signal to make smarter decisions. A domain that scores 95 is almost certainly disposable. A domain that scores 40 is ambiguous. A domain that scores 5 is almost certainly legitimate. This lets you block high-confidence disposable addresses outright, flag mid-range addresses for additional verification, and let low-risk addresses through without any friction.
Additional signals beyond the blocklist check make detection significantly more accurate. MX record validation tells you whether the domain has real mail servers. Website status tells you whether the domain resolves to a real website or redirects to known disposable infrastructure. Infrastructure fingerprinting identifies domains that share mail servers with known disposable providers, catching newly created throwaway services before they appear on any public list.
The check happens server-side, inline at signup, and adds under 200ms of latency in most cases. The user does not notice it.
Layer Three: MX Record Validation
An MX record check answers a different question than disposable detection. Instead of asking whether the domain is known to be disposable, it asks whether the domain is even capable of receiving email.
A domain with no MX records cannot receive mail. An address on that domain will bounce every time you try to contact the user. Whether the address was submitted intentionally or by mistake, it has no value in your database.
This check catches fabricated addresses that use real-looking but non-functional domains, newly registered domains that have not yet configured mail infrastructure, and simple mistakes where a user typed a plausible but nonexistent domain.
MX validation is fast because it is a DNS lookup, and the results are highly cacheable. Popular domains are queried constantly and their MX records are stable. For less common domains, a lookup takes milliseconds.
Layer Four: Rate Limiting and Behavioral Signals
The previous checks focus on the email address itself. Rate limiting and behavioral signals focus on the registration attempt.
IP-based rate limiting restricts how many signup attempts can come from the same IP address within a given time window. This catches most bot signup operations, which tend to fire requests rapidly from the same source or a small pool of sources.
Velocity checks flag suspicious patterns. Multiple signups from the same IP in a short window, multiple accounts created with addresses from the same domain, or registration attempts that complete unusually quickly (faster than a human can fill out a form) are all signals worth investigating.
CAPTCHA adds friction that bots cannot easily pass. The tradeoff is that it also adds friction for real users. Modern invisible CAPTCHA implementations reduce this cost significantly by only challenging suspicious requests rather than every submission.
Rate limiting and behavioral checks are most important if you are seeing high volumes of bot signups. For most early-stage SaaS products, disposable email detection handles the majority of fake registration problems without needing the additional complexity.
Layer Five: Email Confirmation
Email confirmation is not a signup protection mechanism on its own, but it serves as a final filter. Requiring users to confirm their address before gaining full access to your product ensures that at minimum the inbox existed at the moment of signup and was accessible to the person who registered.
This does not catch disposable email signups - disposable inboxes can receive and act on confirmation emails. But it does catch fabricated addresses, typos, and addresses where the user no longer has access to the inbox.
The important detail is what you gate behind confirmation. If your product is fully functional before confirmation, confirmation offers no protection. If meaningful features or trial access require confirmation, it creates a genuine barrier for anyone submitting an address they cannot access.
How to Combine These Layers
The most effective signup protection stacks these checks in order, from cheapest to most restrictive.
First, validate syntax. Reject immediately if the format is invalid. Flag suspected typos for user confirmation.
Second, check for disposable email. Block high-risk addresses outright. Flag mid-range scores for additional friction or monitoring.
Third, validate MX records. Reject addresses on domains with no mail infrastructure.
Fourth, apply rate limiting. Flag or block requests that exceed reasonable thresholds.
Fifth, require email confirmation before granting full trial access.
You do not need all five layers from day one. Most early-stage products get significant value from just the first two. Add layers as your product grows and the abuse patterns you encounter become clearer.
What Not to Do
A few common mistakes are worth avoiding.
Do not block entire email providers based on reputation alone. Gmail, Outlook, and Yahoo are used by both legitimate users and abusers. Blocking a provider because some of its users abuse free trials will cost you real customers.
Do not rely on a blocklist alone. Public blocklists of disposable email domains are useful but lag behind reality. New disposable services launch constantly. A detection approach that only checks against a static list will miss a meaningful percentage of throwaway signups.
Do not add friction indiscriminately. Every additional step in your signup flow costs you some percentage of legitimate signups. The goal is targeted friction that affects fake registrations without touching real users. A risk-score-based approach that only challenges high-risk submissions is significantly better than blanket restrictions that apply to everyone.
Do not treat confirmation as sufficient protection on its own. A disposable inbox can confirm an email. Confirmation tells you the inbox existed; it does not tell you whether the user intends to pay or engage.
The Cost of Doing Nothing
Fake registrations are not just an annoyance. They consume trial infrastructure, distort the metrics you use to make product decisions, damage your email deliverability over time, and generate support load from users who were never real prospects.
The cost of detection is low. A real-time API check at signup adds minimal latency, requires a few lines of code, and catches the vast majority of disposable and fake registrations before they become your problem.
The cost of not detecting them compounds quietly over time, in every cohort analysis that does not quite add up, every onboarding sequence that fires into expired inboxes, and every conversion rate that is slightly worse than it should be.