Blog/Guides

Can You Verify an Email Address is Real?

Is it possible to check if an email exists without actually sending a message? The short answer is yes. The long answer is... complicated.

The short answer is yes.

The long answer involves a journey through 40-year-old internet protocols, a lot of patience, and a bit of detective work.

When developers first try to solve the "is this email valid" problem, they almost always start with Regular Expressions. You find that massive, 80-character regex string on StackOverflow that looks like someone fell asleep on their keyboard, paste it into your code, and call it a day.

And to be fair, that catches the obvious stuff. It stops bob@@gmail.com or alice name@domain. But it doesn't tell you if [email protected] actually belongs to a human named Bob, or if that account was deleted three years ago. It just tells you the shape of the string is correct.

So, you go a layer deeper. You check the DNS.

You look up the MX (Mail Exchange) records for the domain. This tells you if the domain is actually set up to receive email. If company.com has no MX records, you know [email protected] is fake. This is a great step, and it catches a surprising amount of bad data, especially from typos like gmil.com (which often doesn't have mail servers set up).

But we still haven't answered the core question: Does the user exist?

To figure that out without actually annoying the user with a "Verify your email" link, we have to talk to the mail server directly. This is where it gets fun.

The protocol is called SMTP (Simple Mail Transfer Protocol). It’s the handshake servers use to deliver mail. The trick is to start the handshake but never finish it.

  1. Connect to the server (e.g., gmail-smtp-in.l.google.com).
  2. Say HELO (yes, it's actually spelled like that).
  3. Say MAIL FROM: <[email protected]>.
  4. Say RCPT TO: <[email protected]>.

At this exact moment, the server will reply. If it says 250 OK, the user exists! If it says 550 User not found, they don't. You then strictly send a RSET or QUIT command to disconnect before sending any actual message data.

It sounds perfect, right?

Well, not quite. The internet is a hostile place, and mail servers are paranoid.

Some servers (like many corporate firewalls) are configured as "Catch-all." They will say 250 OK to everything, because they don't want to leak which employees work there to spammers. Others use "Greylisting," where they temporarily reject you just to see if you're a real server that will retry later. And almost all of them will ban your IP address if you open too many connections too quickly without sending emails.

And here is the kicker: even if you get a 250 OK, it doesn't guarantee a human is watching that inbox. It just means the server is willing to accept the message. The mailbox could be full, abandoned, or a "black hole" routing rule.

So, can you verify an email address is real? Yes, to a high degree of confidence. But the only way to be 100% sure a human is on the other end is to send them an email and have them click a link.

However, SMTP verification is the best tool we have to weed out the ghosts, typos, and fakes before you hit send. It is a fascinating engineering challenge if you have the time for it. But if you'd rather focus on building your actual product, we've already done the heavy lifting for you.

← Back to all posts