Can you verify email addresses in real time?
In a recent discussion about spamtraps and address lists and data collection a participant commented, “[E]very site should be utilizing a real-time email address hygiene and correction service on the front end.” He went on to explain that real time hygiene prevents undeliverable addresses and spamtraps and all sorts of list problems. I was skeptical to say the least.
Yes, there are APIs that can be queried at some of the larger ISPs to identify if an account name is taken, but this doesn’t mean that there is an associated email address. Yes, senders can do a real time SMTP transaction, but ISPs are quick to block SMTP transactions that quit before DATA.
I decided to check out one service to see how accurate it was. I’m somewhat lucky in that I created a username at Yahoo Groups over a dozen years ago but never activated the associated email address. This means that the account is shown as taken and no one else can register that address at Yahoo. But the address doesn’t accept any mail.

I next sent an email to both Yahoo accounts. Yahoo accepted mail to my working account but bounced mail to the Yahoo Groups only account.
    Final-Recipient: rfc822; biskybabe@yahoo.com
    Original-Recipient: rfc822;biskybabe@yahoo.com
    Action: failed
    Status: 5.0.0
    Remote-MTA: dns; mta5.am0.yahoodns.net
    Diagnostic-Code: smtp; 554 delivery error: dd This user doesn't have a yahoo.com account (biskybabe@yahoo.com) [-5] - mta1289.mail.ac4.yahoo.com
This tells me that for Yahoo addresses, Briteverify is using some sort of API call to identify whether or not an account name is taken. But just because an account name is taken doesn’t specifically mean that an account is a valid email address. It’s probably better than no verification, but real time verification isn’t going to help in all cases.
What about email accounts that don’t provide an API or a way to check the validity of an account? In that case it appears that they are using an aborted SMTP transaction. we tested
    Jan 24 15:20:00 misc postfix/smtpd[28917]: connect from smtpout9.briteverify.com[107.20.232.98]
    Jan 24 15:20:01 misc postfix/smtpd[28917]: NOQUEUE: reject: RCPT from smtpout9.briteverify.com[107.20.232.98]: 550 5.1.1 <mu/er9w9kmbyg+s5uehqdxqe@blighty.com>: Recipient address rejected: User unknown in virtual alias table; from=<admin@origindata.com> to=<mu/er9w9kmbyg+s5uehqdxqe@blighty.com> proto=SMTP helo=<emailver.briteleads.com>
    Jan 24 15:20:01 misc postfix/smtpd[28917]: lost connection after RCPT from smtpout9.briteverify.com[107.20.232.98]
    Jan 24 15:20:01 misc postfix/smtpd[28917]: disconnect from smtpout9.briteverify.com[107.20.232.98]
    Jan 24 15:20:01 misc postfix/smtpd[28915]: connect from smtpout7.briteverify.com[184.73.155.120]
    Jan 24 15:20:01 misc postfix/smtpd[28915]: NOQUEUE: reject: RCPT from smtpout7.briteverify.com[184.73.155.120]: 550 5.1.1 <aardvark@blighty.com>: Recipient address rejected: User unknown in virtual alias table; from=<admin@origindata.com> to=<aardvark@blighty.com> proto=SMTP helo=<emailver.briteleads.com>
    Jan 24 15:20:01 misc postfix/smtpd[28915]: lost connection after RCPT from smtpout7.briteverify.com[184.73.155.120]
    Jan 24 15:20:01 misc postfix/smtpd[28915]: disconnect from smtpout7.briteverify.com[184.73.155.120]
The verification service did correctly identify both addresses as invalid. However, this is exactly the kind of SMTP behaviour that is blocked by many places.
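A receiver-side view of the pattern in the log above, as an added example that is not from the original post: it scans Postfix smtpd lines for sessions that end in "lost connection after RCPT" and groups them by client IP along with the recipients that were rejected. The function name, the `min_aborted` threshold and the sample log (reserved example hosts and documentation IPs) are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample in the format of the Postfix smtpd lines quoted above;
# hosts, addresses and IPs are reserved documentation values, not real ones.
SAMPLE_LOG = """\
Jan 24 15:20:00 mx postfix/smtpd[101]: connect from probe1.verifier.example[192.0.2.10]
Jan 24 15:20:01 mx postfix/smtpd[101]: NOQUEUE: reject: RCPT from probe1.verifier.example[192.0.2.10]: 550 5.1.1 <nobody@example.org>: Recipient address rejected: User unknown in virtual alias table; from=<check@verifier.example> to=<nobody@example.org> proto=SMTP helo=<probe.verifier.example>
Jan 24 15:20:01 mx postfix/smtpd[101]: lost connection after RCPT from probe1.verifier.example[192.0.2.10]
Jan 24 15:20:01 mx postfix/smtpd[101]: disconnect from probe1.verifier.example[192.0.2.10]
Jan 24 15:20:05 mx postfix/smtpd[103]: connect from probe2.verifier.example[192.0.2.10]
Jan 24 15:20:06 mx postfix/smtpd[103]: lost connection after RCPT from probe2.verifier.example[192.0.2.10]
Jan 24 15:20:06 mx postfix/smtpd[103]: disconnect from probe2.verifier.example[192.0.2.10]
Jan 24 15:21:00 mx postfix/smtpd[102]: connect from mail.sender.example[198.51.100.7]
Jan 24 15:21:01 mx postfix/smtpd[102]: 4F2A11C0: client=mail.sender.example[198.51.100.7]
Jan 24 15:21:02 mx postfix/smtpd[102]: disconnect from mail.sender.example[198.51.100.7]
"""

LINE = re.compile(r"postfix/smtpd\[(\d+)\]: (.*)$")
CLIENT = re.compile(r"from (\S+)\[([0-9a-fA-F.:]+)\]")
REJECT_TO = re.compile(r"reject: RCPT from .* to=<([^>]*)>")

def find_rcpt_probes(log_text, min_aborted=1):
    """Return {ip: {"aborted": n, "rejected": [...]}} for clients that drop after RCPT."""
    rejected_in_session = defaultdict(list)  # smtpd pid -> recipients rejected so far
    report = defaultdict(lambda: {"aborted": 0, "rejected": []})
    for raw in log_text.splitlines():
        m = LINE.search(raw)
        if not m:
            continue
        pid, msg = m.groups()
        if msg.startswith("connect from"):
            rejected_in_session[pid] = []    # pid may be reused: start a fresh session
        elif (r := REJECT_TO.search(msg)):
            rejected_in_session[pid].append(r.group(1))
        elif msg.startswith("lost connection after RCPT"):
            client = CLIENT.search(msg)
            if client:
                entry = report[client.group(2)]  # aggregate by IP, not by hostname
                entry["aborted"] += 1
                entry["rejected"] += rejected_in_session.pop(pid, [])
    return {ip: e for ip, e in report.items() if e["aborted"] >= min_aborted}
```

A session that is dropped after RCPT with no rejection logged (the second one in the sample) still counts as aborted, since the client left once the recipient check was answered.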
Real time address verification for 100% of addresses is incredibly difficult. As I demonstrated above, their use of testing APIs makes the assumption that everyone with a login at Yahoo (or Google or other places) has an email address, but this isn’t necessarily true.
There are other assumptions that realtime address verification makes.
- No one ever typos the left hand side of their email address into an address of another user at the site. This isn’t true. For instance, I entered a common typo of my email address into the form and the service verified it as accurate. It probably is a valid, deliverable account but that doesn’t mean that it’s a good address.
- Spamtraps are always undeliverable addresses. This is not true and the above form did verify a spamtrap address that a friendly blocklist admin checked for me.
- No one typos the right hand side of an address to a valid domain. This is not true. For instance, I know a number of spamtrap domains used by Trend Micro. The form validates addresses there and tells me I’m good to send.
I’m not trying to knock the real time address verification services, I think what they’re attempting to do is good. I think the glossy marketing, though, will lead senders into a false sense of security. Just because a 3rd party service tells you an address is deliverable, doesn’t mean that the address is deliverable or that the address is safe to mail.
I do think potential verification customers deserve to understand how the services work so that they can make good decisions about purchasing those services.