Score Signup Email Domains Before You Activate the Account
One API call evaluates the domain behind a signup email — domain age, MX records, SPF, DMARC, disposable providers, freemail mailboxes, and EPP status — then returns a risk score, recommendation, and routing action your product can enforce immediately.
Evaluate a Signup Email
Enter a business email or domain. We score the domain — not the mailbox.
Email verification proves inbox control — not business legitimacy
Trial abuse, fake B2B signups, and coupon fraud often use custom domains registered days ago with just enough DNS to pass verification. You need domain intelligence at signup time, not after support hears about it.
What this API does
- Scores the domain behind an email address or domain name
- Detects disposable and freemail providers instantly
- Combines WHOIS/RDAP age, MX, SPF, DMARC, EPP status
- Returns explicit signals with score impact
- Suggests a routing action: allow, verify, step-up, block
What this API does not do
- Does not verify mailbox existence or SMTP deliverability
- Does not replace disposable-email vendors like ZeroBounce
- Does not prove company identity or KYC compliance
- Does not check DKIM without known selectors
Use it as a signup routing layer alongside email verification and your own fraud rules. Read the full guide →
From signup email to enforcement decision
WHOIS + DNS analysis
We query registration age, nameservers, MX, TXT, SPF, DMARC, MTA-STS, and EPP status in parallel. Freemail and disposable domains skip unnecessary lookups.
Route the signup
UseriskScore,recommendation, androuting.suggestedAction to allow, challenge, or block before activating trials or premium features.
Structured JSON built for product logic
Every response includes explainable signals so your team can tune thresholds without guessing why a domain was flagged.
/api/v1/domain/email-intelligenceBase URL:https://whoisjson.com/api/v1 · Auth:Authorization: TOKEN=<API_KEY>
{
"domain": "fresh-startup.io",
"domainCategory": "business",
"riskScore": 70,
"riskLevel": "high",
"recommendation": "review",
"routing": {
"suggestedAction": "step_up_verification",
"confidence": "medium"
},
"signals": [
{
"code": "DOMAIN_AGE_LT_7_DAYS",
"severity": "high",
"scoreImpact": 40,
"message": "Domain was registered less than 7 days ago."
},
{
"code": "NO_DMARC_RECORD",
"severity": "medium",
"scoreImpact": 12,
"message": "No DMARC record found for this domain."
}
],
"checks": { "...": "domain, dns, emailSecurity" },
"meta": {
"scoringVersion": "2026-07-06",
"cached": false
}
}
Turn scores into signup policy
Do not treat the score as a verdict. Userouting.suggestedAction to apply progressive friction that matches your business model.
| suggestedAction | Typical use | Example trigger |
|---|---|---|
allow | Create account normally | Mature business domain with healthy mail DNS |
verify_email | Email verification + monitoring | Medium risk, missing DMARC on younger domain |
step_up_verification | Require card, company details, or manual review queue | Domain < 30 days, weak mail posture |
require_business_email | Reject freemail on B2B-only flows | gmail.com,outlook.com, etc. |
manual_review | Security or fraud team queue | Critical risk score on custom domain |
block | Hard reject at signup | Disposable domain or unregistered domain |
What we evaluate on business domains
Registration age
Domain created in the last 7, 30, or 90 days is weighted heavily — a common trial-abuse pattern.
MX & SPF
Business domains without inbound mail infrastructure are higher risk for fake company signups.
DMARC policy
Missing or weak DMARC is a confidence signal. Reject policies reduce risk score on mature domains.
EPP status
Hold, redemption, and pending-delete states can indicate unstable or abusive infrastructure.
Built for teams that route signups by risk
SaaS free trials
Stop throwaway domains and same-day registrations from consuming premium trials before your sales team qualifies the lead.
Fintech & marketplaces
Add a lightweight domain-risk gate before KYB, payouts, or seller onboarding workflows.
B2B lead capture
Require a company-owned domain on demo requests, partner applications, and enterprise contact forms.
Fraud & trust teams
Complement domain reputation workflows with a single endpoint instead of stitching WHOIS and DNS calls yourself.
Start scoring in minutes
curl -s "https://whoisjson.com/api/v1/domain/[email protected]" \
-H "Authorization: TOKEN=YOUR_API_KEY"import requests
r = requests.get(
"https://whoisjson.com/api/v1/domain/email-intelligence",
headers={"Authorization": "TOKEN=YOUR_API_KEY"},
params={"email": "[email protected]"},
timeout=15,
)
r.raise_for_status()
data = r.json()
if data["routing"]["suggestedAction"] == "block":
raise SignupRejected(data["signals"])
if data["routing"]["suggestedAction"] == "require_business_email":
require_company_email()
Email Domain Intelligence FAQ
domainCategory: "freemail" withrouting.suggestedAction: "require_business_email". The domain is not marked fraudulent, but it is not treated as a company-owned identity for B2B-only flows.Add signup domain risk scoring to your product
Create your free account, call one endpoint, and route signups with confidence.