Picking email validation in 2026 is harder than the accuracy claims suggest
I compared five validation APIs plus a self-hosted blocklist approach: ZeroBounce, Kickbox, Mailgun Validate, Abstract API, Hunter, and a local disposable-domain layer. The Reddit-style “just use X, it claims 99% accuracy” answers mostly ignore that vendors do not score catch-alls, unknown results, and greylisting the same way. A conservative validator can look worse in a benchmark while being safer for sender reputation.
My default for a typical indie signup form is not an API at all. It is a hybrid: block obvious throwaway and policy-disallowed addresses locally first, then call a validation API only when you need mailbox certainty, catch-all handling, or pre-campaign list cleaning. For the first layer in this ecosystem I use ded.merginit.com, our disposable email domains checker. It looks up domains against a maintained list without sending every candidate address to a third-party SMTP probe. Privacy-friendly, fast, and enough for abuse prevention on trials, coupons, and community signups.
When I do need an API, ZeroBounce is the deepest standalone validator in this set: real-time and bulk workflows, high published throughput, and a long compliance credential list. It is also the most expensive at low volume, and you should read the EU endpoint docs carefully before assuming EU-only processing. Mailgun Validate wins if you are already on Mailgun. Abstract API is the budget self-serve pick. Kickbox has clean developer ergonomics but weaker public pricing and legal transparency in the material I reviewed. Hunter is excellent for B2B prospecting, not generic consumer signup gates.
You cannot compare these on accuracy alone
People collapse four different jobs into “email validation.” Vendors in this list cover more than syntax. A blocklist usually covers only the policy layer unless you add DNS and SMTP logic yourself.
| Job | Blocklist | API vendors |
|---|---|---|
| Syntax | Local regex | All five |
| Domain / MX | Optional DNS lookup | All five |
| Mailbox / provider | No | All five |
| Policy (disposable, role, free-mail) | Yes | All five |
Vendors also meter different units. Pick the wrong mental model and you will mis-budget.
| Mental model | Tools | What burns quota |
|---|---|---|
| Validation credits | ZeroBounce, Kickbox, Abstract | Every API call, bulk file rows |
| Half-credit verifications | Hunter | One verification = 0.5 credit |
| Bundled send/optimize units | Mailgun Validate | Validations inside Mailgun or Optimize plans |
| Maintenance time | Self-hosted blocklist | List refresh, false positive tuning |
Blocking junk signups? A blocklist may be enough. Cleaning a list before a marketing send where bounces hurt domain reputation? Watch API credits and bulk pricing. Building a B2B outbound pipeline? Hunter’s economics only make sense if you already live in that workflow.
You will not get a perfect apples-to-apples table. Use the numbers below as directional, then test against addresses that actually show up in your product.
Free tiers at a glance
| Option | Free tier | Entry pricing | Bulk vs real-time | Rate limits | GDPR / residency | Feature depth | Best fit |
|---|---|---|---|---|---|---|---|
| Self-hosted blocklist | Effectively unlimited once deployed | Near-zero per lookup; maintenance is the real cost | Both trivial at local speed | Your stack | Strongest privacy; addresses need not leave your infra | Policy checks only unless you add MX/SMTP | Abuse prevention, privacy-first signups |
| ZeroBounce | 100 free monthly verifications on freemium accounts | PAYG from $39 for 2,000 credits; ZeroBounce ONE $99/mo for 10,000 credits | Real-time single, real-time batch, bulk file workflows; >200 emails should use bulk | Up to 80,000 validation requests in 10 seconds published; batch up to 100 emails/request | Strong formal compliance stack; DPA says EU-only endpoint required for EU-only processing; some endpoint pages still mention US processing | Syntax, MX, SMTP-derived status, disposable/role/catch-all, typo suggestions, scoring | Deepest standalone validator when you need bulk and compliance artifacts |
| Kickbox | Secondary sources report ~100 free verifications for new accounts; official terms not directly verified here | Secondary sources report ~$5/500, ~$10/1,000, ~$80/10,000; credit expiry terms conflict across sources | Real-time single API plus async batch with job polling | Official SDKs expose response-time headers; parallel request limits not verified on current official site | US and EU endpoints exist in reviewed material; no accessible public DPA found | Result, reason, role, free, disposable, accept_all, typo suggestion, Sendex score | Simple developer API if you can tolerate weaker public commercial/legal docs |
| Mailgun Validate | No generous standalone free validation tier; bundled in Mailgun plans | Basic send overages from $1.20 per 100 validations; Optimize Pilot 2,500 validations for $49/mo | Real-time single and async bulk; CSV/gzip up to 25 MB, 5 parallel jobs | Single validation rate-limited by active requests; numeric limit not published | US and EU validation servers; data can remain in chosen region | Disposable, role, mailbox/provider lookup, catch_all, risk, engagement | Best inside Mailgun or a broader deliverability stack |
| Abstract API | 100 requests free | Starter $17/mo for 5,000 requests | Real-time API plus bulk CSV upload | 3 requests/second on self-serve plans | DPA exists with US transfer terms; weak public region-specific hosting story | Deliverability, SMTP/MX validity, sender, domain, quality, catch-all, risk, breaches | Budget low-volume apps wanting one rich API response |
| Hunter | 50 credits/month free; verification costs 0.5 credit (= 100 verifications) | Starter €49/mo for 2,000 credits (= 4,000 verifications); Scale €299/mo for 25,000 credits (= 50,000 verifications) | Real-time API plus bulk verifier | 10 req/s and 300 req/min on Email Verifier API | Main servers in Belgium; SCCs for non-EU subprocessors; DPA in terms | Regexp, gibberish, disposable, webmail, MX, SMTP check, accept_all, score | B2B prospecting and outreach, not generic signup hygiene |
Kickbox pricing and credit policy in this table come from consistent secondary sources, not contract-grade official pages I could retrieve with the same confidence as ZeroBounce, Mailgun, Hunter, or Abstract. Re-check inside the product before you buy.
When a blocklist is enough
A self-hosted blocklist usually means one of three setups. The simplest: normalize the email, extract the domain, compare against a disposable-domain list, optionally reject role prefixes or free-mail domains. Stronger: add DNS/MX checks. Hybrid: keep policy logic local and escalate ambiguous cases to an API.
The business case is obvious. If you only need to stop throwaway domains from polluting trials or coupon redemptions, a local list avoids sending every address to a third party. That matters for GDPR-sensitive products and for latency on hot signup paths. The npm disposable-email-domains package is the common starting point; Kickbox also offers a hosted API version of that dataset. Teams I have seen schedule weekly or monthly refreshes because stale lists miss new disposable domains.
The ceiling is also obvious. A blocklist does not tell you whether the mailbox exists, whether the domain is catch-all, whether there is a typo you can fix, or whether a corporate inbox is risky but not outright invalid. APIs expose those signals. Mailgun has provider lookup, catch-all, role, disposable, and risk. Hunter has MX, SMTP server, SMTP check, accept-all, and score. Abstract exposes is_smtp_valid, is_mx_valid, quality and risk. Kickbox has Sendex and accept_all. ZeroBounce goes deeper on enrichment and scoring.
That gap drives the false-positive and false-negative tradeoff. A stale list misses fresh disposable domains (false negatives). An over-aggressive policy list rejects legitimate addresses on domains that are not actually disposable (false positives). API SMTP logic reduces misses but introduces ambiguity around catch-all and greylisting, which is why unknown exists.
A blocklist is enough when the goal is abuse prevention, not deliverability certification: rejecting obvious disposables, enforcing business-email-only rules, or reducing junk signups where some leakage is acceptable. You need an API when an invalid address will cost money, harm sender reputation, or break onboarding: marketing sends, transactional programs, B2B outbound, high-value trials, or enterprise products where auditability matters. If your question is “is this address worth storing?”, a blocklist may be enough. If it is “can I safely send here at scale?”, you need an API.
For a privacy-first hybrid I would stack three layers: client or edge syntax plus optional local denylist; server-side disposable and policy checks with optional MX lookup; API escalation only for premium signups, transactional-critical paths, or pre-campaign bulk cleaning. ded.merginit.com fits the first two layers without making a vendor the default answer.
What the free tiers actually cost you later
Self-hosted blocklist and ded.merginit.com
ded.merginit.com checks domains against a maintained disposable-email list with a fast lookup UI. Copy-friendly results work for onboarding review. The marginal cost per lookup is effectively zero. The bill is maintenance: refreshing the dataset, tuning role and free-mail rules, and accepting that you will not get catch-all or mailbox certainty.
I reach for this when privacy matters more than perfect classification and when false negatives on brand-new disposable domains are an acceptable tradeoff. Schedule refreshes. Do not treat a six-month-old JSON file as authoritative.
ZeroBounce: depth, throughput, residency footnotes
ZeroBounce’s freemium includes 100 monthly verifications. PAYG starts at $39 for 2,000 credits and drops with volume. ZeroBounce ONE at $99/mo bundles 10,000 validation credits if you validate regularly.
The product depth is real. Real-time single, real-time batch, and bulk file workflows. Published limits are aggressive: up to 80,000 validation requests in 10 seconds, batch endpoint up to 100 emails per request. The API docs say responses can take 1 to 30 seconds, with 96 to 98% of domains returning in 1 to 5 seconds. SOC 2 Type 2, ISO 27001, HIPAA, and a public status page are listed on their site.
Where ZeroBounce loses me on procurement is residency wording. The DPA defines an EU-only endpoint for EU-only processing, but some endpoint documentation still mentions US processing. Verify endpoint-by-endpoint in contract, not from marketing copy alone.
Mailgun Validate: ecosystem fit, weak standalone value
Mailgun Validate is mature if you already send through Mailgun. Validation logic exposes risk, catch-all, disposable, role-based, and provider-lookup behavior. US and EU validation servers exist, and Mailgun says data can remain in the region you choose.
As a validation-only purchase it is awkward. Basic send plan overages start around $1.20 per 100 validations. Mailgun Optimize bundles validations into broader deliverability plans. Bulk validation supports CSV/gzip up to 25 MB with five parallel jobs. I would not add Mailgun just for signup form validation unless deliverability ops are already in the same account.
Abstract API: cheap entry, broad payload
Abstract’s email validation API gives 100 free requests and a $17/mo Starter plan for 5,000 requests at 3 req/s. For the price you get a wide response: deliverability, SMTP and MX validity, sender, domain, quality, catch-all, risk, and breach signals. Bulk CSV upload is supported.
Abstract is the pick when you want one REST call with a rich payload on a side project budget. Public docs did not give me a strong regional hosting story or comparable latency numbers. Treat accuracy claims as marketing until you run your own labeled set.
Kickbox: developer-friendly, murky commercial docs
Kickbox has official SDKs in multiple languages, a simple response model (result, reason, role, free, disposable, accept_all, typo suggestion, Sendex score), and async batch with callback headers. The X-Kickbox-Response-Time header and a 6,000 ms default timeout in SDK examples suggest predictable integration ergonomics.
I could not retrieve a current official pricing page or public DPA with the same confidence as the other vendors here. Secondary sources broadly agree on entry pricing around $5 per 500 or $10 per 1,000 verifications and a ~100-verification starter allowance, but they conflict on whether unused credits expire. Technically credible. Commercially, confirm terms inside the product before you commit.
Hunter: B2B verifier, wrong tool for consumer signup
Hunter’s Email Verifier costs 0.5 credits per verification, which makes the free 50 credits/month equal to 100 verifications and makes paid plans more generous than the headline credit count suggests. Scale at €299/mo with 25,000 credits is 50,000 verifications per month if verification is all you do.
Docs are clear: 10 req/s and 300 req/min, servers in Belgium, SCCs for non-EU subprocessors. The verifier exposes regexp, gibberish, disposable, webmail, MX, SMTP server, SMTP check, accept_all, and score. Hunter’s own docs warn that accept_all SMTP checks can produce false positives.
I like Hunter when the problem is professional B2B contact verification inside a sourcing workflow. I would not make it the default gate on a consumer signup form.
Accuracy and benchmarking
There is no clean neutral benchmark in the public material that tests ZeroBounce, Kickbox, Mailgun, Abstract, Hunter, and blocklists on the same dataset under identical scoring rules. Hunter published a 2025 benchmark of 15 verifiers on 3,000 real business addresses. Useful as a methodology reference. Still vendor-authored.
Two caveats matter more than headline scores. Catch-all handling can move reported accuracy by double-digit points. Hunter’s docs say accept_all means SMTP checks can false-positive. ZeroBounce explains that greylisting can force an unknown real-time result that may resolve on bulk revalidation. A conservative vendor looks worse in a benchmark that penalizes unknown, even when that behavior is safer operationally.
Third-party snippets are directional only. One 2026 comparison reports Kickbox around 95.4% real accuracy with ~280 ms latency while labeling catch-alls as unknown. Another synthesis reports ZeroBounce ~97.9%, Kickbox ~97.1%, and Mailgun ~97% in a different test. These are not equivalent studies. They support one conclusion: benchmark outcomes depend heavily on dataset mix and how unknown is scored.
The rigorous approach is a private labeled test set: confirmed valid business inboxes, known dead inboxes, catch-alls, role addresses, fresh disposables, free-mail addresses, and typos. Score false positives, false negatives, unknown rate, and p95 latency. Replay monthly because provider heuristics change.
Cost, privacy, integration, and performance
On low-volume real-time validation, Abstract has the cheapest straightforward self-serve entry at $17 for 5,000 requests, capped at 3 req/s. ZeroBounce is materially more expensive on PAYG at small volumes but can justify the premium if you need bulk throughput and compliance artifacts. Hunter looks expensive until you remember the 0.5-credit mechanics. Mailgun is rarely the cheapest validation-only path.
On bulk cleaning, ZeroBounce PAYG price drops sharply with volume and bulk workflows are explicitly optimized for larger jobs. Hunter’s subscription math gets attractive at Scale because repeated verifications count once per billing period. Mailgun bulk validation is capable but pricing is naturally understood as part of Optimize or sending plans.
For GDPR and data residency, Hunter (Belgium) and Mailgun (US plus EU validation servers) have the cleanest public stories in the material I reviewed. ZeroBounce has a strong DPA and EU-only endpoint, but endpoint-page wording still needs contractual verification. Abstract has a DPA with explicit US transfer terms but not a strong regional hosting story. Kickbox may support EU endpoints, but legal and residency posture was not transparent enough to evaluate with the same confidence.
Integration transparency favors Hunter and Mailgun on documentation quality. ZeroBounce has many integrations but a wider product surface. Kickbox SDKs are a plus. Abstract is probably the simplest single-REST-call choice for a greenfield team.
Latency is not directly comparable across the board. ZeroBounce publishes 1 to 30 second API times with most domains in 1 to 5 seconds. Hunter allows up to 20 seconds then returns 202 for polling. Kickbox appeared around 280 ms in one third-party 2026 test. Mailgun emphasizes cached send data but does not publish p95 validation timings in the docs I read. Abstract does not publish comparable latency metrics either.
What I would pick
flowchart TD
start[What is the main goal?] --> abuse{Block throwaway or policy emails only?}
abuse -->|Yes| certainty{Need mailbox certainty or catch-all handling?}
certainty -->|No| blocklist[Self-hosted blocklist or ded.merginit.com]
certainty -->|Yes| api[Use a validation API]
abuse -->|No| api
api --> mailgun{Already on Mailgun?}
mailgun -->|Yes| mg[Mailgun Validate]
mailgun -->|No| eu{EU residency especially sensitive?}
eu -->|Yes| zb[ZeroBounce with endpoint review]
eu -->|No| b2b{B2B prospecting workflow?}
b2b -->|Yes| hunter[Hunter]
b2b -->|No| budget{Lowest cost low volume?}
budget -->|Yes| abstract[Abstract API]
budget -->|No| kickbox[Kickbox or ZeroBounce] For a hobby signup form where the main fear is disposable abuse, I would start with a local blocklist or ded.merginit.com and skip API costs entirely. I escalate to Abstract when I need SMTP-level signals on a tight budget, or ZeroBounce when bulk cleaning and compliance paperwork matter.
Startups split on stack. Already on Mailgun for transactional mail: Mailgun Validate before adding another vendor. B2B outbound with Hunter for sourcing: use Hunter’s verifier inside that pipeline, not as a generic gate. Privacy-sensitive EU product with occasional need for mailbox checks: ZeroBounce with contractual EU-only endpoint review, or Mailgun EU if the send stack is already there.
Enterprise teams should not treat free tiers as production destinations. Run a labeled private benchmark quarterly. Put blocklist policy in your own infra for data minimization. Buy validation credits at volume with a DPA that matches your residency requirements. Kickbox and Abstract can work, but procurement will want clearer legal docs than I found in public for Kickbox.
For a bootstrapped web app I would ship ded.merginit.com or a self-hosted disposable list on day one, add typo hints client-side, and wire ZeroBounce or Abstract only on the signup paths where a bad address actually costs money.
Gaps in the public docs
No independent study tested all five APIs plus blocklist approaches on the same dataset with the same scoring rules. Benchmark evidence is fragmented, especially around how unknown and catch-all verdicts get counted.
Kickbox pricing and DPA pages were harder to verify than ZeroBounce, Mailgun, Hunter, and Abstract. Kickbox commercial terms here come from consistent secondary sources, not primary pages I could rely on equally.
Latency is not apples-to-apples. ZeroBounce and Hunter publish useful timing detail. Kickbox exposes response-time headers and looked fast in one third-party test. Mailgun and Abstract do not publish comparable p95 or p99 numbers. Run your own addresses through whichever providers you shortlist before you commit.
Sources
ded.merginit.com
Disposable Email Domains Checker
GitHub repository
ZeroBounce
ZeroBounce pricing
API documentation
Batch validation
Status page
Kickbox
Kickbox
Kickbox API documentation
Kickbox GitHub
Mailgun Validate
Mailgun Validate overview
Single validation
Bulk validation
Mailgun pricing
Abstract API
Email validation API
Abstract pricing
Hunter
Hunter Email Verifier
Email Verifier API documentation
Hunter pricing