Picking email validation in 2026 is harder than the accuracy claims suggest

I compared five validation APIs plus a self-hosted blocklist approach: ZeroBounce, Kickbox, Mailgun Validate, Abstract API, Hunter, and a local disposable-domain layer. The Reddit-style “just use X, it claims 99% accuracy” answers mostly ignore that vendors do not score catch-alls, unknown results, and greylisting the same way. A conservative validator can look worse in a benchmark while being safer for sender reputation.

My default for a typical indie signup form is not an API at all. It is a hybrid: block obvious throwaway and policy-disallowed addresses locally first, then call a validation API only when you need mailbox certainty, catch-all handling, or pre-campaign list cleaning. For the first layer in this ecosystem I use ded.merginit.com, our disposable email domains checker. It looks up domains against a maintained list without sending every candidate address to a third-party SMTP probe. Privacy-friendly, fast, and enough for abuse prevention on trials, coupons, and community signups.

When I do need an API, ZeroBounce is the deepest standalone validator in this set: real-time and bulk workflows, high published throughput, and a long compliance credential list. It is also the most expensive at low volume, and you should read the EU endpoint docs carefully before assuming EU-only processing. Mailgun Validate wins if you are already on Mailgun. Abstract API is the budget self-serve pick. Kickbox has clean developer ergonomics but weaker public pricing and legal transparency in the material I reviewed. Hunter is excellent for B2B prospecting, not generic consumer signup gates.

You cannot compare these on accuracy alone

People collapse four different jobs into “email validation.” Vendors in this list cover more than syntax. A blocklist usually covers only the policy layer unless you add DNS and SMTP logic yourself.

JobBlocklistAPI vendors
SyntaxLocal regexAll five
Domain / MXOptional DNS lookupAll five
Mailbox / providerNoAll five
Policy (disposable, role, free-mail)YesAll five

Vendors also meter different units. Pick the wrong mental model and you will mis-budget.

Mental modelToolsWhat burns quota
Validation creditsZeroBounce, Kickbox, AbstractEvery API call, bulk file rows
Half-credit verificationsHunterOne verification = 0.5 credit
Bundled send/optimize unitsMailgun ValidateValidations inside Mailgun or Optimize plans
Maintenance timeSelf-hosted blocklistList refresh, false positive tuning

Blocking junk signups? A blocklist may be enough. Cleaning a list before a marketing send where bounces hurt domain reputation? Watch API credits and bulk pricing. Building a B2B outbound pipeline? Hunter’s economics only make sense if you already live in that workflow.

You will not get a perfect apples-to-apples table. Use the numbers below as directional, then test against addresses that actually show up in your product.

Free tiers at a glance

OptionFree tierEntry pricingBulk vs real-timeRate limitsGDPR / residencyFeature depthBest fit
Self-hosted blocklistEffectively unlimited once deployedNear-zero per lookup; maintenance is the real costBoth trivial at local speedYour stackStrongest privacy; addresses need not leave your infraPolicy checks only unless you add MX/SMTPAbuse prevention, privacy-first signups
ZeroBounce100 free monthly verifications on freemium accountsPAYG from $39 for 2,000 credits; ZeroBounce ONE $99/mo for 10,000 creditsReal-time single, real-time batch, bulk file workflows; >200 emails should use bulkUp to 80,000 validation requests in 10 seconds published; batch up to 100 emails/requestStrong formal compliance stack; DPA says EU-only endpoint required for EU-only processing; some endpoint pages still mention US processingSyntax, MX, SMTP-derived status, disposable/role/catch-all, typo suggestions, scoringDeepest standalone validator when you need bulk and compliance artifacts
KickboxSecondary sources report ~100 free verifications for new accounts; official terms not directly verified hereSecondary sources report ~$5/500, ~$10/1,000, ~$80/10,000; credit expiry terms conflict across sourcesReal-time single API plus async batch with job pollingOfficial SDKs expose response-time headers; parallel request limits not verified on current official siteUS and EU endpoints exist in reviewed material; no accessible public DPA foundResult, reason, role, free, disposable, accept_all, typo suggestion, Sendex scoreSimple developer API if you can tolerate weaker public commercial/legal docs
Mailgun ValidateNo generous standalone free validation tier; bundled in Mailgun plansBasic send overages from $1.20 per 100 validations; Optimize Pilot 2,500 validations for $49/moReal-time single and async bulk; CSV/gzip up to 25 MB, 5 parallel jobsSingle validation rate-limited by active requests; numeric limit not publishedUS and EU validation servers; data can remain in chosen regionDisposable, role, mailbox/provider lookup, catch_all, risk, engagementBest inside Mailgun or a broader deliverability stack
Abstract API100 requests freeStarter $17/mo for 5,000 requestsReal-time API plus bulk CSV upload3 requests/second on self-serve plansDPA exists with US transfer terms; weak public region-specific hosting storyDeliverability, SMTP/MX validity, sender, domain, quality, catch-all, risk, breachesBudget low-volume apps wanting one rich API response
Hunter50 credits/month free; verification costs 0.5 credit (= 100 verifications)Starter €49/mo for 2,000 credits (= 4,000 verifications); Scale €299/mo for 25,000 credits (= 50,000 verifications)Real-time API plus bulk verifier10 req/s and 300 req/min on Email Verifier APIMain servers in Belgium; SCCs for non-EU subprocessors; DPA in termsRegexp, gibberish, disposable, webmail, MX, SMTP check, accept_all, scoreB2B prospecting and outreach, not generic signup hygiene

Kickbox pricing and credit policy in this table come from consistent secondary sources, not contract-grade official pages I could retrieve with the same confidence as ZeroBounce, Mailgun, Hunter, or Abstract. Re-check inside the product before you buy.

When a blocklist is enough

A self-hosted blocklist usually means one of three setups. The simplest: normalize the email, extract the domain, compare against a disposable-domain list, optionally reject role prefixes or free-mail domains. Stronger: add DNS/MX checks. Hybrid: keep policy logic local and escalate ambiguous cases to an API.

The business case is obvious. If you only need to stop throwaway domains from polluting trials or coupon redemptions, a local list avoids sending every address to a third party. That matters for GDPR-sensitive products and for latency on hot signup paths. The npm disposable-email-domains package is the common starting point; Kickbox also offers a hosted API version of that dataset. Teams I have seen schedule weekly or monthly refreshes because stale lists miss new disposable domains.

The ceiling is also obvious. A blocklist does not tell you whether the mailbox exists, whether the domain is catch-all, whether there is a typo you can fix, or whether a corporate inbox is risky but not outright invalid. APIs expose those signals. Mailgun has provider lookup, catch-all, role, disposable, and risk. Hunter has MX, SMTP server, SMTP check, accept-all, and score. Abstract exposes is_smtp_valid, is_mx_valid, quality and risk. Kickbox has Sendex and accept_all. ZeroBounce goes deeper on enrichment and scoring.

That gap drives the false-positive and false-negative tradeoff. A stale list misses fresh disposable domains (false negatives). An over-aggressive policy list rejects legitimate addresses on domains that are not actually disposable (false positives). API SMTP logic reduces misses but introduces ambiguity around catch-all and greylisting, which is why unknown exists.

A blocklist is enough when the goal is abuse prevention, not deliverability certification: rejecting obvious disposables, enforcing business-email-only rules, or reducing junk signups where some leakage is acceptable. You need an API when an invalid address will cost money, harm sender reputation, or break onboarding: marketing sends, transactional programs, B2B outbound, high-value trials, or enterprise products where auditability matters. If your question is “is this address worth storing?”, a blocklist may be enough. If it is “can I safely send here at scale?”, you need an API.

For a privacy-first hybrid I would stack three layers: client or edge syntax plus optional local denylist; server-side disposable and policy checks with optional MX lookup; API escalation only for premium signups, transactional-critical paths, or pre-campaign bulk cleaning. ded.merginit.com fits the first two layers without making a vendor the default answer.

What the free tiers actually cost you later

Self-hosted blocklist and ded.merginit.com

ded.merginit.com checks domains against a maintained disposable-email list with a fast lookup UI. Copy-friendly results work for onboarding review. The marginal cost per lookup is effectively zero. The bill is maintenance: refreshing the dataset, tuning role and free-mail rules, and accepting that you will not get catch-all or mailbox certainty.

I reach for this when privacy matters more than perfect classification and when false negatives on brand-new disposable domains are an acceptable tradeoff. Schedule refreshes. Do not treat a six-month-old JSON file as authoritative.

ZeroBounce: depth, throughput, residency footnotes

ZeroBounce’s freemium includes 100 monthly verifications. PAYG starts at $39 for 2,000 credits and drops with volume. ZeroBounce ONE at $99/mo bundles 10,000 validation credits if you validate regularly.

The product depth is real. Real-time single, real-time batch, and bulk file workflows. Published limits are aggressive: up to 80,000 validation requests in 10 seconds, batch endpoint up to 100 emails per request. The API docs say responses can take 1 to 30 seconds, with 96 to 98% of domains returning in 1 to 5 seconds. SOC 2 Type 2, ISO 27001, HIPAA, and a public status page are listed on their site.

Where ZeroBounce loses me on procurement is residency wording. The DPA defines an EU-only endpoint for EU-only processing, but some endpoint documentation still mentions US processing. Verify endpoint-by-endpoint in contract, not from marketing copy alone.

Mailgun Validate: ecosystem fit, weak standalone value

Mailgun Validate is mature if you already send through Mailgun. Validation logic exposes risk, catch-all, disposable, role-based, and provider-lookup behavior. US and EU validation servers exist, and Mailgun says data can remain in the region you choose.

As a validation-only purchase it is awkward. Basic send plan overages start around $1.20 per 100 validations. Mailgun Optimize bundles validations into broader deliverability plans. Bulk validation supports CSV/gzip up to 25 MB with five parallel jobs. I would not add Mailgun just for signup form validation unless deliverability ops are already in the same account.

Abstract API: cheap entry, broad payload

Abstract’s email validation API gives 100 free requests and a $17/mo Starter plan for 5,000 requests at 3 req/s. For the price you get a wide response: deliverability, SMTP and MX validity, sender, domain, quality, catch-all, risk, and breach signals. Bulk CSV upload is supported.

Abstract is the pick when you want one REST call with a rich payload on a side project budget. Public docs did not give me a strong regional hosting story or comparable latency numbers. Treat accuracy claims as marketing until you run your own labeled set.

Kickbox: developer-friendly, murky commercial docs

Kickbox has official SDKs in multiple languages, a simple response model (result, reason, role, free, disposable, accept_all, typo suggestion, Sendex score), and async batch with callback headers. The X-Kickbox-Response-Time header and a 6,000 ms default timeout in SDK examples suggest predictable integration ergonomics.

I could not retrieve a current official pricing page or public DPA with the same confidence as the other vendors here. Secondary sources broadly agree on entry pricing around $5 per 500 or $10 per 1,000 verifications and a ~100-verification starter allowance, but they conflict on whether unused credits expire. Technically credible. Commercially, confirm terms inside the product before you commit.

Hunter: B2B verifier, wrong tool for consumer signup

Hunter’s Email Verifier costs 0.5 credits per verification, which makes the free 50 credits/month equal to 100 verifications and makes paid plans more generous than the headline credit count suggests. Scale at €299/mo with 25,000 credits is 50,000 verifications per month if verification is all you do.

Docs are clear: 10 req/s and 300 req/min, servers in Belgium, SCCs for non-EU subprocessors. The verifier exposes regexp, gibberish, disposable, webmail, MX, SMTP server, SMTP check, accept_all, and score. Hunter’s own docs warn that accept_all SMTP checks can produce false positives.

I like Hunter when the problem is professional B2B contact verification inside a sourcing workflow. I would not make it the default gate on a consumer signup form.

Accuracy and benchmarking

There is no clean neutral benchmark in the public material that tests ZeroBounce, Kickbox, Mailgun, Abstract, Hunter, and blocklists on the same dataset under identical scoring rules. Hunter published a 2025 benchmark of 15 verifiers on 3,000 real business addresses. Useful as a methodology reference. Still vendor-authored.

Two caveats matter more than headline scores. Catch-all handling can move reported accuracy by double-digit points. Hunter’s docs say accept_all means SMTP checks can false-positive. ZeroBounce explains that greylisting can force an unknown real-time result that may resolve on bulk revalidation. A conservative vendor looks worse in a benchmark that penalizes unknown, even when that behavior is safer operationally.

Third-party snippets are directional only. One 2026 comparison reports Kickbox around 95.4% real accuracy with ~280 ms latency while labeling catch-alls as unknown. Another synthesis reports ZeroBounce ~97.9%, Kickbox ~97.1%, and Mailgun ~97% in a different test. These are not equivalent studies. They support one conclusion: benchmark outcomes depend heavily on dataset mix and how unknown is scored.

The rigorous approach is a private labeled test set: confirmed valid business inboxes, known dead inboxes, catch-alls, role addresses, fresh disposables, free-mail addresses, and typos. Score false positives, false negatives, unknown rate, and p95 latency. Replay monthly because provider heuristics change.

Cost, privacy, integration, and performance

On low-volume real-time validation, Abstract has the cheapest straightforward self-serve entry at $17 for 5,000 requests, capped at 3 req/s. ZeroBounce is materially more expensive on PAYG at small volumes but can justify the premium if you need bulk throughput and compliance artifacts. Hunter looks expensive until you remember the 0.5-credit mechanics. Mailgun is rarely the cheapest validation-only path.

On bulk cleaning, ZeroBounce PAYG price drops sharply with volume and bulk workflows are explicitly optimized for larger jobs. Hunter’s subscription math gets attractive at Scale because repeated verifications count once per billing period. Mailgun bulk validation is capable but pricing is naturally understood as part of Optimize or sending plans.

For GDPR and data residency, Hunter (Belgium) and Mailgun (US plus EU validation servers) have the cleanest public stories in the material I reviewed. ZeroBounce has a strong DPA and EU-only endpoint, but endpoint-page wording still needs contractual verification. Abstract has a DPA with explicit US transfer terms but not a strong regional hosting story. Kickbox may support EU endpoints, but legal and residency posture was not transparent enough to evaluate with the same confidence.

Integration transparency favors Hunter and Mailgun on documentation quality. ZeroBounce has many integrations but a wider product surface. Kickbox SDKs are a plus. Abstract is probably the simplest single-REST-call choice for a greenfield team.

Latency is not directly comparable across the board. ZeroBounce publishes 1 to 30 second API times with most domains in 1 to 5 seconds. Hunter allows up to 20 seconds then returns 202 for polling. Kickbox appeared around 280 ms in one third-party 2026 test. Mailgun emphasizes cached send data but does not publish p95 validation timings in the docs I read. Abstract does not publish comparable latency metrics either.

What I would pick

flowchart TD
    start[What is the main goal?] --> abuse{Block throwaway or policy emails only?}
    abuse -->|Yes| certainty{Need mailbox certainty or catch-all handling?}
    certainty -->|No| blocklist[Self-hosted blocklist or ded.merginit.com]
    certainty -->|Yes| api[Use a validation API]
    abuse -->|No| api
    api --> mailgun{Already on Mailgun?}
    mailgun -->|Yes| mg[Mailgun Validate]
    mailgun -->|No| eu{EU residency especially sensitive?}
    eu -->|Yes| zb[ZeroBounce with endpoint review]
    eu -->|No| b2b{B2B prospecting workflow?}
    b2b -->|Yes| hunter[Hunter]
    b2b -->|No| budget{Lowest cost low volume?}
    budget -->|Yes| abstract[Abstract API]
    budget -->|No| kickbox[Kickbox or ZeroBounce]

For a hobby signup form where the main fear is disposable abuse, I would start with a local blocklist or ded.merginit.com and skip API costs entirely. I escalate to Abstract when I need SMTP-level signals on a tight budget, or ZeroBounce when bulk cleaning and compliance paperwork matter.

Startups split on stack. Already on Mailgun for transactional mail: Mailgun Validate before adding another vendor. B2B outbound with Hunter for sourcing: use Hunter’s verifier inside that pipeline, not as a generic gate. Privacy-sensitive EU product with occasional need for mailbox checks: ZeroBounce with contractual EU-only endpoint review, or Mailgun EU if the send stack is already there.

Enterprise teams should not treat free tiers as production destinations. Run a labeled private benchmark quarterly. Put blocklist policy in your own infra for data minimization. Buy validation credits at volume with a DPA that matches your residency requirements. Kickbox and Abstract can work, but procurement will want clearer legal docs than I found in public for Kickbox.

For a bootstrapped web app I would ship ded.merginit.com or a self-hosted disposable list on day one, add typo hints client-side, and wire ZeroBounce or Abstract only on the signup paths where a bad address actually costs money.

Gaps in the public docs

No independent study tested all five APIs plus blocklist approaches on the same dataset with the same scoring rules. Benchmark evidence is fragmented, especially around how unknown and catch-all verdicts get counted.

Kickbox pricing and DPA pages were harder to verify than ZeroBounce, Mailgun, Hunter, and Abstract. Kickbox commercial terms here come from consistent secondary sources, not primary pages I could rely on equally.

Latency is not apples-to-apples. ZeroBounce and Hunter publish useful timing detail. Kickbox exposes response-time headers and looked fast in one third-party test. Mailgun and Abstract do not publish comparable p95 or p99 numbers. Run your own addresses through whichever providers you shortlist before you commit.

Sources

ded.merginit.com

Disposable Email Domains Checker
GitHub repository

ZeroBounce

ZeroBounce pricing
API documentation
Batch validation
Status page

Kickbox

Kickbox
Kickbox API documentation
Kickbox GitHub

Mailgun Validate

Mailgun Validate overview
Single validation
Bulk validation
Mailgun pricing

Abstract API

Email validation API
Abstract pricing

Hunter

Hunter Email Verifier
Email Verifier API documentation
Hunter pricing

Disposable domain lists

disposable-email-domains on npm