Blog · May 21, 2026

What an Email Address Reveals About a User

An email address carries far more than a delivery inbox — domain age, provider type, breach history, and deliverability are all fraud signals. Here's how fraud teams use email intelligence as a low-friction first filter before ful

By Didit

A new user types an email at signup. It looks like a string. It is not.

Before you ask for a document or run a face match, that address is already telling you things: whether the inbox is real, whether the domain accepts mail, whether the provider is a throwaway service, and whether the address has appeared in data-breach dumps. None of that requires the user to do anything — you get it the moment they enter the string.

This post explains what those signals mean, how fraud teams act on them, and how Didit Email Verification packages them into a $0.03 check you can put at the front of any onboarding flow.

Key takeaways

  • An email address is a multi-dimensional fraud signal: deliverability, provider type, domain reputation, and breach exposure each catch different risk patterns.
  • Disposable emails can be flagged before a single KYC check is paid for.
  • Breach exposure correlates with credential-stuffing and account-takeover risk; high breach count at signup is a different profile than a fresh corporate address.
  • Email intelligence is a low-friction filter — legitimate users barely notice it, while users gaming your onboarding have fewer cheap options.
  • Didit Email Verification runs OTP delivery plus risk signals — BREACHED_EMAIL, DISPOSABLE_EMAIL, UNDELIVERABLE_EMAIL, INVALID_EMAIL, DUPLICATED_EMAIL — in one $0.03 call, configurable per warning to approve, review, or decline.

What an email address actually contains

Strip away the @ and you have two parts: the local part and the domain. Both carry signal.

The local part can indicate automation. Sequential strings, keyboard patterns, or long random alphanumeric strings are unusual for real users. Fraud rings creating accounts at volume often generate local parts programmatically.

The domain tells you whether the inbox is real and reachable — MX record health and DNS configuration matter. A domain registered three months ago with no prior mail history looks very different from gmail.com or acme-corp.com.

The provider tells you about intent. Disposable-email providers — services built to generate throwaway addresses that expire within minutes — are abnormal everywhere. There are thousands of them, and the list grows as fraud tooling evolves.

The four fraud signals in an email address

1. Deliverability and MX validity

If the domain has no valid MX records, the syntax is malformed, or the mailbox is known to bounce, the address is undeliverable — the OTP won't land and there's no point proceeding. Catching this early saves the full verification cost and avoids onboarding a user you cannot contact.

2. Disposable-provider detection

Disposable email services exist for one purpose: completing a signup without leaving a traceable identity. Users who genuinely want an account have no reason to use them. Users abusing referral programs, farming free trials, or cycling through banned accounts do. Detecting disposable providers requires a maintained, up-to-date database of known services — Didit keeps this as part of the risk assessment on every check.

3. Breach exposure

When databases leak, the exposed records contain email addresses paired with passwords or personal data. An address appearing in many known breaches shifts the risk profile: it is old, widely used, and may have credentials in circulation. For account-takeover risk, high breach count at signup is worth a closer look. For synthetic-account fraud, the opposite often applies — throwaway addresses created for fraud tend to have zero breach history.

4. Duplicate use

An email already enrolled under a different user identity is either a mistake or multi-accounting. Duplicate email is typically a review signal rather than a hard decline — families sometimes share an address — but it surfaces the pattern early.

Why email is a first filter, not a final verdict

Email intelligence runs in under 2 seconds, requires no user effort, and stops low-effort fraud before you spend on document analysis or liveness checks. At $0.03 in front of a $0.33 KYC core flow, catching a disposable email saves $0.30 per blocked attempt — and keeps fraudulent documents out of your review queue entirely.

Email alone is not a complete picture — legitimate users can use Gmail, appear in old breach databases, or hit odd MX behavior. It calibrates your downstream spend; it does not replace document and biometric verification.

How Didit helps

Didit Email Verification combines OTP delivery with a full risk assessment at $0.03 per check. Didit sends a time-limited code to the address (6 digits, configurable 4–8); codes expire in 5 minutes, and up to 3 entry attempts are allowed per session.

Alongside the OTP, Didit surfaces four risk warnings:

Warning | What it means
BREACHED_EMAIL | The address appears in one or more known data-breach databases; the response lists the exposed services.
DISPOSABLE_EMAIL | The address belongs to a known temporary or throwaway email provider.
UNDELIVERABLE_EMAIL | The address cannot receive mail — bad domain, no MX records, or known-bounce address.
INVALID_EMAIL | The address is syntactically malformed.
DUPLICATED_EMAIL | The address has already been enrolled under a different user identity in your workspace.

Each warning is independently configurable — set duplicated_email_action, breached_email_action, and disposable_email_action to APPROVE, REVIEW, or DECLINE in the Workflow Builder. Both a session-based mode (hosted Didit flow) and a standalone API mode (POST /v3/email/send/ and POST /v3/email/check/) are available.

Use cases

Consumer fintech onboarding — disposable and undeliverable checks stop low-effort account fraud before any document check is paid. Breach exposure flags recycled credentials at signup.

Marketplace seller verification — a freshly created email domain on a seller account is a yellow flag before KYB. Email intelligence gives a fast, cheap signal before the expensive checks.

Referral and promotion abuse — disposable email detection is the primary countermeasure for referral-farming: bad actors cycling through throwaway addresses to collect sign-up bonuses.

Step-up flows — if a user's email changes mid-lifecycle, re-running the check catches substitution to a disposable provider — a common step in account-takeover prep.

How to integrate with Didit

Session-based (hosted flow)

  1. In the Business Console, add the EMAIL feature to your workflow and configure the three risk actions.
  2. Create a session — POST /v3/session/ with workflow_id, vendor_data, and callback.
  3. Open session.url for the user — email collection, OTP, and risk assessment happen in-band.
  4. Read the result via GET /v3/session/{sessionId}/decision/ or session.status.updated. Email results land in email_verifications[].

Standalone API (server-to-server OTP pair)

# Step 1 — send the code
curl -X POST 'https://verification.didit.me/v3/email/send/' \
  -H "Authorization: Bearer $DIDIT_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{ "email": "alice@example.com", "vendor_data": "user-1234" }'

# Step 2 — check the code (after user enters it in your UI)
curl -X POST 'https://verification.didit.me/v3/email/check/' \
  -H "Authorization: Bearer $DIDIT_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{ "email": "alice@example.com", "code": "123456", "disposable_email_action": "DECLINE" }'

The check response always includes the full email metadata: breaches[] with exposed services, disposable flag, and deliverable flag.
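The per-warning policy described above (APPROVE, REVIEW or DECLINE per warning, with undeliverable and invalid addresses stopping the flow outright) can be modelled on the integrating side like this. This is an added example, not Didit's code: the warning names and the *_email_action keys are from the post, while the exact JSON layout of the check response (a warnings list next to the deliverable, disposable and breaches fields) is an assumption.

```python
"""Resolve a Didit email-check result into an onboarding decision.

Added example, not Didit's code. Warning names and *_email_action keys are from
the post; the response layout (a `warnings` list beside `deliverable`,
`disposable`, `breaches`) is assumed.
"""

# Per-warning actions as set in the Workflow Builder (APPROVE, REVIEW or DECLINE).
ACTION_CONFIG = {
    "breached_email_action": "REVIEW",
    "disposable_email_action": "DECLINE",
    "duplicated_email_action": "REVIEW",
}
# No key for INVALID/UNDELIVERABLE: the OTP cannot be sent, so they always stop the flow.
CONFIG_KEY = {
    "BREACHED_EMAIL": "breached_email_action",
    "DISPOSABLE_EMAIL": "disposable_email_action",
    "DUPLICATED_EMAIL": "duplicated_email_action",
}
SEVERITY = {"APPROVE": 0, "REVIEW": 1, "DECLINE": 2}


def decide(check: dict, config: dict = ACTION_CONFIG) -> tuple:
    """Return (decision, triggered_warnings) for one check response."""
    warnings = list(check.get("warnings", []))
    if "INVALID_EMAIL" in warnings:
        return "DECLINE", ["INVALID_EMAIL"]
    if "UNDELIVERABLE_EMAIL" in warnings or check.get("deliverable") is False:
        return "DECLINE", ["UNDELIVERABLE_EMAIL"]
    decision, triggered = "APPROVE", []
    for warning in warnings:
        # Unknown warning -> human review rather than a silent pass.
        action = config.get(CONFIG_KEY.get(warning, ""), "REVIEW")
        if action != "APPROVE":
            triggered.append(warning)
        if SEVERITY[action] > SEVERITY[decision]:  # one DECLINE beats any REVIEWs
            decision = action
    return decision, triggered


# Constructed sample responses (not captured from the real API).
SAMPLES = {
    "clean": {"warnings": [], "deliverable": True, "disposable": False, "breaches": []},
    "throwaway": {"warnings": ["DISPOSABLE_EMAIL"], "deliverable": True,
                  "disposable": True, "breaches": []},
    "old_breached": {"warnings": ["BREACHED_EMAIL"], "deliverable": True,
                     "disposable": False, "breaches": ["svc-a", "svc-b", "svc-c"]},
    "dead_inbox": {"warnings": ["UNDELIVERABLE_EMAIL", "BREACHED_EMAIL"],
                   "deliverable": False, "disposable": False, "breaches": ["svc-a"]},
}
```

The breaches list is left for the reviewer to weigh: as the post notes, a long breach history and an empty one point to different risk profiles, so it is context rather than a verdict on its own.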

Full reference: Email Verification overview, warnings catalogue, report schema.

Frequently asked questions

Does email verification replace document verification?

No — it's a pre-filter that stops low-effort fraud before you spend on document and biometric checks.

What counts as a disposable email provider?

Didit maintains a live database of known temporary email services, updated continuously. Generic free webmail (Gmail, Outlook) is not flagged as disposable; separate reputation signals cover those patterns.

Can a breached email address still be legitimate?

Yes. Breach exposure means the address appeared in a leaked database, not that the user is a fraudster. How aggressively you act on BREACHED_EMAIL depends on your risk tolerance and the breach count the response returns.

What if the user's email is undeliverable?

The OTP is not sent and the check stops there. Consult your billing agreement for how undeliverable detections are counted.

How does the duplicate-email check work?

DUPLICATED_EMAIL fires when the same address is enrolled under a different vendor_data in your workspace. The same user re-verifying does not trigger it.

Ready to get started?

Email verification is one layer in Didit's broader fraud surface — pair it with IP and device analysis, document verification, biometrics, and AML screening, all composable in a single workflow.
