@emailalias/disposable-email-detector
v0.1.2
Published
Detect disposable / temporary email addresses, and distinguish them from legitimate forwarding aliases (EmailAlias.io, SimpleLogin, addy.io, DuckDuckGo, Firefox Relay, Apple Hide My Email).
Maintainers
Readme
@emailalias/disposable-email-detector
Detect disposable / temporary email addresses, and tell them apart from legitimate forwarding aliases like EmailAlias.io, SimpleLogin, addy.io, DuckDuckGo Email Protection, Firefox Relay, and Sign in with Apple's Hide My Email.
Most disposable-email blocklists treat every "unusual" email domain the same. This one separates two distinct categories:
| Category | Example | Action |
|---|---|---|
| Disposable — mailbox expires, abandoned by design | [email protected], [email protected] | Block at signup |
| Forwarding alias — permanent address, forwards to a real inbox the user controls | [email protected], [email protected], [email protected] | Do NOT block — this is a real customer using privacy tooling |
| OK — unknown / probably legit mailbox | [email protected] | Allow |
Try the hosted checker at emailalias.io/tools/disposable-email-checker.
Install
npm install @emailalias/disposable-email-detectorNode 18+. ESM. No runtime dependencies.
Usage
import { check, isDisposable, isForwardingAlias } from "@emailalias/disposable-email-detector";
isDisposable("[email protected]"); // true
isDisposable("[email protected]"); // false — it's a forwarding alias
isForwardingAlias("[email protected]"); // true
const result = check("[email protected]");
// {
// verdict: "forwarding_alias",
// provider: "EmailAlias.io",
// reason: "Address is a forwarding alias … Do NOT treat as disposable.",
// email: "[email protected]",
// domain: "emailalias.io",
// local: "user"
// }check() returns one of: "disposable" | "forwarding_alias" | "suspicious" | "ok" | "invalid".
What gets detected
- Disposable domain list (~74,000 providers — Mailinator, 10MinuteMail, GuerrillaMail, YOPmail, Temp-Mail, and the long tail of obscure throwaway services). Synced weekly from upstream MIT-licensed community lists.
- Personally-observed list — domains seen directly in EmailAlias.io abuse logs, with provenance notes (Cloudflare Email Routing MX, NameSilo mail-only, etc.). Survives every upstream refresh.
- Forwarding-alias provider list — used to flip the verdict from
disposabletoforwarding_aliasand tell the integrator who NOT to block. - Heuristics on the local part and TLD:
- Suspicious TLDs:
.tk,.ml,.ga,.cf,.gq - Local part looks randomly generated
- Local part starts with a throwaway keyword (
temp,throw,trash,spam,junk, …)
- Suspicious TLDs:
Two or more heuristic hits flips the verdict to suspicious. One hit alone is left at ok — single signals are too noisy on real addresses.
Why split disposable from forwarding alias?
Mail to a Mailinator address lands in a public inbox that anyone can read. Mail to a DuckDuckGo or EmailAlias.io address forwards to the user's real inbox. Site owners blocking both end up rejecting privacy-conscious customers — exactly the audience least likely to come back. Splitting the verdict lets you block disposable and allow forwarding_alias with one library.
License
MIT. Source and bug reports: github.com/emailalias/disposable-email-detector. The Python sibling package is at disposable-email-detector on PyPI.
