
Don't allow people with these email domains to sign up for your SaaS!

Hello fellow indie hackers 👋

Whenever there's an interesting email domain that signs up for my software I check it out. This shows me cool startups or web agencies. It's fun!

So this weekend, when I got another interesting-sounding one, "owlymail.com", I checked it out and...

...it's a site that lets people create disposable temporary email addresses!

Welp. I knew these existed but I hadn't quite made the link that other people could use them to sign up for my app. 😅

Besides disposable emails meaning they won't get any of the onboarding emails, I also send them emails when they request a new license. I can't do that if their email is already gone, leaving them with an app that doesn't work.

So this morning I looked for a good list of disposable email domains and pretty quickly I came across disposable-email-domains. That list is huge, and gets updated often.

Now when someone tries to sign up for my app with an email domain that matches this list I give a warning explaining why I need a real email address instead.

If your SaaS depends on users receiving emails, prevent users signing up with a disposable email!

Posted to Developers on July 27, 2020
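The signup check described in the post above, as an added example (not the poster's code and not the disposable-email-domains package's own API). The domain list is a constructed sample in which only `owlymail.com` comes from the post, the function names are hypothetical, and matching parent domains goes beyond what the post describes.

```javascript
// Added example. Constructed sample list: only "owlymail.com" is from the post,
// the ".example" entries are made up. In production, load a maintained list.
const DISPOSABLE_DOMAINS = new Set([
  "owlymail.com",
  "tempbox.example",
  "throwaway.example",
]);

// Return the normalised domain of an address, or null if it is not local@domain.
function emailDomain(email) {
  if (typeof email !== "string") return null;
  const trimmed = email.trim();
  const at = trimmed.lastIndexOf("@");
  if (at < 1 || at === trimmed.length - 1) return null;
  // Lower-case and drop a trailing dot: "OwlyMail.com." is the same host.
  const domain = trimmed.slice(at + 1).toLowerCase().replace(/\.$/, "");
  if (!domain.includes(".") || /\s/.test(domain)) return null;
  return domain;
}

// Compare the domain and each parent domain against the list by whole labels,
// so "mx1.owlymail.com" matches "owlymail.com" but "notowlymail.com" does not.
function matchDisposable(domain, list = DISPOSABLE_DOMAINS) {
  const labels = domain.split(".");
  for (let i = 0; i < labels.length - 1; i++) {
    const candidate = labels.slice(i).join(".");
    if (list.has(candidate)) return candidate;
  }
  return null;
}

// Signup check (hypothetical name). Returns a result for the form handler to
// show as a warning, as the post describes, instead of silently rejecting.
function checkSignupEmail(email) {
  const domain = emailDomain(email);
  if (domain === null) {
    return { ok: false, reason: "invalid", matched: null,
             warning: "Please enter a valid email address." };
  }
  const matched = matchDisposable(domain);
  if (matched !== null) {
    return { ok: false, reason: "disposable", matched,
             warning: "This looks like a disposable address. License keys are " +
                      "sent by email, so please use an address you will keep." };
  }
  return { ok: true, reason: null, matched: null, warning: null };
}
```

Run the check server-side as well as in the form, since a client-side warning alone can be skipped.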
  1. 1

    You can try mail-check dot tech (cannot add a link so 😅). It's not just a simple list of disposable email domains that will fail for any new disposable email services; it's an API service that goes beyond simple syntax checks and will accurately identify disposable emails. Sign up for the website and try it for yourself.

  2. 14

    I often use disposable emails for testing. They still allow you to receive email. Why would you want to block them? I oftentimes wouldn't sign up at all if I couldn't use my disposable email.

    1. 7

      In my experience, people who use disposable emails are disproportionately troublesome for the revenue they bring.

      They're not quite more trouble than they're worth but despite being a small portion of my users, they make up nearly 100% of attempted spam, 75% of attempted fraud, and much of the overall customer support time.

      Sometimes it's totally innocent, too! Especially German users, for some reason, often sign up with a fake email, use the service as intended, then later contact me from their real email asking for help with their account. Usually it's about failed credit card transactions or help with my feature voting system. Since the email is from an address I've never seen before, I often have no idea what they're talking about and have to do an extra back and forth to get the email they used with their account or user ID, etc.

      1. 3

        Oh you mean the 0 revenue they bring?

      2. 3

        Exactly this is my reason as well. A disposable email means they'll be locked out of their account with no way for them to prove their account is theirs. For credit card transactions but more importantly for getting licenses to use my app.

    2. 3

      I agree with this. You don't want to block them, because they aren't spam, they're generally legitimate people testing your site to see if they're interested. If they like what they see, how do you know that they won't sign up with their real email address? Spammers don't use temporary email addresses. That would be utterly pointless. You are alarmed for no reason.

      1. 1

        This comment was deleted 3 years ago.

  3. 6

    Disposable emails are commonly still usable for a long time btw, if the person wants to. Depending on the "costs" of a user for you, I get it, but also think about possibly legitimate future users that are more privacy and spam aware testing the waters slowly... There are also other email tricks people can play...
    As long as it's not mass sign-ups for an obvious reason to abuse, I wouldn't get too worked up about it.
    Do you know that for similar reasons there are also shared login sites? What if one of your users is listed there?

    1. 1

      I get that, but my SaaS is a desktop app that sends license keys to your email if you install on a new machine. If you don't have that email, you won't get your license key so you can't use the app. I'd rather prevent people from being locked out of their own subscription.

      1. 16

        Instead of outright blocking them, use the same mechanisms to notify them at checkout or whatever and say "Hey we noticed you're using a disposable email, we send your license key to that email, so it could hinder your ability to use the software you purchase, here's our privacy policy if you're concerned about spam, etc."

        1. 7

          Yes, people who use disposable emails mostly know their stuff, so you need not block them IMHO.

        2. 2

          This is exactly what the OP says he does if the person enters an email address that's on the list of disposable emails, not blocking the user altogether.

      2. 2

        You should probably try to use a disposable email service yourself at least once to see what it really is about

  4. 5

    I don't blame people for staying anonymous. Sharing email is dangerous as it is uniquely personally identifiable. In addition, many companies have poor data security and are vulnerable to hacking, or even purposefully sell or share people's private information. Not to mention a large percentage of companies harass people with email.

    My point is to say people are definitely justified for using disposable email. It's their wish to be able to see your product or service before they endanger themselves by sharing their real intimate details. So simply let them demo Polypane without an email. Simple solution. If they are interested, they'll come back.

  5. 3

    Just want to raise my hand and point you to www.block-disposable-email.com. This is a service I run with more than 100k blacklisted dea domains. I'd say it is the most complete "list" out there. Free for NGO's.

  6. 3

    While you're there, make sure you allow the user to delete their account. I use disposable emails when I want to evaluate something.

    I would delete that account if the option was available but more often than not, there's no option, which re-enforces me to keep using them.

    Alternatively I would suggest (if applicable) to let the user test the product without signing up. Like "Login with demo/demo user" or something like that.

  7. 3

    That open API endpoint from Kickbox is a pretty cool find.

  8. 3

    Nice tip! Thanks for the link.

  9. 2

    I just randomly came across this thread and decided to put my two cents in. I have a SaaS business as well, and I totally agree. I think it's very important to identify fake and disposable emails. Of course, there's nothing wrong with using a disposable email address for privacy or other reasons. But unfortunately, such addresses are widely used for SaaS abuse.

    I can recommend this service https://emailverification.whoisxmlapi.com/disposable-email-domains . I've been using it for a while now, and it's been quite helpful. Their list of disposable email domains is updated daily. It allows me to block fake sign-ups plus manage my campaign expenses better.

  10. 2

    I have a disposable email from my domain to try out services for the first time. For this year it is [email protected]. I use it to try the services. Once I like it, I sign up with my real email address.

    1. 1

      I see many people using [email protected] for example. I think that's clever enough, makes it easy to block email from apps and it also means they still have access to that email (or can regain access to an email, like you)

  11. 1

    Hi,
    Using packages like the one mentioned in the post is good for avoiding disposable as well as temporary emails.
    But when you are working in production, you have to maintain an up-to-date list of disposable & temporary emails so that you can have a healthy email list for your future email campaigns.

    One should opt for email verification API services like bouncebadger.com to avoid disposable emails during the sign-up process. This API not only verifies disposable emails but also checks if the mailbox exists or not.

    All the best!

  12. 1

    emailondeck.com is one of the hard to detect disposable services and changes domains every 3 days. This list might help you to keep track: https://github.com/GeroldSetz/emailondeck.com-domains/

  13. 1

    I understand many use temp emails to test a new product without risking seeing their real emails or that password they reuse all the time in one of those deep web lists of leaked data.

    Yes, these people are not your customer now, but that doesn't mean they will never be.

    So, instead of blocking, why not create an asynchronous job that cleans these emails from your database after a few days?

    1. 1

      I could do that, but what if they legitimately end up using my app with that now-gone e-mail address? Deleting that outright would not be great either.

      1. 1

        If your SaaS depends on users receiving emails, you should have a system to notify users in case the email bounces, right?

        If they legitimately end up using it with that fake email (my guess is they would switch to a real email by then), then you should notify them on the website itself. Preferably with some sort of deadline!

  14. 1

    I would not purposely block disposable email for sign up. That is wasting my time to develop a feature to block it. Of course if your SaaS costing is directly proportional to sign up user, then you need to block it.

  15. 1

    I once had someone subscribe for $9 to my product with a disposable email. Not sure I would block them, to be honest 😅

    1. 2

      That's all fun and games until they can't cancel because they can't access their email, and issue a chargeback instead, right?

      1. 1

        My integration allows users to use a different email for Stripe billing and also to cancel the subscription from the app itself without email access.

  16. 1

    There's some good opinions here from different sides.

    Personally, I don't block these in my app - although it would be fairly simple to do using an open source list of disposable email domains.

    But I also don't regard these users as quality leads.

    At least in my own experience, when I use a disposable email address I'm really just interested in trying out a product purely for research purposes - I'm 99% sure I would never become a customer. In contrast, when I'm trying out a product because I'm actually evaluating it as a potential customer, I always use my real email address.

    Not everyone is like me, but at least this is how I use disposable emails and therefore my attitude to them when I see them crop up in my own database.

  17. 1

    Oh, this is a nice list!
    I wouldn't block them, but rather mark them as non-convertible leads, and if you have some kind of ML model for lead scoring, certainly these would be penalized.
    My two cents.

  18. 1

    Very handy, thanks! Will bookmark.

  19. 0

    As someone who runs an email privacy service that offers disposable email addresses, I strongly urge you to reconsider your stance on blocking these types of services. Email addresses are a big personal privacy hole. Your email address is a semi-permanent piece of personally identifiable information that, between services selling them to data brokers and services leaking them through bad security practices, constantly ends up being made public without any regard for user privacy.

    Stalkers can use email addresses to track people down on social media, phishers and hackers can use them to try to compromise all sorts of accounts, and the proliferation of spam can make your inbox unusable. Just as not reusing passwords across multiple sites has become best practice, it's my belief that not reusing an email address across multiple sites also needs to become best practice. The idea behind disposable email addresses is that if one of your disposable addresses is compromised in some way you can simply delete that one address without needing to change your email address everywhere you've ever given it out.

    Disposable doesn't necessarily mean temporary and it certainly doesn't mean that the user will never receive the email you send to it. I mean if that was the case why would they even bother to use a service, the user could just give you a completely made-up email address.

    1. 1

      Account verification is typically linked to email accounts. So a user can use 100 disposable email domains to create 100 "fake" accounts on my site. No thank you.
      Yes some use it for good, but bad use cases are more. And it is also my responsibility to protect user email addresses.

  20. 2

    This comment was deleted 4 years ago.

  21. 1

    This comment was deleted 3 years ago.

    1. 1

      I import the NPM package in my code and use that to check signups. I suppose I'll have to update that every once in a while, but that sounds like a better idea than sending email domains to a third party.

      They do have an api though, it's listed at that link.

  22. 2

    This comment was deleted 3 years ago.

    1. 1

      And that's a great reason you're probably not the target services target market :)

      1. 1

        This comment was deleted 3 years ago.
