Skip to main content

Validation Flow

When you send an email to Vouch for validation, it goes through a sophisticated multi-stage pipeline designed for both speed and accuracy.
1

Authentication & Authorization

Vouch validates your API key, checks project permissions, and verifies rate limits and quotas
2

Smart Parallel Validation

All 9 validation checks start simultaneously with intelligent early-exit optimization
3

Risk Aggregation

Individual signals are combined into a final recommendation based on your project configuration
4

Logging & Analytics

Results are logged (with encrypted emails) for analytics and usage tracking

Smart Early-Exit Strategy

Vouch uses an intelligent validation strategy that minimizes latency while maximizing data quality:

BLOCK Checks (Promise.race)

These checks can immediately reject an email if they fail:
  • Syntax validation
  • Disposable email detection
  • MX records verification
// Pseudo-code illustration
const blockChecks = Promise.race([
  checkSyntax(),
  checkDisposable(),
  checkMX()
]);

// Returns immediately on first failure
// Or waits for all to succeed
If any BLOCK check fails, Vouch can return immediately without waiting for other checks to complete.

FLAG Checks (Promise.all)

These checks run to completion to gather maximum intelligence:
  • SMTP verification
  • Catch-all detection
  • Role email detection
  • Alias detection
  • Device fingerprinting
  • IP reputation
// Pseudo-code illustration
const flagChecks = await Promise.all([
  checkSMTP(),
  checkCatchall(),
  checkRoleEmail(),
  checkAlias(),
  checkDeviceFingerprint(),
  checkIPReputation()
]);

// Waits for all checks to complete
This approach typically returns results in 200-500ms while still gathering comprehensive fraud signals.

The 9 Validation Types

1. Syntax Validation

Action: BLOCKValidates email format against RFC 5322 standards:
  • Local part validation (before @)
  • Domain part validation (after @)
  • Special character handling
  • Length limits
Example failures:
  • [email protected] (consecutive dots)
  • @example.com (missing local part)
  • user@ (missing domain)
Action: BLOCKChecks against a constantly-updated database of 100,000+ disposable email domains:
  • Temporary email services (10minutemail, guerrillamail)
  • Throwaway email providers
  • Synced daily from multiple sources
Example domains:
  • tempmail.com
  • 10minutemail.com
  • guerrillamail.com
Action: BLOCKPerforms DNS lookup to verify the domain has mail servers:
  • Queries MX records via Google DNS API
  • Cached for 24 hours for performance
  • Ensures domain can receive email
Fails if:
  • No MX records exist
  • MX records point to invalid hosts
  • DNS lookup times out
Action: FLAG (optional)Connects to the mail server to verify the mailbox exists:
  • Performs SMTP handshake
  • Sends RCPT TO command
  • Doesn’t send actual email
Use case: High-security applications where you need to verify the exact mailbox exists
Action: FLAGIdentifies domains configured to accept emails to any address:
  • Tests with random addresses
  • Flags for review (not automatic block)
Why it matters: Catch-all domains make it impossible to verify specific mailboxes exist
Action: ALLOW (configurable)Identifies generic business emails:
  • admin@, support@, info@, contact@
  • Useful for B2B applications
  • Can be configured to FLAG or BLOCK
Configurable patterns in your dashboard
Action: FLAGDetects email aliases and plus-addressing:Why it matters: Users can create infinite aliases from one mailbox
Action: FLAGTracks devices across multiple email validations:
  • Collects 40+ browser/device signals
  • Generates stable fingerprint hash
  • Detects reuse patterns
Signals collected:
  • Screen resolution, color depth
  • Canvas/WebGL fingerprints
  • System fonts
  • Hardware info
  • Timezone, language
See Device Fingerprinting for details
Action: FLAGChecks IP address against fraud databases:
  • VPN detection
  • Tor exit node identification
  • Known fraud IP lists
  • Updated daily
Detects:
  • Commercial VPN providers
  • Datacenter IPs
  • Tor network
  • Known bot networks

Risk Scoring & Recommendations

After all validations complete, Vouch aggregates the signals into a final recommendation:

Recommendation Logic

function determineRecommendation(result: ValidationResponse) {
  // Check if validation succeeded
  if (!result.success || !result.data) {
    return 'block'; // Failed validation
  }

  const { checks } = result.data;

  // Any critical check fails = BLOCK
  if (!checks.syntax?.pass) {
    return 'block'; // Invalid syntax
  }

  if (!checks.disposable?.pass) {
    return 'block'; // Disposable email
  }

  if (!checks.mx?.pass) {
    return 'block'; // No mail servers
  }

  // Apply whitelist/blacklist
  if (isWhitelisted(email)) return 'allow';
  if (isBlacklisted(email)) return 'block';

  // Count failed checks
  const failedChecks = Object.values(checks).filter(
    check => !check.pass
  ).length;

  if (failedChecks >= threshold) {
    return 'flag'; // Review recommended
  }

  return 'allow';
}

Configuration Options

You can customize validation behavior per project:

Enable/Disable Checks

Turn individual validations on/off based on your use case

Set Actions

Configure each check to ALLOW, FLAG, or BLOCK

Whitelist Domains

Always allow specific email domains

Blacklist Domains

Always block specific email domains

Caching Strategy

Vouch uses multi-layer caching for optimal performance:

What’s Cached

  • Project Settings
  • MX Records
  • Disposable Domains
  • IP Lists
  • Device Fingerprints
TTL: Until webhook invalidation
  • Validation toggles
  • Whitelist/blacklist rules
  • Risk thresholds
  • API keys

Edge Computing Architecture

Vouch is built on Cloudflare Workers for global performance:

275+ Data Centers

Deployed to Cloudflare’s global network

Sub-50ms Latency

Requests routed to nearest edge location

Auto-scaling

Handles millions of requests automatically

99.99% Uptime

No servers to manage or crash

Request Flow

Data Security

Email Encryption

All validation logs encrypt email addresses: 
// Emails are encrypted before storage
const encrypted = await encrypt(email, projectKey);

// SHA-256 hash for indexing
const hash = sha256(email);

// Store both
await db.insert({
  email_hash: hash,
  email_encrypted: encrypted,
  signals: validationResults
});

API Key Security

  • API keys are SHA-256 hashed before storage
  • Server keys blocked from browsers (Origin/Referer/User-Agent detection)
  • Client keys validated against allowed domains
  • Separate test/live environments
Never commit API keys to version control. Use environment variables instead.

Performance Characteristics

Typical validation times:
ScenarioTime
Cache hit (repeated domain)50-100ms
All checks enabled200-500ms
SMTP verification enabled500-2000ms
Early exit (syntax fail)10-50ms
Disable SMTP verification in production unless you need mailbox-level certainty. It’s the slowest check (500-2000ms) and can have false positives.

Next Steps

Explore Validation Types

Deep dive into each validation check

API Reference

Complete API documentation

Device Fingerprinting

How fingerprinting works

Best Practices

Production optimization tips