SaaS signups have three persistent problems: fake accounts from bots, trial abuse from disposable emails, and typo signups that never activate. Each one inflates your top-of-funnel metrics, costs you support time, and skews retention analysis. Real-time email verification fixes all three with a single API call. Here is the playbook.
The three failure modes
Bots filling forms
Most signup spam comes from automated tools probing for vulnerabilities or generating fake accounts to scrape. They submit gibberish addresses (sd7gh2jk@gmail.com) or typo domains (name@gmial.com).
Trial abuse
One human signs up multiple times using disposable addresses to bypass per-account limits. Looks like 50 signups; actually one user gaming you.
Typo signups
Real human, fat-finger typo. They never get the welcome email, never activate, and look like a churned user in your analytics.
The five-line fix
Server-side, before account creation:
```javascript
// Inside the signup route handler; `email` comes from the request body.
const verify = await fetch('https://mailoclean.com/api/v1/verify', {
  method: 'POST',
  headers: {
    'Authorization': `Bearer ${process.env.MAILOCLEAN_KEY}`,
    'Content-Type': 'application/json'
  },
  body: JSON.stringify({ email })
}).then(r => r.json());

// Reject addresses the verifier marks as invalid or disposable.
if (['invalid', 'disposable'].includes(verify.status)) {
  return res.status(422).json({ error: 'Please use a valid, permanent email address.' });
}
```
That handles all three failure modes. Bot signups fail because their generated addresses are invalid. Trial abusers fail because disposable domains are blocked. Typo signups fail because the domain does not resolve.
What to allow, warn, or block
| Status | Action |
|---|---|
| valid | Create account |
| invalid | Block, show error |
| disposable | Block, ask for permanent address |
| catch_all | Create account, tag for engagement monitoring |
| role_based | Create account, soft warning ("consider using personal email") |
| unknown | Create account, reverify in background |
UX patterns that work
- Inline validation on blur. Show the error as soon as the user leaves the field, not after they submit.
- Suggest a correction. If they type name@gmial.com, ask "did you mean name@gmail.com?". A library like mailcheck does this client-side.
- Always allow override. Some users have unusual addresses. Two failed verifications + an "I am sure this is right" button accepts with a flag.
- Never validate on every keystroke. The signup form is not the place for live-as-you-type validation.
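The status table and the override rule above can be combined into one server-side policy function. This is an added example, not code from MailoClean. The flag names, the 3-second timeout, treating API errors as `unknown`, and limiting the override to `invalid` (so a disposable address cannot be clicked through) are assumptions.

```javascript
// Added example: policy layer for the status table (not MailoClean's own code).
// Flag names and the shape of the decision object are assumptions.
const BLOCK_MSG = 'Please use a valid, permanent email address.';
const POLICY = new Map([
  ['valid',      { create: true,  flags: [] }],
  ['invalid',    { create: false, flags: [], error: BLOCK_MSG }],
  ['disposable', { create: false, flags: [], error: BLOCK_MSG }],
  ['catch_all',  { create: true,  flags: ['monitor_engagement'] }],
  ['role_based', { create: true,  flags: [], warning: 'Consider using a personal email.' }],
  ['unknown',    { create: true,  flags: ['reverify_in_background'] }],
]);

// Call the verifier with a deadline. verifyFn is injected (for instance a
// wrapper around the fetch call shown earlier) and must resolve to { status }.
// Any error or timeout yields null so that an API outage never blocks signups.
async function verifyWithTimeout(email, verifyFn, timeoutMs = 3000) {
  let timer;
  const deadline = new Promise((_, reject) => {
    timer = setTimeout(() => reject(new Error('verify timeout')), timeoutMs);
  });
  try {
    return await Promise.race([verifyFn(email), deadline]);
  } catch {
    return null;
  } finally {
    clearTimeout(timer);
  }
}

// Map a verifier result to a signup decision.
// failedVerifications counts blocked attempts in this form session, including
// the current one; userConfirmed is the "I am sure this is right" button.
function decideSignup(result, { failedVerifications = 0, userConfirmed = false } = {}) {
  // A missing result or an unrecognised status is treated as "unknown".
  const status = result && POLICY.has(result.status) ? result.status : 'unknown';
  const rule = POLICY.get(status);
  // Assumption: the override applies to "invalid" only, so a disposable
  // address cannot be clicked through to bypass the trial-abuse block.
  if (status === 'invalid' && failedVerifications >= 2 && userConfirmed) {
    return { create: true, status, flags: ['user_override'] };
  }
  return { status, ...rule, flags: [...rule.flags] };
}
```

Store the returned flags on the account record so that overridden, catch-all and unverified signups can be reviewed or reverified later.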
Measuring the impact
Track these metrics before and after rollout:
- Total signups (will drop 5 to 25% depending on how leaky your form was).
- Activation rate (will rise: fewer dead emails means more users who actually get the activation email).
- Bounce rate on welcome emails (will drop dramatically).
- Cost per acquired user (often improves: fewer signups but each one is more likely to convert).
FAQ
Will I lose real signups to false positives?
MailoClean's false positive rate is below 0.05%. Most "false positives" turn out to be users who really did sign up with a disposable or invalid address.
Does this protect against credential stuffing?
Indirectly. It removes the easiest source of fake accounts. For real credential stuffing protection, layer rate limiting and CAPTCHA on top.
How fast is the API?
Median 1.4 seconds. Run it asynchronously after form submission with a clear "creating your account" state.
Plug it in
Five-line fix above. Get your API key, paste, deploy. Most SaaS teams see fake-signup rate drop 60%+ in the first week.