Analysis updated 2026-05-18
Check whether a user's email domain belongs to a known disposable or throwaway email service during signup.
Feed the domain list into a fraud or risk scoring system to flag suspicious account creation.
Block or rate limit signups from addresses on the list instead of hard coding your own domain blocklist.
Pull the daily updated text file automatically so your app's disposable email checks stay current.
| castle/disposable-email-domains | 0xjbb/modulestomped | ahmedhazem02/fifa-world-cup-2026-prediction-agent | |
|---|---|---|---|
| Stars | 34 | 34 | 34 |
| Language | — | C++ | TypeScript |
| Setup difficulty | easy | moderate | moderate |
| Complexity | 1/5 | 4/5 | 3/5 |
| Audience | developer | developer | general |
Figures from each repo's GitHub metadata at analysis time.
Just fetch the plain text file over HTTP, no installation needed.
disposable-email-domains is a curated list of the top 1,000 email domains that belong to disposable or throwaway email services, maintained by the research team at Castle, a company that works on account security and fraud prevention. The list is meant to help other developers spot when someone signs up using a temporary email address instead of a real one. What sets this list apart from similar public lists is how it is built. Instead of collecting submissions from the community and merging them into one large file, Castle verifies every domain independently and only adds it if it is tied to a real disposable email service that has been seen in actual abuse, such as fake signups, promo abuse, spam, or people creating many accounts at once. The team deliberately leaves out privacy focused email providers like Proton Mail or Tuta, since those exist to protect user privacy rather than to enable throwaway accounts. The result is meant to be a small, focused list rather than a sprawling one, which the maintainers say makes it easier to use without triggering false positives. To build the list, Castle scrapes websites of known disposable email providers, studies DNS records to find services that share infrastructure with providers already known to be disposable, and draws on real abuse data observed across the platforms that use Castle's fraud protection tools. The list is regenerated and committed automatically every day, so it stays current without needing manual pull requests. The repository itself is just one plain text file, disposable-email-domains.txt, with one domain per line, sorted so the most frequently abused domains appear first. Because the file is small, it can be loaded entirely into memory and checked against an email address in a single line of code. The README includes short code examples in Python and JavaScript showing how to download the file and check whether an email's domain is in the list. The maintainers are clear that this list only covers the top 1,000 domains they have observed, not every disposable email domain that exists, and that broader coverage requires their paid API. They also note that seeing a disposable domain does not automatically mean an account is malicious, and leave the decision of how strictly to act on a match, whether blocking, scoring risk, or asking for extra verification, up to whoever uses the list. The project is released under the MIT license.
A daily updated, independently verified list of the top 1,000 disposable email domains, built by Castle's fraud research team to help apps detect throwaway signups.
MIT license, use freely for any purpose including commercial use, as long as you keep the copyright notice.
Setup difficulty is rated easy, with roughly 5min to a first successful run.
Mainly developer.
This repo across BitVibe Labs
Verify against the repo before relying on details.