The disposable email problem in 2026: 652 providers, one growing list
If you accept email addresses from the open internet — signups, lead forms, newsletter capture, free-trial gates — a meaningful fraction of what you collect is disposable. A disposable email address is a working mailbox at a service that exists specifically to be thrown away: the user gets a confirmation, an OTP, a free trial activation, and the address evaporates an hour later.
The point of this article is to lay out the actual scale of the problem in 2026, how the receiving infrastructure works, and which categories of providers slip past the consumer-grade filters that most signup pages rely on.
How many disposable services exist
The Mailcheq disposable list currently covers 652 domains. That is up from 514 in January 2026 and 387 a year ago. The growth is not because new providers appear constantly — it is because the existing big ones rotate domains aggressively to evade blocklists, and because we add domains as we see them used.
The 652 number understates the underlying provider count by a lot. A single service like Temp-Mail operates 80+ rotating domains. Guerrilla Mail uses about 12. 1mail.lt uses 8. So the actual provider count is somewhere around 80-90 distinct services — they just present as hundreds of domains.
The five categories
| Category | Examples | Why used | Detection difficulty |
|---|---|---|---|
| Browser-based throwaway | 1mail.lt, Mailinator, Temp-Mail, 10minutemail | OTP signups, free trials, "give me your email" gates | Easy — domains are public and well-known |
| Forwarding aliases | SimpleLogin, AnonAddy, Apple Hide My Email | Privacy-conscious users, real mailbox behind | Hard — these are legitimate, deliverable, and used by paying users |
| Plus-tagging | name+test@gmail.com | Same user creating multiple accounts | Trivial — strip everything after + |
| Catch-all custom domains | Self-hosted catch-all + random local-part | Technical users avoiding blocklists | Very hard — domain looks unique each time |
| Subaddressing | name@yopmail.com → name (no signup) | Hash-of-username receives mail without an account | Easy if you have the domain on your list |
How disposable inbox services actually work
Most disposable mail services are surprisingly simple — they're a thin website over a Postfix or a custom SMTP daemon that drops every incoming message into a per-address bucket, accessible by URL. The user visits service.com/inbox/whatever-name-they-picked and sees the latest few messages. Some persist for an hour, some for a day, some forever. Some autodelete after one read.
Behind the scenes:
- A wildcard MX points the whole domain at one server.
- That server runs an SMTP receiver that accepts mail to any local part without authentication.
- Mail lands in a Redis or filesystem bucket keyed by the address.
- A web frontend reads from the bucket.
The infrastructure cost is low — a 1-vCPU VPS can handle 50,000 messages/day at peak. That is why the category keeps expanding: the marginal cost of starting another disposable-mail service is about $10/month.
Why a verification API can detect them
Three signals catch the vast majority:
Signal 1: Domain matches a known list
Maintained lists like the one Mailcheq uses cover the long tail of explicit, intentionally-disposable providers. This catches Temp-Mail, Guerrilla, Mailinator, 10minutemail, YOPmail, and the 80-something other recognised services across their 652 domains.
Signal 2: MX server fingerprint
Some operators run dozens of disposable domains pointing to the same MX server. If mx.disposable-host.example is the MX for one known disposable domain, every other domain pointing at it is almost certainly also disposable, even if we have never seen the domain name before. We add domains to the list this way as they appear.
Signal 3: Catch-all + no SPF + no DMARC
A domain that accepts mail to every random local part, publishes no SPF record, has no DMARC, and has no real website is almost certainly disposable. False positives are non-zero — some hobby domains fit this pattern — so we mark these "risky" rather than "invalid."
What does not work
Blocking Apple Hide My Email
Apple's privacy relay (@privaterelay.appleid.com) looks disposable. It is not. Behind the relay is a real, paying Apple ID owner with a real iCloud mailbox; the relay forwards. Blocking this domain blocks paying customers. We classify privacy-relay forwarders separately from disposable and surface them as "valid + relay" so you can decide.
Blocking plus-tagging
If you treat name+test@gmail.com as a separate identity from name@gmail.com, you make multi-account abuse trivial. Strip the plus-tag during signup normalization (per RFC 5233 for ESPs that support it: Gmail, Fastmail, Apple, ProtonMail). Do not strip it for general email — only for the deduplication key.
Blocking new domains
"This domain was registered last week — must be disposable" sounds like a signal but isn't. Legitimate businesses register domains constantly. Use signal 2 (MX fingerprint) instead.
Which providers slip past consumer filters
Filters that only check against the top-20 disposable domains miss most of the long tail. From our logs the most common "slipped past simple filters" services in 2026 are:
- 1mail.lt — small footprint, rotates 8 domains, not on most blocklists
- internxt.com Mail — privacy product but used disposably
- SkiffMail (now shutting down but still active) — was marketed as legitimate
- Maildrop — long-running, very low profile
- Burner Mail — Chrome extension popular with privacy-conscious users
- 33mail — alias forwarder, but often used disposably
- Spamgourmet — pre-dates Gmail, still active, almost no blocklists carry it
Verify your list before sending
5 checks in under 500ms — syntax, MX, disposable, role-account, live SMTP. Free in your browser, no signup.
Try the verifier →The deliverability cost of not filtering
Why is this worth caring about?
If you collect disposable addresses and then send a newsletter or product update later, that mail goes nowhere. The address holder is not reading. The MX often does not retain the message past 24 hours. Your engagement metrics tank because half your list does not exist. Gmail and Microsoft 365 reputation systems then downgrade your sender — they see low open rates and they conclude your mail is unwanted. The visible effect: your real subscribers stop seeing your newsletter in the primary inbox.
Filter at signup. It is one API call. It saves your sender reputation across every future send.
One free way to check today
The Mailcheq verifier on this site will tell you whether any single address is disposable (and run four other checks at the same time). For bulk validation against the same list, the API will open with the Starter plan — €19/mo for 5,000 validations.
If we are missing a disposable provider you have seen abused, email hello@mailcheq.com and we will add it.