What is disposable email, and should I block it?

A disposable email address (DEA) is a concept where a user is using unique e-mail addresses for all services they sign up for. Many pages, apps and forums require the user's email to participate, and by using a disposable email address, the user doesn't have to reveal his real email address to the service.

The benefit for the user is that if one of the services is hacked, and user data is leaked, or the owner of the service is malicious, and starts sending spam, they only have the unique email the user gave them, not the real email address.

If the email is leaked or starts to receive spam, the user can easily "dispose of" the email address, and not receive email there anymore. Since it should only have been used at one place, it won't affect the users other accounts or emails they receive.

Disposable email addresses are most often provided as web-mails, browser extensions or apps.

Also read about what is temp mail in our blog.

It's not really black-or-white if you should allow users to sign up with disposable or temporary email addresses. If you get a disposable email at sign-up, the user deliberately does not want to give you his real email address. What is the reason?

You might host a forum or service that receives lots of spam, or maybe have a voting system, or hand out free trials where there is a cost associated to you. Then it might be desirable to get the user's real email, and block the registration of disposable or temporary emails.

Some users are really strict with who they give their email to, and might not even want to sign up unless you allow them to sign up with a disposable or temporary email. And they have the right to feel that way, since many pages both require unnecessary sign-ups, and end up spamming, or leaking the user data otherwise.

If you don't really require the user's real email address, do you even need to ask for it at all? At any rate, blocking or allowing disposable emails can both help and deter service misuse, but it could also affect real users.

The optimal way of doing a user sign-up, is probably to check if the email is valid only, and allow the registration. Then, if the user used a temporary or disposable email, you can entice them to fill out their real information if they actually use the service, or reach a specific part of your on-boarding process.

You could also use this as a way of flagging an account for manual or automatic inspection. If the IP doesn't match the country they signed up with, and they are using a disposable email? Are they coming from a proxy or datacenter? Are they failing captchas? Is it coming from a TOR exit node, or a VPN? Then maybe you should require a valid email.

Blocking disposable emails should be done in the most user-friendly way. If you don't allow them, tell the user why. You need to gain their trust if you want their real email.