Trumailo verifies every email address submitted to your WordPress site — in real time, with one drop-in plugin — and stops fake, throwaway, mistyped, and risky addresses before they touch your CRM, mailing list, or order pipeline.
Why bother
- Spam signups inflate your list and tank deliverability.
- Disposable inboxes (Mailinator, 10MinuteMail, etc.) never convert.
- Typo’d emails (gmial.com, yhaoo.com) are lost forever.
- Role addresses (admin@, info@) hurt sender reputation.
Trumailo catches all of those at the form, with a friendly inline message.
Works out of the box with
- WordPress core (registration, comments, REST users)
- WooCommerce (classic checkout, block checkout, registration)
- Easy Digital Downloads
- Contact Form 7
- WPForms
- Gravity Forms
- Ninja Forms
- Fluent Forms
- Elementor Pro Forms
- Forminator
- Formidable Forms
- MailPoet
- FluentCRM
- Mailchimp for WordPress
- Newsletter (by Stefano Lissa)
- Groundhogg
- BuddyPress
- Ultimate Member
- MemberPress
- LearnDash
No configuration per integration — add your API key, the plugin detects what’s installed and starts verifying.
Features
- Server-side blocking — survives JavaScript-disabled bots; the rejection happens during form validation.
- Real-time inline validation — debounced typing check with “did you mean” suggestions and accessible status badges.
- Per-status policy — choose what to block: invalid, disposable, risky, role addresses, or anything below a quality threshold.
- Whitelist / blacklist — skip the API for trusted internal domains; always reject specific bad ones.
- Cache — repeat verifications served instantly from local transients (configurable TTL).
- Fail-open by default — if the API is unreachable, submissions go through (configurable to fail-closed).
- Verification log — opt-in, with optional email-hashing for GDPR compliance and configurable retention.
- Dashboard — counts of allowed, blocked, cached, and per-day trend.
- REST endpoint — for custom front-ends and third-party integrations (/wp-json/trumailo/v1/verify).
- Multisite-aware, i18n-ready, GPL-2.0.
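How the whitelist / blacklist, cache and fail-open items above can combine into one server-side decision, as an added Python example that is not the plugin's own code. The names, the deny-before-allow order, the keyed-hash cache key and the injected `verify` callable are all assumptions made for illustration.

```python
import hashlib
import hmac
import time

# All names and values below are constructed for illustration.
SITE_KEY = b"constructed-site-secret"
BLOCKED_STATUSES = {"invalid", "disposable"}   # per-status policy
ALLOW_DOMAINS = {"example.org"}                # trusted: skip the API
DENY_DOMAINS = {"spam.example"}                # always rejected


class VerifierUnavailable(Exception):
    """Raised by the verify callable when the remote API cannot be reached."""


def cache_key(email):
    # Keyed hash, so the cache never stores the address in clear text.
    return hmac.new(SITE_KEY, email.encode(), hashlib.sha256).hexdigest()


def decide(email, verify, cache, fail_open=True, ttl=3600, now=time.time):
    """Return (allowed, reason) for one submitted address."""
    email = email.strip().lower()
    domain = email.rpartition("@")[2]
    if domain in DENY_DOMAINS:          # assumption: deny list wins over allow
        return False, "blacklist"
    if domain in ALLOW_DOMAINS:
        return True, "whitelist"

    key = cache_key(email)
    hit = cache.get(key)
    if hit and hit[1] > now():          # unexpired cached verdict
        status, source = hit[0], "cache"
    else:
        try:
            status = verify(email)
        except VerifierUnavailable:
            # An outage is never cached: only real verdicts are stored.
            return fail_open, ("fail-open" if fail_open else "fail-closed")
        cache[key] = (status, now() + ttl)
        source = "api"
    return status not in BLOCKED_STATUSES, f"{source}:{status}"
```

With `fail_open=True` every address is accepted while the API is unreachable, so the "fail-open" reason is the one worth counting and alerting on.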
Getting started
- Install and activate the plugin.
- Get an API key at https://trumailo.com.
- Settings → Trumailo → paste the key.
- Done — every supported form on your site is now verifying emails.
External services
This plugin connects to the Trumailo email-verification API to determine whether each submitted email address is deliverable. The API is provided by Trumailo (https://trumailo.com), the same vendor that publishes this plugin.
What the service is and what it is used for
Trumailo is a real-time email-verification API. It checks an address for syntactically valid format, MX records, disposable / role / catch-all signals, and (where the recipient mail server cooperates) an SMTP-level deliverability probe. The plugin uses it so your site can reject invalid, disposable, and risky addresses before they enter your forms, lists, or checkout.
What data is sent and when
- The plugin sends the email address being verified to https://api.trumailo.com/v1/verify over HTTPS, together with your API key in the Authorization: Bearer header. This happens every time a supported form is submitted with a value the plugin hasn’t already cached.
- The plugin sends a lightweight request to https://api.trumailo.com/v1/account to read the calling key’s remaining monthly credits. This is used to populate the credits gauge on the plugin dashboard and is polled at most every 5 minutes.
- No other personal data, form fields, page URLs, or visitor identifiers are transmitted.
- Verification results are cached locally in WordPress transients to minimise repeat API calls; you can configure the TTL and toggle full-email vs hashed-email storage in the plugin settings.
Service provider, terms, and privacy
- Service: Trumailo — https://trumailo.com
- Terms of Service: https://trumailo.com/terms
- Privacy Policy: https://trumailo.com/privacy
Use of this plugin requires that you (the site owner) agree to Trumailo’s Terms of Service and Privacy Policy linked above. You should disclose Trumailo as a sub-processor in your own site’s privacy notice if you operate in a jurisdiction that requires such disclosure.