How to test or audit a validation vendor?

Still have a question, spotted an error, or have a better explanation or a source we should cite?

Auditing a validation vendor is the same job as auditing any vendor that grades your data. You build a known-answer test, run it through the vendor blind, then score the vendor against truth. If you skip this step you are trusting marketing copy with your sender reputation.

Here is the procedure we use at RME when we benchmark a vendor.

Build a seed list of 1,000 to 2,000 addresses

Mix the seeds in known proportions so you can score precision and recall by category. A useful split:

  • 40% known-good addresses. Real mailboxes you own or control across Gmail, Outlook, Yahoo, and at least one Google Workspace and one Microsoft 365 tenant. These must come back as valid. Anything else is a false positive that will cost you real subscribers.
  • 15% hard bounces you have confirmed. Pull addresses that returned an SMTP 550 5.1.1 "user unknown" from your last send. The vendor should flag every one of these. See RFC 5321 section 4.2.2 for the reply code definitions.
  • 10% role accounts. info@, sales@, support@, postmaster@, abuse@. These are deliverable but high-risk. A good vendor labels them as role, not valid.
  • 10% disposable domains. Pull current lists from mailinator.com, guerrillamail.com, tempmail variants. Disposable lists change weekly so use fresh ones.
  • 10% catch-all domains. Domains you own where every address accepts mail. The vendor cannot prove a specific mailbox exists on a catch-all. Honest vendors say "accept-all" or "risky." Vendors that return "valid" on every catch-all address are guessing.
  • 5% spamtraps you control. Set up addresses on a domain you own, never publish them anywhere, then drop them into the test list. A vendor that returns "valid" on an address that has never received legitimate signup traffic is not running deep checks. Do not use real third-party traps. That gets you blocklisted.
  • 5% throttled or greylisting servers. Pick small business domains on hosts known to rate-limit verification probes (some Plesk and cPanel setups, certain regional ISPs). A vendor that calls these "invalid" because the SMTP probe timed out is going to nuke deliverable subscribers from your list. This is one of the "silent" hygiene issues that bleeds your list quietly.
  • 5% typo domains. gmial.com, hotnail.com, yaoo.com. Good vendors flag and suggest corrections.

Run the test twice, a week apart

Upload the same list to the vendor on day 1 and day 7. Compare verdicts row by row. If more than 2% of addresses flip verdict between runs without you changing anything, the vendor's internal data is noisy. We have seen vendors flip 8 to 12% of verdicts week to week, which means their "valid" label is closer to a coin flip than a verdict.

Also send a 10% sample through a second vendor in parallel. Disagreement rate above 15% on the same addresses means at least one of them is wrong. Usually both are partly wrong.

Score against truth

Build a confusion matrix for each category. The pass thresholds we use:

  • False positives on known-good: under 1%. Anything higher will shrink your sendable audience for no reason.
  • True positives on confirmed bounces: above 95%.
  • Catch-all handling: 100% labeled as accept-all or risky, never "valid."
  • Disposable detection: above 90% on a list refreshed in the last 30 days.
  • Run-to-run consistency: above 98% identical verdicts between day 1 and day 7.

Check the method, not just the result

Ask the vendor in writing whether they do live SMTP RCPT TO probes, MX record lookups only, or pattern matching against historical bounce data. SMTP probing is the only method that can confirm a specific mailbox exists at this moment, and even that is unreliable against catch-alls and Microsoft 365 tenants that accept everything at the connection layer. The Microsoft 365 behavior is documented in their admin docs on directory-based edge blocking. A vendor that claims 99% accuracy on M365 domains without explaining how is overselling.

Also ask whether they suppress trap-suspected addresses or just label them. "Label only" puts the risk on you.

What to do with the results

If the vendor passes, you have a new baseline. Re-run the audit every quarter, especially after they push platform updates. If they fail on catch-alls or run-to-run consistency, treat their "valid" verdict as a soft signal and combine it with engagement data before sending. If they fail on known-good, switch vendors. False positives are the most expensive failure mode because you never see the revenue you lost.

This is the same logic that sits behind why list hygiene matters for deliverability. A bad validator is worse than no validator because it makes you confident in dirty data.

Contributors

Who worked on this answer

Every name links to their profile. Every company links to their site. Real people, real accountability.

Ask an AI · tailored to your setup

Get step-by-step instructions tailored to your setup.

I read this on the Email Almanac about "How to test or audit a validation vendor": "You can audit a vendor by creating controlled test lists that include known valids, known invalids such as pristine spamtraps you control for testing , catch all domains, disposable domains, role accounts, and throttled servers. Compare results across multiple runs." Give me step-by-step instructions for MY specific setup: 1. What exactly to do (adapted to my tools and domain) 2. Common pitfalls to watch out for 3. How to verify it's working correctly 4. What to do if something goes wrong --- My details (fill in what applies, the more you share, the better the advice): - Email platform/ESP: e.g. Mailchimp, SendGrid, Postmark, HubSpot, custom SMTP - Domain(s): your sending domain(s) - Sending volume: e.g. 5,000/month or 500/day - List size: e.g. 25,000 - How list was built: organic signup, purchased, imported, scraped, mixed - List age: [e.g. 2 years, or "mixed, some contacts from 5+ years ago"] - Signup method: single opt-in / double opt-in / imported - Last cleaned: date or "never" - Bounce rate: e.g. 2.5% - Inactive subscribers: rough % that haven't opened in 6+ months - Segmentation approach: none / basic (active/inactive) / advanced - Validation tool used: e.g. ZeroBounce, NeverBounce, none - Re-engagement campaigns: yes, describe / no / planned - Any spam trap hits?: yes/no/unsure

Edit the yellow boxes, then send to the AI of your choice.