Technical · 9 min read · 2026-02-15

How to Detect Fake Emails at Shopify Checkout

The Email Problem in Ecommerce

Email addresses are the primary identifier in Shopify's customer system. When a customer checks out, their email is how Shopify tracks who they are, whether they are a returning buyer, and whether they have already used a particular discount code.

This makes email the most important signal for checkout protection — and also the most commonly exploited one. If a customer can present a different email address, they appear as a completely different person to your store.

According to Signifyd's 2025 research, 53% of merchants report increasing promotional abuse, and email manipulation is the most common tactic. This article covers the technical approaches to detecting fake, disposable, and aliased emails at the point of checkout, before a fraudulent discount redemption costs you money.

Types of Fake Emails

Not all fake emails are created equal. Understanding the different types helps you build appropriate detection for each.

Aliased Emails (Same Person, Different Address)

These are real email addresses that deliver to a real inbox, but they are variations of the same base address. The most common aliasing mechanisms are:

Gmail dot trick: Gmail ignores dots in the local part of the address. "[email protected]" and "[email protected]" and "[email protected]" are all the same mailbox. This gives a single Gmail user access to dozens of valid email variations.

Plus alias: Many email providers (Gmail, Outlook, Yahoo, Fastmail, ProtonMail, and others) support the "+" character in the local part. Everything between "+" and "@" is ignored for delivery purposes. "[email protected]" delivers to "[email protected]." This provides essentially unlimited unique addresses per mailbox.

Domain aliases: Some email providers have multiple domains that all point to the same system. Gmail addresses work on both gmail.com and googlemail.com. Microsoft addresses work across outlook.com, hotmail.com, live.com, and others. A customer can use different domains to appear as different people.

Disposable Emails (Temporary, No Real Person)

Disposable email services provide temporary mailboxes that require no registration. A user visits the service, gets a random email address, uses it for a single purpose, and the address expires. Common providers include:

  • Tempmail / temp-mail.org
  • Guerrillamail
  • Mailinator
  • ThrowAwayMail
  • Yopmail
  • 10MinuteMail

There are over 3,000 known disposable email providers operating under various domains. Many of these services rotate through domains frequently to evade blocklists, making them a moving target.

Programmatically Generated Emails

More sophisticated abusers use custom domains or self-hosted email servers to generate unique addresses on the fly. This is harder to detect because the domain is legitimate (it has valid MX records, it accepts mail) but the addresses are created solely for abuse.

Detection Techniques

Technique 1: Email Normalization

Email normalization transforms an email address into its canonical form by reversing the aliasing tricks described above. Here is what a comprehensive normalization process looks like:

Step 1: Lowercase the entire address. Email local parts are technically case-sensitive per RFC 5321, but virtually no email provider enforces this. Converting to lowercase eliminates "[email protected]" vs "[email protected]" as separate identities.

Step 2: Identify the email provider. Different providers support different aliasing mechanisms. You need to know whether the domain is Gmail, Outlook, Yahoo, or another provider to apply the correct normalization rules.

Step 3: Remove dots for Gmail addresses. Strip all dots from the local part: "j.o.h.n.d.o.e" becomes "johndoe."

Step 4: Strip plus aliases. For providers that support it, remove everything from the first "+" to the "@": "user+promo" becomes "user."

Step 5: Resolve domain aliases. Map alternate domains to their primary: "googlemail.com" becomes "gmail.com," "hotmail.com" becomes "outlook.com," etc.

Step 6: Store and compare the normalized form. Keep the original address for communication but use the normalized form for identity comparison.

After normalization, "[email protected]" resolves to "[email protected]," correctly identifying it as the same person as "[email protected]."

Technique 2: Disposable Domain Detection

The most practical approach to detecting disposable emails is maintaining a blocklist of known disposable domains. This blocklist should include:

  • Domains of well-known disposable email services
  • Domains that have been identified through community reporting
  • Domains with patterns common to disposable services (auto-generated names, recently registered, no web presence)

The challenge is keeping this list current. New disposable email services launch frequently, and existing services add new domains to evade blocklists. An effective blocklist needs regular updates — ideally automated.

When checking a checkout email against the blocklist, compare only the domain part (everything after @). If the domain is on the list, the email is disposable.

Technique 3: MX Record Verification

Every domain that can receive email has MX (Mail Exchange) records in its DNS configuration. You can verify that an email's domain has valid MX records as a basic legitimacy check.

However, this technique has limitations. Many disposable email services have valid MX records because they genuinely accept email. And some legitimate but obscure domains might have unusual MX configurations. MX verification works best as a supplementary signal rather than a primary detection method.

Technique 4: Domain Age and Reputation

Recently registered domains are more likely to be associated with disposable email services or fraud. While this is not a definitive signal, a domain registered within the last 30 days that is being used for checkout emails is worth flagging.

Domain reputation services aggregate data from millions of transactions and can provide a risk score for a given domain. This is useful for catching new disposable providers that have not yet made it onto blocklists.

Technique 5: Pattern Analysis

Some patterns are strong indicators of fake or abusive emails:

High entropy in the local part — Random-looking strings like "[email protected]" are more likely auto-generated than human-chosen.

Sequential patterns — If you see "[email protected]," "[email protected]," "[email protected]" all placing orders, the pattern suggests automated abuse.

Domain frequency — If an unusual domain suddenly appears in multiple checkouts, it may be a new disposable service or a coordinated abuse attempt.
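The three pattern signals above, implemented as heuristics that run over a batch of checkout emails. This is an added example, not code from the article or from OfferGuard; the entropy and length thresholds, the set of expected high-volume domains and the sample addresses are constructed assumptions for illustration, not values tuned on real traffic.

```python
# Added example (not the article's or OfferGuard's code): heuristics for the
# three pattern signals in Technique 5. Thresholds, the baseline-domain set and
# the sample addresses are constructed assumptions.
import math
import re
from collections import Counter, defaultdict
from typing import Dict, List

# Domains expected to appear often in any store's checkouts (assumed baseline).
COMMON_DOMAINS = {"gmail.com", "outlook.com", "yahoo.com", "icloud.com"}

# Constructed checkout emails: two random-looking local parts, one sequential
# run (promo1..promo3) and two small domains with an unusual burst of orders.
SAMPLE_CHECKOUT_EMAILS = [
    "jane.smith@gmail.com",
    "x7k2m9q4p1@gmail.com",
    "promo1@example.net",
    "promo2@example.net",
    "promo3@example.net",
    "mark.jones@outlook.com",
    "q9z3w7t1r5@example.org",
    "buyer@example.org",
    "h4j8k1@example.org",
]


def shannon_entropy(text: str) -> float:
    """Bits per character; uniform random strings approach log2(alphabet size)."""
    if not text:
        return 0.0
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())


def is_high_entropy_local(local: str, min_len: int = 8, min_bits: float = 3.2) -> bool:
    """Signal 1: a long, near-uniform local part with letters and digits interleaved.
    Counting letter/digit switches keeps ordinary names such as john.smith.1985
    (a single trailing number) from being flagged."""
    switches = sum(
        1
        for a, b in zip(local, local[1:])
        if (a.isalpha() and b.isdigit()) or (a.isdigit() and b.isalpha())
    )
    return len(local) >= min_len and shannon_entropy(local) >= min_bits and switches >= 3


_TRAILING_NUMBER = re.compile(r"^(?P<base>.*?)(?P<num>\d+)$")


def find_sequential_groups(addresses: List[str], min_run: int = 3) -> Dict[str, List[str]]:
    """Signal 2: the same base local part on the same domain with consecutive
    numeric suffixes (promo1, promo2, promo3). Returns {"<base>*@<domain>": [addresses]}."""
    groups: Dict[tuple, Dict[int, str]] = defaultdict(dict)
    for addr in addresses:
        local, _, domain = addr.strip().lower().partition("@")
        m = _TRAILING_NUMBER.match(local)
        if m and m["base"]:
            groups[(m["base"], domain)][int(m["num"])] = addr
    flagged: Dict[str, List[str]] = {}
    for (base, domain), by_num in groups.items():
        nums = sorted(by_num)
        run = 1
        for prev, cur in zip(nums, nums[1:]):
            run = run + 1 if cur == prev + 1 else 1
            if run >= min_run:
                flagged[f"{base}*@{domain}"] = [by_num[n] for n in nums]
                break
    return flagged


def unusual_domain_spikes(addresses: List[str], threshold: int = 3) -> Dict[str, int]:
    """Signal 3: a domain outside the expected baseline that shows up in several
    checkouts within the analysed window."""
    counts = Counter(a.strip().lower().rpartition("@")[2] for a in addresses)
    return {d: n for d, n in counts.items() if d not in COMMON_DOMAINS and n >= threshold}


def analyze_checkout_emails(addresses: List[str]) -> Dict[str, object]:
    """Run all three signals over a window of checkout emails and return the findings."""
    return {
        "high_entropy": [a for a in addresses if is_high_entropy_local(a.lower().partition("@")[0])],
        "sequential": find_sequential_groups(addresses),
        "domain_spikes": unusual_domain_spikes(addresses),
    }


if __name__ == "__main__":
    for signal, finding in analyze_checkout_emails(SAMPLE_CHECKOUT_EMAILS).items():
        print(f"{signal}: {finding}")
```

None of these signals is conclusive on its own, which is why they are returned as findings for review rather than as block decisions: a domain spike can just as easily be a company placing several orders, so it should be read alongside the catch-all guidance in the edge-case section.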

Real-Time Implementation

For checkout protection to be effective, email detection must happen in real time during the checkout flow — not after the order is placed. This is the critical difference between prevention and cleanup. Here is how this works in practice.

At Checkout Initiation

When the customer enters the checkout and provides their email, the detection engine:

  1. Normalizes the email address using the rules above
  2. Checks the domain against the disposable email blocklist
  3. Looks up the normalized email in the order history database
  4. Returns a pass/fail decision within milliseconds

Decision Logic

The email check result feeds into the broader detection chain. A match on email alone might be sufficient to block the checkout (since email normalization has essentially zero false positives), or it might be combined with other signals depending on your configuration.

For disposable emails, the recommended action is to block immediately — there is no legitimate reason for a customer to use a temporary email for a purchase that requires shipping and order tracking.

For normalized email matches (detecting Gmail aliases of a previous customer), the recommended action is also to block, since this definitively identifies the same person.
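The six normalization steps from Technique 1, the domain blocklist check from Technique 2, and the real-time decision just described, combined into one worked example. This is added illustration code, not OfferGuard's or Shopify's implementation; the provider rule table, the domain alias map and the blocklist entries are assumptions (a real blocklist has thousands of entries and is refreshed regularly), and the order history is a constructed in-memory set of previously seen normalized addresses.

```python
# Added example (not OfferGuard's or Shopify's code): the six-step normalization,
# the disposable-domain check and the real-time checkout decision from this
# article. Provider rules, alias map and blocklist entries are assumptions.
from dataclasses import dataclass
from typing import Set

# Step 5 data: alternate domains mapped to the provider's primary domain (assumed).
DOMAIN_ALIASES = {
    "googlemail.com": "gmail.com",
    "hotmail.com": "outlook.com",
    "live.com": "outlook.com",
    "ymail.com": "yahoo.com",
    "proton.me": "protonmail.com",
}

# Step 2 data: which aliasing tricks each canonical provider honours (assumed,
# following the providers the article names). Unknown domains get no stripping.
PROVIDER_RULES = {
    "gmail.com":      {"strip_dots": True,  "plus_alias": True},
    "outlook.com":    {"strip_dots": False, "plus_alias": True},
    "yahoo.com":      {"strip_dots": False, "plus_alias": True},
    "fastmail.com":   {"strip_dots": False, "plus_alias": True},
    "protonmail.com": {"strip_dots": False, "plus_alias": True},
}
NO_ALIASING = {"strip_dots": False, "plus_alias": False}

# Technique 2 data: constructed blocklist. A real list has thousands of
# entries and needs regular, ideally automated, refresh.
DISPOSABLE_DOMAINS = {
    "mailinator.com", "guerrillamail.com", "yopmail.com",
    "10minutemail.com", "temp-mail.org",
}


def normalize_email(address: str) -> str:
    """Steps 1 to 5: return the canonical identity form of an address."""
    # Step 1: lowercase (local parts are case-sensitive per RFC 5321, but no
    # major provider treats them that way) and drop surrounding whitespace.
    address = address.strip().lower()
    if address.count("@") != 1:
        raise ValueError(f"expected exactly one '@': {address!r}")
    local, domain = address.split("@")
    # Step 5 first, so the provider lookup in Step 2 sees the primary domain.
    domain = DOMAIN_ALIASES.get(domain, domain)
    # Step 2: pick the rules for this provider.
    rules = PROVIDER_RULES.get(domain, NO_ALIASING)
    # Step 4: everything from the first "+" to the "@" is ignored for delivery.
    if rules["plus_alias"]:
        local = local.split("+", 1)[0]
    # Step 3: Gmail ignores dots in the local part.
    if rules["strip_dots"]:
        local = local.replace(".", "")
    return f"{local}@{domain}"


def is_disposable(address: str) -> bool:
    """Technique 2: compare only the domain part against the blocklist."""
    domain = address.strip().lower().rpartition("@")[2]
    return domain in DISPOSABLE_DOMAINS


@dataclass
class CheckoutDecision:
    allow: bool
    reason: str        # "ok", "disposable_domain" or "matches_previous_order"
    normalized: str    # Step 6: store this form; keep the original for mail


def check_checkout_email(address: str, order_history: Set[str]) -> CheckoutDecision:
    """Real-time check at checkout initiation: normalize, blocklist, history lookup.
    order_history holds the normalized form of every email that ordered before."""
    normalized = normalize_email(address)
    if is_disposable(normalized):
        return CheckoutDecision(False, "disposable_domain", normalized)
    if normalized in order_history:
        return CheckoutDecision(False, "matches_previous_order", normalized)
    return CheckoutDecision(True, "ok", normalized)


if __name__ == "__main__":
    # Constructed history: one earlier order from a Gmail customer.
    history = {normalize_email("John.Doe@gmail.com")}
    for attempt in ("j.o.h.n.doe+deal2@googlemail.com", "new@yopmail.com", "buyer@example.org"):
        d = check_checkout_email(attempt, history)
        print(f"{attempt:36} -> {'allow' if d.allow else 'block':5} ({d.reason}, {d.normalized})")
```

The decision models the new-customer-discount case this article is about: a match against order history is read as the same person returning under an alias, as the recommendation above describes. Step 6 is the contract between the two halves: `order_history` must contain normalized forms, written at order time, while the original address is kept separately for order confirmations and shipping notices.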

Handling Edge Cases

Catch-all domains: Some businesses configure their email domain to accept mail at any address (a "catch-all" configuration). This can look like multiple different people using the same domain, but it is a legitimate business practice. Avoid flagging an email solely because other addresses on the same domain have been seen before, unless the domain is specifically a known disposable provider.

Corporate email addresses: Company email addresses ([email protected]) are generally lower risk. The barrier to creating a new corporate email address is much higher than creating a free email alias.

International email providers: Ensure your normalization rules account for email providers popular in your target markets. Yahoo Japan, Mail.ru, GMX, and other regional providers may have their own aliasing features.

Measuring Email Detection Effectiveness

After implementing email detection, track these metrics:

Disposable email block rate: What percentage of checkout attempts use disposable emails? A rate above 2-3% suggests you have been a target.

Alias detection rate: What percentage of checkouts are caught by email normalization? This shows how many repeat buyers were attempting to use email tricks.

False positive complaints: Monitor customer support contacts from people who believe they were incorrectly blocked. For email normalization, this should be near zero. For disposable email blocking, it should also be very low — legitimate customers do not typically use disposable emails for purchases.

Bypass rate: Periodically audit your orders to check whether email-based abuse is still occurring despite your detection. Look for patterns that your current rules might miss and update accordingly.

Beyond Email: Why Multi-Signal Detection Matters

Email detection catches the majority of checkout abuse, but it is not comprehensive on its own. A determined abuser can use a genuinely different email address (not an alias, not disposable) and bypass email-only detection entirely. Industry data shows that 5-10% of first-time buyer discounts are fraudulent — and not all of those use email tricks.

This is why email detection works best as the first signal in a multi-signal chain. When combined with phone number verification, address fuzzy matching, IP tracking, and device fingerprinting, email detection covers the most common abuse vector while the other signals catch what email alone misses.

OfferGuard's Watchdog plan (free) includes email normalization and disposable email blocking — enough to see how much abuse your store has. The Sentinel plan ($29/month) adds phone, address, IP, and device detection for comprehensive 5-signal protection.

The combination of email normalization (which catches casual abuse with zero false positives) and broader identity matching (which catches determined abuse with very low false positives) provides comprehensive protection that scales from small stores to high-volume operations.

Try OfferGuard on your store.

Free plan available. No credit card.
