Email Validation in PHP
Validate any email address from PHP with one API call. Use Guzzle or native cURL, pass an address, get back a nested JSON object with syntax, deliverability, domain, and quality signals. Real-time, sub-1s median response.
100 validations a month. No credit card required.<?php
$client = new \GuzzleHttp\Client();
$response = $client->post("https://api.trueguard.io/v2/email/validation", [
"headers" => ["X-API-KEY" => $yourKey],
"json" => ["email" => "founder@yourcompany.com"],
]);
$result = json_decode($response->getBody(), true);How do I validate an email in PHP?
Three steps. Most teams have it running in under an afternoon.
Get a free API key
Sign up at trueguard.io. No card, no trial expiry. 100 validations a month included on the free tier.
POST to /email/validation with X-API-KEY
Use Guzzle's $client->post() or curl_init with curl_setopt_array. Set X-API-KEY in the headers and pass the email address as JSON in the request body.
Read the nested JSON, branch on deliverability.status
safe: accept. risky: catch-all or uncertain, apply a softer policy. invalid: the mailbox does not exist, reject.
PHP samples using the real endpoint. Paste, set your key, run.
<?php
$client = new \GuzzleHttp\Client();
$response = $client->post("https://api.trueguard.io/v2/email/validation", [
"headers" => ["X-API-KEY" => $yourKey],
"json" => ["email" => "founder@yourcompany.com"],
]);
$result = json_decode($response->getBody(), true);Where should I call the API in PHP?
PHP runs server-side, so the API key never reaches the browser. Two things still matter: keeping the key out of source control, and placing the call at the right layer in your framework.
Keep the key out of source
Store your X-API-KEY in a .env file and read it with getenv() or your framework config. Never commit it to source control, never echo it into a template, and never log it.
In Laravel use config('services.trueguard.key'). In Symfony bind it as a parameter in services.yaml. In WordPress read it from a server environment variable set at the hosting level.
Call it from your framework
Laravel: use the Http facade in a controller or FormRequest rule. Symfony: inject HttpClientInterface into a service class. WordPress: call wp_remote_post inside an action hook.
For plain PHP without a framework, use Guzzle via Composer or native cURL. Place the call in a validation function that runs before you write anything to the database.
What does the JSON response look like?
Four nested groups: syntax, deliverability, domain, and quality. Every field is included on every plan, including free.
{
"email": "realemail@gmail.com",
"rawEmail": "realemail@gmail.com",
"syntax": {
"isValid": true
},
"deliverability": {
"status": "safe",
"isSmtpValid": true,
"isMxValid": true,
"isCatchall": false,
"isInboxFull": false,
"isDeliverable": true,
"isDisabled": false,
"mxRecords": [
"alt2.gmail-smtp-in.l.google.com",
"gmail-smtp-in.l.google.com",
"alt4.gmail-smtp-in.l.google.com",
"alt1.gmail-smtp-in.l.google.com",
"alt3.gmail-smtp-in.l.google.com"
]
},
"domain": {
"name": "gmail.com",
"age": 11263,
"isLive": true,
"isRisky": false
},
"quality": {
"isDisposable": false,
"isFree": true,
"isRole": false,
"isSubaddress": false
}
}How do I handle errors and rate limits in PHP?
Guzzle throws a ClientException on 4xx responses. Catch it and call getStatusCode() on the response to inspect the code. A 429 means you have hit the rate limit and should back off before retrying. Catch GuzzleException separately to handle network failures.
<?php
use GuzzleHttp\Client;
use GuzzleHttp\Exception\ClientException;
use GuzzleHttp\Exception\GuzzleException;
$client = new Client();
try {
$response = $client->post("https://api.trueguard.io/v2/email/validation", [
"headers" => ["X-API-KEY" => $yourKey],
"json" => ["email" => $email],
"timeout" => 10,
]);
} catch (ClientException $e) {
$status = $e->getResponse()->getStatusCode();
if ($status === 429) {
throw new RuntimeException("Rate limit reached. Back off and retry.");
}
throw new RuntimeException("Validation failed: {$status}");
} catch (GuzzleException $e) {
throw new RuntimeException("Network error calling the validation API.");
}
$result = json_decode($response->getBody(), true);Which PHP frameworks does this work with?
Any PHP environment that can make an HTTPS POST request. The Trueguard endpoint is a standard JSON API that works with any HTTP client. You can also use the same API from JavaScript, Python, Go, Ruby, C#, and Java.
Laravel
Use the built-in Http facade: Http::withHeaders(['X-API-KEY' => config('services.trueguard.key')])->post(...). Store the key in config/services.php, reading from your .env file.
Symfony
Inject HttpClientInterface and call $client->request('POST', ..., ['headers' => [...], 'json' => [...]]). Read the key from the Symfony secrets vault or a bound parameter in services.yaml.
WordPress
Call wp_remote_post with the args array containing headers and body. Read the key from a server environment variable or a WordPress option. Never hardcode it in plugin source.
Guzzle
Install with composer require guzzlehttp/guzzle. Pass the headers and json keys in the options array. Guzzle throws ClientException on 4xx, making error handling straightforward.
cURL (no dependencies)
Use curl_init, curl_setopt_array, and curl_exec. No Composer needed. Works on any PHP host. More verbose than Guzzle but useful for shared hosting or minimal environments.
Composer
Run composer require guzzlehttp/guzzle to get the recommended HTTP client. The Trueguard API is a standard HTTPS POST, so any PSR-18 compatible client works as a drop-in replacement.
What can I build with email validation in PHP?
One API call unlocks several data-quality and fraud-prevention patterns. Here are the most common ones teams build with the PHP integration.
Stop fake signups at the form
Validate on submit, before the account is created. Drop disposable addresses and hard-reject invalid ones. Risky catch-all addresses can be accepted with a confirmation step.
Stop fake signupsClean outreach lists before sending
Run each address through the API before the campaign loads it. Flag role mailboxes and invalid addresses to protect your sender reputation.
Pair with VPN detectionEmail list hygiene
Validate in batch before a send. Drop invalid, flag disposable, route catch-all to a re-permission flow. Cleaner list, lower bounce rate, better deliverability.
Email list cleaning guideFrequently asked questions
How do I validate an email address in PHP?
Send a POST request to https://api.trueguard.io/v2/email/validation using Guzzle or native cURL. Set the X-API-KEY header to your key and pass the address as JSON in the request body. Call json_decode on the response body to get the nested result array with syntax, deliverability, domain, and quality groups. Branch on deliverability.status: safe means the address passed, risky means catch-all or uncertain, invalid means the mailbox does not exist.
Should I use Guzzle or cURL in PHP?
Guzzle is the cleaner option if you already use Composer. It handles JSON encoding, throws exceptions on 4xx and 5xx responses, and integrates naturally with Laravel and Symfony. Native cURL needs no dependencies and works in any PHP environment, but requires more boilerplate. Both call the same endpoint with the same header and body shape. For new projects, Guzzle is recommended. For simple scripts or shared hosting with no Composer, cURL works fine.
Where should I call the email validation API in PHP?
Always call the API from server-side PHP code. Store your key in a .env file or server environment variable and read it with getenv() or your framework config. In Laravel use Http::withHeaders([...]) inside a controller or service. In Symfony use HttpClientInterface injected into a service. In WordPress use wp_remote_post in a plugin or theme action hook. Never put the key in a template rendered directly to the browser or in any client-distributed file.
What does the JSON response look like?
The response is a nested object with four groups: syntax contains isValid; deliverability contains status, isSmtpValid, isMxValid, isCatchall, isInboxFull, isDeliverable, isDisabled, and mxRecords; domain contains name, age, isLive, and isRisky; quality contains isDisposable, isFree, isRole, and isSubaddress. Every field is present on every plan including free.
How do I check if an email is deliverable in PHP?
Read deliverability.status from the parsed response array. If it equals safe the address passed all checks. If it equals risky the domain is a catch-all or the SMTP probe could not confirm the mailbox, so the address may or may not be real. If it equals invalid the mailbox does not exist. Branch on these three values rather than any individual boolean for the most reliable decision.
Does the API detect catch-all domains in PHP?
Yes. When the destination domain accepts mail for every address, the API sets deliverability.isCatchall to true and deliverability.status to risky. You cannot confirm a specific mailbox on a catch-all domain without actually sending mail, so risky is the honest verdict. You can use isCatchall to apply a softer policy instead of a hard reject.
How do I handle errors and rate limits in PHP?
Guzzle throws a ClientException for 4xx responses. Catch it and call getStatusCode() on the response: 429 means you have hit the rate limit and should back off before retrying. Catch GuzzleException for network failures such as timeouts. If you use cURL, check the HTTP status code from curl_getinfo and branch accordingly. Log the status code so you can distinguish between a validation error and a temporary service issue.
Is there a free tier for testing the PHP integration?
Yes. Sign up for a Trueguard account and you get 100 email validations per month at no cost, with no credit card required. The free tier runs the production endpoint with the same response shape and the same accuracy as a paid plan. It is enough to build and test a full integration before committing to a subscription.
