Real-time email verification
for every WordPress form.
One drop-in plugin. Twenty native integrations — WooCommerce, Contact Form 7, WPForms, Gravity Forms, MailPoet, FluentCRM, MemberPress and more. The plugin auto-detects what's installed and starts verifying every submitted email address against the Trumailo API. Invalid, disposable, throwaway, and role addresses get rejected before they touch your CRM, mailing list, or order pipeline.
Spam signups, throwaway inboxes, and typo'd addresses are quietly eating your deliverability.
Every fake or mistyped email that enters your list is a slow tax on future sends. Mailbox providers downgrade your sender reputation when bounces creep above 2–3%. Disposable inbox services (Mailinator, 10MinuteMail, Guerrilla Mail and the rest) generate never-engaged signups that depress your open rate cohort by cohort. Role addresses (admin@, info@, postmaster@) trip spam filters more aggressively than individual inboxes. And typos — gmial.com, yhaoo.com, hotnail.com — cost you actual customers, silently.
The fix is to refuse those at the form, before they land in your database. That's what this plugin does: it intercepts every email submitted to every supported form on your site, verifies it against the Trumailo API, and rejects it with a friendly inline message if it fails your policy.
Twenty integrations. Zero per-integration config.
The plugin scans your site on activation, lists every supported host it finds, and lets you toggle each one. New form plugin gets installed later? Trumailo picks it up automatically.
Not in the list? do_action( 'trumailo_verify', $email ) or the REST endpoint /wp-json/trumailo/v1/verify covers anything custom.
Built for production, not a demo.
Server-side blocking
Validation happens during the form's PHP submit handler — survives bots that disable JavaScript and doesn't depend on the front-end.
Real-time inline check
Debounced AJAX as the visitor types, with accessible status badges and 'did you mean' suggestions for common typos (gmial → gmail).
Per-status policy
Choose what to block: invalid, disposable, risky, role addresses, or anything below a quality threshold. Different settings per integration if needed.
Whitelist / blacklist
Skip the API for trusted internal domains; always reject specific bad ones. Plus an opt-in cache so repeat verifications return instantly from local transients.
Fail-open by default
If the Trumailo API is unreachable, submissions still go through (or set fail-closed if your conversion math prefers caution). Configurable per integration.
GDPR-aware logging
Default log stores only an MD5 hash of each address; flip 'store full emails' only when you need it. Logs auto-purge after the configurable retention window.
From zero to verifying in two minutes.
- 01
Install the plugin
Search “Trumailo” from the WordPress Plugins page and click Install. Or download the zip from wordpress.org/plugins/trumailo and upload it via Plugins → Add New → Upload.
- 02
Activate
Standard WordPress activation. No database migration, no long install task — the plugin is ready immediately.
- 03
Grab a Trumailo API key
Sign up at trumailo.com/register (free tier available, no card). Copy the key from your dashboard.
- 04
Paste the key and save
Settings → Trumailo → paste the API key → Save. The plugin runs a single test call to confirm the key works, then enables verification on every detected integration.
- 05
(Optional) tune the policy
Pick which result types to block (invalid by default; toggle disposable, risky, role addresses). Set the quality-score threshold. Add domain whitelist / blacklist entries. Configure fail-open vs fail-closed per integration.
Hook into anything.
The 20 native integrations cover the common case. Beyond that, the plugin exposes a small but complete extension surface.
add_action( 'admin_init', function () {
do_action( 'trumailo_verify', 'user@example.com' );
});Fire a verification from anywhere. The verdict lands on thetrumailo_verdictfilter for downstream code to react.
POST /wp-json/trumailo/v1/verify
Content-Type: application/json
X-WP-Nonce: <nonce>
{ "email": "user@example.com" }
→ { "verdict": "valid", "score": 100, "cached": false, ... }add_filter( 'trumailo_verdict', function ( $verdict, $email ) {
// Always allow your team's domain regardless of score.
if ( str_ends_with( $email, '@your-company.com' ) ) {
$verdict['allow'] = true;
}
return $verdict;
}, 10, 2 );What data leaves your site, and when.
The plugin sends the email address being verified to https://api.trumailo.com/v1/verify over HTTPS, with your API key in the Authorization header. This happens on every form submit where the value isn't already in the local cache.
Separately, the plugin polls https://api.trumailo.com/v1/account at most every 5 minutes to refresh the credits-remaining gauge on the plugin dashboard.
No other personal data, form fields, page URLs, or visitor identifiers are transmitted. Verification results are cached in WordPress transients to minimise repeat API calls.
Use of the plugin requires that you accept Trumailo's Terms of Service and Privacy Policy. If you operate in a jurisdiction with sub-processor disclosure requirements, list Trumailo in your own site's privacy notice.
Do I need a Trumailo account?
Yes — the plugin is a thin client on top of the Trumailo API. Sign up free at trumailo.com, copy the API key from the dashboard, paste it in Settings → Trumailo. The free tier covers small sites; paid plans start at $19/mo with a 7-day unlimited trial.
Will this slow down my forms?
A single verification call typically completes in 200–800 ms; cached calls (the same address verified again) return sub-millisecond. If you'd rather never wait on the API, flip 'Fail-open' in settings and submissions go through immediately whenever the API is slower than your latency budget.
Does it work with a form plugin I don't see listed?
Yes — use the do_action( 'trumailo_verify', $email ) hook, the REST endpoint /wp-json/trumailo/v1/verify, or wire your own filter on trumailo_verdict. The 20 native integrations are auto-detected, but the plumbing is open for anything else.
Is it GDPR-safe?
By default the plugin only stores an MD5 hash of each verified address in the local log table. The full email address is sent to the Trumailo API for verification (this is unavoidable — that's the service) but not retained locally unless you opt in. See the External services section of the readme and our Privacy Policy.
What happens at the API rate limit?
Trumailo's API returns HTTP 429 when you exceed your plan's per-minute limit. The plugin retries with backoff; if every retry fails, your configured fail-open or fail-closed setting decides whether the submission passes. The dashboard surfaces 429 events so you can see when you're brushing your plan ceiling.
Multisite, i18n, custom themes?
Multisite-aware (per-site or network activation), translation-ready (.pot included), and back-end independent — no front-end markup assumed, just hooks into the host plugin's validation lifecycle.
Two minutes to install, every signup verified.
The free tier covers small sites. Paid plans start at $19/mo with a 7-day unlimited trial — verifications during trial don't count toward your monthly quota.