Shopify Email Validation: Preventing Fake Checkout Emails

workerslab ·

37% of My Abandoned Cart Emails Were Going Nowhere

I found out the hard way. Ran a Black Friday cart recovery campaign, spent hours building the sequence, and nearly four out of ten emails bounced or hit dead inboxes. Disposable addresses. Typos like gmial.com. Bots stuffing junk into checkout fields.

You can’t recover a cart if you can’t reach the person who abandoned it.

That’s the core problem with fake checkout emails on Shopify. Your abandonment flows, your order confirmations, your shipping updates, they all depend on a real email address. Bad data at checkout poisons everything downstream. And Shopify doesn’t validate email deliverability out of the box. It checks for an @ symbol and calls it a day.

The Three Types of Fake Checkout Emails

Not all bad emails look the same. Each type causes different headaches.

Disposable addresses. Services like Guerrilla Mail, Temp Mail, and Mailinator give anyone a throwaway inbox that self-destructs. Shoppers use them to grab discount codes without joining your list. There are over 180,000 known disposable email domains. Shopify blocks zero of them by default.

Typos. [email protected] instead of gmail.com. [email protected] instead of yahoo.com. The customer actually wants their order confirmation. They just fat-fingered the email field. Now they’re emailing support asking where their receipt went.

Bot submissions. Automated scripts flood checkout forms with fake entries. Multiple Shopify merchants have reported dozens of fake abandoned checkouts from mail##@protonmail.com patterns, where ## is a rotating number. Some stores get hundreds in a single week during bot attacks. That junk pollutes your analytics and wastes your recovery budget.

The hidden cost of invalid emails on Shopify compounds monthly. Your ESP bills climb. Your sender reputation drops. Your recovery flows break. And your actual customers get worse inbox placement because ISPs see you sending to dead addresses.

Shopify Plus: Checkout Extensibility

If you’re on Shopify Plus, you’ve got the most powerful option. Shopify’s Checkout Extensibility framework replaced checkout.liquid (fully deprecated as of August 2024 for in-checkout pages) and lets you inject custom validation logic right into checkout.

The key tool is the Cart and Checkout Validation Function API. It runs server-side on Shopify’s infrastructure as compiled WebAssembly, works across all payment methods (Shop Pay, Apple Pay, Google Pay, PayPal), and can access the buyer’s email through the cart’s buyer identity object.

One requirement to know: accessing buyerIdentity.email counts as protected customer data. Your app needs level 2 access approved through the Shopify Partner Dashboard before it can read email addresses. That approval takes a few days, so apply early.

Here’s what a basic email validation function looks like in JavaScript:

// src/run.js
const BLOCKED_DOMAINS = [
  "guerrillamail.com",
  "mailinator.com",
  "tempmail.com",
  "throwaway.email"
];

export function run(input) {
  const errors = [];
  const email = input.cart.buyerIdentity?.email;

  if (email) {
    const domain = email.split("@")[1]?.toLowerCase();

    if (BLOCKED_DOMAINS.includes(domain)) {
      errors.push({
        localizedMessage: "Please use a permanent email address",
        target: "$.cart.buyerIdentity.email"
      });
    }
  }

  return { operations: [{ validationAdd: { errors } }] };
}

You’d scaffold this with Shopify CLI by running shopify app generate extension, then selecting “Function - Cart and checkout validation” and picking JavaScript or Rust as your language. The function compiles to WebAssembly and runs on every checkout attempt. If it returns errors, checkout won’t complete.

The validation fires for express checkouts too. That matters. A disposable email slipping through Shop Pay is just as costly as one typed in by hand.

Want to go further? You can hit an external validation API from a checkout UI extension, check MX records, flag typo domains, and show “Did you mean gmail.com?” suggestions right in the checkout flow. Each store supports up to 25 active validation functions.

Apps for Every Shopify Store

Don’t have Plus? Don’t want to write custom code? Apps handle this.

Express Email Validator (by MGLogics, starts at $12.99/month) detects fake, disposable, and misspelled email addresses during checkout or order creation. It flags suspicious emails and can block orders automatically. One catch: checkout-level validation still requires Shopify Plus. For standard stores, it validates after order creation and flags bad orders for review.

EmailMarker plugs real-time email validation into your store. It catches invalid syntax, hard bounces, spam traps, and disposable domains. Note: EmailMarker needs a separate paid account and API key. Their newer EmailVerify app is easier to set up and connects to multiple verification providers (Bouncer, ZeroBounce, SendPulse) for better accuracy.

For most standard Shopify stores, an app is the fastest path. Install, configure your rules, and you’re blocking bad emails within minutes. No developer needed.

The email validation for e-commerce guide covers how to evaluate these tools and what accuracy benchmarks to look for.

What About Non-Plus Stores?

No Plus subscription? You’ve still got options, but they’re more limited than you might think.

Here’s what tripped me up at first: Shopify Functions work on all plans when delivered through a public app on the Shopify App Store. But custom apps (private apps built just for your store) that use Shopify Functions require Shopify Plus. You can’t just build a private validation function for your standard store and call it done.

Your best paths without Plus:

  1. Install a public app that already uses validation functions (like the ones in the previous section).
  2. Build and publish a public app on the Shopify App Store that includes your validation logic. Yes, even if it’s just for your one store. It’s more work, but it gets around the Plus restriction.
  3. Use post-checkout validation through webhooks. Listen for orders/create events, validate the email, and flag or cancel orders with bad addresses.

Here’s a more complete validation example with typo detection. This works in both Plus custom apps and public apps on any plan:

// src/run.js
const TYPO_CORRECTIONS = {
  "gmial.com": "gmail.com",
  "gmal.com": "gmail.com",
  "gamil.com": "gmail.com",
  "yaho.com": "yahoo.com",
  "yahooo.com": "yahoo.com",
  "hotmial.com": "hotmail.com",
  "outlok.com": "outlook.com"
};

const DISPOSABLE_DOMAINS = [
  "guerrillamail.com", "mailinator.com", "tempmail.com",
  "throwaway.email", "yopmail.com", "sharklasers.com",
  "guerrillamailblock.com", "grr.la", "dispostable.com"
];

export function run(input) {
  const errors = [];
  const email = input.cart.buyerIdentity?.email;

  if (!email) return { operations: [{ validationAdd: { errors } }] };

  const domain = email.split("@")[1]?.toLowerCase();

  // Block disposable domains
  if (DISPOSABLE_DOMAINS.includes(domain)) {
    errors.push({
      localizedMessage: "Disposable email addresses aren't accepted. Please use your regular email.",
      target: "$.cart.buyerIdentity.email"
    });
    return { operations: [{ validationAdd: { errors } }] };
  }

  // Suggest corrections for typo domains
  if (TYPO_CORRECTIONS[domain]) {
    const corrected = TYPO_CORRECTIONS[domain];
    errors.push({
      localizedMessage: `Did you mean @${corrected}? Please fix your email to get order updates.`,
      target: "$.cart.buyerIdentity.email"
    });
  }

  return { operations: [{ validationAdd: { errors } }] };
}

The input query for this function needs to request the buyer identity email:

query Input {
  cart {
    buyerIdentity {
      email
    }
  }
}

One thing to know: buyerIdentity.email will be null for first-time visitors who haven’t typed their email yet. Don’t throw an error on a missing email. Let Shopify’s built-in required-field check handle that part.

Typo Corrections That Save Sales

Typo domains deserve special attention because they’re not malicious. They’re mistakes from real customers who want to buy from you.

The most common ones I’ve seen across Shopify stores:

  • gmial.com, gmal.com, gamil.com (all meant gmail.com)
  • yaho.com, yahooo.com (meant yahoo.com)
  • hotmial.com, hotmal.com (meant hotmail.com)
  • outlok.com, outllook.com (meant outlook.com)
  • iclould.com, iclod.com (meant icloud.com)

A static list catches the obvious typos. But email validation APIs do it better. They track thousands of known misspellings and update constantly. If you’re processing more than a few hundred orders a month, the API approach pays for itself fast.

What happens when a customer with a typo email completes checkout? They never get their order confirmation. They call support. Or worse, they assume the order didn’t go through and file a chargeback. Catching the typo before order completion costs you nothing. Missing it costs you $20-50 in support time per incident.

Cart Abandonment: Can’t Recover What You Can’t Email

Here’s where fake emails hurt the most. Revenue you’ll never see.

Cart abandonment emails convert at roughly 10-15% (Klaviyo and Baymard Institute data both land in that range). For a store doing $50,000 a month with a 70% abandonment rate, that recovery flow is worth $3,500-5,250 in recaptured revenue. Every month.

But those numbers assume the emails actually land. If 15% of your abandoned cart emails go to disposable or invalid addresses, you’re losing $525-787 in recoverable revenue monthly. That’s $6,300-9,450 per year from one validation gap.

The math gets worse during peak seasons. Black Friday week might see 3-5x your normal cart volume. The percentage of fake emails goes up too, because deal-seekers use throwaway addresses more often when they’re just browsing sales.

Want to block disposable emails at checkout before they reach your abandonment flow? That’s the single highest-ROI validation you can add.

Setting It Up: Start Here

Pick your path based on your store.

Shopify Plus stores: Use the Checkout Extensibility framework. Build a validation function that blocks disposable domains and suggests typo corrections. Pair it with an external validation API for the most coverage. You’ve got the tools. Use them.

Standard stores with budget: Install Express Email Validator or EmailVerify from the app store. Configure disposable blocking and typo detection. You’ll catch most problems without writing any code.

Standard stores with a developer: Build a public Shopify app with a Cart and Checkout Validation function. (Custom/private apps with Functions need Plus, but public apps work on all plans.) Start with a disposable domain blocklist and typo corrections. Add API-based validation when order volume justifies the cost.

Every store, right now: Add your checkout email field to your abandoned cart flow’s exclusion rules. If you’re already collecting bad emails, at least stop wasting sends on them. Clean your existing list with a bulk validation service. Then add real-time validation so the bad addresses stop coming in.

The whole point is simple. Real email addresses at checkout mean real revenue from every flow that follows. Recovery emails, shipping updates, review requests, repeat purchase campaigns. All of it breaks when the email is fake.

Fix checkout validation once, and every email you send after that works harder.

We use cookies to process payments and improve your experience. By using MailCop, you agree to our use of cookies in accordance with our Privacy Policy.