
Verify the unverifiable.
Other verifiers shrug at catch-all domains and call them “unknown.” CatchLume stacks five signals into a real 0–100 confidence score — so you stop wasting deliverability on 30% of your list.
Live · Powered by the CatchLume engine · Free during beta
The unknown problem
“Risky” isn't an answer.
Catch-all mail servers accept anything at the SMTP layer, so legacy verifiers can't tell a real mailbox from a black hole. They mark the whole bucket “unknown” and bill you for the privilege.
That bucket is 25–35% of B2B addresses. CatchLume cracks it open with a stacked engine that scores what others skip.
- 5 independent signals, 1 calibrated score
- Sub-300ms cold, sub-50ms warm-cached
- Same answer in API, CSV, and widget
jane.doe@catch-all-corp.com
Three surfaces, one engine
Ship it the way your stack wants
REST API
POST a single email, get a verdict + 0–100 score in <300ms. vk_* keys, salted SHA-256 at rest, 300/min per user.
POST /v1/verify
Authorization: Bearer vk_…
{ "email": "jane@acme.io" }
Bulk CSV
Upload up to 100k rows / 10 MB. Job streams through Redis to workers and lands in a downloadable export.
POST /v1/verify/bulk
Content-Type: multipart/form-data
file=list.csv → job_id
JS Widget
Drop a 4 KB script on your signup form. Sub-200ms verdict, native setCustomValidity, origin-scoped widget keys.
<script src="https://catchlume.shakvaro.com/widget.js"></script>
window.CatchLume.attach('#email', { key: 'vk_…' })
Under the hood
Five signals, stacked into one score
Each layer is cheap and falsifiable on its own. Together they triangulate something legacy verifiers can't: whether a real human lives behind a catch-all.
Syntax + DNS
weight 18%
RFC-grade syntax, disposable list, MX / SPF / DMARC lookup. The cheap gates first.
SMTP timing baseline
weight 26%
RCPT-TO timing variance vs. a known-bad probe. Real mailboxes respond differently than catch-all sinkholes.
Gravatar lookup
weight 14%
MD5 over the address. A hit is a strong positive signal that a human owns the inbox.
Provider fingerprint
weight 22%
Banner, response codes, greylisting behavior. Google / Microsoft / Zoho all leak a signature.
ML scorer
weight 20%
scikit-learn gradient-boosted classifier blends every signal into one 0–100 confidence score. sha256-checked at load.
One calibrated output
Confidence score 0–100
87
example output
Pricing
Free during beta. No card.
Get the full engine for nothing while we collect real traffic to retrain the catch-all model. When we flip Stripe on, it'll land at roughly 40% under ZeroBounce / NeverBounce.
Guest try-it
No account · Turnstile-gated
5 / day
Signed-in beta
API + CSV + widget
500 / month
Paid plans
Stripe wired · dormant
soon
Built like infra
Boring security, on purpose
Argon2id passwords
Never plaintext. Per-user salt, modern KDF.
Salted SHA-256 keys
vk_* values hashed at rest. Lost key = rotate, no reveal.
SSRF-hardened SMTP
RFC1918 / loopback / link-local rejected before any connect.
Refresh rotation
Reuse-detection invalidates the family. Stolen cookie ≠ forever.
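One way to implement the pre-connect address check described under "SSRF-hardened SMTP", as an added example (not CatchLume's code). The function names, the sample DNS answers, and the extra blocked categories (multicast, reserved, unspecified, IPv4-mapped IPv6) are assumptions of this sketch.

```python
import ipaddress
import socket

def is_public(ip_text):
    """True only for addresses an outbound SMTP probe may connect to."""
    ip = ipaddress.ip_address(ip_text)
    # Unwrap IPv4-mapped IPv6 (::ffff:10.0.0.5) so it cannot hide a private v4 address.
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    # RFC1918, loopback and link-local come from the page; the rest are assumed extras.
    return not (ip.is_private or ip.is_loopback or ip.is_link_local
                or ip.is_multicast or ip.is_reserved or ip.is_unspecified)

def resolve_all(host):
    """Resolve the MX host once and return every address it maps to."""
    infos = socket.getaddrinfo(host, 25, type=socket.SOCK_STREAM)
    return sorted({info[4][0] for info in infos})

def safe_smtp_target(mx_host, resolver=resolve_all):
    """Return the vetted IP to connect to, or raise before any socket is opened.

    The caller must connect to the returned IP, not the hostname, so a second
    DNS answer (rebinding) cannot swap in an internal address after the check.
    """
    ips = resolver(mx_host)
    if not ips:
        raise ValueError(f"{mx_host} did not resolve")
    blocked = [ip for ip in ips if not is_public(ip)]
    if blocked:
        # One internal record is enough to reject the whole host.
        raise PermissionError(f"{mx_host} resolves to internal address(es): {blocked}")
    return ips[0]

# Constructed DNS answers for illustration (hypothetical MX hostnames).
SAMPLE_DNS = {
    "mx.public.example": ["8.8.8.8", "2001:4860:4860::8888"],
    "mx.rfc1918.example": ["10.0.0.5"],
    "mx.metadata.example": ["169.254.169.254"],
    "mx.mapped.example": ["::ffff:127.0.0.1"],
    "mx.mixed.example": ["8.8.8.8", "192.168.1.10"],
}

if __name__ == "__main__":
    for host in SAMPLE_DNS:
        try:
            print(host, "->", safe_smtp_target(host, SAMPLE_DNS.get))
        except PermissionError as exc:
            print("rejected:", exc)
```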
Questions
The honest answers
Most verifiers return 'unknown' or 'risky' for catch-all domains, which is roughly 30% of B2B addresses. CatchLume stacks five signals (DNS, SMTP timing, Gravatar, provider fingerprint, and an ML scorer) to produce a real 0–100 confidence instead of a shrug. That's the whole bet.
It calls the same engine that powers the API, gated through a server-side proxy on shakvaro.com. There is no Turnstile prompt for you and no credit cost, and the result is trimmed to verdict + score + disposable + typo. Bulk and full-fidelity results live behind sign-in.
Yes. Guest try-it is 5/day per IP. Signed-in accounts get 500 verifications per month. Stripe is wired in code but dormant: no card asked, no surprise charges. Pricing lands at roughly 40% under ZeroBounce / NeverBounce when we flip the switch.
Postgres + Redis on a VPS we run ourselves, Docker non-root containers, bound to localhost behind nginx + Let's Encrypt. HubSpot OAuth tokens are Fernet-encrypted at rest. We don't sell verification data and we don't share email lists between accounts.
This landing page is part of the agency site. The widget on the marketing home proves the engine works without making you create an account first. The full product surface (bulk CSV, API keys, HubSpot, billing) lives at catchlume.shakvaro.com.
Not yet. The current model is trained on synthetic catch-all traffic only. Once we have enough opted-in labeled traffic, we'll retrain, and it will be opt-in with a clear toggle, not a default.

Free during beta · No card asked
Stop guessing on 30% of your list
Sign in at catchlume.shakvaro.com and start scoring catch-all domains the same minute.

