Legend
✓ Surfaced to customers
◐ Partial / collected but limited
✗ Not available
Unique No competitor offers this
Hover cells for detail
CF Today
What customers see right now (binary bool)
CF + Aurora
Expose Maxime's existing infrastructure pipeline
CF Full Vision
Full dashboard + reasoning + clustering + zone integration
Capability Scorecard
| Capability | Kickbox | ZeroBounce | Abstract | NeverBounce | Xverify | LexisNexis | Estab. Emails | IPQS | CF Today | CF + Aurora | CF Full Vision |
|---|---|---|---|---|---|---|---|---|---|---|---|
| Verdict RichnessBeyond binary disposable yes/no? | ◐ KickboxBinary disposable bool inside 4-tier verdict. Disposable buried in "risky." |
✓ ZeroBounce7 statuses x ~25 sub-statuses. Distinguishes disposable / mx_forward / toxic. Most granular taxonomy. |
◐ Abstract3-tier deliverability + boolean is_disposable. No domain-type breakdown. |
◐ NeverBounceDisposable as top-level result (5 categories) but no sub-types. |
✓ Xverify5 statuses + 8-value domain_type enum. Cleanest "what kind of domain?" model. |
◐ LexisNexis0-1000 risk score with bands. Disposable not first-class. |
◐ Estab. Emails5 classifications incl. privacy_relay. Positive-signal framing. |
✓ IPQSdisposable bool + domain_trust enum + fraud_score 0-100. |
✗ | ✓ CF + AuroraExpose the existing 4-state classification (disposable/trusted/suspicious/unknown) + new domain_category field from Maxime's pipeline. |
✓ CF Full VisionThree-state UI verdict (Trusted / Suspicious / Disposable) + domain_category. "Suspicious with infrastructure-backed reasoning" is unique to Cloudflare. |
| ExplainabilityCan customers see why it was flagged? | ✗ | ✓ ZeroBounceSub-status + plain-English description + prescribed action + industry citations. Best market explainability. |
◐ AbstractDecomposed boolean flags per bucket. No narrative string. |
✗ | ◐ XverifyReason codes per status. Category context but no evidence chain. |
✓ LexisNexisRisk factors with linkage evidence. Most contextual explanation in market. |
◐ Estab. Emailsemail_observed_since as audit trail. Positive-only framing. |
◐ IPQSfraud_score + boolean flags. No narrative "why." |
✗ | ✗ | ✓ CF Full VisionHuman-readable reasons[] with evidence chains: "MX host smtp.yopmail.com shared by 1,382 domains", "No SPF or DMARC." Unique evidence depth. |
| Infrastructure LinkageShows mail infra the domain uses? | ✗ | ✗ | ✗ | ✗ | ✗ | ◐ LexisNexisIdentity-level linkage (email-to-IP/device). Tracks person, not mail server. |
✗ | ◐ IPQSReturns raw mx_records[] and a_records[]. No provider mapping or known-bad flagging. |
✗ | ✗ | ✓ CF Full VisionMX hosts, IPs, known-bad provider mapping with reason, allowlisted providers as trust signals. No competitor offers this. |
| Network ClusteringShows shared bad-actor infra? | ✗ | ✗ | ✗ | ✗ | ✗ | ◐ LexisNexisCross-customer identity linkage. Not infrastructure-level. |
✗ | ✗ | ✗ | ✗ | ✓ CF Full Vision"This domain is 1 of 1,382 sharing the same MX." Related domains with shared MX/IP. Zone + network activity stats. Unique. |
| Effort / Hygiene SignalSPF, DMARC, TLS, cert quality? | ✗ | ✗ | ◐ Abstractis_risky_tld flag only. No SPF/DMARC/TLS. |
✗ | ✗ | ✗ | ✗ | ◐ IPQSspf_record and dmarc_record booleans only. No quality analysis. |
✗ | ✓ CF + AuroraExpose SPF/DKIM/DMARC presence, TLS cert validity, self-signed detection from existing domain_smtp_probes table. |
✓ CF Full VisionFull auth posture checklist + SPF junk-IP detection + cert health. Abstracted as "effort" indicator. Unique. |
| Trust Counter-SignalsShows why domain might be legit? | ◐ Kickboxdid_you_mean for typo correction. No trust signals. |
◐ ZeroBounceIndustry citations. No domain-level trust data. |
◐ Abstractdomain_age only. No integrated trust view. |
✗ | ◐ Xverifydomain_type distinguishes biz/edu/gov as positive categories. |
✓ LexisNexisSocial footprint, first/last seen across consortium, email age. Most mature trust model. |
✓ Estab. Emailsemail_observed_since as positive trust signal. Privacy relay broken out. |
◐ IPQSdomain_age, first_seen, domain_trust enum. Good but not framed as trust narrative. |
✗ | ✓ CF + AuroraExpose domain age (RDAP), first_seen_at, registrar, CT first cert date, allowlisted provider detection from existing pipeline data. |
✓ CF Full VisionFull trust view: domain age, CT cert date, registrar, WHOIS privacy, trusted MX flag. Framed as "why you might trust this." Privacy relay distinction planned. |
Strategic Analysis
Wins
Opportunities
Risks
Infrastructure Linkage Unique
Only vendor mapping flagged domains to named mail infrastructure with human-readable reasoning. Includes allowlisted providers as positive trust signals.
"Routes through smtp.yopmail.com — known disposable provider, shared by 1,382 domains" vs. IPQS returning raw mx_records[] with no interpretation.
Network Clustering Unique
No competitor surfaces infrastructure-level clustering. LexisNexis does identity linkage, but no vendor shows shared MX/IP clusters across domains.
"This domain is 1 of 1,382 sharing the same MX infrastructure." DB supports full cluster discovery across mx_records, ips, ns_records, smtp_probes.
Effort / Hygiene Signal Unique
Only product to expose SPF quality analysis (junk IPs like localhost, RFC1918), TLS health, and cert validity — abstracted as a non-technical effort indicator.
IPQS has SPF/DMARC presence booleans only. No competitor surfaces SPF quality or TLS cert health.
Explainability Exceeds Market
ZeroBounce leads market today (plain English + prescribed action). CF Full Vision surpasses with evidence-backed reasoning from live infrastructure data.
"MX host smtp.yopmail.com shared by 1,382 disposable domains" — no competitor combines this evidence depth.
The gap is a surface problem, not a data problem
CF Today already collects everything needed for the top 3 unique wins. The PoC converts internal data to customer-facing signals. Shipping is a product decision, not an engineering discovery.
Infrastructure clustering is white space
No competitor exposes shared MX/IP/cert clustering. Cloudflare's edge position gives us infrastructure data that pure email validation vendors cannot replicate.
Explainability is highest-leverage for App Sec persona
The persona's defining need: "I need to know exactly what fired and why." ZeroBounce is today's leader, but CF's evidence-chain reasons[] surpasses it. Fastest path to persona fit.
Trust framing is a differentiation strategy
Established Emails' philosophy ("absence of evidence should remain neutral") is product positioning. CF can adopt this: showing positive trust signals alongside negative ones reframes from blacklist to judgment tool.
Prioritize unique over parity
The three unique capabilities require no new data collection — only API surface and UI. Prioritize these over taxonomy refinement which merely matches ZeroBounce/Xverify.
CF Today is a competitive liability
Customers get a binary is_disposable_email bool while IPQS, ZeroBounce, and LexisNexis surface significantly richer signals. Any vendor evaluation will immediately expose this gap.
IPQS is the near-term competitive threat
Only competitor to surface raw MX/A records + combined disposable + trust + fraud score. Not as deep as CF Full Vision, but real, shipping, and covers more surface than any other point vendor.
LexisNexis plays a different game
Most mature trust model and best enterprise explainability, but operates as an identity consortium. Compete on infrastructure depth, not identity graph breadth. Partnership more viable than head-to-head.
Capability Deep Dive
1. Verdict Richness — Goes beyond binary disposable yes/no?
| Vendor | Status | What they surface |
|---|---|---|
| Kickbox | ◐ | Binary disposable bool inside 4-tier verdict (deliverable/undeliverable/risky/unknown). Disposable buried in "risky." |
| ZeroBounce | ✓ | 7 statuses x ~25 sub-statuses. Distinguishes disposable / mx_forward / toxic under do_not_mail. |
| Abstract API | ◐ | 3-tier deliverability + boolean is_disposable. No domain-type breakdown. |
| NeverBounce | ◐ | Disposable as top-level result (5 categories). No sub-types. |
| Xverify | ✓ | 5 statuses + 8-value domain_type (disposable/biz/edu/freeisp/gov/org/paidisp/wireless). |
| LexisNexis | ◐ | 0-1000 risk score with bands. Disposable not first-class. |
| Estab. Emails | ◐ | 5 classifications incl. privacy_relay. Positive-signal framing. |
| IPQS | ✓ | disposable bool + domain_trust enum + fraud_score 0-100. |
| CF Today | ✗ | Customers see binary is_disposable_email bool only. 4-state classification exists internally but is not exposed. |
| CF + Aurora | ✓ | Expose 4-state classification + new domain_category field from Maxime's pipeline. |
| CF Full Vision | ✓ | Three-state verdict (Trusted/Suspicious/Disposable) + domain_category. Suspicious with infrastructure-backed reasoning is unique. Unique |
▶ Show API Response Examples
// Kickbox: GET https://api.kickbox.com/v2/verify?email=user@tempmail.xyz { "result": "risky", // disposable buried in "risky" "reason": "accepted_email", "disposable": true, // boolean only -- no "why" "sendex": 0.23, "did_you_mean": null, "domain": "tempmail.xyz" }
Gap: No MX records, no infrastructure data, no explanation of why the domain is disposable.
// CF Full Vision (proposed): same domain
{
"verdict": {
"classification": "suspicious",
"domain_category": "disposable",
"detection_method": "infrastructure_fingerprint",
"recommended_action": "challenge"
},
"reasons": [
{ "summary": "MX host smtp.yopmail.com is a known disposable provider, shared by 1,382 domains" },
{ "summary": "No SPF or DMARC configured" }
]
}
CF advantage: Same domain, dramatically more context. Customer sees why, what infrastructure, and what to do about it.
2. Explainability — Can the customer see why a domain was flagged?
| Vendor | Status | What they surface |
|---|---|---|
| Kickbox | ✗ | 11-value reason enum (rejected_email, low_quality). Codes only, no narrative. |
| ZeroBounce | ✓ | Sub-status + plain-English description + prescribed action + industry citations. |
| Abstract API | ◐ | Decomposed boolean flags per bucket (quality, domain, risk, breaches). No narrative. |
| NeverBounce | ✗ | Flag array only (has_dns, has_dns_mx, bad_syntax). No explanation. |
| Xverify | ◐ | Reason codes per status. Category context but no evidence chain. |
| LexisNexis | ✓ | Risk factors with linkage evidence ("seen at 17 customers since 2018"). |
| Estab. Emails | ◐ | email_observed_since as audit trail for pushback defense. |
| IPQS | ◐ | fraud_score + boolean flags (recent_abuse, suspect). No narrative "why." |
| CF Today | ✗ | Customers see true/false. ClassificationResult.signals[] exists internally but is not exposed. |
| CF + Aurora | ✗ | Aurora pipeline data alone doesn't include customer-facing reasoning. Requires dashboard layer. |
| CF Full Vision | ✓ | Human-readable reasons[] with evidence: "MX host smtp.yopmail.com shared by 1,382 domains." Exceeds Market |
▶ Show API Response Examples
// Abstract API Professional Tier: grouped signal buckets
{
"email_quality": { "is_disposable": true, "score": 0.33 },
"email_domain": { "domain_age": 2, "is_risky_tld": true },
"email_risk": { "address_risk_status": "high", "domain_risk_status": "high" },
"email_breaches":{ "total_breaches": 0 }
}
Notable pattern: Abstract's tiered bucketing is the most organized response structure. Good design influence. But still no narrative reasoning or infrastructure data.
// CF Full Vision (proposed): evidence-chain reasoning
{
"reasons": [
{
"signal_type": "known_bad_mx",
"summary": "MX host smtp.yopmail.com is a known disposable provider, shared by 1,382 domains",
"evidence": { "matched_value": "smtp.yopmail.com", "source": "database" }
},
{
"signal_type": "no_email_auth",
"summary": "No SPF or DMARC configured",
"evidence": { "has_spf": false, "has_dmarc": false, "auth_posture": "neither" }
},
{
"signal_type": "new_domain",
"summary": "Domain first observed 2 days ago",
"evidence": { "first_seen_at": "2026-05-30T09:15:00Z" }
}
]
}
CF advantage: Each reason has a human-readable summary + machine-readable evidence. No competitor combines live infrastructure data with plain-English reasoning.
3. Infrastructure Linkage — Can the customer see what mail infrastructure the domain uses?
| Vendor | Status | What they surface |
|---|---|---|
| Kickbox | ✗ | Not available. |
| ZeroBounce | ✗ | Not available. |
| Abstract API | ✗ | Not available. |
| NeverBounce | ✗ | has_dns_mx flag but no MX details or provider mapping. |
| Xverify | ✗ | Not available. |
| LexisNexis | ◐ | Identity-level linkage (email-to-IP/device). Tracks person, not mail server. |
| Estab. Emails | ✗ | Not available. |
| IPQS | ◐ | Returns raw mx_records[] and a_records[]. No provider mapping or known-bad flagging. |
| CF Today | ✗ | Not exposed. Full MX chain + known_bad_infrastructure exists internally in Postgres. |
| CF + Aurora | ✗ | Data exists in pipeline but requires dashboard/API layer to surface to customers. |
| CF Full Vision | ✓ | MX hosts, IPs, known-bad provider mapping with reason, allowlisted providers as trust signals. Unique |
▶ Show API Response Examples
// IPQS: returns raw records but no interpretation
{
"mx_records": ["smtp.yopmail.com"],
"a_records": ["5.230.123.239"],
"dns_valid": true,
"spf_record": false,
"dmarc_record": false
}
Best competitor for infra data, but customer must manually research whether smtp.yopmail.com is a known disposable provider.
// CF Full Vision: infrastructure with known-bad mapping
{
"infrastructure": {
"mx_records": [{
"exchange": "smtp.yopmail.com.",
"ips": ["5.230.123.239"],
"is_known_bad": true,
"known_bad_reason": "High-volume disposable email service",
"is_allowlisted": false
}],
"smtp_banner": "220 smtp.yopmail.com ESMTP"
}
}
CF advantage: Same data as IPQS, plus provider identification, known-bad flagging with reason, and allowlist status. Customer gets interpretation, not raw data.
4. Network Clustering — Can the customer see that multiple domains share the same bad-actor infrastructure?
| Vendor | Status | What they surface |
|---|---|---|
| Kickbox | ✗ | Not available. |
| ZeroBounce | ✗ | Not available. |
| Abstract API | ✗ | Not available. |
| NeverBounce | ✗ | Not available. |
| Xverify | ✗ | Not available. |
| LexisNexis | ◐ | Cross-customer identity linkage. Not infrastructure-level. |
| Estab. Emails | ✗ | Not available. |
| IPQS | ✗ | domain_velocity (high/med/low) but no clustering. |
| CF Today | ✗ | Not exposed. related_domains[] with shared_infrastructure built internally. |
| CF + Aurora | ✗ | Cluster data exists in DB but requires dashboard layer. |
| CF Full Vision | ✓ | "1 of 1,382 domains sharing same MX." Related domains list + zone/network activity. Unique |
▶ Show API Response Examples
// CF Full Vision: clustering (no competitor has this)
{
"clustering": {
"mx_cluster": {
"primary_mx": "smtp.yopmail.com.",
"total_domains_sharing_mx": 1382,
"classification_breakdown": { "disposable": 1380, "trusted": 0, "suspicious": 2 }
},
"ip_cluster": { "primary_ip": "5.230.123.239", "total_domains_sharing_ip": 947 },
"related_domains": [
{ "domain": "temp-mail-gen.xyz", "classification": "disposable" },
{ "domain": "throwaway99.com", "classification": "disposable" }
],
"related_domains_total": 1382
}
}
White space: No competitor returns anything like this. The difference between "this domain is disposable" and "this domain is part of a 1,382-domain fraud operation."
5. Effort / Hygiene Signal — Does the product surface email authentication quality?
| Vendor | Status | What they surface |
|---|---|---|
| Kickbox | ✗ | Not available. |
| ZeroBounce | ✗ | Not available. |
| Abstract API | ◐ | is_risky_tld flag only. |
| NeverBounce | ✗ | Not available. |
| Xverify | ✗ | Not available. |
| LexisNexis | ✗ | Not available. |
| Estab. Emails | ✗ | Not available. |
| IPQS | ◐ | spf_record (bool) and dmarc_record (bool). Presence only. |
| CF Today | ✗ | Not exposed. Full SPF/DKIM/DMARC/TLS/cert data in Postgres. |
| CF + Aurora | ✓ | Expose SPF/DKIM/DMARC presence, TLS cert validity, self-signed detection. |
| CF Full Vision | ✓ | Full auth posture + SPF junk-IP detection + cert health as "effort" indicator. Unique |
6. Trust Counter-Signals — Does the product show why a domain might be legitimate?
| Vendor | Status | What they surface |
|---|---|---|
| Kickbox | ◐ | did_you_mean for typo correction. No trust signals. |
| ZeroBounce | ◐ | Industry citations. No domain-level trust data. |
| Abstract API | ◐ | domain_age only. No integrated trust view. |
| NeverBounce | ✗ | Not available. |
| Xverify | ◐ | domain_type distinguishes biz/edu/gov as positive categories. |
| LexisNexis | ✓ | Social footprint, first/last seen across consortium, email age. |
| Estab. Emails | ✓ | email_observed_since. Privacy relay broken out. "Absence of evidence = neutral." |
| IPQS | ◐ | domain_age, first_seen, domain_trust enum. |
| CF Today | ✗ | Not exposed. registered_at, first_seen_at, ct_first_cert_at, allowlisted_infrastructure in Postgres. |
| CF + Aurora | ✓ | Expose domain age (RDAP), first_seen_at, registrar, CT cert date, allowlisted provider flag. |
| CF Full Vision | ✓ | Full trust view with "why you might trust this" framing. Privacy relay distinction planned. Matches Leaders |
▶ Show API Response Examples
// IPQS: trust-related fields
{
"domain_trust": "suspicious",
"domain_age": { "human": "2 days ago", "timestamp": 1748534400 },
"first_seen": { "human": "2 days ago", "timestamp": 1748534400 },
"user_activity": "low"
}
Good signals, but not framed as a trust narrative. Customer sees data points without guidance.
// CF Full Vision: explicit trust framing
{
"trust_signals": {
"domain_age_days": 2,
"registered_at": "2026-05-30T00:00:00Z",
"first_seen_at_cloudflare": "2026-05-30T09:15:00Z",
"registrar": "NameCheap Inc.",
"uses_whois_privacy": true,
"is_trusted_mx_provider": false,
"trusted_provider_name": null
}
}
CF advantage: Trust signals explicitly framed as "why you might trust this domain" with registrar, WHOIS privacy, and trusted provider detection. Positive alongside negative.