Email Finder
Discover email addresses associated with a domain using multiple methods.
How It Works
- Website Scraping — Fetches homepage, /contact, /about, /team pages and extracts emails via regex
- Search Dorking — Searches for published emails in directories and search engines
- Pattern Guessing — If a name is provided, generates common patterns (first@, first.last@, flast@, etc.)
- DNS Hints — Checks MX/SPF/DMARC records to identify the email provider
- SMTP Verification — Verifies all found/guessed emails using RCPT TO
Dependencies
CODEBLOCK0
Usage
Basic domain search
CODEBLOCK1
With name for pattern guessing
CODEBLOCK2
Skip SMTP verification
CODEBLOCK3
Options
- --name "First Last" — Enable pattern guessing for a specific person
- INLINECODE1 — Skip SMTP verification step
- INLINECODE2 — Connection timeout (default: 10)
Output
JSON to stdout:
CODEBLOCK4
Source values
| Value | Meaning |
|---|---|
| INLINECODE3 | Found on the domain's website |
| INLINECODE4 | Found via search/directory lookup |
| guessed | Generated from name patterns |
| dns | Found in DNS records (DMARC reports, etc.) |
Deliverable values
| Value | Meaning |
|---|---|
| INLINECODE7 | Server accepted the recipient |
| INLINECODE8 | Server rejected the recipient (invalid) |
| catch-all | Server accepts all addresses |
| unknown | Could not determine |
| not_checked | Verification was skipped |
Rate Limiting
The script includes built-in rate limiting at every stage to protect your IP:
CODEBLOCK5
Options
- --scrape-delay SECONDS — Pause between website page fetches (default: 0.5)
- INLINECODE13 — Pause between SMTP verification checks (default: 2.0)
- INLINECODE14 — Max SMTP verifications per run (default: 15). Remaining emails get not_checked status.
Why rate limiting matters
This tool hits both web servers and mail servers. Without rate limiting:
- Web scraping — Aggressive crawling gets your IP blocked by WAFs (Cloudflare, etc.) and makes you look like a bot. Respectful delays avoid this.
- SMTP verification — Mail servers flag IPs making rapid RCPT TO requests. Your IP can get blacklisted, affecting your ability to send real email.
- Residential IPs are fragile — Unlike datacenter IPs, your home/office IP is shared across all your internet activity. Getting it blacklisted affects everything.
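How a receiving mail server might flag the rapid RCPT TO pattern described above, as an added example that is not part of the original tool: it counts distinct rejected recipients per client IP inside a sliding window. The Postfix-style log lines, the 60-second window and the threshold of 5 are assumptions constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Matches a Postfix-style "user unknown" rejection at the RCPT TO stage.
REJECT_RE = re.compile(
    r"^(?P<ts>\S+) \S+ postfix/smtpd\[\d+\]: NOQUEUE: reject: RCPT from "
    r"\S+\[(?P<ip>[0-9a-fA-F.:]+)\]: 550 5\.1\.1 <(?P<rcpt>[^>]+)>")

def _line(ts, ip, rcpt):
    """Build one constructed rejection log line (ISO 8601 timestamp assumed)."""
    return (f"{ts} mx1 postfix/smtpd[811]: NOQUEUE: reject: RCPT from unknown[{ip}]: "
            f"550 5.1.1 <{rcpt}>: Recipient address rejected: User unknown; "
            f"from=<probe@example.net> to=<{rcpt}>")

# Constructed sample data: one client trying name patterns every 2 seconds,
# one ordinary sender with a single mistyped recipient, one unrelated line.
_GUESSES = ["john", "jdoe", "john.doe", "j.doe", "doej", "johnd"]
SAMPLE_LOG = [_line(f"2024-05-01T10:00:{2 * i:02d}", "203.0.113.7", f"{g}@example.com")
              for i, g in enumerate(_GUESSES)]
SAMPLE_LOG.append(_line("2024-05-01T10:00:12", "198.51.100.20", "saels@example.com"))
SAMPLE_LOG.append("2024-05-01T10:00:13 mx1 postfix/smtpd[811]: connect from unknown[198.51.100.20]")

def find_enumerators(lines, window=timedelta(seconds=60), threshold=5):
    """Return {client_ip: peak distinct rejected recipients} for IPs that reach
    `threshold` distinct rejections within `window`. Lines must be time-ordered."""
    recent = defaultdict(deque)  # ip -> deque of (timestamp, recipient)
    flagged = {}
    for line in lines:
        m = REJECT_RE.match(line)
        if not m:
            continue  # not an RCPT rejection
        ts = datetime.fromisoformat(m["ts"])
        q = recent[m["ip"]]
        q.append((ts, m["rcpt"].lower()))
        while q and ts - q[0][0] > window:  # drop entries older than the window
            q.popleft()
        distinct = len({rcpt for _, rcpt in q})
        if distinct >= threshold:
            flagged[m["ip"]] = max(flagged.get(m["ip"], 0), distinct)
    return flagged

if __name__ == "__main__":
    print(find_enumerators(SAMPLE_LOG))
```

Counting distinct recipients rather than raw rejections keeps a sender that retries one mistyped address from being flagged.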
Guidelines for agents
| Scenario | Recommended approach |
|---|---|
| Single domain lookup | Defaults are fine |
| Domain + name pattern guessing | Defaults are fine (15 SMTP checks covers all patterns) |
| Multiple domains in sequence | Add 5-10s pause between domains. Don't run more than 20 domains/day |
| Just need the email provider | Use --no-verify — DNS-only, zero risk |
| Bulk prospecting (50+ domains) | Use a paid service (Hunter.io, Apollo) or spread across multiple days |
Key principle: The script is designed for targeted lookups, not mass scraping. If you need to process hundreds of domains, use a dedicated service with proper IP reputation management.
Limitations
- Website scraping depends on emails being visible in page source (won't find obfuscated/JS-rendered emails)
- Search engines may block automated queries
- SMTP verification requires outbound port 25 access
- Catch-all domains accept all addresses — can't confirm real inboxes
- Be respectful: the script adds delays between requests but don't run it in tight loops