EmailRep
EmailRep is an email address reputation and threat-intelligence API operated by Sublime Security, Inc. It crawls and enriches data across social media profiles, professional networking sites, dark-web credential leaks, data breaches, phishing kits, phishing emails, spam lists, open mail relays, spam traps, domain age and reputation, and email-deliverability signals to predict the risk associated with any email address. The free, JSON-over-HTTP REST API returns a `reputation`, a `suspicious` flag, a `references` count, and a detailed signal block (blacklisted, malicious_activity, credentials_leaked, data_breach, domain_reputation, deliverable, spoofable, profiles, and more). A POST `/report` endpoint lets analysts contribute observations of malicious email behavior back into the reputation graph.
1 APIs
0 Features
SecurityEmailEmail ReputationThreat IntelligencePhishingFraud PreventionAnti-AbuseDeliverabilityRisk ScoringPublic APIs
aid: emailrep
name: EmailRep
description: >-
EmailRep is an email address reputation and threat-intelligence API operated by Sublime Security, Inc. It crawls and
enriches data across social media profiles, professional networking sites, dark-web credential leaks, data breaches,
phishing kits, phishing emails, spam lists, open mail relays, spam traps, domain age and reputation, and
email-deliverability signals to predict the risk associated with any email address. The free, JSON-over-HTTP REST API
returns a `reputation`, a `suspicious` flag, a `references` count, and a detailed signal block (blacklisted,
malicious_activity, credentials_leaked, data_breach, domain_reputation, deliverable, spoofable, profiles, and more). A
POST `/report` endpoint lets analysts contribute observations of malicious email behavior back into the reputation
graph.
type: Index
image: https://kinlane-images.s3.amazonaws.com/shared/apis-json/apis-json-logo.jpg
tags:
- Security
- Email
- Email Reputation
- Threat Intelligence
- Phishing
- Fraud Prevention
- Anti-Abuse
- Deliverability
- Risk Scoring
- Public APIs
url: https://raw.githubusercontent.com/api-evangelist/emailrep/refs/heads/main/apis.yml
created: '2026-05-28'
modified: '2026-05-30'
specificationVersion: '0.20'
x-source: public-apis/public-apis
x-category: Security
x-tier: 2
x-tier-reason: enriched-from-stub
apis:
- aid: emailrep:emailrep-api
name: EmailRep API
description: >-
Email reputation and threat-intelligence REST API. `GET /{email}` returns a reputation verdict
(high/medium/low/none), a `suspicious` flag, a `references` count, and a detailed signal block covering
blacklisting, malicious activity, credential leaks, data breaches, domain age and reputation, deliverability, MX
validity, SPF/DMARC posture, spoofability, free-provider/disposable status, and known online profiles. `POST
/report` lets authenticated callers report an email address as malicious (BEC, phishing, fraud, account takeover,
maldoc, etc.) so the signal feeds the reputation graph. Authentication is via a `Key` header issued from
emailrep.io/key. Free tier: 250 queries/month, 10/day; Commercial tier: 1,000 queries/month at $20/month with no
daily limit; Enterprise: high-volume custom plans with SLA.
humanURL: https://emailrep.io
baseURL: https://emailrep.io
tags:
- Email Reputation
- Threat Intelligence
- Phishing
- Fraud
- Deliverability
properties:
- type: Documentation
url: https://docs.sublimesecurity.com/reference/emailrep-introduction
- type: APIReference
url: https://docs.sublimesecurity.com/reference/emailrep-introduction
- type: GettingStarted
url: https://docs.sublimesecurity.com/reference/emailrep-quickstart
- type: OpenAPI
url: openapi/emailrep-api-openapi.yml
- type: SDK
title: Python SDK
url: https://github.com/sublime-security/emailrep.io-python
- type: SDK
title: Python Package
url: https://pypi.org/project/emailrep/
- type: SDK
title: PowerShell SDK (community)
url: https://github.com/arnydo/PSEmailRep
- type: SDK
title: R SDK (community)
url: https://git.rud.is/hrbrmstr/emailrep
- type: SDK
title: .NET SDK (community)
url: https://github.com/WestDiscGolf/EmailRep.NET
- type: SDK
title: Go SDK (community)
url: https://github.com/kaiiyer/emailrep
- type: SDK
title: Go SDK (community, vertoforce)
url: https://github.com/vertoforce/go-emailrep
- type: CLI
url: https://github.com/sublime-security/emailrep.io-python
- type: SourceCode
url: https://github.com/sublime-security/emailrep.io
common:
- type: PostmanWorkspace
url: https://www.postman.com/kinlaneapi/emailrep/overview
- type: ArazzoWorkflows
url: arazzo/
workflows:
- url: arazzo/emailrep-screen-and-report-malicious-workflow.yml
name: EmailRep Screen and Report Malicious Sender
summary: >-
Query an email's reputation and, when the signals show it is malicious, report it back into the reputation
graph.
- url: arazzo/emailrep-triage-inbound-sender-workflow.yml
name: EmailRep Triage Inbound Sender
summary: >-
Pull a human-readable reputation summary for an inbound sender and escalate low-reputation, spoofable senders
by reporting them.
- url: arazzo/emailrep-verify-before-report-workflow.yml
name: EmailRep Verify Before Report
summary: >-
Confirm an email's domain resolves and is deliverable before reporting it, so junk addresses never pollute the
reputation graph.
- type: Website
url: https://emailrep.io
- type: Documentation
url: https://docs.sublimesecurity.com/reference/emailrep-introduction
- type: APIReference
url: https://docs.sublimesecurity.com/reference/emailrep-introduction
- type: GettingStarted
url: https://docs.sublimesecurity.com/reference/emailrep-quickstart
- type: SignUp
url: https://emailrep.io/key
- type: Pricing
url: https://emailrep.io/key
- type: TermsOfService
url: https://emailrep.io/terms
- type: PrivacyPolicy
url: https://emailrep.io/privacy
- type: Blog
url: https://emailrep.io/blog
- type: Support
url: https://sublimesecurity.com/contact
- type: GitHubOrganization
url: https://github.com/sublime-security
- type: SourceCode
url: https://github.com/sublime-security/emailrep.io
- type: Operator
url: https://sublimesecurity.com
- type: LinkedIn
url: https://www.linkedin.com/company/sublime-security
- type: PublicAPIsListing
url: https://github.com/public-apis/public-apis
- type: Tools
title: Sublime Platform
url: https://github.com/sublime-security/sublime-platform
- type: Tools
title: Sublime Rules
url: https://github.com/sublime-security/sublime-rules
- type: Tools
title: Sublime CLI
url: https://github.com/sublime-security/sublime-cli
- type: Tools
title: OpenCTI Connectors
url: https://github.com/sublime-security/connectors
- type: Tools
title: MQL VS Code Extension
url: https://github.com/sublime-security/mql-vscode
- type: Tools
title: ICS Phishing Toolkit
url: https://github.com/sublime-security/ics-phishing-toolkit
- type: Tools
title: Strelka File Scanning
url: https://github.com/sublime-security/strelka
- type: Tutorials
title: Detection Engineering Workshop
url: https://github.com/sublime-security/detection-workshop
- type: Plans
url: plans/emailrep-plans-pricing.yml
- type: RateLimits
url: rate-limits/emailrep-rate-limits.yml
- type: FinOps
url: finops/emailrep-finops.yml
- type: Vocabulary
url: vocabulary/emailrep-vocabulary.yml
- type: SpectralRuleset
url: rules/emailrep-spectral-rules.yml
- type: JSONSchema
url: json-schema/api-email-reputation-schema.json
- type: JSONSchema
url: json-schema/api-email-reputation-details-schema.json
- type: JSONSchema
url: json-schema/api-report-request-schema.json
- type: JSONSchema
url: json-schema/api-report-response-schema.json
- type: JSONStructure
url: json-structure/api-email-reputation-structure.json
- type: JSONStructure
url: json-structure/api-email-reputation-details-structure.json
- type: JSONStructure
url: json-structure/api-report-request-structure.json
- type: JSONStructure
url: json-structure/api-report-response-structure.json
- type: JSONLD
url: json-ld/emailrep-api-context.jsonld
- type: Examples
url: examples/api-email-reputation-example.json
- type: Examples
url: examples/api-email-reputation-details-example.json
- type: Examples
url: examples/api-report-request-example.json
- type: Examples
url: examples/api-report-response-example.json
features:
- name: Reputation Verdict
description: >-
Each email lookup returns a `reputation` of `high`, `medium`, `low`, or `none` summarizing the overall trust
signal for the address.
- name: Suspicious Flag
description: >-
A boolean `suspicious` field indicates whether the email should be treated as risky based on combined positive and
negative signals.
- name: References Count
description: >-
`references` is the total number of positive and negative reputation sources observed for the address or its
associated domain.
- name: Credential-Leak and Breach Signals
description: >-
Detects whether the email has appeared in known data breaches, dark-web credential leaks, or pastes — historically
and within the last 90 days.
- name: Domain Reputation and Age
description: >-
Reports `domain_exists`, `domain_reputation`, `new_domain`, and `days_since_domain_creation` so callers can weight
reputation against domain freshness.
- name: Deliverability and Mail-Server Posture
description: >-
Reports `deliverable`, `accept_all`, `valid_mx`, `spoofable`, `spf_strict`, and `dmarc_enforced` for both fraud
prevention and legitimate sender hygiene.
- name: Provider Classification
description: >-
Classifies the address as `free_provider`, `disposable`, `suspicious_tld`, or `spam` to expose throwaway or
low-quality accounts.
- name: Online Profile Discovery
description: Returns a `profiles` array enumerating social and professional networking sites where the email has been observed.
- name: Crowd-Sourced Reporting
description: >-
`POST /report` accepts community submissions of malicious email behavior (BEC, phishing, fraud, account takeover,
maldoc) with tags, description, timestamp, and an expires window so signal feeds the reputation graph.
useCases:
- name: Phishing and BEC Detection
description: >-
Score inbound emails against EmailRep to identify suspicious senders, brand-spoofing attempts, and targeted
Business Email Compromise.
- name: Account-Signup Abuse Prevention
description: >-
Block or step-up disposable, throwaway, or known-malicious email addresses during user registration to reduce
fraud and abuse.
- name: Marketing List Hygiene
description: >-
Validate deliverability, catch-all status, and disposable-provider use on inbound or outbound marketing lists to
protect sender reputation.
- name: Threat-Intelligence Enrichment
description: >-
Enrich SIEM, SOAR, and case-management workflows with email reputation signals alongside netflow, EDR, and
email-gateway telemetry.
- name: Sender-Reputation Self-Check
description: >-
Marketing, sales, and outbound teams can verify their own addresses to ensure they aren't trapped on spam lists or
blocklists.
- name: Red-Team and Recon
description: >-
Authorized offensive-security teams can profile target email addresses for credential brute forcing and targeted
phishing-engagement design.
integrations:
- name: Sublime Platform
description: >-
Native consumer of EmailRep signals inside the Sublime Security email detection-and-response platform for inbound
email threat hunting and response.
- name: Sublime Rules
description: >-
Open-source MQL detection rules in github.com/sublime-security/sublime-rules can call EmailRep enrichment as part
of email-attack detection.
- name: OpenCTI Connectors
description: EmailRep enrichment is callable from threat-intel platforms via the Sublime-maintained OpenCTI connectors repo.
- name: SOAR Playbooks
description: >-
EmailRep is widely used as an enrichment node in SOAR products (Tines, Splunk SOAR, Cortex XSOAR, Torq) for
phishing triage.
- name: Python, PowerShell, R, .NET, Go SDKs
description: >-
First-party Python SDK plus community-maintained PowerShell, R, .NET, and Go libraries make EmailRep callable from
analyst tooling.
solutions:
- name: Email Threat Intelligence
description: Reputation, breach exposure, and online-profile signals on any email address, queryable in a single HTTP call.
- name: Account-Takeover and Fraud Prevention
description: Disposable, free-provider, new-domain, and recent-credential-leak signals support sign-up abuse and ATO defenses.
- name: Email Hygiene and Deliverability Insight
description: Deliverable, accept-all, MX, SPF, and DMARC signals support marketing, sales, and IT-ops list hygiene work.
maintainers:
- FN: Kin Lane
email: kin@apievangelist.com