# Understanding Check Results

> A detailed breakdown of every check Fidro runs and what each result means for your business.

**Category:** core-concepts | **Last updated:** March 13, 2026

---

When you call the `/api/validate` endpoint, Fidro runs a series of checks and returns the results in the `data.checks` array. This guide explains each check and how to act on the results.

## Email checks

### `disposable_email`
**What:** Checks the email domain against 50,000+ known disposable email providers.
**Why it matters:** Disposable emails are the #1 tool for free tier abuse and multi-accounting.
**Recommended action:** Block at signup for B2B products. For consumer products, consider requiring phone verification.

### `free_email`
**What:** Detects free email providers (Gmail, Yahoo, Outlook, etc.).
**Why it matters:** Not fraud on its own, but combined with other signals it increases risk. B2B products may want to flag free email signups.
**Recommended action:** Use as a supporting signal, not a blocking signal.

### `email_syntax`
**What:** Validates email format, checks for MX records, and verifies the domain can receive mail.
**Why it matters:** Invalid emails waste your onboarding resources and hurt deliverability.
**Recommended action:** Block signups with invalid emails — they can't verify anyway.

### `domain_age`
**What:** Checks how recently the email's domain was registered.
**Why it matters:** Fraudsters frequently register new domains for phishing and throwaway accounts. Domains under 30 days old are significantly more likely to be fraudulent.
**Recommended action:** Flag for review if domain is under 30 days old.

## IP checks

### `vpn_detection`
**What:** Identifies commercial VPN services (NordVPN, ExpressVPN, Surfshark, etc.).
**Why it matters:** VPNs mask the user's real location. While many legitimate users use VPNs for privacy, they're also heavily used to evade geo-restrictions and commit fraud.
**Recommended action:** Flag for review, but don't block outright — many legitimate users use VPNs.

### `proxy_detection`
**What:** Identifies open proxies and anonymous relay services.
**Why it matters:** Unlike commercial VPNs, open proxies are more strongly associated with fraud and bot activity.
**Recommended action:** Higher risk than VPNs. Consider blocking or requiring additional verification.

### `tor_detection`
**What:** Checks if the IP is a known Tor exit node.
**Why it matters:** Tor provides strong anonymity and is frequently used for fraud, multi-accounting, and abuse. Very few legitimate signups come from Tor.
**Recommended action:** Block or require strong verification (phone, ID).

### `hosting_detection`
**What:** Identifies IPs belonging to cloud providers and data centres (AWS, GCP, Azure, DigitalOcean, etc.).
**Why it matters:** Real users don't browse from cloud servers. Data centre IPs usually indicate bots, scrapers, or automated abuse.
**Recommended action:** Block for user-facing products. Allow if you expect API-to-API traffic.

### `bad_ip`
**What:** Checks the IP against known abuse/spam lists.
**Why it matters:** IPs flagged on abuse lists have a documented history of malicious activity.
**Recommended action:** Block.

### `geo_mismatch`
**What:** Compares the IP's country with an expected country (if you provide `country_code`).
**Why it matters:** A user claiming to be in the US but connecting from Nigeria is a strong fraud signal, especially for financial products.
**Recommended action:** Flag for review or require additional verification.

## Behavioural checks

### `country_risk`
**What:** Scores the request based on the fraud index of the IP's country.
**Why it matters:** Some regions have statistically higher rates of online fraud. This is a weak signal on its own but strengthens other indicators.
**Recommended action:** Use as a supporting signal only.

### `custom_blocklist`
**What:** Checks the email, domain, or IP against your account's custom blocklist.
**Why it matters:** Your blocklist entries represent known bad actors specific to your business.
**Recommended action:** These are your rules — the block is automatic and immediate.

## Combining checks for decisions

Don't make decisions based on a single check. The risk score already combines all signals with appropriate weights. Use individual check results for:

1. **Custom logging** — Know exactly why a user was flagged
2. **Support context** — When a user complains about being blocked, see the specific reasons
3. **Threshold overrides** — Block on specific checks regardless of score (e.g., always block Tor)
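
The sketch below is an added example, not Fidro's own code. It shows threshold overrides layered on top of the risk score, using the recommended actions from this guide. The check-entry shape (`name`, `flagged`), the `data.risk_score` field, its 0-100 scale and both thresholds are assumptions, and the sample responses are constructed.

```python
# Added example, not Fidro code. Assumed (not documented on this page):
# each check entry is {"name": str, "flagged": bool}, the score lives in
# data.risk_score on a 0-100 scale, and both thresholds below.
ALWAYS_BLOCK = {"tor_detection", "bad_ip", "custom_blocklist", "email_syntax"}
ALWAYS_REVIEW = {"vpn_detection", "domain_age", "geo_mismatch"}
# free_email and country_risk are supporting signals: they never decide alone.
# Add disposable_email (B2B) or hosting_detection (user-facing) to the block set.
BLOCK_SCORE = 80   # assumed
REVIEW_SCORE = 50  # assumed


def decide(response, always_block=ALWAYS_BLOCK, always_review=ALWAYS_REVIEW):
    """Return (action, reasons) for one /api/validate response body."""
    data = response.get("data") or {}
    checks = data.get("checks") or []
    # Every flagged check is kept as a reason for logging and support context.
    reasons = sorted(c["name"] for c in checks if c.get("flagged") and "name" in c)
    score = data.get("risk_score")

    if any(name in always_block for name in reasons):
        return "block", reasons      # override: applies regardless of score
    if score is None:
        return "review", reasons     # no score available: send to manual review
    if score >= BLOCK_SCORE:
        return "block", reasons
    if score >= REVIEW_SCORE or any(name in always_review for name in reasons):
        return "review", reasons
    return "allow", reasons


def _resp(score, *flagged):
    """Build a constructed sample response with the given checks flagged."""
    return {"data": {"risk_score": score,
                     "checks": [{"name": n, "flagged": True} for n in flagged]}}


# Constructed samples, not real API output.
SAMPLE_TOR = _resp(35, "tor_detection", "free_email")
SAMPLE_VPN = _resp(20, "vpn_detection")
SAMPLE_WEAK = _resp(20, "free_email", "country_risk")
SAMPLE_DISPOSABLE = _resp(40, "disposable_email")

if __name__ == "__main__":
    for sample in (SAMPLE_TOR, SAMPLE_VPN, SAMPLE_WEAK, SAMPLE_DISPOSABLE):
        print(decide(sample))
```

Passing `always_block=ALWAYS_BLOCK | {"disposable_email"}` turns the disposable-email sample from an allow into a block, which matches the B2B recommendation above.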