=== Trumailo — Email Verification ===
Contributors: rexotech1
Tags: email verification, contact form 7, wpforms, woocommerce, mailpoet
Requires at least: 5.8
Tested up to: 7.0
Requires PHP: 7.4
Stable tag: 1.0.1
License: GPLv2 or later
License URI: https://www.gnu.org/licenses/gpl-2.0.html

Real-time email verification for WordPress. Block invalid, disposable, and risky emails before they enter your forms, lists, or checkout.

== Description ==

**Trumailo** verifies every email address submitted to your WordPress site — in real time, with one drop-in plugin — and stops fake, throwaway, mistyped, and risky addresses *before* they touch your CRM, mailing list, or order pipeline.

= Why bother =

* Spam signups inflate your list and tank deliverability.
* Disposable inboxes (Mailinator, 10MinuteMail, etc.) never convert.
* Typo'd emails (`gmial.com`, `yhaoo.com`) are lost forever.
* Role addresses (`admin@`, `info@`) hurt sender reputation.

Trumailo catches all of those at the form, with a friendly inline message.

= Works out of the box with =

* WordPress core (registration, comments, REST users)
* WooCommerce (classic checkout, block checkout, registration)
* Easy Digital Downloads
* Contact Form 7
* WPForms
* Gravity Forms
* Ninja Forms
* Fluent Forms
* Elementor Pro Forms
* Forminator
* Formidable Forms
* MailPoet
* FluentCRM
* Mailchimp for WordPress
* Newsletter (by Stefano Lissa)
* Groundhogg
* BuddyPress
* Ultimate Member
* MemberPress
* LearnDash

No configuration per integration — add your API key, the plugin detects what's installed and starts verifying.

= Features =

* **Server-side blocking** — survives JavaScript-disabled bots; the rejection happens during form validation.
* **Real-time inline validation** — debounced typing check with "did you mean" suggestions and accessible status badges.
* **Per-status policy** — choose what to block: invalid, disposable, risky, role addresses, or anything below a quality threshold.
* **Whitelist / blacklist** — skip the API for trusted internal domains; always reject specific bad ones.
* **Cache** — repeat verifications served instantly from local transients (configurable TTL).
* **Fail-open by default** — if the API is unreachable, submissions go through (configurable to fail-closed).
* **Verification log** — opt-in, with optional email-hashing for GDPR compliance and configurable retention.
* **Dashboard** — counts of allowed, blocked, cached, and per-day trend.
* **REST endpoint** — for custom front-ends and third-party integrations (`/wp-json/trumailo/v1/verify`).
* **Multisite-aware**, **i18n-ready**, **GPL-2.0**.

= Getting started =

1. Install and activate the plugin.
2. Get an API key at https://trumailo.com.
3. Settings → Trumailo → paste the key.
4. Done — every supported form on your site is now verifying emails.

== Installation ==

1. Upload the `trumailo` folder to `/wp-content/plugins/`.
2. Activate it through the **Plugins** menu in WordPress.
3. Go to **Trumailo → Settings**, paste your API key, save.

== Frequently Asked Questions ==

= Does this work without an API key? =

The plugin loads, but actual verification is skipped. You need a free or paid key from trumailo.com.

= Will this slow my forms down? =

A single verification call typically completes in 200–800ms (cached calls are sub-millisecond). Choose **Fail-open** in settings if you'd rather let a submission through than ever wait on the API.

= Does it work with custom or unsupported form plugins? =

Yes — use the `do_action( 'trumailo_verify', $email )` hook, the REST endpoint, or wire your own integration on the `trumailo_verdict` filter.

= Is it GDPR safe? =

By default the plugin stores only an MD5 hash of each address in the log table. Enable "Store full emails" only if you need it. Logs auto-purge after the retention window.

= What happens at the rate limit? =

Trumailo's API returns HTTP 429 when you exceed your plan's per-minute limit. The plugin retries with backoff; if all retries fail it falls back to your fail-open / fail-closed setting.

== Screenshots ==

1. Dashboard with verification counters and 14-day trend
2. Settings — API key, blocking policy, fail-open
3. Integrations — detected plugins with per-integration toggle
4. Inline front-end validation badge

== External services ==

This plugin connects to the Trumailo email-verification API to determine whether each submitted email address is deliverable. The API is provided by Trumailo (https://trumailo.com), the same vendor that publishes this plugin.

**What the service is and what it is used for**

Trumailo is a real-time email-verification API. It checks an address for syntactically-valid format, MX records, disposable / role / catch-all signals, and (where the recipient mail server cooperates) an SMTP-level deliverability probe. The plugin uses it so your site can reject invalid, disposable, and risky addresses before they enter your forms, lists, or checkout.

**What data is sent and when**

* The plugin sends the **email address being verified** to `https://api.trumailo.com/v1/verify` over HTTPS, together with your API key in the `Authorization: Bearer` header. This happens every time a supported form is submitted with a value the plugin hasn't already cached.
* The plugin sends a lightweight request to `https://api.trumailo.com/v1/account` to read the calling key's remaining monthly credits. This is used to populate the credits gauge on the plugin dashboard and is polled at most every 5 minutes.
* No other personal data, form fields, page URLs, or visitor identifiers are transmitted.
* Verification results are cached locally in WordPress transients to minimise repeat API calls; you can configure the TTL and toggle full-email vs hashed-email storage in the plugin settings.

**Service provider, terms, and privacy**

* Service: **Trumailo** — https://trumailo.com
* Terms of Service: https://trumailo.com/terms
* Privacy Policy: https://trumailo.com/privacy

Use of this plugin requires that you (the site owner) agree to Trumailo's Terms of Service and Privacy Policy linked above. You should disclose Trumailo as a sub-processor in your own site's privacy notice if you operate in a jurisdiction that requires such disclosure.

== Changelog ==

= 1.0.1 =
* Added plugin icon (visible on the WordPress.org plugin directory listing and search results).

= 1.0.0 =
* Initial release. 20 integrations, inline AJAX validation, dashboard, log, whitelist/blacklist, fail-open.

== Upgrade Notice ==

= 1.0.1 =
Cosmetic-only update — plugin icon. No functional changes.

= 1.0.0 =
First release.
