I have recently been learning how to build a production-ready user authentication system. I have been building it along the way, and I have just started to use an SMTP server to send emails for things such as password resets and email verification. I have read that if you get too many bounces or complaints, then your emails are less likely to end up in people's inboxes as they get regarded as spam, or that your account could even be terminated by the SMTP provider.
So I am wondering how businesses would normally protect their APIs from users creating malicious scripts that register accounts with millions of random email addresses with the intent to generate bounces and complaints to ruin their domain reputation.
I am quite new to this area so there are a lot of unknowns to me. One idea I had was to throttle users if there are too many registration attempts, but I feel like this would not really stop someone that knows what they are doing.
If it makes any difference, the calls will be coming from a mobile app and not a website.
Many websites use an email address validation service like Real Email or a dedicated spam prevention tool like reCAPTCHA, with a "not a robot" popup.
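
An added example, not part of the original question or answer: a server-side gate that decides whether a registration may trigger a verification email, combining the throttling idea from the question with a suppression list and a pause when recent bounces climb. The class name, thresholds and the `client_key` (for a mobile app, an IP address or device identifier chosen by the caller) are assumptions, and bounce results are assumed to come from the SMTP provider's delivery reports.

```python
import re
import time
from collections import defaultdict, deque

# Deliberately loose syntax check; it only rejects obvious garbage.
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")

class SignupGate:
    """Hypothetical gate: may this signup trigger a verification email?"""

    def __init__(self, max_per_client=3, window_s=3600,
                 max_bounce_rate=0.05, min_sample=20):
        self.max_per_client = max_per_client
        self.window_s = window_s
        self.max_bounce_rate = max_bounce_rate
        self.min_sample = min_sample
        self.attempts = defaultdict(deque)  # client key -> accepted timestamps
        self.outcomes = deque(maxlen=1000)  # (timestamp, bounced) per send
        self.suppressed = set()             # addresses that already bounced

    def record_outcome(self, email, bounced, now=None):
        """Feed in a delivery result reported by the SMTP provider."""
        now = time.time() if now is None else now
        self.outcomes.append((now, bounced))
        if bounced:
            self.suppressed.add(email.strip().lower())

    def bounce_rate(self, now):
        """Bounce fraction inside the window; 0.0 until enough samples exist."""
        recent = [b for t, b in self.outcomes if now - t < self.window_s]
        return sum(recent) / len(recent) if len(recent) >= self.min_sample else 0.0

    def check(self, client_key, email, now=None):
        now = time.time() if now is None else now
        email = email.strip().lower()
        if not EMAIL_RE.match(email):
            return False, "invalid_syntax"
        if email in self.suppressed:
            return False, "previously_bounced"
        if self.bounce_rate(now) > self.max_bounce_rate:
            return False, "bounce_rate_too_high"  # stop sending, alert an operator
        window = self.attempts[client_key]
        while window and now - window[0] >= self.window_s:
            window.popleft()                      # drop attempts outside the window
        if len(window) >= self.max_per_client:
            return False, "client_throttled"
        window.append(now)
        return True, "ok"
```

The state here lives in process memory; a deployment with several API instances would need to keep it in a shared store.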