prospiqBlogSign in
All posts
Prospecting Tips7 min read

How to find anyone's work email in 2026

Three approaches actually work in 2026 — pattern matching, domain search, identity resolution. When to use each, what to verify before sending.

K
Karan Mehra
July 14, 2026

How to find anyone's work email in 2026

You have a name, a company, and a reason to email. You don't have the address. This is one of the oldest problems in sales, and despite a decade of tools claiming to solve it, most people still guess and hope.

The honest version is short. There are three approaches that work today. Each one fails in predictable ways. The trick is knowing which to reach for and verifying before you hit send.

The three approaches that actually work

Forget the listicles claiming seventeen free hacks. In 2026, every reliable method falls into one of three buckets.

The first is pattern matching — you guess the format the company uses (first.last@, flast@, first@) and check if it resolves. The second is domain search — you query a third-party database for every email anyone has ever observed at a domain. The third is identity resolution — you start with a person, not a domain, and match them across data sources before generating candidates.

Most tools do one of these. Good tools do all three and pick the right one for each lookup.

Pattern matching: still useful, mostly for small companies

If you know one email at a company, you can usually predict the rest. A 30-person agency where the founder is priya@studio.co is almost certainly using first@studio.co for everyone. Test the pattern, verify the result, move on.

Pattern matching breaks down at scale. Companies with more than a few hundred employees rarely use a single pattern — they have legacy formats from acquisitions, regional variations, contractors on different domains, and execs on vanity addresses. Guessing sarah.chen@bigco.com when the company actually uses s.chen@, schen@, or sarah_chen@bigco.com wastes attempts and trains spam filters to flag your domain.

The other failure mode is when the pattern returns a real-looking address that nobody monitors. A bounce is recoverable. An email that disappears into a forwarding rule for a former employee is worse — you think you reached someone and you didn't.

Domain search: the workhorse

The most reliable approach for medium-to-large companies is querying a database of observed emails. Services like Hunter.io maintain indexes of email addresses that have appeared publicly — in press releases, GitHub commits, conference attendee lists, scraped corporate sites. You pass the domain, you get back a list of people and addresses observed there.

Domain search wins when you don't know the pattern, when the company is large enough that patterns vary, or when you need confidence that the address is actually in use. The data is observed, not guessed.

Where it falls down: people who joined the company recently won't appear yet, executives often have addresses that never get scraped, and the data goes stale when employees leave. A 2024 export of engineering@oldco.com employees is mostly people who don't work there anymore.

Identity resolution: matching the person before the email

The newer approach starts with the person, not the domain. You give it a name and a company. Behind the scenes it cross-references identity sources to find the right candidate, then resolves to an email — sometimes by domain search, sometimes by pattern, sometimes by both.

This is what we built single-contact lookup around at prospiq. The reason it matters is that "Sarah Chen at Stripe" returns dozens of results in any decent dataset, and the wrong one is worse than no result. Identity resolution surfaces the candidates first, lets you confirm which person you mean, then resolves the email. It's slower than blind pattern matching but the hit rate on first attempt is dramatically higher.

The honest limit: identity resolution depends on the person being indexed somewhere. New hires at small companies are sometimes invisible until they show up on LinkedIn or sign their first commit. No tool fixes that.

Verification: the step nobody talks about

Whatever method gives you an address, verify it before sending.

Verification means SMTP checks against the receiving server, syntax validation, and detection of catch-all domains that accept everything. It's a separate technical step from finding the email, and skipping it is the most common mistake we see.

The reason verification matters is that one bounced email doesn't just fail — it costs you reputation. Mailbox providers track sender behavior. Send to addresses that bounce, and your future emails get downgraded into spam folders even when they reach the right inbox. A 5% bounce rate over a campaign of 200 sends is enough to noticeably harm deliverability for weeks.

We covered the deliverability side in more depth here, but the short version: don't send anything you haven't verified, and be skeptical of tools that report "found" without telling you whether they verified.

The cost of getting this wrong

Most enrichment tools charge per attempt. You pay whether the email is real, fake, or unverifiable. The cost compounds quickly: a 1,000-contact list at a 30% miss rate burns 300 credits on results you can't use. At common pricing that's thirty to seventy dollars wasted per list.

We built prospiq with a different rule: you're never charged for an unverified email, or a phone we can't find. If we couldn't verify it, you don't pay for it.

The point isn't the pricing model — it's that the standard "pay per attempt" model creates the wrong incentive. A tool that gets paid for misses has no reason to fix its miss rate. A tool that only gets paid for hits has every reason to.

What to look for in a tool

Skip features. Look at four things.

Coverage breadth. Does the tool combine multiple data sources, or just one? Single-source tools have predictable blind spots — Hunter alone misses people who never appeared in scraped sources; LinkedIn-scraped data alone misses people without active LinkedIn presence.

Verification honesty. Does the tool tell you the verification status of every email it returns? If the result is just "found", the data is half-finished. You want explicit verification states.

Billing model. If the tool charges for misses, it's choosing your interest against its own. Find one that doesn't.

Workflow fit. A tool that gets the email but doesn't fit your workflow — no CSV export, no CRM integration, no Chrome extension on LinkedIn — costs you in copy-paste time. Look at how the data leaves the tool, not just how it enters.

That's it. Everything else is marketing.

A note on personal email addresses

Some tools surface personal Gmail or Yahoo addresses as fallbacks when work email isn't found. Don't use them for cold outreach. They get marked as spam faster, the legal exposure is worse under GDPR and DPDP, and the reply rate is lower than well-targeted work email anyway. If you can't find a work address, the better move is to find a different person at the same company — someone in an adjacent role who can route you internally.

The shortest version

Find the person first, not the domain. Use domain search for breadth, identity resolution for accuracy, and pattern matching only when you already know one address at the company. Verify everything before sending. Don't pay for misses.

The tools that follow these rules tend to be the ones built by people who've sent enough cold email to learn the hard way. The tools that don't are usually built by people optimizing for a different metric than yours.