How to Find Someone’s Email Address: 10 Methods That Still Work

You have a name, a company, and a reason to reach out. What you don’t have is the email. Welcome to one of the most common bottlenecks in B2B outbound, recruiting, and founder-led sales.

The web in 2026 is harder to scrape than it used to be. Team pages have thinned out, LinkedIn hides contact info more aggressively, and Google has tightened operator behavior. But emails still leak everywhere if you know where to look. This guide walks through 10 methods to find someone’s email address, ordered from free and manual to paid and automated, with the trade-offs that matter for SDRs, recruiters, and founders running outbound themselves.

You will learn:

• The 6 most common email patterns and how to crack them in under 2 minutes
• Where emails still hide for free (LinkedIn, GitHub, podcast notes, conference pages)
• Which email finder tools are worth the credit
• How to verify before you send, so you do not torch your sender reputation
• What GDPR and CCPA actually allow when you contact a stranger

TL;DR

• Most B2B emails follow one of 6 patterns. Crack the pattern once, scale it across the company.
• LinkedIn, GitHub, Twitter / X bios, podcast show notes, and conference speaker pages still expose emails for free.
• Email finder tools like Hunter, Apollo, Snov.io, and Zeliq combine pattern guessing with SMTP verification and database lookups.
• Always verify before you send. A 5% bounce rate will hurt your domain for weeks.
• B2B email outreach is legal under GDPR and CCPA when you have a legitimate interest and an opt-out, but business emails of natural persons still count as personal data.

Why finding an email is harder in 2026

Three shifts have changed the game.

First, public team pages are disappearing. Companies that used to list every engineer on an “About” page now stop at department heads, partly to reduce spam, partly because of GDPR exposure.

Second, LinkedIn caches less. Sales Navigator pulls data behind login walls, third-party scrapers get blocked faster, and even first-degree contacts hide their email by default.

Third, Google has changed how it handles operators. Some classic queries that used to surface emails now return zero results. The trick is no longer one perfect Google search. The trick is stacking 3 to 5 lightweight signals.

Good news: the underlying logic of corporate email has not changed. Most companies still use the same predictable pattern across every employee. Once you know it, you can guess any email at that company in seconds.

Method 1: Crack the email pattern

Almost every company uses one email pattern across all employees. Find one known email at the company, infer the pattern, then apply it to your target.

The 6 most common B2B email patterns

Pattern	Example for John Smith at acme.com	Frequency
firstname.lastname@	john.smith@acme.com	~40%
firstname@	john@acme.com	~15%
flastname@	jsmith@acme.com	~12%
firstnamelastname@	johnsmith@acme.com	~10%
firstname.l@	john.s@acme.com	~8%
lastname@	smith@acme.com	~5%

How to find one known email at the company

• Check the founder’s or CEO’s LinkedIn (often shared in their bio).
• Look at press releases on the company website (PR contacts sign with full email).
• Search the company name plus “@” plus their domain on Google.
• Look at job listings, some include a recruiter email.

Once you have a single email, the pattern reveals itself. Apply it to your target name, and you have a candidate to verify.

This method is free, fast, and works in maybe 70 to 80% of cases for companies of 20 employees or more. Smaller startups are more chaotic and may use any of three patterns at once.

Method 2: Mine the company website

The company’s own site is still the highest-trust source. Look in this order:

1. Footer. Smaller companies often list a generic email plus sometimes a real human contact.
2. About / Team page. When it exists, names and emails sometimes sit side by side, especially at agencies, law firms, and consultancies.
3. Press / Media kit. PR contacts almost always sign with a real email.
4. Careers page. Recruiter emails are usually exposed.
5. Contact page. Often a form, but sometimes a direct line.

Use the site search trick: in Google, type site:targetcompany.com "@targetcompany.com". This forces Google to find any string on that domain that contains the email pattern. It does not always work, but when it does, you scrape three or four real emails in under a minute.

Method 3: LinkedIn (still gold, but you have to work for it)

LinkedIn is still the single most useful surface for B2B prospecting. Three angles work in 2026:

Contact info section. On any first-degree connection’s profile, click “Contact info” near the top. Some users expose their email to their network. Hit rate sits around 15 to 25%, lower for senior leadership.

LinkedIn data export. Settings, Privacy, “Get a copy of your data”. Request the archive, and you receive a CSV of every connection with the email they used to sign up. This only covers people you are already connected with, but it is a one-time goldmine for anyone with an established LinkedIn network.

LinkedIn extensions. Tools like the Zeliq LinkedIn extension sit on top of any LinkedIn profile or search and pull verified contact info on demand. Useful when you are working through a Sales Navigator list and do not want to leave the tab.

LinkedIn alone is rarely enough. Pair it with pattern guessing or an email finder for full coverage.

Method 4: Twitter / X bios

A surprisingly high share of founders, journalists, marketers, and indie operators put their email in their X bio or pinned tweet. They want to be reached. The pattern is usually:

• Email in the bio (split with brackets to dodge bots: “name [at] company [dot] com”)
• Email in a pinned tweet labeled “DMs open or email me at…”
• Email on the personal site linked from the profile

For founder outreach, this is the fastest path. A 30-second scan of an X profile beats most paid tools.

Method 5: GitHub

If your target is technical, GitHub is the single best free source. Every public commit ships with the author’s email. Find their profile, click into any of their repos, open a commit, and the email is there.

Two ways:

• Visit github.com/username, click on a recent repository, then “commits”, then any commit. The email is in the metadata.
• Use the GitHub API: https://api.github.com/users/USERNAME/events/public and look for commit payloads.

Caveat: many engineers configure a “noreply” GitHub address (something like 12345+username@users.noreply.github.com). That one is useless. But plenty of people leave their real email exposed for years without realizing it.

This method is free, instant, and ethically solid: people are publishing under that email by their own choice.

Method 6: Podcast notes and conference speaker pages

Two categories of public content underused for email lookups:

Podcast show notes. When someone is interviewed on a podcast, the show notes often list their email, website, or LinkedIn. Search “site:podcasthost.com [Person Name]” or check their guest profile on tools like Listen Notes.

Conference speaker pages. Speaker bios on conference websites frequently include contact info, especially for industry events where the speaker is also looking for partners or hires. Search “[Person Name] speaker [Conference]” and check the official conference site.

Both methods are slow but reliable for senior decision-makers, who are exactly the targets that block most automated tools.

Soft CTA midway: stop guessing, start finding

If you spend more than 10 minutes hunting an email, you are losing money. The point of this guide is not to make you faster at manual lookup. It is to give you the pattern recognition that powers automated tools.

Zeliq combines a 450M+ verified contact database, a Chrome extension that pulls emails directly from LinkedIn, and waterfall enrichment across 40+ providers to hit ~80% email coverage. Most users find the email in under 5 seconds. Try it free.

Method 7: Whois (mostly dead, but check anyway)

If your target owns the domain personally (common for solo founders, indie hackers, agencies), Whois can still expose the registrant’s email. Run whois targetdomain.com from the terminal, or use a web Whois lookup.

GDPR has redacted most European registrants since 2018, and most major registrars (Namecheap, GoDaddy) now offer free privacy by default. So the hit rate is low. But it costs nothing to check. For older domains registered before 2018, or for US-based small business sites, Whois sometimes still drops a real personal email.

Method 8: Google search operators

Google has nerfed several of the classic operators, but a few combinations still work in 2026:

• "firstname lastname" "@company.com" finds public mentions of the email.
• "firstname lastname" email contact casts a wider net.
• site:company.com "firstname lastname" finds the person on the company site.
• intext:"firstname.lastname@company.com" tests a specific guessed email.

Pair with DuckDuckGo, which treats @company.com more literally than Google does. For some companies, DuckDuckGo will find emails Google has filtered out.

This method is hit-or-miss. Treat it as a 10-second sanity check, not a primary tool.

Method 9: Email finder tools

Email finder tools combine pattern guessing, public web crawling, proprietary databases, and SMTP verification. For any volume above 20 emails per week, this is what you should use.

Free vs paid: what you actually get

Tool	Free tier	Paid starts at	Best for
Hunter.io	25 to 50 searches / month	~$34 / month	Domain-wide email mapping
Snov.io	50 credits / month	~$30 / month	Volume + drip campaigns combined
Apollo.io	Limited free tier	~$49 / user / month	Big database, full sales engagement
Zeliq	Free trial with 50 credits	~$59 / month	All-in-one find + enrich + engage
RocketReach	5 lookups / month	~$48 / month	US executives
Anymail Finder	Pay per verified email	~$49 / month	Small batches, pay only for hits

The free tiers of these tools cover personal use and tiny experiments. Once you cross 100 to 200 lookups per month, you are paying. Whether you pay one tool or stack three depends on your stack and your verification needs. For SDRs running real outbound, a unified tool that combines find, enrich, and engage almost always beats stitching together three tools that do not talk to each other.

When the tool says “not found”

Email finders fail in three cases: very small companies (under 10 employees) where there is no consistent pattern yet, very protected execs who have aliases, and personal Gmail / iCloud / Outlook addresses that do not have a corporate domain trail. For those, fall back to the manual methods above.

Method 10: Just ask

Underrated. If you have a real reason to talk to someone and one degree of separation, ask for an intro on LinkedIn. Hit rate is around 60 to 70% when the intro is well-framed.

If you have no warm path, send a LinkedIn DM or X DM that says, in one line, why you want to reach them and ask for the right email. This works particularly well for journalists, founders, and content creators, who are paid to be reachable.

It is also the only method that gives you opted-in contact, which makes the rest of the sequence easier from a deliverability and compliance standpoint.

Verify before you send (or you will pay)

A bounce rate above 5% will damage your sender reputation within a week. Above 10% and your domain may end up on a denylist for months.

Verification works in two layers:

1. Syntax + domain check. Does the address parse? Does the domain have an MX record? Free, instant, but weak.
2. SMTP ping. Does the mail server accept the address as a real mailbox? This is what most email verifiers actually do.

Tools to use: NeverBounce, ZeroBounce, Bouncer, MillionVerifier. Most email finders include verification in the same call: when Zeliq enriches a contact, the email comes pre-verified through waterfall checks across multiple providers.

Rule of thumb: never send to an unverified email at scale. For one-off senior contacts, you can risk it. For a 500-prospect campaign, verify everything or you will tank deliverability for the next sequence too.

Is it legal to find someone’s email address?

Short answer: yes, in most cases, when used for legitimate B2B outreach with an opt-out and a real reason to write.

Long answer depends on your jurisdiction.

GDPR (EU). Business email addresses of natural persons are personal data under GDPR. You can collect and use them for B2B outreach under “legitimate interest”, provided you can demonstrate that interest, you offer a clear opt-out in every email, and you respect deletion requests within 30 days. Generic addresses (info@, contact@) are not personal data.

CCPA / CPRA (California). Similar logic. You can contact someone for business reasons, but you must honor opt-out and deletion requests, and you must disclose your data sources if asked.

CAN-SPAM (US). Cold email is legal as long as you identify yourself, do not use deceptive headers, include a physical address, and honor opt-outs.

What is never okay anywhere: scraping protected platforms (LinkedIn data is technically off-limits unless you respect their TOS), buying lists from opaque sources, or sending after someone has opted out. For B2B teams, the safest path is using a tool that sources data through legal channels and offers GDPR-compliant suppression lists out of the box.

FAQ absorbed: questions people also ask

Are email finder tools legal to use?

Yes, when used for legitimate B2B outreach. The tools themselves only aggregate publicly available data plus pattern inference. The legality depends on what you do next. Sending unsolicited cold email is regulated, not the lookup itself.

What is the best free email finder?

Hunter.io and Snov.io both offer 25 to 50 free credits per month with solid accuracy. For one-off needs, that is enough. Zeliq gives 50 credits in its free trial across email and phone, useful if you also want to test enrichment and sequencing in the same flow.

Can I find someone’s personal Gmail?

Hard. Personal Gmails are not indexed in B2B databases and rarely leak in patterns. Best bets: Whois (if they own a domain), GitHub commits (if they are technical), or asking directly. For most B2B use cases, a personal Gmail is not what you want anyway. Reach them at work.

How accurate are email finder tools?

Top tools claim 95 to 98% accuracy when verification is included. Real-world hit rate varies by region and seniority: ~85% for US mid-market, ~70% for European SMBs, much lower for executives at companies under 20 employees. Always verify, never trust the claim alone.

Is buying an email list a good idea?

No. Bought lists are stale (decay rate of 22 to 30% per year), often non-compliant, and burn your sender reputation fast. You are better off building a smaller, verified list with a real tool and warming your domain properly.

Where to go from here

Stop spending 15 minutes per email. The methods in this guide work, but they scale poorly past a few hundred contacts. Pick one tool that combines find, verify, and contact in a single flow, and reserve the manual methods for hard targets.

If you are an SDR, recruiter, or founder running outbound, the playbook is simple: build your target list, enrich with a verified email finder, verify the output, then run a multichannel sequence with a real opt-out. That stack works under GDPR and CCPA, scales past 1,000 contacts a week, and does not torch your domain.

Start free with Zeliq and find your next 50 verified emails in under 5 minutes. No credit card needed.