new-site/docs/new-sector-compliance-targets.md

New Compliance Sectors — Detectable Signals + Contact Channels

Companion to the FCC RMD and FMCSA/trucking playbooks. The winning pattern is: a public government registry + a per-record recurring obligation + an automated deficiency check + outreach to the operator. This doc covers the three best next sectors and, critically, how to reach the license holders besides postal mail.

Honesty note on email: unlike FCC RMD (contact_email) and FMCSA (carrier email), these three registries are address/phone-rich but email-poor. The deficiency engine still works; the channel is the hard part. Section 4 solves that.

---

1. NPPES / Healthcare Providers (NPI)

Source: CMS NPPES monthly full-replacement dissemination file (free bulk CSV, ~10M rows). Verified live against npidata_pfile_20050523-20260510.csv (download.cms.gov/nppes/). Cross-joinable with OIG LEIE (exclusions) and the CMS revalidation list, both free.

Email in file: ❌ VERIFIED — no email field exists (file has 104 columns; none is email). Contact info available: mailing + practice TELEPHONE (cols 27, 35), mailing + practice FAX (cols 28, 36), full mailing + practice addresses, and Authorized Official telephone (col 47). So channel = fax, phone, mail, or email-append. Not email-native.

Verified columns we care about (104-col file)

Col #	Field (exact)
1, 2	NPI, Entity Type Code (1=individual, 2=org)
5–11	Org legal name / provider name + credential
21–28	Mailing address, mailing telephone (27), mailing fax (28)
29–36	Practice location address, practice telephone (35), practice fax (36)
37	Provider Enumeration Date
38	Last Update Date
39, 40, 41	NPI Deactivation Reason Code, Deactivation Date, Reactivation Date
43–47	Authorized Official name/title + telephone (47)
48–103	Up to 15× {Taxonomy Code, License Number, License State Code, Primary Taxonomy Switch}

Note: the public file does NOT contain a "Is Sole Proprietor" or EIN-validated field in a usable way (EIN col 4 is usually masked). Earlier guess corrected.

Detectable from the file (verified)

Signal	Field(s)	Obligation	Service
Stale Last Update Date (>1–2 yrs)	col 38	NPPES update within 30 days of any change	NPPES refresh/attestation
Deactivated NPI	cols 39–41	Deactivated NPI can't bill	NPI reactivation
Old enumeration + never updated	col 37 vs 38	Likely overdue Medicare revalidation (5-yr)	PECOS revalidation
Taxonomy w/ license but no license-state	taxonomy/license/state sets	License/specialty inconsistency	License/taxonomy reconcile
No primary taxonomy flagged (switch all N)	Primary Taxonomy Switch_n	Billing/credentialing errors	Taxonomy cleanup
Org (Type 2) missing Authorized Official	cols 2, 43–47	Incomplete org NPI	Org NPI correction

Inferable only (not in file): exact revalidation due date (PECOS), HIPAA posture, active billing, sanctions (use OIG LEIE join), email.

Best cross-join hook: NPPES ⨝ OIG LEIE ⨝ CMS revalidation list.

---

2. FMC Ocean Transportation Intermediaries (OTI: NVOCC + freight forwarders)

Source: FMC OTI lookup (per-record web lookup; a few thousand licensees). Closest analog to FCC RMD in size and clock.

Email in record: Inconsistent — sometimes present, often not. Partial coverage.

Detectable from the record

Signal	Field(s)	Obligation	Service
License issue ≥ ~3 yrs ago	issue/license date	Triennial renewal (every 3 yrs)	OTI renewal filing
Bond below current minimum	financial responsibility	$75k NVOCC / $50k forwarder bond	Bond placement/review
Missing proof of bond	financial responsibility status	Required to operate	Bond compliance
QI stale/absent	qualifying individual	OTI must have a qualified QI	QI / Form FMC-18 update
NVOCC w/o tariff indicator	cross-ref tariff systems	NVOCCs must publish tariffs / SARs	Tariff publication setup
Status inactive/revoked/surrendered	license status	Operating lapsed = penalties	Reinstatement

Inferable only: exact renewal due date, whether tariff actually published (separate tariff registry), email when absent.

---

3. EPA RCRA Hazardous Waste Handlers (via ECHO / RCRAInfo / FRS)

Source: ECHO bulk files (echo.epa.gov/files/echodownloads/) — verified live. Two relevant downloads:

• ECHO_EXPORTER (137 cols) — one row per facility across all programs, holds the compliance signals. Column dict: echo_exporter_columns_*.xlsx.
• rcra_downloads.zip — 6 RCRA-specific CSVs: RCRA_FACILITIES.csv (15 cols), RCRA_VIOLATIONS.csv, RCRA_EVALUATIONS.csv, RCRA_ENFORCEMENTS.csv, RCRA_NAICS.csv, RCRA_VIOSNC_HISTORY.csv.

Email in file: ❌ VERIFIED — no email anywhere in ECHO bulk. RCRA_FACILITIES.csv has only: ID_NUMBER, FACILITY_NAME, ACTIVITY_LOCATION, FULL_ENFORCEMENT, HREPORT_UNIVERSE_RECORD, STREET_ADDRESS, CITY_NAME, STATE_CODE, ZIP_CODE, LATITUDE83, LONGITUDE83, FED_WASTE_GENERATOR, TRANSPORTER, ACTIVE_SITE, OPERATING_TSDF. No contact name, no phone, no email in ECHO RCRA. Owner/ operator contact NAME + PHONE (still no email) exists only in the deeper RCRAInfo handler download (rcrapublic.epa.gov), where a PHONE field is present. So channel = phone (from RCRAInfo) + mail + email-append. Not email-native.

Verified ECHO_EXPORTER RCRA signal columns

RCRA_FLAG, RCRA_IDS, RCRA_PERMIT_TYPES, RCRA_NAICS, RCRA_INSPECTION_COUNT, RCRA_DAYS_LAST_EVALUATION, RCRA_INFORMAL_COUNT, RCRA_FORMAL_ACTION_COUNT, RCRA_DATE_LAST_FORMAL_ACTION, RCRA_PENALTIES, RCRA_LAST_PENALTY_DATE, RCRA_LAST_PENALTY_AMT, RCRA_QTRS_WITH_NC, RCRA_COMPLIANCE_STATUS, RCRA_SNC_FLAG, RCRA_3YR_COMPL_QTRS_HISTORY. Plus facility-level: FAC_DATE_LAST_INSPECTION, FAC_SNC_FLG, FAC_COMPLIANCE_STATUS.

Detectable from the data (verified)

Signal	Field(s)	Obligation	Service
Generator status (LQG/SQG/VSQG)	FED_WASTE_GENERATOR (1/2/3/N), RCRA_PERMIT_TYPES	Biennial report + manifest + training	Generator program
Open/current violation	RCRA_COMPLIANCE_STATUS, RCRA_QTRS_WITH_NC	Return-to-compliance	Violation remediation
SNC flag	RCRA_SNC_FLAG, FAC_SNC_FLG	High enforcement priority	Audit prep + corrective
Old/never evaluated + LQG	RCRA_DAYS_LAST_EVALUATION, FAC_DATE_LAST_INSPECTION	Overdue inspection risk	Self-audit
Recent penalty / formal action	RCRA_PENALTIES, RCRA_DATE_LAST_FORMAL_ACTION	Active enforcement	Remediation/defense
TSDF without active permit	OPERATING_TSDF, RCRA_PERMIT_TYPES	TSDF permit renewal	Permit renewal
NAICS implies waste, no RCRA ID	RCRA_NAICS / FRS NAICS w/o RCRA_FLAG	Should be registered as generator	Generator registration
Cross-program: RCRA + TRI reporter	RCRA_FLAG + TRI_FLAG	EPCRA/Tier II overlap	Tier II / SPCC filing

Inferable only (not in file): biennial-report-not-filed status (need RCRAInfo BR module, not in ECHO bulk), SPCC plan existence, actual chemical inventory, contact email. (Earlier "biennial flag" claim corrected — ECHO bulk does not expose a clean biennial-filed flag.)

Cross-join opportunity: ECHO_EXPORTER RCRA_FLAG + TRI_FLAG + FAC_NAICS_CODES to find facilities that should be reporting but aren't.

---

4. How to Contact License Holders (Besides Postal Mail)

The registries above give us name + entity + address + phone (+ sometimes fax). Ranked options to reach them on cheaper/faster channels:

A. Email append (turn address/phone into email)

• B2B email-append vendors (e.g. data providers that match company name + address → business email): bulk match files, pay per match. Best for NPPES org records and EPA facilities (real businesses).
• Domain inference + verification: derive likely domain from business name / website, generate info@, first.last@, etc., then run an email-verification API (SMTP/MX validation) to keep only deliverable addresses. Cheap, scalable, works well where the entity has a website.
• Website-scrape enrichment: for each entity, find the website (search by name+city), scrape contact/mailto: and /contact pages for published business email. High accuracy when a site exists.
• People/B2B data APIs keyed on the Authorized Official / Qualifying Individual / facility contact name we already have from the registry.

B. Phone (we already have it in all three)

• Cold call the listed phone — these registries reliably include phone.
• Ringless voicemail / voicemail drop to the listed number.
• SMS to numbers that resolve to mobile (carrier-lookup the phone first; honor TCPA/DNC — we already run DNC compliance services, so scrub against the NDNC and keep consent records). This is the channel we must be most careful on.

C. Fax (underrated for NPPES + EPA)

• NPPES and many EPA records include fax. Compliance/medical/industrial audiences still read fax. Cheap blast, low competition, novelty cut-through.

D. Web / digital, no contact info needed

• Free public lookup tool (like /tools/dot-compliance-check): e.g. /tools/npi-compliance-check, /tools/oti-renewal-check, /tools/rcra-compliance-check. Drives inbound; the provider searches their own NPI/license/EPA ID and self-identifies. Pair with SEO + paid search on "NPI revalidation", "FMC license renewal", "RCRA biennial report".
• Retargeting / lookalike audiences: upload the matched-email or hashed contact list to ad platforms for display/social retargeting even without reaching the inbox.
• LinkedIn / Sales Navigator outreach keyed on the Authorized Official / QI name (especially good for FMC OTIs and EPA facility EHS managers).

E. Channel-fit by sector

Sector	Phone	Fax	Email-append quality	Web/SEO inbound
NPPES (NPI)	✅ strong	✅ good	Medium (org > individual)	✅ "NPI revalidation"
FMC OTI	✅ strong	⚠️ some	Medium-high (have websites)	✅ "FMC license renewal"
EPA RCRA	✅ strong	⚠️ some	High (real businesses + EHS contact)	✅ "RCRA biennial report"

Compliance guardrails for these channels

• TCPA/DNC: scrub all phone/SMS against DNC, prefer manual-dial or established business relationship, keep consent/records. (We already sell DNC compliance — practice what we preach.)
• CAN-SPAM: appended emails must carry unsubscribe + physical address (our Listmonk templates already do).
• State telemarketing & fax (TCPA/JFPA): fax blasting has its own rules; treat as opt-out-respecting and B2B-only.

---

Recommendation / Sequencing

1. FMC OTI first — cleanest RMD analog (small set, 3-yr clock, bond math), some email already present, businesses with websites = easy email-append.
2. EPA RCRA — best deficiency richness + highest fine fear = best conversion; reach via email-append + phone + free lookup tool.
3. NPPES — biggest volume, but email-poor and individual-heavy; lead with a free NPI revalidation lookup tool + fax + org-targeted email-append.

If email-native outreach (like FCC RMD) is the hard requirement, the better targets are state license boards (contractors/CSLB, insurance producers, NMLS, cannabis/ABC) that publish licensee email directly. Worth a separate survey.

---

5. Postcard Print-and-Mail Vendor Pricing (Lob vs PostGrid vs Click2Mail)

For our use case (targeted list of named license holders with mailing addresses, personalized + QR to the free compliance-check tool, API-driven like Listmonk), a print-and-mail API is the right tool — no USPS permit, no presort, no BMEU drop-off. Per-piece is all-in (printing + postage + address verification).

Rates verified from live pricing pages on the session date. Confirm before committing volume; these vendors change rates and gate some behind sales.

Lob — VERIFIED from lob.com/pricing/print-mail

4x6 postcard, "starting at" per-piece by plan tier (volume + automation lower it):

Plan	Monthly fee	4x6 postcard from	Notes
Developer (free)	$0	$0.872 / postcard	up to 5 templates, low limits, good for testing
Growth	$260/mo	$0.612 / postcard	10 HTML templates, address verif. included tiers
Enterprise	$550/mo	$0.582 / postcard	25 templates, custom volume, lowest per-piece

• Letters from ~$0.806 / check ~$1.159 (for reference).
• Address verification (US) ~$0.05/lookup pay-go, cheaper bundled.
• Strong API + webhooks (in-transit tracking), best docs of the three.
• Best fit if we want to wire postcards into the existing pipeline cleanly.

PostGrid — quote/login gated (not publicly itemized)

• Pricing page does not publish per-piece; requires signup/sales for the rate card. Historically positioned slightly under Lob per-piece (~$0.50–$0.80 range for 4x6 depending on volume) with pay-as-you-go + no mandatory monthly minimum on the entry tier.
• US + Canada print/mail, address verification (CASS/NCOA, SERP for Canada), good API. Often pitched as the cheaper Lob alternative.
• Action: get an actual quote keyed to our expected monthly volume before choosing — the public "slightly cheaper" claim is unverified here.

Click2Mail — login/quote gated, but the cheapest at low volume historically

• Public pages (postcards / cost-calculator) gate exact rates behind an account; rates depend on size (4x6, 4x9, 5x8, 6x9, 6x11), class (First-Class vs Standard/Marketing Mail), and quantity.
• Historically the lowest all-in for small/medium runs (often well under $0.50/4x6 First-Class at modest volume) because it's a self-serve mail house, not a developer-API-first platform. Has an API but less polished than Lob.
• Action: run their cost calculator logged in for a real number on a sample 4x6 First-Class run of ~1,000 and ~5,000 pieces.

Practical comparison

	Lob	PostGrid	Click2Mail
Per-piece 4x6 (4x6)	$0.58–$0.87 (verified)	~$0.50–$0.80 (quote)	typically lowest at low vol (quote)
Monthly fee	$0 / $260 / $550	none on entry (quote)	none (self-serve)
API quality	Best	Good	Basic
Address verif (CASS/NCOA)	Yes	Yes	Yes
Best for	API-wired campaigns at scale	cheaper Lob-style API	cheapest small/medium runs

Recommendation

• Start on Click2Mail (or Lob Developer free tier) for the first test batch to validate conversion at the lowest fixed cost — no $260/$550 monthly commitment.
• Move to Lob Growth/Enterprise (or a PostGrid quote) once volume justifies the per-piece drop (~the monthly fee pays for itself only at several thousand pieces/month). Lob's API is the cleanest to wire into our existing pipeline.
• Always personalize with the detected deficiency + a QR code / short URL to the relevant free lookup tool — that QR is our tracking + conversion bridge, the same role the email CTA plays today.

---

6. NPI Compliance Programs, "Expired" Signals & Suggested Rates

What we actually know is expired/dead (honest breakdown)

NPPES alone has no license/cert/revalidation expiry date. The only hard "dead" status in the file is NPI deactivation. Real dateable "expired" signals come from FREE companion databases joined to NPPES by NPI or name.

Source	What it proves is expired/wrong	Hook
NPPES (deactivation cols 39-41)	NPI deactivated — cannot bill	NPI reactivation (HARD)
NPPES (Last Update col 38)	Record stale (not "expired", a nudge)	NPPES update
CMS PECOS Revalidation list	Medicare revalidation due/overdue date (5-yr) — the real dateable hook	Revalidation filing (flagship)
OIG LEIE	Provider EXCLUDED from federal programs	Exclusion remediation (urgent)
SAM.gov exclusions	Debarred / additional exclusions	Screening + remediation
State medical board lookups	License itself expired (not in NPPES)	License renewal

Flagship analog to FCC RMD recertification = CMS Medicare revalidation due date, joined to NPPES by NPI. That is the genuine "your X expired" signal.

Programs to sell (ranked by trigger defensibility)

1. Medicare PECOS revalidation filing (flagship)
2. NPI reactivation (hard NPPES signal)
3. NPPES data update / attestation
4. State license renewal monitoring / filing
5. OIG/SAM exclusion screening + remediation
6. CAQH profile attestation (re-attest ~every 120 days)
7. HIPAA compliance package (universal, not detectable)
8. Credentialing / re-credentialing with payers
9. Taxonomy / enrollment cleanup

Suggested rates

Service	Price	Cadence	Notes
NPPES data update / attestation	$149	one-time	low-friction entry product
NPI reactivation	$249	one-time	hard trigger
Medicare PECOS revalidation filing	$399	every 5 yrs	flagship, high stakes
State license renewal (per license)	$149/license	annual/biennial	recurring
OIG/SAM exclusion screening	$99/yr ($19/mo)	recurring	sticky subscription
CAQH attestation/maintenance	$249/yr	recurring	high-churn pain
HIPAA compliance package	$799–$1,499	one-time + annual	biggest ticket
Credentialing (per payer)	$199/payer	as needed	volume add-on
Provider Compliance Bundle	$599–$899/yr	annual subscription	revalidation watch + exclusion screening + NPPES upkeep

Pricing logic: solo/small providers are price-sensitive, but fear of losing Medicare billing privileges (revalidation, exclusion) supports premium pricing on those two. Data-update products stay cheap as door-openers. The annual bundle is the goal — mirrors the trucking compliance-bundle model for recurring revenue.

Recommendation

Lead with Medicare revalidation (real dateable expiry from the free CMS list, like FCC RMD recert), use NPI-deactivated + stale-NPPES as secondary triggers, package into a $599-899/yr Provider Compliance Bundle.

---

7. Companion Databases — VERIFIED (downloaded & inspected)

All free, all joinable to NPPES by NPI. Counts below are from the live files pulled on the session date. This is the data that turns "stale record" into a real, dateable "your X expired" hook.

7.1 CMS Revalidation Due Date List (the flagship)

revalidation_base.csv — ~2.9M rows, 2.42M distinct NPIs. Columns: Enrollment ID, National Provider Identifier (NPI), First/Last Name, Organization Name, Enrollment State Code, Enrollment Type, Provider Type Text, Enrollment Specialty, Revalidation Due Date, Adjusted Due Date, Individual Total Reassign To, Receiving Benefits Reassignment.

Verified population:

• 261,878 enrollments have a concrete due date set (rest are "TBD" = CMS hasn't scheduled them yet).
• 217,968 are PAST DUE (overdue revalidation) — these are the hottest leads.
• 43,910 are upcoming (future-dated) — perfect for "due soon" pre-emptive offers.

This is the direct analog to the FCC RMD recertification date. Sell Medicare PECOS revalidation filing ($399) to the 217,968 overdue + watch service to the upcoming ones. Join to NPPES to get their address/phone for outreach.

7.2 OIG LEIE (Exclusions)

UPDATED.csv — 83,256 excluded providers/entities. Columns: LASTNAME, FIRSTNAME, MIDNAME, BUSNAME, GENERAL, SPECIALTY, UPIN, NPI, DOB, ADDRESS, CITY, STATE, ZIP, EXCLTYPE, EXCLDATE, REINDATE, WAIVERDATE, WVRSTATE.

Verified: only 8,608 have a valid joinable NPI (most exclusions predate NPI or are entities w/ 0000000000). Use this two ways:

• As a screening product sold to OTHER providers ($99/yr) — "we check you and your staff against LEIE monthly."
• As a remediation hook to the 8,608 excluded-with-NPI (reinstatement help), though excluded providers are a harder, riskier audience.

7.3 Medicare Opt-Out Affidavits

OptOut_*.csv — 56,300 opt-out affidavits. Columns: First/Last Name, npi, Specialty, Optout Effective Date, Optout End Date, address, City, State, Zip, Eligible to Order and Refer, Last updated.

Verified: 22,379 have an opt-out period ending within 12 months. Opt-out auto-renews every 2 years unless cancelled — a real dateable event. Sell opt-out renewal / re-enrollment decision support.

7.4 Order & Referring File

OrderReferring_*.csv — ~2.0M rows. Columns: NPI, LAST_NAME, FIRST_NAME, PARTB, DME, HHA, PMD, HOSPICE (Y/N flags). Tells us which providers are eligible to order/refer for each program. Use to qualify leads (a provider missing eligibility they should have = enrollment gap = service opportunity).

7.5 PPEF Public Provider Enrollment

PPEF_Enrollment_Extract_*.csv — ~2.98M rows. Columns: NPI, MULTIPLE_NPI_FLAG, PECOS_ASCT_CNTL_ID, ENRLMT_ID, PROVIDER_TYPE_CD/DESC, STATE_CD, names, ORG_NAME. This is the authoritative "who is actively enrolled in Medicare" list. Join against NPPES to find:

• NPPES providers NOT in PPEF = not Medicare-enrolled (enrollment opportunity).
• Cross-check enrollment state vs NPPES practice state (mismatch = cleanup).

Join architecture

NPPES (10M providers, addr/phone/fax)         <- outreach contact + base universe
  ⨝ NPI ⨝
Revalidation Due (217,968 overdue)            <- flagship "expired" hook + $399
  ⨝ NPI ⨝
LEIE (8,608 excluded w/ NPI)                  <- screening product + urgent flag
  ⨝ NPI ⨝
Opt-Out (22,379 ending <12mo)                 <- renewal hook
  ⨝ NPI ⨝
PPEF / Order-Referring                        <- enrollment gaps / lead qualification

Headline takeaway

The single best, defensible, dateable hook is 217,968 providers with OVERDUE Medicare revalidation, each enrichable with NPPES address/phone/fax for outreach. That is a larger and harder-deadline audience than the FCC RMD list, and the $399 revalidation filing is a clean flagship product.

---

8. Free Email Append for NPI — VERIFIED FINDINGS

Yes, there is a partial free email source, plus a free verification path. Investigated and tested live on the session date.

8.1 NPPES Endpoint file = free, NPI-keyed email addresses

The NPPES dissemination ZIP contains a separate endpoint_pfile (123 MB) that we had not previously parsed. It holds electronic endpoints keyed by NPI. Verified contents:

• 597,927 endpoint rows, covering 491,761 distinct NPIs.
• 390,639 rows are email-formatted (user@domain.tld).
• Endpoint types: DIRECT 356,394 · CONNECT 91,616 · SOAP 56,543 · FHIR 46,764 · OTHERS 45,938 · REST 672.

The honest catch: most are Direct Secure Messaging (HISP) addresses, not normal inboxes. The top domains are health-system Direct gateways (ehrdirect.mayoclinicmsg.org, direct.iuhealth.org, upmcdirect.com, …). Direct addresses route only inside the DirectTrust network — you cannot cold- email them from a normal mail server; they will not deliver. So the raw 390k is NOT a usable marketing email list.

BUT — the usable slice: a meaningful subset are real consumer/business inboxes the provider self-published:

• ~19,759 rows on common consumer webmail (gmail.com 12,427, plus yahoo, hotmail, outlook, aol, icloud).
• Verified samples are clearly personal/practice inboxes: tcneurology@gmail.com, veinsofkc@yahoo.com, kendalncarlsondmd@gmail.com, scottcopt@aol.com, etc.
• Plus an additional long tail of non-Direct practice-domain emails (clinic websites) that are also normal inboxes.

So the genuinely free, cold-emailable slice from NPPES endpoints is on the order of tens of thousands (consumer webmail + real practice domains), not the full 391k. Still free, still NPI-keyed (joins to revalidation/LEIE/etc.), and exactly the small-practice owner-operators who are our buyer.

8.2 Free SMTP/MX verification is possible from our infra

Tested from this host:

• Port 25 egress is OPEN (connected to gmail-smtp-in.l.google.com:25, got 220 banner).
• MX lookups work (resolved MX for gmail.com, mayoclinic.org).

That means we can run free email verification ourselves (MX check + SMTP RCPT-TO probe) with no paid validation vendor, to:

1. Filter the endpoint emails down to deliverable ones.
2. Verify guessed emails for the domain-inference path below.

Caution: aggressive SMTP probing can get an IP greylisted/blocked. Throttle, rotate, and prefer MX-only validation where possible. Do it from a non-sending IP so it never touches our warmed MTA reputation.

8.3 Free domain-inference append (for the rest)

For NPIs without a usable endpoint email but with an org name + practice address:

1. Find the practice website (search name + city; or guess name.com).
2. Generate candidate emails (info@, office@, contact@, first.last@).
3. MX + SMTP verify for free (8.2) and keep only deliverable. This is zero-cost compute, just our time/infra. Lower hit rate than a paid append vendor but free.

8.4 Bottom line

Path	Cost	Yield	Cold-emailable?
NPPES endpoint Direct addresses (~356k)	free	high count	❌ no (HISP-only routing)
NPPES endpoint consumer/practice inboxes (~20k+)	free	tens of thousands	✅ yes
Domain-inference + free SMTP verify	free (compute)	medium, varies	✅ yes
Paid B2B email append vendor	$ per match	highest	✅ yes

Recommendation: build a free pipeline = (a) extract the cold-emailable subset of endpoint emails, (b) domain-infer + free-SMTP-verify the rest, (c) fall back to phone/fax/mail for non-matches. This recovers a real email channel for a meaningful chunk of the 217,968 overdue-revalidation targets at zero vendor cost, and we verify deliverability ourselves since port 25 + MX both work here.