How to Find a Decision-Maker's Email Address: 6 Methods That Work

You found the perfect prospect, researched their product, put together a solid pitch, and sent the email to info@. A week of silence. Sound familiar? The pitch was fine. The problem is that info@ lands in an intern's inbox, not the director's.

Below are six ways to reach the actual mailbox of the person who makes decisions. Each one comes with a concrete example, a note on legality, and the gotchas worth knowing.

If you are already connected with the person, their email often sits right in the "Contact Info" section. Not connected? Send a connection request with a short note. Skip the pitch entirely: "Reaching out about X, wanted to discuss Y" is enough context.

Example: You are looking for the CTO of a 50-person startup. Open their profile, click "Contact Info," and the work email is there. If the field is blank, try Sales Navigator. Its export occasionally surfaces an email that the public profile hides.

Legality: entirely fine. The person put that contact there themselves. Bulk-scraping hundreds of profiles automatically is a different matter. LinkedIn suspends accounts for it, usually without warning.

Enter a company domain and you get a list of known email addresses with job titles attached. Hunter aggregates data from public sources: blog posts, forum signatures, "About us" pages.

Example: You type "acme-corp.com" into Hunter and see john.smith@acme-corp.com labeled CEO with a 92% confidence score. Next to it is the company pattern: {first}.{last}@.

Legality: the data comes from public sources. That said, what you get is a hypothesis, not a confirmed address. Validate before you send anything.

Most companies use one format for every employee. If you know one address from the site or an email signature, you know the pattern for everyone else.

Common patterns:

• john.smith@ — firstname.lastname (most common)
• jsmith@ — first initial + lastname
• john.s@ — firstname + last initial
• smith@ — lastname only

Example: The company website lists a manager at anna.jones@domain.com. The CEO is Alex Carter. That makes alex.carter@domain.com the likely address. Still needs verification before you send, but more on that below.

Legality: you are combining a public name with a public domain. No hacking, no scraping. The risk is sending to an unverified address: a hard bounce damages your domain's reputation, and that damage accumulates.

"Team," "Contact," "About us," and press release pages often list leadership emails. Sometimes the address is embedded in an image or written as "name [at] domain," but plain text is more common.

Example: You open a logistics company's site, go to "Leadership," and find a photo, title, and the commercial director's email right under their name. It happens more often than people expect.

Legality: the company published this information voluntarily. If you automate the collection, respect the site's robots.txt.

When a company registers a domain, the registrant's email goes into WHOIS. For small businesses, that email is often the owner's personal inbox. Look it up via any WHOIS service or run whois domain.com in your terminal.

Example: You run WHOIS on a small web design studio and the "admin-contact" field shows the founder's personal address. For large companies this rarely works: they route everything through privacy proxy services.

Legality: WHOIS is a public registry. GDPR pushed European registrars to hide personal data by default. Registrars outside the EU vary, but the trend toward privacy protection is clear everywhere.

Twitter/X, Facebook, and Telegram channels are worth checking. Executives who actively build a personal brand sometimes leave a work email in their bio or in pinned posts.

Example: A SaaS founder runs a Telegram channel. The channel description links to their Calendly and lists an email for collaborations. You were not hunting for it, but there it is.

Legality: the person published the contact themselves. Use it for what they listed it for. If the bio says "for collaborations," pitch a collaboration, not a generic "business optimization" offer.

Found an email? Do not send yet

Every method above gives you a candidate, not a confirmed working address. Sending to an invalid email means a hard bounce, and hard bounces erode your domain's sender reputation.

What validation actually checks:

• Whether the mail server exists (domain MX record)
• Whether the server accepts mail to that specific mailbox (SMTP check)
• Whether the address is catch-all (accepts everything but nobody reads it)
• Whether the mailbox appears in known spam trap databases

You can do this manually with telnet mx.domain.com 25, but it takes time per address. Faster to upload your list to uChecker: results come back in a couple of minutes, split into valid, risky, and dead addresses.

The short version: a working sequence

1. Find the decision-maker's full name (LinkedIn, company site, press coverage).
2. Identify the company's email pattern (Hunter.io or any known employee address).
3. Generate the likely address using that pattern.
4. Cross-check with WHOIS, social profiles, and the "Contact" page.
5. Validate every address before sending.
6. Send one personalized email, not ten.

One accurate address for the right person is worth more than a thousand addresses from a purchased list. Spend 15 minutes finding it and 2 minutes validating it, and your email will at least get read.

Ready to verify the addresses you found? Upload them to uChecker — free for the first 100 checks.