The whois check for a domain literally contains when it will expire. You can do this one time (combined with an MX lookup) while the email is added.
And knowing the ASN of a domain is also quite helpful. If anything changes (e.g. geolocation of ASN or different domain registrar) you can easily force the user to confirm this while they are already logged in.
Source: I am doing this for my tholian.network products.
All I’m saying is if you’re building such a system you should be aware of this and possibly account for it with some low frequency scanning before listed expiry. Or not, if you decide it’s not worthwhile.
Alternatively you could do a whois query of the domain (and verify against cached details) before sending out the recovery email. It's probably best to do that every time the email addresses are changed or updated.
Note that some WHOIS servers (as in port 43) are hostile to automation and might block you if you’re doing it too much, although you could be paying a few cents per custom domain per month to have a service perform the data aggregation for you.
Agree, most ToS of WHOIS servers say they don't want automated queries.
In this case I think it'd be simpler to just do a DNS check, either NS alone or A/MX. Scales better. If NXDOMAIN is returned over a period of days then the domain can be flagged.
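A sketch of the DNS-based flagging described above, added here as an example and not taken from any commenter's code. The 3-day threshold, the rcode strings, the nameserver-replacement check and the sample observations are assumptions; in production each observation would come from one daily NS lookup.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional

NXDOMAIN_DAYS = 3  # assumed threshold; the thread only says "a period of days"

@dataclass
class DomainState:
    baseline_ns: frozenset = frozenset()  # nameservers seen when the address was added
    nx_since: Optional[date] = None       # first day of the current NXDOMAIN streak
    reasons: list = field(default_factory=list)

    @property
    def flagged(self) -> bool:
        # Sticky on purpose: a lapsed domain that resolves again may have a new owner,
        # so only a re-confirmation by the logged-in user should clear the flag.
        return bool(self.reasons)

def observe(state: DomainState, day: date, rcode: str, ns=()) -> bool:
    """Fold one daily NS lookup into the state; True means hold recovery mail."""
    if rcode == "NXDOMAIN":
        state.nx_since = state.nx_since or day
        streak = (day - state.nx_since).days + 1
        if streak >= NXDOMAIN_DAYS and "nxdomain" not in state.reasons:
            state.reasons.append("nxdomain")
    elif rcode == "NOERROR":
        state.nx_since = None
        seen = frozenset(n.lower().rstrip(".") for n in ns)
        if not state.baseline_ns:
            state.baseline_ns = seen
        elif seen and seen.isdisjoint(state.baseline_ns) and "ns-replaced" not in state.reasons:
            state.reasons.append("ns-replaced")  # every nameserver changed since baseline
    # Other rcodes (SERVFAIL, timeouts) are transient: the streak neither grows nor resets.
    return state.flagged

def replay(observations) -> DomainState:
    state = DomainState()
    for day, rcode, ns in observations:
        observe(state, day, rcode, ns)
    return state

# Constructed sample: the domain lapses, then reappears on different nameservers.
D0 = date(2024, 1, 1)
SAMPLE = [
    (D0, "NOERROR", ["ns1.example-dns.test.", "ns2.example-dns.test."]),
    (D0 + timedelta(days=1), "NXDOMAIN", []),
    (D0 + timedelta(days=2), "SERVFAIL", []),
    (D0 + timedelta(days=3), "NXDOMAIN", []),
    (D0 + timedelta(days=4), "NOERROR", ["ns1.parking.test."]),
]

if __name__ == "__main__":
    print(replay(SAMPLE).reasons)
```
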