From the GitHub source, it connects to the mail server for the domain’s MX record and issues a “RCPT TO:” command and looks for a non-rejection. Back when I was managing email servers, this option was typically disabled to prevent address enumeration and I’d be surprised if it still works reliably.
Many mail servers function by answering all “RCPT TO:” commands (for the domains served) with a success message that is effectively “Yeah, sure... give it a try” and, if the mailbox doesn’t exist, will email the sender a bounce message.
Worth pointing out that it’s possible to configure an email server to not respond to these types of queries and many high-value targets (large corporate email systems) do.
