What is the best way to block users from spam domains like 10minutemail.com, from signup?
It depends on the exact scenario, if you’re referring to signup associated with a database connection, which means the account identity (username/password) is managed by your Auth0 account, then you can consider implementing a pre-registration hook that will actually prevent the creation of the user.
For other connection types, like social connections, the hooks approach is not currently available, however, you can still implement a similar approach through rules. Have in mind that the rule won’t actually block the creation of a user profile associated to that user, however, it will indeed block the overall transaction so the visible effect to the end-user is mostly the same; they won’t be able to signin or login. In order to complement this approach you can also then implement a process that routinely cleans up these blocked accounts by using the applicable endpoints available through the Management API v2.