Jul 7, 2026
ADDED
Teams: unlimited members on every plan
Invite your whole team into one workspace — everyone shares its inboxes, API keys, phone numbers, domains, and billing, and everyone signs in with their own magic link. Invites are emailed, single-use, and expire after 7 days; removing a member kills their sessions and pending sign-in links instantly. Unlimited members on every plan, including Free — we still count messages, not people. Manage it under Team in the dashboard.
Jul 7, 2026
Downgrading with phone numbers: a grace period, not a silent bill
If a plan change leaves your account with more phone numbers than the new plan includes, the extra numbers are now scheduled for automatic release after a 7-day grace period instead of renting at the carrier indefinitely. You get an email and a dashboard warning up front, each number carries a release_after date on the API (SDKs v0.4.1), and upgrading — or releasing numbers you don't need — before the date cancels the release. Fine print in the SMS quickstart.
Jul 7, 2026
ADDED
SPF, DKIM & DMARC verdicts on every message
Every received email is now verified on arrival and carries the results in extracted.auth: SPF for the delivering session, one entry per DKIM signature (with the failure reason when a signature doesn't verify), and DMARC alignment with the domain's published policy. Assert that your OTP mail actually authenticates — in CI, before a real inbox provider starts junking it. Verdicts never affect delivery: a hard-fail message still lands in your inbox wearing its failing verdict. Messages received before today have no auth key (that means "not verified", never "failed"). Exposed as a typed auth field in SDKs v0.4.0 and as verdict chips in the dashboard message viewer. Details in Concepts: Extraction.
Jul 7, 2026
ADDED
Follow the verification link server-side
POST /v1/messages/:id/links/follow clicks a link from a received email for you: we GET it (following up to 5 redirects) and return {status, final_url, redirects, ok} — no headless browser, no HTTP client in your fixture code. Defaults to the first verify-classed link; pick another with class, index, or an exact url. Only URLs extracted from the message can be followed, fetches are SSRF-guarded and https-only, and the target's response body is never returned. Same endpoint for texts (/v1/sms/:id/links/follow), two new MCP tools (follow_link, follow_sms_link — 34 total), and SDKs v0.3.0 (followLink / follow_link).
Jul 7, 2026
ADDED
Inbound SMS: dedicated phone numbers for text OTPs (paid plans)
Paid plans can now provision dedicated US phone numbers — POST /v1/phone-numbers — and assert on the texts they receive with the exact API shape you know from email: ?wait= long-polling, match filters, and the same OTP/link extraction (GET /v1/sms/:id/otp). Receive-only, as always: we never send SMS, and there's no short-code or MMS support. Solo includes 1 number + 100 texts/mo, Team 3 + 500, Scale 10 + 2,000 — the SMS quota is a hard stop on every plan (no overage; texts beyond it are dropped). Ships with SDKs v0.2.0 (createPhoneNumber / wait_for_otp), 7 new MCP tools (32 total) including wait_for_sms_otp, an sms.received webhook event, and a numbers page in the dashboard. Start at the SMS quickstart.
Jul 6, 2026
ADDED
MCP server: give your AI agent an inbox
mailfixture is now a remote MCP server at mailfixture.com/mcp — included on every plan. Connect Claude Code (or any Streamable HTTP client) with your API key and the agent gets 25 tools: the full REST surface plus wait_for_otp / wait_for_link / wait_for_message, which long-poll server-side so “trigger signup, read the OTP” is one tool call. Setup is one command — see the MCP quickstart.
Jul 6, 2026
ADDED
SDKs on npm + PyPI, new docs & guides
npm install -D mailfixture and pip install mailfixture are live (v0.1.0, MIT). Both SDKs cover the full API — inboxes, long-poll waits, OTP/link extraction, attachments, webhooks — with zero runtime dependencies. The docs grew quickstarts for Cypress and pytest, plus guides on flake-free OTP testing and the “disposable email detected” problem.
Jul 6, 2026
FIXED
Mobile layouts, GET /logout, security headers
The dashboard header no longer drifts down the page on phones, and the sign-out button is reachable there again. The landing nav wraps instead of overflowing small screens. /logout now works as a plain link, not just a form POST. The site also gained a favicon and strict security headers (CSP, HSTS, nosniff, referrer policy) — if you embed anything of ours, nothing changes: the API is unaffected.
Jul 5, 2026
ADDED
Webhooks: we push, you stop polling (paid plans)
Register an HTTPS endpoint and we POST message.received (summary + extracted OTP/links — never bodies) and domain.verified the moment they happen. Every delivery is HMAC-signed (X-MailFixture-Signature, same t=…,v1=… scheme Stripe uses), retried with backoff for ~21 hours, and inspectable per-endpoint in the dashboard. CRUD at /v1/webhooks; both SDKs ship a verify_webhook_signature helper.
Jul 5, 2026
ADDED
Attachment downloads + large-message offload
Message detail now includes attachment metadata (filename, content type, size), and GET /v1/messages/:id/attachments/:index returns the decoded bytes. Oversized raw MIME moved to object storage behind the scenes — the Raw tab and attachment downloads don't care where it lives.
Jul 5, 2026
CHANGED
Free plan: monthly quota is now a hard stop
Free has no card on file, so there's no overage to bill — at 100 messages in a calendar month, senders get an SMTP 550 until the month rolls over or you upgrade. Paid plans are unchanged: soft overage, nothing stops mid-run. The dashboard warns from 80% onward.
Jul 4, 2026
ADDED
mailfixture launches
Receive-only inboxes for test suites: programmatic inboxes, OTP and link extraction, long-polling (?wait=) on message lists, custom domains with MX verification, a dashboard with a sandboxed message viewer, and magic-link sign-in. Python and JS/TS SDKs are on their way to PyPI and npm.