Security

Your test email is still email — it carries OTPs, reset links, and addresses on your domain. Here's exactly how we treat it. Questions this page doesn't answer: security@mailfixture.com.

RECEIVE-ONLY, STRUCTURALLY

There is no outbound mail server in our infrastructure — not disabled, not restricted: absent. MailFixture cannot send email, so a compromise of our systems can't spoof your domain, spam your users, or phish anyone. The best attack surface is the one that doesn't exist.

DATA THAT DELETES ITSELF

Inboxes expire by TTL; messages age out per your plan's retention (3–30 days) and are then hard-deleted — rows and blobs, not flags. Deleting an inbox deletes its messages immediately. We keep aggregate counts for billing; the email itself is designed to be short-lived.

ENCRYPTION

TLS 1.2+ on every API and dashboard connection. Inbound SMTP offers STARTTLS (TLS 1.2+, auto-renewed certificates) — though SMTP being SMTP, encryption on that hop is the sending server's choice; every major provider takes it. API keys are stored hashed (argon2id) — which is why we can only show yours once.

SANDBOXED RENDERING

The dashboard renders email HTML in a sandboxed frame: no scripts execute, remote images are blocked outright by CSP, tracking pixels never phone home. The email your test received can't touch the dashboard your team is signed into.

Practices

Compliance No certifications yet — no SOC 2, no ISO 27001, and we won't claim them until an auditor says so. GDPR: we act as processor for message content; if you need a DPA, email us and we'll sort it out.
Access control API keys are account-scoped, hashed at rest, and revocable instantly. Dashboard access is per-member magic-link sign-in; removing a team member kills their sessions and pending sign-in links the same second. Production access is key-based SSH, limited to the operator; nobody reads message content outside of a support ticket you opened.
Infrastructure A single region today (netcup, US-East). The whole stack is code in the repo — containers, config, provisioning — deployed through CI; no snowflake servers. Nightly off-site backups with a drill-tested restore runbook.
Payments Handled entirely by Stripe. Card numbers never touch our servers — we see the last four digits, same as you.
RESPONSIBLE DISCLOSURE

Found something? Email security@mailfixture.com — PGP key at /pgp-key.asc, fingerprint 1ADF 03BC BB60 DD48 0BDB 3D50 0F2E 654A BCDC 2915 (machine-readable contact at /.well-known/security.txt). We answer within 24 hours, fix by severity, and won't lawyer you for good-faith research. Safe harbor applies.