Security
Your test email is still email — it carries OTPs, reset links, and addresses on your domain. Here's exactly how we treat it. Questions this page doesn't answer: security@mailfixture.com.
There is no outbound mail server in our infrastructure — not disabled, not restricted: absent. MailFixture cannot send email, so a compromise of our systems can't spoof your domain, spam your users, or phish anyone. The best attack surface is the one that doesn't exist.
Inboxes expire by TTL; messages age out per your plan's retention (3–30 days) and are then hard-deleted — rows and blobs, not flags. Deleting an inbox deletes its messages immediately. We keep aggregate counts for billing; the email itself is designed to be short-lived.
TLS 1.2+ on every API and dashboard connection. Inbound SMTP offers STARTTLS (TLS 1.2+, auto-renewed certificates) — though SMTP being SMTP, encryption on that hop is the sending server's choice; every major provider takes it. API keys are stored hashed (argon2id) — which is why we can only show yours once.
The dashboard renders email HTML in a sandboxed frame: no scripts execute, remote images are blocked outright by CSP, tracking pixels never phone home. The email your test received can't touch the dashboard your team is signed into.
Practices
Found something? Email security@mailfixture.com — PGP key at /pgp-key.asc, fingerprint 1ADF 03BC BB60 DD48 0BDB 3D50 0F2E 654A BCDC 2915 (machine-readable contact at /.well-known/security.txt). We answer within 24 hours, fix by severity, and won't lawyer you for good-faith research. Safe harbor applies.