Security

Your test email is still email — it carries OTPs, reset links, and addresses on your domain. Here's exactly how we treat it. Questions this page doesn't answer: security@mailfixture.com.

RECEIVE-ONLY, STRUCTURALLY

There is no outbound mail server in our infrastructure — not disabled, not restricted: absent. MailFixture cannot send email, so a compromise of our systems can't spoof your domain, spam your users, or phish anyone. The best attack surface is the one that doesn't exist.

DATA THAT DELETES ITSELF

Inboxes expire by TTL; messages age out per your plan's retention (24h–90d) and are then hard-deleted — rows and blobs, not flags. Deleting an inbox deletes its messages immediately. We keep aggregate counts for billing; the email itself is designed to be short-lived.

ENCRYPTION

TLS 1.2+ on every connection, inbound SMTP included (STARTTLS required from senders that offer it). AES-256 at rest for message bodies and attachments. API keys are stored hashed — which is why we can only show yours once.

SANDBOXED RENDERING

The dashboard renders email HTML in a sandboxed frame: no scripts execute, remote images are proxied, tracking pixels never phone home. The email your test received can't touch the dashboard your team is signed into.

Practices

Compliance: SOC 2 Type II report available under NDA. GDPR: we act as processor for message content; DPA available on all paid plans.
Access control: API keys are workspace-scoped with live/test separation. Production access for our staff requires hardware-key MFA and is logged; nobody reads message content outside of a support ticket you opened.
Infrastructure: AWS, us-east and eu-central; EU data residency on Team and above. Infrastructure as code, peer-reviewed deploys, no snowflake servers.
Payments: Handled entirely by Stripe. Card numbers never touch our servers — we see the last four digits, same as you.

RESPONSIBLE DISCLOSURE

Found something? Email security@mailfixture.com (PGP key at /.well-known/security.txt). We answer within 24 hours, fix on a severity-based SLA, and won't lawyer you for good-faith research. Safe harbor applies.