Security
Your test email is still email — it carries OTPs, reset links, and addresses on your domain. Here's exactly how we treat it. Questions this page doesn't answer: security@mailfixture.com.
There is no outbound mail server in our infrastructure: not disabled, not restricted, absent. MailFixture cannot send email, so a compromise of our systems can't spoof your domain, spam your users, or phish anyone. That says nothing about what third parties can do with your domain: SPF, DKIM and DMARC in your DNS remain your controls there. The best attack surface is the one that doesn't exist.
Inboxes expire by TTL; messages age out per your plan's retention (24h–90d) and are then hard-deleted — rows and blobs, not flags. Deleting an inbox deletes its messages immediately. We keep aggregate counts for billing; the email itself is designed to be short-lived.
TLS 1.2+ is the floor on every connection we negotiate, inbound SMTP included: we advertise STARTTLS, and a sender that negotiates it gets TLS 1.2+ or nothing. The one case no receiver can force is a sending MTA that never issues STARTTLS, since SMTP leaves that choice to the sender. AES-256 at rest for message bodies and attachments. API keys are stored hashed, never in plaintext, which is why we can show yours exactly once and cannot recover it later: a lost key is replaced, not retrieved.
The dashboard renders email HTML in a sandboxed frame: no scripts execute, remote images are fetched through our proxy so the sender's server sees the proxy rather than your browser, and tracking pixels never phone home. The email your test received can't touch the dashboard your team is signed into.
Practices
Found something? Email security@mailfixture.com (PGP key at /.well-known/security.txt). We answer within 24 hours, fix on a severity-based SLA, and won't lawyer you for good-faith research. Safe harbor applies.