Safety First

Security & Private Mode

Last updated: March 02, 2026

At testsmail, security and privacy are at the core of everything we build. We understand that you rely on our service to protect your identity and keep your communications secure. This page outlines our security standards and how our Private Mode provides an extra layer of protection.

1. Data Encryption

All data transmitted between your browser and our servers is encrypted using industry-standard TLS (Transport Layer Security). This ensures that your emails and account information cannot be intercepted or read by third parties while in transit. Sensitive payloads exchanged with our backend are additionally encrypted at the application layer, so the data crossing the wire is never plain text. Mail held in your Private inbox is stored encrypted and is only decrypted for you after you authenticate.

2. Private Mode Benefits

While our public mode is great for quick, one-off verifications, our Private Mode is designed for users who need enhanced security and control. Private Mode offers several key advantages:

  • Exclusive Access: In Private Mode, only you can access your inbox. Public inboxes can be viewed by anyone who knows the name, but Private inboxes are tied to your secure account.
  • Secure Storage: Emails in Private Mode are stored with enhanced security protocols, ensuring that your sensitive information remains protected.
  • Personalized Domains: Private Mode users may have access to exclusive domains, reducing the likelihood of our service being flagged by external providers.
  • Persistent Identity: Unlike guest sessions, Private Mode allows you to maintain your inbox for longer periods, providing a consistent secure identity for your digital needs.

3. How to Enable Private Mode

Activating Private Mode is simple and free. To enable it:

  1. Sign in to your testsmail account.
  2. Use the mode toggle in the header or on the landing page to switch to 'Private'.
  3. Once active, all inboxes you create or access will be within your secure, private workspace.

4. Protection Against Email-Based Threats

Incoming email is, by nature, untrusted content. A malicious message can carry tracking pixels, scripts, or deceptive links. We render every message defensively so that simply opening an email can never compromise you:

  • Sandboxed rendering: Email HTML is displayed inside an isolated, sandboxed frame that cannot access your session, your account token, or the rest of the page. This neutralizes script-based (XSS) attacks hidden in a message.
  • Remote images blocked by default: Images are not loaded until you explicitly choose "Show pictures." This stops invisible tracking pixels from reporting that you opened a message, where you are, or which device you use.
  • Safe link handling: Links inside emails open in a new, separate context rather than navigating your secure session.
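
As an illustration of the three measures above, here is one way a webmail client could build such a frame. This is an added example, not testsmail's own code; the function names and the tracker.example sample message are hypothetical.

```javascript
// Added example: defensive rendering of untrusted email HTML in a sandboxed frame.
// All names below are illustrative assumptions, not testsmail's implementation.

// Content Security Policy for the framed document. Nothing loads unless listed.
// Remote images (https:) are allowed only after the user picks "Show pictures".
function emailCsp(showPictures) {
  const img = showPictures ? "img-src data: https:" : "img-src data:";
  // Inline styles are kept so messages still render; scripts, frames, fonts are not.
  return ["default-src 'none'", img, "style-src 'unsafe-inline'"].join("; ");
}

// srcdoc is an attribute value, so & and " in the document must be escaped
// (ampersand first, otherwise the &quot; entities would be double-escaped).
function escapeSrcdoc(html) {
  return html.replace(/&/g, "&amp;").replace(/"/g, "&quot;");
}

function buildEmailFrame(emailHtml, { showPictures = false } = {}) {
  const doc =
    "<!doctype html><html><head>" +
    `<meta http-equiv="Content-Security-Policy" content="${emailCsp(showPictures)}">` +
    '<base target="_blank">' + // links open in a new context, not in the frame
    "</head><body>" + emailHtml + "</body></html>";
  // No allow-scripts: scripts in the message never run.
  // No allow-same-origin: the frame gets an opaque origin, so it cannot read
  // the parent page's cookies, storage or DOM.
  const sandbox = "allow-popups allow-popups-to-escape-sandbox";
  return `<iframe sandbox="${sandbox}" srcdoc="${escapeSrcdoc(doc)}"></iframe>`;
}

// Constructed sample message: a 1x1 remote image, a script and a link.
const SAMPLE_EMAIL =
  '<p>Hello</p><img src="https://tracker.example/open.gif" width="1" height="1">' +
  "<script>alert(1)</script>" +
  '<a href="https://example.com/offer">View offer</a>';

console.log(buildEmailFrame(SAMPLE_EMAIL));
console.log(buildEmailFrame(SAMPLE_EMAIL, { showPictures: true }));
```

The sandbox attribute and the policy are independent layers: the sandbox stops script execution and access to the parent page, while the policy decides whether the browser fetches remote images at all.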

5. Account & Developer Key Security

For registered users, account access is protected by authenticated sessions, and private mail is bound to your account so it is never publicly viewable. If you use our developer API, your API key can be rotated at any time from your profile, so a key that is ever exposed can be invalidated instantly without affecting the rest of your account. We recommend treating your API key like a password and rotating it periodically.

6. Minimal Data Retention

Our commitment to security includes not keeping what we don't need. We prioritize your privacy by automatically deleting emails after a temporary period. Collecting and storing less data is itself a security control: the less information we hold, the less there is to expose in the unlikely event of an incident. We do not sell your data, and we do not require personal details to use the public service.

7. Infrastructure Security

Our infrastructure is hosted on secure, high-performance servers with regular security patches and active monitoring. We employ rate limiting, abuse detection, and other defensive measures to protect our community from spam floods, brute-force attempts, and automated abuse. Access to production systems is restricted and least-privilege by design.

8. Responsible Disclosure

We welcome reports from security researchers. If you believe you have found a vulnerability, please report it privately to our team rather than disclosing it publicly, and give us a reasonable window to investigate and remediate before any disclosure. We do not pursue legal action against researchers who act in good faith, avoid privacy violations, and do not degrade the service for other users.

9. Your Role: Security Best Practices

Security is a shared responsibility. To get the most protection from testsmail, we recommend that you:

  • Reserve your real email for banking, identity, and account recovery; use disposable or private inboxes for everything else.
  • Never share sensitive secrets (passwords, financial details) through a public inbox, since public inboxes can be opened by anyone who knows the name.
  • Use Private Mode whenever you need an inbox that only you can access.
  • Rotate your API key if you suspect it has been exposed.
  • Keep "Show pictures" off for messages from senders you don't recognize.

10. Contact Security Team

If you have discovered a security vulnerability or have concerns about your account security, please reach out to us immediately:

  • By email: support@testsmail.com