Security at Mailvator
Mailvator reduces risk by keeping the public service intentionally limited. HTTPS protects browser connections, messages expire automatically, sender HTML is not rendered, remote images are not loaded, and attachments are unavailable.
Public by design
Anyone who knows an inbox name may be able to open it. This is the service’s most important security limitation.
Receive only
The disposable domain does not send user email. SPF and DMARC records declare a restrictive outbound policy.
Reduced message surface
Mailvator extracts text for display instead of rendering sender-controlled HTML, scripts or remote images.
Automatic expiry
Messages and inactive inboxes are designed to expire within 24 hours, subject to short backup rotation.
Report a vulnerability
Send a concise report to davidnovuk@gmail.com. Include the affected URL, reproduction steps, impact and supporting evidence. Do not access other people’s messages, perform denial-of-service testing or publish sensitive details before a reasonable remediation period.
Security is ongoing
No internet service is risk-free. Mailvator monitors abuse, maintains dependencies and applies operational controls, but users must still avoid sensitive information and treat incoming messages as untrusted.