Security at Mailvator

Mailvator reduces risk by keeping the public service intentionally limited. HTTPS protects browser connections, messages expire automatically, sender HTML is not rendered, remote images are not loaded, and attachments are unavailable.

Public by design

Anyone who knows an inbox name may be able to open it. This is the service’s most important security limitation.

Receive only

The disposable domain does not send user email. SPF and DMARC records declare a restrictive outbound policy.

Reduced message surface

Mailvator extracts text for display instead of rendering sender-controlled HTML, scripts or remote images.

Automatic expiry

Messages and inactive inboxes are designed to expire within 24 hours, subject to short backup rotation.

Report a vulnerability

Send a concise report to davidnovuk@gmail.com. Include the affected URL, reproduction steps, impact and supporting evidence. Do not access other people’s messages, perform denial-of-service testing or publish sensitive details before a reasonable remediation period.

Security is ongoing

No internet service is risk-free. Mailvator monitors abuse, maintains dependencies and applies operational controls, but users must still avoid sensitive information and treat incoming messages as untrusted.