Production-Like Email Testing. Self-Hosted & Secure.
Your CI passes. Production fails. Stop mocking your email stack. VaultSandbox validates your full email stack — including TLS, DNS, and SPF/DKIM — entirely inside your VPC.
For developers who run real SMTP and TLS in tests, not just mocks.
Mocks hide the exact email failures that break production
If your app sends real emails in production, it must send real emails in testing. Mocks push you to weaken your application’s security just to get a green build.
The Dangerous Test Config
ignore_tls: true
rejectUnauthorized: false
The "Works on My Machine" Shortcuts:
Fake SMTP
No TLS, DNS, or MX records — a fantasy environment.
Polling & Sleep Loops
Flaky CI tests relying on sleep(5) break pipelines.
Shared Public Inboxes
Risky data leaks on public cloud tools.
The Real-World Failures You Miss
Authentication Rot
SPF, DKIM, and DMARC only break on real domains. Mocks always pass.
TLS Negotiation
SSL/TLS issues surface only in production once you disable checks in dev.
Rendering Bugs
HTML emails render differently in real clients vs. plain text viewers.
Real Domains. Real SMTP. Real TLS.
Zero Risk to Customer Data.
VaultSandbox provides isolated inboxes that behave exactly like production — without exposing a single byte of customer data.
How it works (inside your VPC)
Infrastructure requirements: Public IP, ports 25/80/443 open, DNS control.
Standard DNS Setup
Just point an A record and an MX record to the container. Subdomains supported.
Terminates Real SMTP + TLS
ACME certificates for SMTP and HTTPS auto-provisioned.
Full Message Validation
SPF, DKIM, DMARC, and rDNS checks on every message.
True Isolation
Email storage is encrypted in a sandbox; outbound mail is hard-blocked.
Production Fidelity
Test authentication, MX, DNS, MIME, and TLS exactly as they behave in the real world.
What You Gain
Keep secure: true
No more weakening TLS or SMTP configs just to make tests pass.
Catch Auth Issues Early
Validate domain crypto before deployment.
Data Sovereignty
All data stays in your infrastructure — never shared, never leaked.
Deterministic Pipeline
No guesswork, no polling, no sleeps.
Beyond Local Mocks and Public SaaS
Zero-Trust Email Testing
Zero-Knowledge Storage Architecture
The server never stores emails in plaintext or sees your private keys.
Client-side key pairs are generated entirely in the browser or test environment.
Immediate public-key encryption on receipt, with plaintext discarded.
Local-only decryption within your browser or test runner.
Production-Like Message Analysis
VaultSandbox validates and inspects mail like a hardened email gateway:
SPF, DKIM, DMARC, and rDNS verdicts instantly returned.
Full MIME parsing — boundaries, attachments, HTML structure.
Strict SMTP protocol compliance, catching failures mocks silently ignore.
Ephemeral by Design (CI-Optimized)
VaultSandbox is built for high-velocity pipelines.
100% In-Memory: Lightning-fast execution with zero disk I/O bottlenecks.
Automatic Cleanup: No need to manually flush databases; restart the container to wipe the slate clean.
Disposable Inboxes: Generate random addresses that exist only for the duration of one test.
Test Inbound Flows, Not Just Outbound
Transactional Email QA
Password resets, receipts, subscription notices. Catch rendering, authentication, and deliverability issues before users see them.
Reply-To + Inbound Parsing
Test full round-trips:
Send an email in → Validate parsing → Assert helpdesk/ticketing automation behavior.
Load Testing at Real Scale
Hammer your mail pipeline with thousands of messages. Everything remains encrypted and sandboxed — no leaks, no production inbox pollution.
Inspect Rendered HTML & Headers in Real-Time
A debugging workflow built for engineers:
Create disposable inboxes instantly
Full HTML preview (rendered as recipients see it)
Automatic link extraction + status checking
Auth results at a glance: SPF/DKIM/rDNS
Full header explorer
Deterministic SDKs for Automated Tests
Powered by Server-Sent Events (SSE) for true real-time, deterministic test behavior.
Real-time delivery where tests wait on actual delivery events instead of sleeps
Zero flakiness with no polling and no guessing
Clean promise-based API for auth and content assertions
Language support with Node.js available and Python, Java, and Go in progress
Open Source & Commercially Safe
The core engine is open-source and un-gated — the Docker image you pull is the same engine used in production setups.
- Core Gateway: AGPLv3
- SDKs + UI: MIT (safe for proprietary apps)
No Artificial Limits
Unlimited inboxes, connections, containers
Unlimited volume (hardware-bound only)
100% in-memory for high-speed CI
(Local persistence coming soon)
Full Encryption by Default
Quantum-safe cryptography is built in from day one.
Roadmap: Foundation First
PHASE 1: CORE FOUNDATION
Current
- Achieving 100% test coverage & complete docs for a rock-solid core.
- Closing critical feature gaps based on community feedback.
- Finalizing SDKs (Python, Java, Go) for broad language support.
PHASE 2: ENTERPRISE CONTROL PLANE
Architecting
For compliance-heavy teams:
- SSO (OIDC/SAML)
- Audit Logs & Retention
Have governance needs? Help shape the specs.
Frequently Asked Questions
Still have questions? Drop a line to [email protected]
Is the Gateway truly free? What’s the catch?
Yes. The Core Gateway is AGPLv3 and free forever — no limits on domains, messages, or retention. We only charge for optional Enterprise features (SSO, Audit Logs).
Do I need a public IP and domain?
Yes, to unlock full production parity. To issue real Let's Encrypt certificates (ACME) and perform valid SPF/DKIM checks, the container must be publicly reachable on ports 80, 443, and 25.
- Port 80/443: Required for ACME certificate issuance and secure API/UI access.
- Port 25: Required to receive inbound SMTP traffic from the open internet.
- Running locally means using self-signed certificates and bypassing strict DNS validation.
Can I use this as a temporary email service for QA?
Absolutely. VaultSandbox acts as a catch-all for your testing domains. Create infinite inboxes like `[email protected]` instantly.
Is this heavy to run (vs Mailcow/Mailu)?
No. VaultSandbox omits heavy components like antivirus or spam filtering — optimized strictly for testing.
How is this “Zero-Knowledge” if the server receives email via SMTP?
Storage is zero-knowledge:
- Client generates keys
- Server encrypts with your public key
- Plaintext is discarded
- Decryption happens only client-side
Why quantum-safe cryptography for a testing tool?
Test data often mirrors production data structures. If encrypted test emails are ever exfiltrated, today's encryption could be broken by tomorrow's quantum computers. We use ML-KEM-768 + AES-256-GCM so your test data stays protected even against future threats. Overkill for most—peace of mind for regulated industries.
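The storage flow from the two answers above (client generates keys, server encrypts on receipt and discards plaintext, decryption stays client-side), as an added Node.js example that is not VaultSandbox's code. It substitutes X25519 key agreement plus HKDF for the ML-KEM-768 step the page names, because that runs on Node's built-in crypto module; the function names, envelope fields and sample message are constructed for illustration.

```javascript
// Added illustration, not VaultSandbox source. X25519 + HKDF stands in for ML-KEM-768.
const crypto = require('node:crypto');

// Client (browser or test runner): the private key never leaves this side.
function generateInboxKeys() {
  return crypto.generateKeyPairSync('x25519');
}

// Both sides derive the AES-256 key from the shared secret, bound to the ephemeral key.
function deriveKey(shared, ephPub) {
  return Buffer.from(crypto.hkdfSync('sha256', shared, ephPub, 'inbox-demo', 32));
}

// Server, on SMTP receipt: encrypt to the inbox public key and keep only the envelope.
function sealOnReceipt(inboxPublicKey, rawMessage) {
  const eph = crypto.generateKeyPairSync('x25519'); // fresh per message
  const ephPub = eph.publicKey.export({ type: 'spki', format: 'der' });
  const shared = crypto.diffieHellman({ privateKey: eph.privateKey, publicKey: inboxPublicKey });
  const iv = crypto.randomBytes(12);
  const cipher = crypto.createCipheriv('aes-256-gcm', deriveKey(shared, ephPub), iv);
  const ciphertext = Buffer.concat([cipher.update(rawMessage), cipher.final()]);
  return { ephPub, iv, ciphertext, tag: cipher.getAuthTag() }; // no plaintext, no secret key
}

// Client: rebuild the key from the private key and decrypt; throws on any modification.
function openLocally(inboxPrivateKey, env) {
  const ephKey = crypto.createPublicKey({ key: env.ephPub, format: 'der', type: 'spki' });
  const shared = crypto.diffieHellman({ privateKey: inboxPrivateKey, publicKey: ephKey });
  const decipher = crypto.createDecipheriv('aes-256-gcm', deriveKey(shared, env.ephPub), env.iv);
  decipher.setAuthTag(env.tag);
  return Buffer.concat([decipher.update(env.ciphertext), decipher.final()]);
}

// Constructed sample message, not real mail.
const SAMPLE = Buffer.from('Subject: Reset your password\r\n\r\nToken: constructed-sample\r\n');

function demo() {
  const inbox = generateInboxKeys();
  const stored = sealOnReceipt(inbox.publicKey, SAMPLE);
  const roundTrip = openLocally(inbox.privateKey, stored).equals(SAMPLE);
  let wrongKeyRejected = false;
  try { openLocally(generateInboxKeys().privateKey, stored); } catch { wrongKeyRejected = true; }
  return { roundTrip, plaintextInStore: stored.ciphertext.includes('Token'), wrongKeyRejected };
}

console.log(demo());
```

Everything `sealOnReceipt` returns is safe to hold server-side: without the inbox private key the AES key cannot be re-derived, and the GCM tag makes a modified envelope fail to decrypt instead of yielding altered mail.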
Ready to drop your mocks?
Stop guessing if your emails will land. Spin up the full VaultSandbox environment in your VPC in minutes.
Open Source (AGPLv3/MIT) • Deploys via Docker