We provide temporary and free email addresses through a simple creation interface using mail.tm API services, with automatic or manual usernames. Addresses expire by default after 24 hours, but the user can extend this period, and they remain active until manually deleted or after expiration. Email accounts can be created and deleted in real time. Messages are automatically deleted every 7 days by mail.tm.

Users can access messages via authentication with email and password set at first use, or in direct mode as long as the browser session and token remain valid. Messages are automatically deleted after 7 days, unless manually deleted earlier.

Each message can be analyzed to detect invisible trackers, suspicious links, and authentication information in headers (SPF, DKIM, SMTP path), enhancing user security.

Each message can be downloaded in HTML or EML format. The entire mailbox can be exported as a .zip file containing all messages and attachments. Attachments can be downloaded individually, preserving the original format.

Allows sending any URL to obtain a detailed analysis through multiple antivirus engines and blocklisting services. Provides aggregated verdicts, WHOIS data, DNS records, and details on detected threats, with constantly updated security signatures.

Allows analyzing domains and IPs, showing results from dozens of security engines and blacklists. Includes WHOIS data, DNS records, SSL/TLS certificates, and threat categories, always up-to-date.

Allows uploading files of various formats to analyze them with over 70 antivirus engines. Provides a detailed report with technical information and protection advice, updated in real-time.

We store emails, tokens, browser sessionIDs, SHA256 of scanned files, scanned domains and hashes, base64 IDs of scanned URLs, and encrypted passwords for very short periods. We do not store messages or personal data. After mailbox deletion, it cannot be recovered or reused with the same username. Through the myActivity feature, users can view, export, or delete scan data related to their session. If the session expires or changes, the data will be deleted after 24 hours.

The site uses temporary sessions associated with sessionID and CSRF token for all operations: email activation, URL scan, domain, file.

Each activity is monitored, tracked, and can be exported or deleted by the user via the myActivity page. Records automatically expire via cronjob (24h for emails, scans, and files).

Sessions are protected with Secure, HttpOnly, SameSite=Strict cookies, 30-minute sliding session timeout, ID regeneration, User-Agent binding, CSRF checks, and form protection via Cloudflare Turnstile.

Uploaded files for scanning are not saved on disk and have a 32MB limit. URLs and domains are stored only with hash ID, sessionID, and CSRF token.

Data export from the myActivity page is sanitized: content escaping and partial anonymization of emails to prevent exposure of personal data.

These measures reduce risks of: session hijacking, CSRF, XSS, data loss or exposure, unauthorized access, and misuse of uploaded files or URLs.