TempMaily.co
Developers

Test Email Addresses for QA: Every Option Compared

TempMaily Team9 min read

The right test email address depends on one question: does the test need to actually receive the mail? If it does not — you are only checking that a form accepts a valid-looking address — use a reserved domain like example.com that can never deliver. If it does, you need an inbox you can read back from code or by hand, and the choice comes down to how much privacy and isolation the message needs. This post walks every option a QA engineer reaches for and says plainly where each one fits and where it bites.

Quick answer

There is no single best test email address, because "test email address" covers at least three different jobs:

Everything below is the long version: the honest pros and cons of each option, a decision table by testing job, and the hygiene rules that keep a QA suite from leaking data or hurting your sending reputation.

The option landscape

Reserved domains (example.com, .test, .invalid)

RFC 2606 reserves a handful of names precisely so nothing addressed to them ever leaves your network: the domains example.com, example.org, example.net, and the top-level domains .test, .invalid, and .localhost. An address like [email protected] looks completely valid to a format check and is guaranteed non-deliverable.

Good for: form-validation logic, unit tests, seed data, anywhere you need a syntactically valid address that must not generate mail. bad@@example for the negative case, [email protected] for the positive one — no send, no cleanup, no flakiness.

Wrong the moment delivery matters. These domains cannot receive anything, so any test that opens a confirmation email, follows a magic link, or reads an OTP will simply never get the message.

The trap to avoid: do not make up an address on a real domain you do not control — [email protected], [email protected]. That mail actually gets sent. It bounces, and repeated bounces drag down your domain's sending reputation with mailbox providers; worse, a plausible-looking guess can land in a real stranger's inbox. If you want a non-deliverable address, use a reserved domain, which exists for exactly this.

Plus-addressing on a team inbox (you+case1@)

Gmail and Google Workspace let you tag a username, so [email protected] and [email protected] both land in [email protected]. It is free, needs no new tooling, and the mail is genuinely delivered, so you can read a real verification email.

Good for: a developer testing a flow by hand who wants a couple of labeled variants without creating new accounts.

Where it hurts: every variant shares one mailbox, so parallel test runs read each other's mail and the state never resets between runs. You end up building filter rules to route tagged mail into folders, and that filter spaghetti becomes its own maintenance job. Many signup forms also strip or reject the +, so the address you carefully tagged never makes it into the system under test. And every message still lands in one real, human-owned inbox — fine for a smoke check, awkward for automation. We compared the mechanics in depth in temp mail versus Gmail plus-addressing.

Public shared inboxes (Mailinator-style)

Public disposable services give you an inbox for any name you type, with no signup and no wait. Address your mail to [email protected], then open that inbox on their site and read it.

Good for: the fastest possible manual check — did the mail send, does the template look right, does the link go where it should.

The honest, specific warning: these inboxes are public. Anyone who types the same inbox name sees the same mail, because there is no password and no ownership. So never send anything to a public inbox that you would not post on a wall: no real user data, no auth tokens, no password-reset or magic links (a stranger watching that inbox can click them), and no internal staging URLs. Treat a public inbox as a billboard, not a mailbox. For anything carrying a secret or a person's data, move to a private inbox.

Sinkhole / catch-all SMTP servers you self-host

Some teams run their own catch-all mail server in staging — a sinkhole that accepts mail for any address on a domain they control and files it for inspection. Tools like a self-hosted MailHog or a Postfix catch-all cover this.

Good for: teams that want full control, no third-party dependency, and mail that never leaves their own infrastructure.

The real cost is operational. You now run and secure a mail server: DNS records, disk that fills with captured mail, access controls, and upkeep that lands on whoever drew the short straw. It is a legitimate choice when control and data-residency requirements justify the burden, and an overreaction when you just need to read a verification code in CI.

Private disposable inboxes (manual or API-minted)

A private disposable inbox is a throwaway mailbox that only you can read — real delivery, but no shared state and no privacy leak. There are two ways to use one.

For an ad-hoc manual check, grab a throwaway from the TempMaily homepage, paste the address into your form, and watch the message arrive in the browser. No account, no cleanup, and the inbox is yours rather than public.

For automation, mint one per test run from the API. A single authenticated POST /inboxes returns a fresh, unique address every time, so each test — and each parallel worker — gets its own isolated mailbox with no collisions:

curl -X POST "https://tempmaily.co/api/v1/inboxes" \
  -H "Authorization: Bearer $XTM_KEY" \
  -H "Content-Type: application/json" \
  -d '{"expiry":"1d"}'
# → 201 { "id": "...", "address": "[email protected]", ... }

$XTM_KEY is your Premium API key (the xtm_-prefixed Bearer credential from the dashboard). Because every call returns a unique address, disposable inboxes are parallel-safe by construction and self-cleaning — you delete each one when the test finishes. The full receive-poll-extract flow is covered in automating email verification with the temp mail API, and framework-specific setups live in the Playwright and Cypress guides.

Dedicated outbound-testing tools (Mailtrap-style capture)

When the thing under test is your app's own outbound mail — is the template composed correctly, does the HTML render across clients, are the merge fields right — the tool you want intercepts the send rather than receiving a delivery. A capture service (Mailtrap-style) sits in as your staging SMTP endpoint, catches the message before it reaches anyone, and shows you the raw email to inspect.

This is a genuinely different job from receiving mail, and worth being straight about: TempMaily is receive-only. It reads mail that was actually delivered to a disposable inbox, which is exactly right for end-to-end flows where your app sends to a test address and you assert on what arrives. It is not the tool for inspecting an outbound send in isolation before delivery — a capture tool is. Use each for what it does.

Which address for which testing job

Testing job Recommended address type
Form / format validation Reserved domain ([email protected], RFC 2606)
Manual smoke check (did it send, does it render) Public shared inbox — nothing sensitive — or a manual TempMaily throwaway
End-to-end verification flow (click link, read OTP) API-minted private disposable inbox, one per test
Load / many parallel signups API-minted disposables in a loop, within the rate limit
Outbound template / rendering before it ships Outbound capture tool (Mailtrap-style)

Hygiene rules for QA email

A few rules keep a test suite from quietly becoming a liability.

Never use real customer addresses in tests. Seeding a test with a real person's email risks sending them stray confirmation or reset mail, and it drops production PII into your test environment. Use reserved domains or disposable inboxes you control.

Never send secrets to a public inbox. Tokens, reset links, and staging URLs sent to a public shared inbox are visible to anyone. If a message carries anything private, it belongs in a private disposable inbox, full stop.

Clean up after yourself. In automation, delete each inbox when its test finishes with DELETE /inboxes/{id}. That frees your account's storage quota and keeps the account tidy. Treat a 404 on teardown as success — if the inbox was never created, the delete is a harmless no-op.

Respect the rate limit in load scenarios. The API is capped at 300 requests / 60s per key. Minting a few hundred inboxes for a bulk-signup test is well within that if you pace the loop, but a tight burst across many workers can trip 429 rate_limited. Space requests out and back off on a 429.

Use a stable naming convention. When a test fails at 2am, a message in checkout-abandon-cart@… is far faster to triage than one in test5@…. Name inboxes or subjects after the flow under test so failures point at themselves.

Common mistakes

Where to go next

Match the address to the job and most email-testing pain disappears: reserved domains for validation, public inboxes for throwaway manual checks, and private disposable inboxes — manual from the homepage or API-minted for automation — for anything that has to receive real mail. For the working code behind the automation path, start with automating email verification with the temp mail API, then the Playwright and Cypress guides.

Teams that need a stable, app-trusted test domain rather than the shared pool can use dedicated domains on TempMaily Premium — see custom domains for temp mail — so your staging environment accepts the address exactly as it would a real user's.

Frequently asked questions

What is a valid test email address?

A valid test email address is one that passes your app's format validation and, when delivery matters, actually receives mail you can read. For pure format checks, an address on a reserved domain like [email protected] is valid-looking and guaranteed never to deliver. For anything that sends a real message — a confirmation link, an OTP, a welcome email — you need an address on a domain that accepts mail and that you can read back, which a disposable inbox gives you. The right kind depends entirely on whether the test needs to receive the email.

Can I use [email protected] for testing?

Yes, for tests that must never send real mail. The example.com, example.org, and example.net domains are reserved by RFC 2606 specifically so that nothing addressed to them leaves your network, which makes them safe for form-validation and unit tests. The catch is that they can never receive mail either, so the moment your test needs to open a verification email or click a confirmation link, example.com is the wrong choice. Never substitute a made-up address on a real domain instead — that mail actually gets sent, bounces, and can land on a real stranger.

Are public inboxes like Mailinator safe for QA?

Only for throwaway checks that contain nothing sensitive. Public shared inboxes are readable by anyone who guesses or types the inbox name — there is no password and no privacy. That is fine for confirming a template renders, but you must never send anything with real user data, auth tokens, password-reset links, or internal staging URLs to a public inbox, because you are effectively publishing it. For anything that carries a secret or identifies a person, use a private disposable inbox instead.

How do I get many test addresses at once?

Mint them from an API. A disposable-inbox endpoint returns a fresh, unique address on every call, so a load or bulk-signup test can create hundreds of isolated inboxes in a loop rather than reusing one shared mailbox. TempMaily's POST /inboxes does this with a single authenticated request per address; respect the 300 requests / 60s rate limit and delete each inbox when the test finishes so you stay within your storage quota.

Do test addresses work for email rendering checks?

It depends where the mail lands. If your app sends the message and you read it back from a real inbox, a disposable address works for rendering checks — you can fetch the sanitized HTML body and assert on it. If instead you are testing an outbound template before it ever ships, a capture tool that intercepts the send (Mailtrap-style) is the better fit, because it shows you the raw message without delivering it. Pick the address type by whether the mail is actually being sent.

What about testing outbound email that my own app sends?

That is a different job from receiving, and a disposable inbox is only half of it. If you want to verify that your app's own outbound mail is composed and rendered correctly without it reaching real users, use an outbound capture tool that intercepts SMTP in staging. A receive-only disposable service like TempMaily is the right tool when your test needs to read a message that was genuinely delivered — an end-to-end signup or password-reset flow — not when you are inspecting a send in isolation.

Get a free disposable inbox

A live throwaway address, no signup, real-time delivery. Upgrade to Premium for custom domains, forwarding, and no expiry.