Security
Last updated: July 12, 2026
How inboxes are protected
- Every inbox has an unguessable public ID (~128 bits) and a separate access secret (~256 bits). Only a keyed hash of the secret is stored.
- The secret travels in a URL fragment and an authorization header — never in query strings, server logs, or referrer headers.
- Email HTML is sanitized and rendered in a fully sandboxed frame: scripts, forms, and embeds cannot run.
- Remote images are blocked by default to prevent open-tracking.
- Links from emails open behind an interstitial that shows the true destination.
- Dangerous attachment types are blocked or quarantined.
Responsible disclosure
Found a vulnerability? Email security@inboxdome.com with details and reproduction steps. Please do not access other users' data, degrade the service, or run automated scanners against production. We aim to respond within 72 hours.
Out of scope
- Denial-of-service or volumetric testing
- Social engineering of operators
- Reports that a third-party website rejects our domains