Home › About

About Inboxflip

Inboxflip is a free disposable email service. We exist to keep your real email address out of signup forms, OTP fields, and marketing databases when you only need to receive a single message. This page explains who runs the service, how it works behind the scenes, and how to reach us.

Service: Inboxflip — free disposable temporary email
Canonical site: https://inboxflip.com/
Operator: Inboxflip team
Contact: support@inboxflip.com
Security: /.well-known/security.txt
Privacy policy: /privacy
Terms of service: /terms
GitHub: github.com/inboxflip
X (Twitter): x.com/inboxflip

What we do

Inboxflip generates a random disposable email address whenever you open the site. You paste that address into any signup form, OTP field, or marketplace reply, and you read incoming messages in real time on the same page. Twenty-four hours later, the inbox and all of its messages are deleted automatically. No accounts, no passwords, no clean-up.

How we operate the service

The site is a single-page web app served behind HTTPS with HSTS, a strict cookie-consent flow, and a small PHP API that handles inbox generation and mail retrieval. Mail is received over standard SMTP, written to short-lived storage, displayed to whoever currently controls the inbox URL, and then permanently removed within 24 hours.

Public marketing pages are pre-rendered HTML — homepage, policies, synonym pages, use-case guides — so search engines and AI assistants can read them without executing JavaScript.
The live inbox UI is a small React app that calls a PHP backend over HTTPS to generate addresses and stream incoming mail.
Inbox URLs are private. They are explicitly excluded from search engines via robots.txt and by an X-Robots-Tag: noindex response header. Treat the URL like a session token.
Tracking is opt-in. Google measurement tags only load if you explicitly accept them in the cookie banner. Default is reject.

Our commitments

We do not read your mail. Inbox contents are not scanned, indexed, sold, or used for training.
We do not require accounts. Generating an address never asks for a name, real email, phone, or payment method.
We delete on a fixed schedule. Inboxes auto-expire after 24 hours; server logs are kept for at most 7 days for abuse and security monitoring, then permanently removed.
We disclose breaches. If a security issue affects our service, we will publish a write-up and notify users via the contact channels above.

What we do not do

Inboxflip is receive-only by design. You cannot send mail from a disposable address, and we do not provide an API to forward mail to a permanent inbox. This is a deliberate anti-abuse choice: receive-only inboxes cannot be used to send phishing, spam, or impersonation mail.

We also do not offer custom domains, paid plans, or long-lived inboxes. If you need any of those, an alias service like SimpleLogin or AnonAddy is a better fit. Inboxflip stays intentionally small and free.

Acceptable use

Use Inboxflip for personal privacy: signups, OTPs, ebook downloads, marketplace replies, QA testing of email flows. Do not use the service for fraud, harassment, or anything prohibited by our Terms of Service. Abuse is rate-limited and, where appropriate, blocked at the IP level.

Contact us

For support questions, security disclosures, takedown requests, or press enquiries, email support@inboxflip.com. Security researchers can also use the contact information in /.well-known/security.txt.