Engineering

How disposable email works under the hood

2026-04-12 · 8 min read · WebMailTemp Team

From the outside, a temporary email service looks like magic: you load a page, an address appears, and seconds later real email shows up in your browser. Under the hood it's a small, elegant pipeline. Here's how a service like WebMailTemp is put together.

Step 1: The catch-all MX record

Email routing starts with DNS. The domain's MX record tells the world's mail servers where to deliver messages for [email protected]. The trick is configuring the mail server as a catch-all: instead of requiring each mailbox to exist in advance, it accepts mail for every possible address at the domain.

That's why a temp-mail service can hand out unlimited addresses instantly — x7k2m9@… is "real" the moment someone sends mail to it, because the server accepts everything.

Step 2: Webhook ingestion

Running a full mail server is heavy, so most services use an email API provider (Mailgun, SendGrid, Postmark) as the receiving layer. The provider accepts the SMTP delivery, parses the MIME message — headers, text body, HTML body, attachments — and fires an HTTP webhook at the application with the parsed fields.

The application's job shrinks to a single endpoint: receive a POST, verify it's authentic, route it to the right inbox. Authenticity matters — without a signature check, anyone could forge "incoming email" by POSTing to the endpoint. Providers solve this with an HMAC signature over a timestamp and token, which the app verifies before trusting anything in the payload.

Step 3: Inboxes that live in RAM

Here's the counterintuitive part: the best storage for a temporary inbox is no storage at all. WebMailTemp keeps inboxes in a simple in-memory map: username → list of messages. Messages are never written to disk.

This isn't laziness — it's the privacy model. Data that exists only in RAM for 30 minutes can't be subpoenaed from a database next year, can't leak in a backup, and disappears completely on expiry. A periodic cleanup pass removes any inbox older than its TTL, and a restart wipes everything. For data you explicitly want to be ephemeral, volatility is a feature.

Step 4: Getting mail to the browser

The browser polls a lightweight /api/check endpoint, and the server returns the inbox's messages as JSON. Polling every second or two feels instant for the verification-code use case, and a session cookie scopes each inbox to the browser that created it, so inboxes can't be casually enumerated by other visitors.

The security trade-offs

It's worth being honest about the model's limits. Inbound email is plaintext SMTP traffic like any other email; the address space is guessable if you choose a short custom name; and anyone with the address during its lifetime could potentially request the inbox. That's why the golden rule of temp mail is: use it for things that don't matter. For throwaway signups it's a perfect fit. For your bank, it never will be.

Simple components — DNS catch-all, a webhook, a dictionary in memory, and a polling loop — combine into a service that feels instant and leaves no trace. Sometimes the best architecture is the one with the fewest moving parts.

Keep reading