Home
FAQ

Frequently Asked Questions

Quick answers to the questions we get most often. Don't see yours? Get in touch.

Is PocketInbox actually free?

Yes. There are no plans, no signup, no credit card. We pay our hosting bill with display ads via Google AdSense, and only after you accept the advertising category in our cookie banner. If you reject ads, the site still works.

How long does an inbox last?

It depends on the upstream provider. Mail.tm and Mail.gw retain accounts for about seven days of inactivity. Guerrilla Mail addresses last about an hour and can be extended. TempMail.lol's free tier lasts about an hour. Maildrop's catch-all addresses are evergreen but message retention varies.

Can I send email from a PocketInbox address?

No — by design. Disposable inboxes are receive-only. Sending email is the line between "anti-spam tool" and "anonymous spam tool"; we deliberately don't cross it.

Are emails encrypted in transit?

Most modern senders deliver via STARTTLS to upstream MX servers. Once mail lands on the upstream provider, it's stored in plaintext. Our connection to the provider is HTTPS. End-to-end encryption is not part of the disposable-mail model — assume operators of the upstream provider could read messages if they wanted.

Why didn't a verification code arrive?

Likely reasons, in order of probability: the sender's domain reputation system blocks the disposable provider's domain; a per-IP rate limit upstream is throttling delivery; the message hit the provider's spam quarantine; or the sender simply hasn't sent yet (give it 60 seconds). Try a different domain in our domain picker, or switch providers via Settings → Default provider.

Are emails private?

Disposable inboxes are public or semi-public. Some providers (e.g. Mail.tm) authenticate you with a JWT, so only you can read the messages. Others (e.g. Maildrop) are catch-all and anyone who guesses the local-part can read it. Don't use disposable email for private business.

Why are some providers greyed out?

We probe upstream health on demand. If a provider is currently rate-limited or returning errors, we hide it from the picker. The integration is still in the codebase; the next time we successfully ping it, it returns to the list.

Can I use the same inbox on multiple devices?

Today we store inbox credentials in your browser's local storage. There's no signed-in account that syncs across devices. If you generate the inbox on a phone and want to read it on a laptop, copy the address and password yourself; or scan the QR code we render under the address.

Is this safe? I see HTML in the email reader.

We sanitise every HTML body with DOMPurify (stripping <script>, <iframe>, event handlers, etc.) and render the result inside a sandboxed iframe with no script permissions. Cross-site scripting attempts in incoming mail can't run. Tracking pixels still load by default — disable images in your reader if that bothers you.

What is OTP detection?

Most one-time passcodes are 4 to 8 digits and appear near words like "code," "OTP," or "verification." We highlight the first such number we find and offer a one-tap copy button. The detection is heuristic — wrong matches occasionally happen for delivery-status emails with tracking numbers.

Do you support custom local-parts?

Where the upstream allows it: yes. Mail.tm, Mail.gw, Guerrilla Mail, and Maildrop all accept a custom local-part. Some providers issue random addresses you can't override — we grey out the input in those cases.

Can I bring my own domain?

Mailsac and several self-hosted backends (Inboxkitten, burner.kiwi) support custom domains. We don't expose that flow in the UI today, but the underlying API integrations are ready. If this matters to you, send us a feature request.

Why does my inbox say 'expired'?

Each provider has retention rules. Mail.tm purges inactive accounts after about seven days; Guerrilla Mail expires addresses after about an hour. When we detect a 401 on a previously-working inbox, we mark it expired and offer a quick "Generate new."

Is PocketInbox affiliated with Mail.tm or Guerrilla Mail?

No. We're an independent client. The providers' names and trademarks belong to their owners; we link back to each provider as required by their terms.

Can I delete a single message?

Yes — swipe-left on mobile or tap the Trash button in the message reader. Where the upstream supports per-message delete (Mail.tm, Mail.gw, Guerrilla, Maildrop) we delete it on the server too. Otherwise the message is hidden locally only.

Can I delete the entire inbox?

Yes — the "Burn" action on the inbox detail screen. For providers that expose an account-delete endpoint, the address can no longer receive mail after you burn it.

Where is the data stored?

Inbox addresses, theme preference, and consent choices live in your browser's localStorage. Email content lives on the upstream provider's servers per their retention policy. Our servers see only the request URL and IP for the few API proxy routes we run (Guerrilla, Mail.gw, TempMail.lol, contact form), not the message contents.

What does my contact form do?

It sends your message to hello@pocketinbox.app. Without an SMTP relay configured, our server logs a redacted record server-side and returns success. Configure the SMTP env variables in .env.local to enable real delivery.

Is there a mobile app?

Not currently. The web app is designed to feel like a native iOS app — and it works equally well on Android. Add it to your home screen via your browser's "Add to Home Screen" option for an app-like experience.

How do I report abuse, copyright issues, or bugs?

Email hello@pocketinbox.app or use the contact form. We aim to respond within two business days.

PocketInbox
Free disposable email inboxes. No signup. Receive verification codes instantly.
PocketInbox is an aggregator over public temp-mail providers (Mail.tm, Mail.gw, Guerrilla Mail, Maildrop, TempMail.lol and others). We are not affiliated with these services. Each provider's own terms and privacy policies apply concurrently.
© 2026 PocketInbox. All rights reserved.