Show HN：VaultSandbox – 測試您的真實 MailGun/SES 等整合

Production-Like Email Testing Without Mocks

Keep your provider and your config. Just swap the recipient to validate real TLS, DNS, and SPF/DKIM entirely inside your VPC.

Works with Postmark, SendGrid, SES, and more.

Get Started in 5 Minutes

Deploy VaultSandbox with a single Docker Compose file. Auto-provisions TLS and DNS.

Mocks hide the exact email failures that break production

You mock the email client to get a green build. But in production, you use real SMTP, real TLS, and real DNS.
This disconnect creates a dangerous blind spot.

The Dangerous Test Config

The "Works on My Machine" Shortcuts:

No TLS, DNS, or MX records — a fantasy environment.

Flaky CI tests relying on sleep(5) break pipelines.

Risky data leaks on public cloud tools.

The Real-World Failures You Miss

SPF, DKIM, and DMARC only break on real domains. Mocks always pass.

SSL/TLS issues surface only in production once you disable checks in dev.

HTML emails render differently in real clients vs. plain text viewers.

Real Domains. Real SMTP. Real TLS.Zero Risk to Customer Data.

VaultSandbox provides isolated inboxes that behave exactly like production — without exposing a single byte of
customer data.

How it works (inside your VPC)

Infrastructure requirements: Public IP, ports 25/80/443 open.

Two DNS Options

Zero-config: Use
vsx.email
— your IP is encoded into a subdomain automatically. No DNS setup required.

Your domain: Point an A record and MX record to the container.
Subdomains supported.

Terminates Real SMTP + TLS

ACME certificates for SMTP and HTTPS auto-provisioned.

Full Message Validation

SPF, DKIM, DMARC, and rDNS checks on every message.

True Isolation

Email storage is encrypted in a sandbox; outbound mail is hard-blocked.

Production Fidelity

Test authentication, MX, DNS, MIME, and TLS exactly as they behave in the real world.

What You Gain

Keep secure: true

No more weakening TLS or SMTP configs just to make tests pass.

Catch Auth Issues Early

Validate domain crypto before deployment.

Data Sovereignty

All data stays in your infrastructure — never shared, never leaked.

Deterministic Pipeline

No guesswork, no polling, no sleeps.

Beyond Local Mocks and Public SaaS

Is This For You?

You should use VaultSandbox if:

Zero-Trust Email Testing

Zero-Knowledge Storage Architecture

The server literally cannot decrypt your emails, even if compromised.

Private keys are generated locally and never touch the server.

Emails are encrypted in-memory on receipt; plaintext never hits the disk.

Decryption happens exclusively on your client. Your data remains sovereign.

Production-Like Message Analysis

VaultSandbox validates and inspects mail like a hardened email gateway:

SPF, DKIM, DMARC, and rDNS verdicts instantly returned.

Full MIME parsing — boundaries, attachments, HTML structure.

Strict SMTP protocol compliance, catching failures mocks silently ignore.

Ephemeral by Design (CI-Optimized)

VaultSandbox is built for high-velocity pipelines.

100% In-Memory: Lightning-fast execution with zero disk I/O bottlenecks.

Automatic Cleanup: No need to manually flush databases; restart the container to wipe the slate clean.

Disposable Inboxes: Generate random addresses that exist only for the duration of one test.

Real World Scenarios

QA tester creates [email protected], signs up, checks
the inbox. Done. No shared credentials, no data leaks.

CI pipeline triggers a real password reset via Postmark. VaultSandbox catches the email, extracts the
reset link, and "clicks" it. A true end-to-end integration test.

You rotated your DKIM keys. Send one test email to VaultSandbox and instantly verify if the signature is
valid. Catch authentication rot before it blocks your newsletter.

Inspect Rendered HTML & Headers in Real-Time

A debugging workflow built for engineers:

Create disposable inboxes instantly

Full HTML preview (rendered as recipients see it)

Automatic link extraction + status checking

Auth results at a glance: SPF/DKIM/rDNS

Full header explorer

Real-Time Email Testing from Your Terminal

A powerful CLI for developers who live in the terminal:

Interactive TUI dashboard with real-time email monitoring

Multi-inbox watching with SSE streaming

CI/CD ready with blocking wait command for pipelines

Portable inboxes with export/import for sharing

Deterministic SDKs for Automated Tests

Powered by Server-Sent Events (SSE) for true real-time, deterministic test behavior.

Real-time delivery where tests wait on actual delivery events instead of sleeps

Zero flakiness with no polling and no guessing

Clean promise-based API for auth and content assertions

Official SDKs for Node.js, Python, Java, .NET, and Go

Official SDKs

Need a different language?

We're always looking to expand our SDK support. Let us know what language you'd like to see next.

Open Source & Commercially Safe

The core engine is open-source and un-gated — the Docker image you pull is the same engine used in production
setups.

No Artificial Limits

Unlimited inboxes, connections, containers

Unlimited volume (hardware-bound only)

100% in-memory for high-speed CI (Local persistence coming soon)

Full Encryption by Default

Quantum-safe cryptography is built in from day one.

Roadmap: Foundation First

PHASE 1: CORE FOUNDATION

PHASE 2: ENTERPRISE CONTROL PLANE

For compliance-heavy teams:

Have governance needs? Help shape the specs.

Frequently Asked Questions

Still have questions? Drop a line to [email protected]

Yes. The Core Gateway is AGPLv3 and free forever — no limits on domains, messages, or retention. We only charge for optional Enterprise features (SSO, Audit Logs).

Yes, to unlock full production parity. To issue real Let's Encrypt certificates (ACME) and perform valid SPF/DKIM checks, the container must be publicly reachable on Ports 80, 443, and 25.

Absolutely. VaultSandbox acts as a catch-all for your testing domains. Create infinite inboxes like [email protected] instantly.

No. VaultSandbox omits heavy components like antivirus or spam filtering — optimized strictly for testing.

Storage is zero-knowledge:

We're building from scratch, so we used modern standards. ML-KEM-768 is NIST's finalized post-quantum algorithm—the performance cost is negligible, so there's no reason not to future-proof. Regulated industries will likely require it eventually; we're already there.

No. The SMTP server has multiple layers of protection:

Bottom line: your sandbox only accepts mail for addresses you explicitly create, and rate limiting stops any single source from overwhelming it.

Emails are ephemeral by default — restart wipes them. API keys and certificates are persisted, so your test environment stays configured; only inbox contents reset.

Yes. The Gateway exposes a standard REST API. SDKs are convenience wrappers with SSE support for real-time waiting. You can poll or integrate however you like, though you'll need to manage key creation and decryption yourself.

Full client spec: vaultsandbox.dev/sdk/client-spec

No — the SDKs handle key-pair generation and decryption automatically. Just call getEmail() and get plaintext back. If you're using the REST API directly, you'll need to handle decryption yourself (see the client spec).

Until the container restarts (in-memory only), until the inbox TTL expires (configurable when you create the inbox), or until you delete the inbox — whichever comes first.

Ready to drop your mocks?

Stop guessing if your emails will land. Spin up the full VaultSandbox environment in your VPC in minutes.

Open Source (AGPLv3/MIT) • Deploys via Docker

Stay in touch with VaultSandbox

Subscribe for product updates, security releases, and deep dives on building production-grade email testing
inside your VPC.