Glossary of email-privacy terms
A reference glossary covering the words you'll meet on this site, in temp-mail provider documentation, and in privacy-related news. Bookmark and refer back as needed.
A
Alias
A forwarding address that delivers mail into your real inbox. You can disable an alias if it leaks. Tools: addy.io, SimpleLogin, DuckDuckGo Email Protection.
Anti-spam
Tools and techniques (filtering, sender authentication, rate limiting) used by mail providers to reduce unwanted messages. Disposable email is an end-user anti-spam tool.
B
BIMI
Brand Indicators for Message Identification. A standard that lets brands publish a verified logo to be displayed next to their authenticated emails in supporting clients. Doesn't apply to temp-mail.
Bounce
A delivery failure. Hard bounces are permanent (address doesn't exist); soft bounces are temporary (mailbox full).
Burner email
Same idea as disposable email. Slightly different connotation in some communities — sometimes implies an alias rather than a true throwaway.
C
Catch-all
A mail server configuration in which the server accepts mail for any local-part at a domain. Maildrop is the canonical free catch-all temp-mail provider.
CCPA
California Consumer Privacy Act. Gives California residents rights over personal information. Companies that sell or share data must offer a "Do Not Sell or Share My Personal Information" link.
CORS
Cross-Origin Resource Sharing. Browser policy that controls which other origins can fetch a server's resources. Mail.tm has CORS enabled (we can call it from your browser); Guerrilla Mail does not (we proxy via a server route).
D
DKIM
DomainKeys Identified Mail. The sender signs every outgoing message with a private key; receivers verify against a public key in the sender's DNS. Helps detect forgery.
DMARC
Domain-based Message Authentication, Reporting & Conformance. Tells receivers what to do when SPF or DKIM checks fail, and where to send aggregate reports. The triumvirate of email authentication is SPF + DKIM + DMARC.
Disposable email
An email address with intentionally short retention. The use case for this site.
E
EHLO
The SMTP extended-hello command. Doesn't matter much for end users; appears in raw-source views.
Encryption (in transit)
STARTTLS encrypts the SMTP connection between mail servers. Almost universal in 2026 but not guaranteed.
Encryption (at rest)
Whether the provider stores messages encrypted on disk. Most temp-mail providers do not encrypt at rest in any meaningful way.
F
Forwarding
Routing mail from address A to address B. Aliases use forwarding.
From-spoofing
An attacker forging the visible From: address. Defended by SPF/DKIM/DMARC; if those pass and align, spoofing is hard.
G
GDPR
General Data Protection Regulation. Applies to processing of EEA residents' personal data. Imposes obligations to disclose, minimise, and protect. Gives data subjects rights of access, deletion, portability, and objection.
Greylisting
An anti-spam tactic where the receiving server temporarily rejects an incoming message and asks the sender to retry. Legitimate senders retry; lazy spammers don't.
H
Hashed identifier
An email address transformed via a cryptographic hash, used by some advertising platforms to "link" data across services without exposing the raw address. Less private than it sounds; the space of possible email addresses is small enough to brute-force.
HSTS
HTTP Strict Transport Security. A response header that tells browsers to always use HTTPS for a site. PocketInbox sets HSTS.
I
IMAP
Internet Message Access Protocol. Lets you read mail from any client. Most temp-mail providers don't expose IMAP — only a custom REST or GraphQL API.
Inbox token
Some providers (TempMail.lol) issue a per-inbox token that's required to read it. Lose the token, lose the inbox.
J
JWT
JSON Web Token. A self-contained signed credential. Mail.tm issues JWTs for inbox authentication.
K
KYC
Know Your Customer. The legal requirement for financial services to verify customer identity. Disposable inboxes are inappropriate for KYC-bound services.
L
Local-part
The bit of an email address before the @. yourname in yourname@mail.tm.
M
MX record
DNS record that tells senders where to deliver mail for a domain. mail.tm's MX points to Mail.tm's mail servers.
Mercure
An open standard for real-time updates over Server-Sent Events. Mail.tm pushes new-mail events through a Mercure hub.
N
Noreply address
A sending-only address (e.g. noreply@stripe.com) used for transactional mail. Don't reply; nobody reads the replies.
O
OTP
One-Time Passcode. Usually a 4–8 digit number sent for verification or two-factor authentication.
P
PHPSESSID
A common name for the cookie that holds a PHP session identifier. Guerrilla Mail uses one; we work around it via an sid_token in URL parameters.
Polling backstop
A periodic refresh that runs alongside any push-based subscription. Catches the cases where SSE/WS silently dies.
Plus-addressing
The you+tag@example.com trick. Mail to either form goes to the same inbox; the tag is searchable. Many sites strip the plus, so it's not as widely useful as it looks.
Q
Quota
Maximum bytes a mailbox can hold. Mail.tm's free quota is 40 MB.
R
Rate limit
A cap on how many requests per unit of time a service accepts. Mail.tm's is 8 QPS per IP.
Restore key
A per-address secret that some providers use to extend or recover a session. Mail.tm and Mail.gw use a JWT; Guerrilla uses a sid_token.
Retention
How long messages or accounts are kept before being purged. Varies by provider: ~1 hour (Guerrilla, TempMail.lol), ~7 days (Mail.tm, Mail.gw), evergreen catch-all (Maildrop).
S
Sandboxed iframe
An <iframe sandbox=...> with restricted permissions. We use this to render email HTML safely.
SPF
Sender Policy Framework. A DNS record that lists the IP addresses authorised to send for a domain.
SSE
Server-Sent Events. A push protocol for one-way streams from server to browser. Mail.tm's real-time delivery uses it.
Subresource Integrity (SRI)
A web standard for guaranteeing third-party scripts haven't been tampered with. We use SRI on the few external scripts we load.
T
Throwaway email
Same as disposable email.
Token bucket
A rate-limiting algorithm. Tokens refill at a set rate; each request takes one. Empty bucket = block. Used per-provider in our aggregation layer.
U
Unsubscribe link
Mandatory in most jurisdictions for marketing email. Don't click in untrusted mail; spammers sometimes use it as a "this address is alive" signal. Block at your provider instead.
V
Verification email
The email a service sends to confirm you control the address. The most common reason to use disposable email.
Verified Pro (Mailinator)
A free-with-approval Mailinator tier with a documented API. Different from the public @mailinator.com domain that anyone can read.
W
Webhook
A server-to-server push notification. Some paid temp-mail tiers (TempMail.lol, Mailsac) offer webhooks; the free tiers usually don't.
WebSocket
A bidirectional persistent connection used by some upstream providers and dev tools. PocketInbox itself uses Mercure SSE for real-time delivery from Mail.tm and Mail.gw.
X
X-Mailer
A header set by the sending mail client. Sometimes useful in identifying the origin tool.
Y
Yopmail
A long-running web-only temp-mail service. No official API; community wrappers scrape the website. We list it as deprecated.
Z
Zero-access encryption
A model where the provider holds encrypted data they themselves cannot decrypt (only the user holds the key). Proton Mail and Tutanota implement this for their paid users. Not a feature of any free temp-mail provider.
Missing a term you wanted to look up? Tell us and we'll add it.