The Hidden Risk of Email Testing
Email functionality testing is an essential component of developing any SaaS application, but there is a hidden risk: sending test messages to actual users by mistake. Developers frequently need to confirm that emails look correct and contain the correct information and data for tasks like password resets and signup confirmations. Especially debugging HTML emails with inline attachments like images, can be especially hard during development.
However, testing against an actual SMTP server and sending real emails in development environments can result in:
- Deliverability issues - Test emails may bounce or be marked as spam
- Compliance problems - GDPR violations if test data reaches real users
- Embarrassing leaks - Test messages get sent to real customer email addresses
- Domain reputation damage - Spam filters flagging your domain, resulting in important messages not getting delivered to your customers in productuin
Testing emails in a controlled setting without letting them leave your development setup is the safest course of action.
Common Approaches to Email Testing
Teams often try quick remedies that seem convenient but have significant drawbacks:
Whitelisting Test Addresses
Approach: Only send to specific test email addresses.
Problems:
- Too much room for human error and typos in addresses may result in emails being sent to real users
- Still uses real SMTP infrastructure and introduces avoidable complexity
Disabling Email Sending in Development
Approach: Turn off email functionality entirely during development.
Problems:
- Unable to test email flows end-to-end, especially inline attachments and HTML email rendering are hard to get right
- Might forget to enable in staging or production, resulting in emails not getting delivered
- Integration issues might get discovered too late
Why Accidental Emails Are a Real Risk
Unintentional emails sent during testing can cause major issues rather than just being a trivial error. When test messages are seen by actual users, they can result in misunderstandings, embarrassment, and a decline in product confidence. If those emails include personal information, you might expose data outside of your intended environment, which could lead to GDPR or other compliance difficulties.
Sending test emails to actual addresses on a regular basis can cause spam filters to activate and harm your domain's reputation, making it more difficult for your legitimate production emails to reach inboxes.
Mock SMTP Servers: Better, convenient and safer
A safer solution is to use a mock SMTP server, a tool that captures outgoing emails without ever delivering them to the outside world. A mock SMTP server acts as a regular SMTP server towards the application that should get tested. The application's SMTP server is set to use the mock SMTP server address and credentials during development or staging environments. When the application now sends emails, instead of sending to real users and real inboxes, the mock SMTP server routes them to a dedicated catch-all inbox where you can:
- View the subject, body, headers, and attachments
- See exactly how emails would appear in users email client
- Test email workflows end-to-end
- Share results with your team
- View and inspect HTML emails
- Images that are attached as inline attachments gets rendered correctly
Because no external delivery takes place, there's zero risk of spamming real users.
This approach gives you realistic, end-to-end testing of your email workflows while keeping everything safely contained within your development or staging environment.
Setting up an emails testing and development environment with Mockmail
Setting up Mockmail and integrating it into exsiting development and staging environments only takes a few minutes.
Step 1: Create an account and inbox
- Sign up at mockmail.io
- After signup you will be asked to create a new inbox. An inbox acts as a dedicated mock SMTP server, each with different SMTP credentials and separated list of received email. You may create multiple inboxes to separate different environments (staging, Q&A, different local dev environments).
- Mockmail will generate dedicated SMTP credentials for this specific inbox:
- Host
- Port
- Username
- Password
Step 2: Configure Your Application
Add the SMTP credentials to your app's mail settings.
Laravel example (.env):
MAIL_HOST=mockmail.io
MAIL_PORT=25
MAIL_USERNAME=your_inbox_username
MAIL_PASSWORD=your_inbox_password
MAIL_ENCRYPTION=TLS
Node.js (Nodemailer) example:
const nodemailer = require('nodemailer');
const transporter = nodemailer.createTransport({
host: 'mockmail.io',
port: 25,
secure: true,
auth: {
user: 'your_inbox_username',
pass: 'your_inbox_password',
},
});
Python (Django settings.py) example:
EMAIL_HOST = 'mockmail.io'
EMAIL_PORT = 25
EMAIL_HOST_USER = 'your_inbox_username'
EMAIL_HOST_PASSWORD = 'your_inbox_password'
EMAIL_USE_TLS = True
EMAIL_USE_SSL = True
WordPress (WP Mail SMTP plugin):
- Install and activate WP Mail SMTP plugin
- Choose "Other SMTP" as mailer
- Enter Mockmail credentials
- Set encryption to None
Step 3: Trigger an Email and inspect the results
Perform an action in your app that sends an email, like user signup, password reset, etc. When the mock SMTP receives a new email, it will automatically be listed in your mockmail inbox web ui and is ready for inspection and further development:
- Preview HTML and plain-text versions - See how your email renders
- Check headers and raw source - Debug delivery issues
- Download or view attachments - Verify PDFs, images, calendar invites
- Search and filter - Find specific test emails quickly
- Share links - Send preview URLs to stakeholders
Advanced Use Cases
Mockmail can power even more advanced testing and automation scenarios.
Inbound Email Testing
Every inbox comes with its own dedicated email address. You can send messages directly to this address to simulate user replies or test workflows that rely on inbound parsing, such as "reply to comment" features.
Automated Workflows with Webhooks
Configure a webhook URL, and Mockmail will instantly forward incoming emails as structured JSON. This makes it easy to:
- Trigger automated tests in CI/CD pipelines
- Populate test databases with email data
- Send notifications to Slack or Microsoft Teams
- Assert email content in integration tests
Example Jest test:
test('password reset email contains correct link', async () => {
// Trigger password reset
await api.post('/reset-password', { email: 'test@example.com' });
// Wait for webhook
const email = await waitForEmail();
// Assert content
expect(email.subject).toBe('Password Reset Request');
expect(email.content.html).toContain('https://app.com/reset/');
});
Read our detailed step by step guide on how to forward all emails to a webhook.
Team Collaboration
You can share access to any inbox with other users. Simply invite team members by email and assign permissions so they can view all messages received and stored in that inbox. This makes it easy for QA, product, and support teams to review test emails without digging through server logs, taking screenshots, or sharing credentials. Learn more about Mockmail's shared test email inboxes.
Best Practices for Safe Email Testing
1. Use Separate Inboxes for Different Environments
Create dedicated inboxes for:
- Local development
- Feature branch testing
- Staging environment
- QA testing
- Demo environments
This prevents email mixing and makes debugging easier.
2. Use Descriptive Inbox Names
Name inboxes clearly so team members know their purpose:
✅ Good names:
- "Staging - User Onboarding Flow"
- "QA - Payment Receipts"
- "Dev - Password Resets"
❌ Bad names:
- "Test Inbox 1"
- "My Inbox"
- "Emails"
3. Never Use Production SMTP in Development
Always configure mock SMTP for non-production environments:
# ❌ DANGEROUS - Uses production SMTP
MAIL_HOST=smtp.sendgrid.net
# ✅ SAFE - Uses mock SMTP
MAIL_HOST=mockmail.io
Consider using environment-specific configuration files or feature flags to ensure production SMTP is never used in development.
4. Use Webhooks for CI/CD Email Testing
Integrate Mockmail webhooks into your continuous integration pipeline:
- Configure test inbox with webhook endpoint
- Run your test suite
- Webhook receives emails as JSON
- Assert email content in tests
- Pass or fail build based on results
5. Test Both HTML and Plain Text Versions
Always verify both email formats:
- HTML - Layout, images, links, styling
- Plain text - Fallback for email clients that block HTML
Many email clients (including Outlook) show plain text by default.
6. Check Email Headers
Inspect headers to debug deliverability issues:
- From/Reply-To - Verify sender identity
- Content-Type - Check MIME type
- Message-ID - Unique identifier
- Custom headers - App-specific metadata
Troubleshooting Common Issues
Emails Not Appearing in Mockmail
Problem: Your application sends emails but they don't appear in the inbox.
Solutions:
- Review your application's SMTP configuration
- Check application logs for SMTP errors
- Check network connectivity
- Check your firewall rules, port 25 will often be blocked by default
- Verify port 25 is not blocked by your hosting provider. You can test this by using the
nccommand via your terminal.
Conclusion
Email is one of the most important touchpoints between your application and its users, but testing it safely has always been a challenge. Accidental emails can damage trust, create compliance issues, and even harm your domain's deliverability.
By using a mock SMTP server like Mockmail, you can capture every message in a secure, controlled inbox no risk, no leaks, and no stress.
From simple previews to advanced workflows with webhooks and CI integration, Mockmail gives developers and QA teams the confidence to test email flows end-to-end.
Ready to start testing safely? Create a free Mockmail account and get your first inbox set up in minutes.