MailFade is built for QA, CI, and AI-agent evaluation. We actively do not want to be a tool for credential stuffing, account takeover, phishing, or harassment.

What we consider abuse

• Using MailFade to register accounts at third-party services in violation of those services’ terms.
• Using MailFade addresses in phishing campaigns, scams, or to harvest password-reset tokens for accounts you do not own.
• Automated mass-creation of accounts against any single target.
• Using MailFade to receive mail intended for a person without their consent — e.g. to intercept verification emails for an account that is not yours.

How we prevent it

• Per-IP rate limits on the free tier — meaningful but not punishing for honest users, restrictive enough to disrupt automated misuse.
• Per-key monthly quotas on paid tiers.
• Inbound abuse_blocks table — sender addresses, recipient addresses, and subject patterns we have classified as abusive cause inbound mail to be rejected at the SMTP layer.
• Cooperation with hosts and abuse desks. When a legitimate service operator contacts us about MailFade being used to attack their signup flow, we will work with them to block the relevant addresses and patterns.

Reporting abuse

If you believe MailFade is being used against you or your service, please email [email protected] with:

• The affected service or domain.
• Any sample headers, message IDs, or @mailfade.dev addresses you have observed.
• A description of the abuse pattern.

We aim to acknowledge abuse reports within 24 hours and act within 72 hours where the evidence supports a block.

What we will not do

• We will not share the contents of any inbox with a third party except as required by valid legal process directed at the operator.
• We will not deanonymize free-tier API users to anyone; we genuinely do not collect the data that would let us do so.