About 10Mail
10Mail provides on-demand temporary inboxes across 560 domains in our database. Tracked since 2026-04-12, the service is commonly used to bypass mandatory email signups, register for free trials repeatedly, or evade newsletter lists. The service requires no account creation and provides immediate access to a throwaway inbox. Each session typically generates a new address with a unique local part on one of 10Mail's rotating domains, and messages received are visible in a public-style web inbox for a short retention window before being purged. From a product operator's perspective, that pattern is indistinguishable from a fake-signup attack.
Live status
Status: not actively monitoredSample domains operated by 10Mail
A small sample of the 560 domains we track for this service. The complete list is available through the EmailProbe API — single integration blocks every current and future 10Mail domain automatically.
| Domain |
|---|
kiep.10mail.org |
rux.10mail.org |
rvj.10mail.xyz |
rx.10mail.xyz |
rxcj.10mail.org |
rxu.10mail.org |
ryde.10mail.org |
ryg.10mail.org |
rz.10mail.xyz |
owdp.10mail.org |
560 total domains tracked. Detect every one of them via the API →
Mail infrastructure
MX servers
Why people use 10Mail
Legitimate use cases
Privacy-conscious users rely on 10Mail when they want to interact with an unfamiliar service without exposing their primary inbox. Common scenarios include downloading a whitepaper or e-book that requires an email address, trying a SaaS free trial before committing, signing up for a one-time event or webinar, or evaluating a product before deciding whether to share real contact details. For these low-stakes use cases, 10Mail provides a clean buffer between the user and the service. Journalists, researchers, and security professionals also use temporary inboxes when testing how a third-party service handles signups, to avoid contaminating their permanent address book with marketing lists or, in the worst case, with mail from a service that has been breached.
Abuse patterns
Bad actors exploit 10Mail to create fake accounts at industrial scale. Typical abuse patterns include fraudulent free-trial farming where multiple accounts are created to reset a trial counter, abusing referral or sign-up bonus programs, bypassing one-account-per-user rate limits on marketplaces, creating synthetic identities for click fraud, and registering throwaway credentials for credential-stuffing attacks on other platforms. Because 10Mail domains are publicly known and require no identity verification, they are a first-choice tool for automated account creation. The economic effect on a SaaS business is real: inflated signup metrics that mislead growth planning, support costs spent triaging fake accounts, increased risk of credential abuse on subsequent product surfaces, and contaminated retention cohorts where the denominator includes accounts that were never going to be real users in the first place.
How to block 10Mail signups
Three approaches, ordered by accuracy:
Manual regex (least reliable)
const BLOCK = /@(10mail\.[a-z]{2,4}|10mail\.com)$/i;
if (BLOCK.test(email)) reject();Free EmailProbe API (recommended for low volume)
curl https://api.emailprobe.dev/open/v1/disposable/10mail.comAuthenticated API (production)
curl -H "Authorization: Bearer $KEY" \
-d '{"email":"[email protected]"}' \
https://api.emailprobe.dev/v1/validateFrequently asked questions
Is 10Mail safe to use?
10Mail is operated by anonymous third parties and offers no privacy guarantees. Anyone who knows the address can read incoming mail — there is no password or access control on the inbox. Sensitive data sent to a 10Mail address, such as password reset links, financial documents, or personal identification, is effectively public. Do not use 10Mail addresses for password resets, account recovery, two-factor authentication codes, or any communication you expect to remain private. From an operator's perspective, allowing 10Mail addresses for high-value flows like account recovery or invoicing is itself a security risk — an attacker who guesses or pre-claims an address can intercept any messages sent to it.
Can I receive emails on 10Mail?
Yes — 10Mail addresses receive incoming email and display it in a public or pseudo-private inbox until the address expires or is recycled. The inbox is typically accessible to anyone who types in the address, which means it offers no real privacy. Some 10Mail domains also accept email for any subdomain or random string, making it easy to generate effectively unlimited distinct addresses on demand. This catch-all behavior is one of the strongest signals we use to classify 10Mail as disposable: a single MX record accepting mail for thousands of distinct local parts on hundreds of distinct domains is not how legitimate inboxes work.
Is using 10Mail legal?
Using a temporary email service like 10Mail is legal in most jurisdictions. However, individual sites' terms of service often explicitly prohibit disposable addresses, and using one to bypass paid-account limits, circumvent fraud controls, or inflate signup metrics can breach those terms and, in some jurisdictions, constitute fraud or computer misuse. For ordinary privacy use cases — such as downloading content anonymously — 10Mail usage is generally permissible. For product operators on the receiving end, declining to accept addresses from 10Mail is similarly legal and well-supported by industry practice: every major SaaS company maintains some form of disposable-domain block list, either internally or through a third-party API like EmailProbe.
How does EmailProbe detect 10Mail emails?
EmailProbe matches addresses against 560 known 10Mail domains plus the service's mail-server infrastructure. Detection happens at the edge in under 50ms.
Can I block all 10Mail domains at once?
Yes — every 10Mail domain is flagged as disposable by the EmailProbe API. A single integration blocks every current and future 10Mail domain without a manual list.
How long do 10Mail email addresses stay active?
Address lifetime on 10Mail varies — some addresses are intentionally short-lived (a few minutes to an hour) while others persist as long as the user keeps the browser session open. After the retention window, incoming mail is silently discarded. For a SaaS operator, the practical implication is that any automated follow-up email (a day-2 onboarding nudge, a billing notice, a security alert) is likely to land in an inbox that no human will ever check.
Can users still verify their email if they signed up with 10Mail?
Most 10Mail domains do receive verification emails — that's the entire point of using one — so a plain double opt-in will not filter them out. Effective filtering requires checking the domain against a known disposable list before the verification email is sent, ideally during the signup form submission itself. EmailProbe's free API call returns a verdict in under 50ms, which is fast enough to gate signup without harming the user experience for legitimate addresses.
Why do new 10Mail domains keep appearing?
Disposable services rotate domains continuously to evade simple block lists. 10Mail alone operates 560 domains today, and that number grows weekly as new domains are registered or repurposed. Maintaining a static text-file blocklist means you ship code every time a new domain appears; using an API like EmailProbe means new 10Mail domains are flagged automatically without any change on your side.