TL;DR

VaultSandbox is a Docker-deployable sandbox that lets teams test real SMTP/TLS/DNS behavior inside their VPC without sending customer data to third-party inboxes. It preserves real provider configuration (Postmark, SendGrid, SES, etc.), validates SPF/DKIM/DMARC and TLS, and stores messages encrypted and in-memory for CI-friendly, disposable testing.

What happened

A new tooling approach called VaultSandbox offers production-fidelity email testing by routing real outbound messages from transactional providers into isolated inboxes inside a customer's VPC. Rather than mocking SMTP clients or disabling TLS checks, teams deploy a Docker gateway that can auto-provision ACME certificates and DNS via a zero-config option (vsx.email) or accept a user domain with A/MX records. Incoming messages are processed with full SMTP/TLS negotiation, rDNS checks and MIME parsing; authentication checks for SPF, DKIM and DMARC are performed on every message. Storage is encrypted and handled in-memory; VaultSandbox says private keys are generated locally and plaintext never touches disk. The environment blocks outbound mail and exposes deterministic, SSE-driven wait semantics and SDKs for integration in CI pipelines. The project publishes its core engine as open-source (AGPLv3) with SDKs and UI under MIT.

Why it matters

  • Reduces a common blind spot where mocks hide authentication, TLS, or rendering failures that only surface in production.
  • Allows teams to validate domain authentication (SPF/DKIM/DMARC) and TLS behavior before deploying changes.
  • Keeps test data inside a customer's infrastructure for compliance and data-sovereignty requirements.
  • Aims to eliminate flaky CI patterns (polling/sleeps) by providing deterministic, event-driven waits.

Key facts

  • Works with real transactional providers such as Postmark, SendGrid, SES and others by changing only the recipient address.
  • Deployable with a single Docker Compose file; offers a zero-config DNS option (vsx.email) that encodes your IP into a subdomain.
  • Infrastructure requirements include a public IP and ports 25/80/443 open to enable real SMTP, HTTP and ACME certificate provisioning.
  • Performs full message validation: SPF, DKIM, DMARC and rDNS checks are run on every message.
  • Terminates real SMTP and TLS; ACME certificates for SMTP and HTTPS can be auto-provisioned.
  • Storage is encrypted, 100% in-memory for CI usage, and plaintext is claimed not to be written to disk; outbound mail is hard-blocked.
  • Core gateway engine is open-source under AGPLv3; SDKs and UI are MIT-licensed.
  • Provides official SDKs and examples for Node.js, Python, Go, Java and .NET and uses Server-Sent Events for deterministic delivery waits.
  • Supports disposable inboxes, full MIME parsing, HTML rendering previews, link extraction and a terminal UI for real-time monitoring.

What to watch next

  • Phase 2 enterprise control plane work: planned features include SSO (OIDC/SAML), audit logs and retention controls (roadmap item).
  • Local persistence and longer-term storage are noted as coming soon in the roadmap; current builds prioritize 100% in-memory operation.
  • Adoption, performance at scale, and enterprise support offerings: not confirmed in the source.

Quick glossary

  • SMTP: Simple Mail Transfer Protocol — the standard protocol for sending email between mail servers.
  • TLS: Transport Layer Security — a cryptographic protocol that provides encrypted communication over networks.
  • SPF: Sender Policy Framework — an email authentication method that specifies which IPs are allowed to send email for a domain.
  • DKIM: DomainKeys Identified Mail — an email authentication technique that uses cryptographic signatures to verify message origin and integrity.
  • DMARC: Domain-based Message Authentication, Reporting and Conformance — a policy layer that uses SPF and DKIM results to instruct receivers how to handle unauthenticated mail.
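
The alignment rule behind the DMARC entry above is the kind of failure a mock cannot surface: SPF and DKIM can both pass for the provider's domain while DMARC still fails for yours. The sketch below is an added example, not VaultSandbox code and not its SDK. It assumes the receiving side records an RFC 8601 Authentication-Results header, uses constructed sample messages with made-up domains, approximates the organizational domain as the last two labels, and applies one strictness flag to both SPF and DKIM.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed sample (all domains made up): a message sent through a provider
# that signs and bounces with its own domain rather than the sender's.
UNALIGNED = """\
Authentication-Results: mx.sandbox.example;
 spf=pass smtp.mailfrom=bounces.mailer.example;
 dkim=pass header.d=mailer.example
From: Shop <no-reply@shop.example>
To: test-inbox@sandbox.example
Subject: Password reset

Hello
"""
# Same message after the sender publishes a DKIM key under its own subdomain.
ALIGNED = UNALIGNED.replace("header.d=mailer.example", "header.d=mail.shop.example")

# Which property of each method carries the authenticated domain (RFC 8601).
IDENTITY = {"spf": "smtp.mailfrom", "dkim": "header.d"}

def org_domain(domain):
    # Simplification: last two labels. Real evaluators use the Public Suffix List.
    return ".".join(domain.split(".")[-2:])

def is_aligned(auth_domain, from_domain, strict):
    if strict:
        return auth_domain == from_domain
    return org_domain(auth_domain) == org_domain(from_domain)

def parse_results(raw):
    """Return (From domain, [(method, result, authenticated domain), ...])."""
    msg = message_from_string(raw)
    from_domain = parseaddr(msg["From"] or "")[1].rpartition("@")[2].lower()
    entries = []
    # The first ';'-separated field is the authserv-id; the rest are results.
    # Parenthesised comments in the header are not handled here.
    for part in (msg["Authentication-Results"] or "").split(";")[1:]:
        tokens = dict(t.split("=", 1) for t in part.split() if "=" in t)
        for method, prop in IDENTITY.items():
            if method in tokens and prop in tokens:
                domain = tokens[prop].rpartition("@")[2].lower()
                entries.append((method, tokens[method].lower(), domain))
    return from_domain, entries

def dmarc_verdict(raw, strict=False):
    """DMARC passes if any SPF or DKIM result is 'pass' AND its domain aligns."""
    from_domain, entries = parse_results(raw)
    ok = any(res == "pass" and is_aligned(dom, from_domain, strict)
             for _, res, dom in entries)
    return "pass" if ok else "fail"
```

In a CI test, asserting on this verdict rather than on the individual spf= and dkim= results catches a provider configuration that authenticates the provider's domain instead of the sender's.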

Reader FAQ

Do I need a public IP and domain to run VaultSandbox?
Yes. The gateway requires a public IP and open ports 25/80/443; you can use the zero-config vsx.email option or point your domain with A and MX records.

Is the Gateway truly free? What’s the catch?
The core engine is published under AGPLv3 and SDKs/UI under MIT, but the source does not confirm whether there are paid services or commercial tiers.

Can I use this as a temporary QA email service?
Yes. VaultSandbox supports disposable inboxes, in-memory storage and automatic cleanup suited for CI and temporary QA use cases.

How can the system claim 'zero-knowledge' if it receives email via SMTP?
According to the project, private keys are generated locally, emails are encrypted in-memory on receipt, plaintext never touches disk, and decryption occurs only on the client.
