How It Works
Architecture
MailOven runs two servers:
- SMTP server — receives incoming emails on port 25
- Web server — serves the inbox UI and REST API
When an email arrives at anything@acme.mailoven.com, the SMTP server:
- Extracts the domain from the recipient address (
acme.mailoven.com) - Looks up the organization by slug (
acme) - Parses the email (subject, from, body) using MIME parsing
- Sanitizes the HTML body (strips scripts, dangerous tags)
- Stores the email in the database, linked to the organization
Catch-all behavior
You don't need to create inboxes ahead of time. Any address at your subdomain is valid:
signup-test@acme.mailoven.com
password-reset@acme.mailoven.com
order-confirmation-42@acme.mailoven.comEach unique to address becomes its own inbox in the UI.
Multi-tenancy
Every organization is fully isolated:
- Emails are scoped to your organization — no one else can see them
- Team members must be explicitly invited
- API keys only access your organization's data
- Subdomains are globally unique
Email retention
Emails are automatically deleted after a configurable number of days (1–20, default 30). You can change this in Organization Settings → Settings → Email Retention.
A background job runs hourly to purge expired emails.
Security
- All passwords are hashed with bcrypt
- Sessions are signed with HMAC
- Every form is protected with CSRF tokens
- HTML email bodies are sanitized before storage
- API keys are scoped to a single organization