Frequently asked questions

A disposable email address is a short-lived inbox you can hand to a website that demands an email but doesn't have a good reason to keep one. The address works exactly like a normal email address — you can receive verification codes, confirmation links, password resets, and PDF download links — but it expires automatically after a fixed window. Once it expires, neither you nor the original sender can recover anything that was sent there.

The category exists because most websites that ask for your email don't actually need ongoing contact with you. A coupon code, a one-time download, a forum post you'll never revisit — these are perfect cases for a disposable address. Your real inbox stays clean, and the company that wanted to nurture you into a monthly newsletter audience just gets one delivery to an address that no longer exists by the time they queue up the next one.

When you open the home page we generate a random six-character address ending in @tenmin.app. The randomness is real — it's seeded by your browser's cryptographic random number generator, not a hash of your IP or a counter on our side — so the same person opening the site twice gets two unrelated addresses.

Cloudflare's Email Routing service catches anything sent to *@tenmin.appand forwards the raw message to a Cloudflare Worker. The Worker parses the MIME envelope, identifies which inbox the recipient address belongs to, and writes the message to a key-value store with a 600-second time-to-live. The frontend you're looking at polls that store every three seconds for new mail.

When the 10-minute timer hits zero, the storage entry has already expired. There's no cleanup job, no scheduled deletion — Cloudflare's KV store simply stops returning the key after its TTL passes, and the data is removed from disk at the next compaction.

Ten minutes is long enough for almost every legitimate disposable-email use case — newsletter signup, coupon claim, download link, verification code — and short enough that an address you grabbed in the morning won't quietly keep receiving mail in the afternoon.

We picked it after looking at how other services tune the same trade-off. The five-minute services feel rushed; the 24-hour services feel like they're collecting rather than discarding. Ten minutes is a round number in the same ballpark as the average time it takes a human to: open a site, sign up, switch back to this tab, and click a verification link. If you need more time, the Extend button gives you another ten.

Yes. The MIME parser preserves any attachments the sender included, and they're stored as part of the message envelope. We do enforce a soft size cap to stay within Cloudflare's per-request limits, and we do not currently render previews for attachments in the UI — the message header will show that an attachment is present, but downloading it from this version of the interface is limited. If you specifically need to receive a file via this service, send the message and check the raw body in the expanded view.

No. tenmin.app is receive-only by design. There is no SMTP outbound, no "reply" button, and no forwarding configured by default. This is intentional: a service that sends mail attracts spammers, gets blocklisted by the major providers, and ruins the receiving address space for everyone else. Keeping the service one-directional is what lets us run it at a domain reputation that actually delivers to Gmail and Outlook.

The countdown stops, polling stops, and the inbox screen tells you the address has expired. On the storage side, the time-to-live on the KV entry passes and the data is removed from Cloudflare's storage layer.

The address itself stops being routed — if a sender tries to deliver mail to it after the window closes, Cloudflare Email Routing returns a bounce. There is no archive on our side, no backup, and no admin override that can resurrect the messages. If you missed a delivery, you'll need to start a fresh inbox and request the sender retry.

Yes. The Extend button resets the countdown for the current address. Each press refreshes the storage TTL by another ten minutes, so the inbox keeps receiving and displaying mail. There is no hard cap on how many times you can extend, but the practical limit is that you have to keep the tab open — close the tab and the address resumes its normal decay.

We don't store IP addresses, fingerprints, or any account that ties an address to a person. The link between "you" and "this inbox" lives only in the URL bar of your browser tab — close it and we can't tell who held that address.

That said, this is not an anonymity tool. Your network operator can see that you connected to tenmin.app. The site you sign up for can correlate the timestamp of your signup with their own logs. And if you use a disposable address to register for something illegal, "I used a temp-mail" is not a defence — law enforcement can subpoena the receiving service. Treat tenmin.app as convenient, not as private in a hard sense.

No human reads the messages flowing through tenmin.app. The Worker that parses mail runs unattended, and the storage layer is keyed by the inbox ID — we'd have to know which address you happened to generate to even find your messages, and we don't log that association anywhere. Mail is auto-deleted after 600 seconds regardless. If you are worried about machine-side reading: we don't run ML or content analysis on the messages either.

We render HTML, but with two layers of defence. First, the HTML is run through a sanitiser that strips <script>, <style>, <iframe>, all on* event handlers, and javascript: URLs. Second, the cleaned HTML is rendered inside a sandboxed <iframe> with no allowances — no scripts, no top-level navigation, no access to the parent page.

Practically, that means tracking pixels still load (we don't strip remote images, because doing so would break too many legitimate emails), but anything trying to execute code or read your browser state will not run. If you want to read a suspicious email with maximum paranoia, switch to the plain-text view by collapsing and re-expanding the message — the body is also stored as text.

The visible characters in the address bar are always lowercase hex digits, which match the local-part validation regex ([a-z0-9._-]{1,64}) we enforce on delivery. Mail systems treat the local-part as case-insensitive in practice, so a sender who types [email protected] will still reach an inbox we stored under abcdef.

Not from your side. There is no per-user quota because there is no user account. The service does have a global rate limit on the email-processing Worker — driven by Cloudflare's free-tier limits — but at normal traffic this is invisible. If we ever hit the limit during a spike, incoming mail will bounce with a transient failure that the sending server should retry automatically.

Most of it is documented openly in our About page and in the repository's runbook. We're not currently publishing the email-parser Worker source because it includes anti-abuse heuristics we don't want to telegraph, but the frontend and the read-only API are mundane enough that you can reverse-engineer them from network traffic if curious.

If you need an address that lives longer than ten minutes but still isn't your real one, what you actually want is an aliasing service rather than a disposable one. Email aliasing services issue stable addresses that forward to your real inbox and let you turn forwarding off when a sender starts abusing the alias. We're not affiliated, but SimpleLogin, Addy.io, and Apple's "Hide My Email" are all good in this category. If you need an address you control end-to-end, set up a custom domain through Cloudflare Email Routing — the same plumbing tenmin.app is built on, but pointed at your own mailbox.