Key Facts
- ✓ VaultSandbox validates SPF, DKIM, DMARC, and rDNS on every incoming message.
- ✓ It supports production providers like Mailgun, SES, and Postmark without mocking.
- ✓ The tool uses Server-Sent Events (SSE) for deterministic testing.
- ✓ It is built with NestJS and Angular and has no external database dependency.
- ✓ Incoming mail is encrypted using ML-KEM-768 post-quantum encryption.
Quick Summary
Developers often face the frustrating scenario where email tests pass in continuous integration environments, only to break in production due to protocol-level issues. A new tool, VaultSandbox, aims to resolve this by providing a self-hosted SMTP gateway that validates the entire email protocol stack.
Unlike standard testing tools that act as catch-alls, VaultSandbox checks SPF, DKIM, DMARC, and rDNS for every message. It allows teams to use their existing production providers without mocking or complex configuration changes.
Addressing Protocol Validation Gaps
Standard testing tools often confirm that an email was sent but fail to validate the underlying protocol interactions. This leads to situations where CI pipelines report success, but production mail fails due to TLS handshake errors or authentication mismatches. VaultSandbox was developed to bridge this gap by acting as a strict SMTP gateway.
The tool is designed specifically for network-exposed environments, addressing security concerns found in other tools that lack authentication or have unprotected Web UIs. By validating the protocol, it ensures that the specific conditions causing production failures are replicated during testing.
- TLS handshake validation
- DKIM alignment checks
- SPF and DMARC verification
- rDNS validation
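The sketch below is an added example, not VaultSandbox code or part of its SDKs. It shows the kind of authentication mismatch described above: SPF and DKIM can both report pass while DMARC still fails, because neither authenticated domain aligns with the From domain. The header values and domains are constructed, and the two-label organizational-domain shortcut is an assumption that a real check would replace with a Public Suffix List lookup.

```javascript
// Assumption: the organizational domain is the last two labels. A real check
// must use the Public Suffix List (e.g. "example.co.uk" breaks this shortcut).
function orgDomain(domain) {
  return domain.toLowerCase().split('.').slice(-2).join('.');
}

function aligned(authDomain, fromDomain, mode) {
  const a = authDomain.toLowerCase();
  const f = fromDomain.toLowerCase();
  return mode === 'strict' ? a === f : orgDomain(a) === orgDomain(f);
}

// Parse the "method=result prop=value ..." clauses of an Authentication-Results header.
function parseAuthResults(header) {
  const clauses = header.replace(/\([^)]*\)/g, ' ').split(';').slice(1);
  return clauses.map((clause) => {
    const entry = { props: {} };
    for (const [, key, value] of clause.matchAll(/([\w.-]+)=("[^"]*"|\S+)/g)) {
      const v = value.replace(/^"|"$/g, '');
      if (entry.method === undefined) { entry.method = key; entry.result = v; }
      else entry.props[key] = v;
    }
    return entry;
  }).filter((e) => e.method);
}

// DMARC passes when at least one of SPF or DKIM passes AND aligns with the From domain.
function evaluateDmarc(header, fromDomain, mode = 'relaxed') {
  const reasons = [];
  for (const { method, result, props } of parseAuthResults(header)) {
    let domain;
    if (method === 'spf') domain = (props['smtp.mailfrom'] || '').split('@').pop();
    else if (method === 'dkim') domain = props['header.d'];
    else continue;
    if (result === 'pass' && domain && aligned(domain, fromDomain, mode)) {
      reasons.push(`${method}:${domain}`);
    }
  }
  return { pass: reasons.length > 0, reasons };
}

// Constructed samples: in the first, the bounce domain and DKIM signature both
// belong to the sending provider; in the second, DKIM is signed by a From subdomain.
const SAMPLE_UNALIGNED = 'mx.test.invalid; spf=pass smtp.mailfrom=bounce@esp-mail.example.net;' +
  ' dkim=pass header.d=esp-mail.example.net header.s=s1';
const SAMPLE_ALIGNED = 'mx.test.invalid; spf=pass smtp.mailfrom=bounce@esp-mail.example.net;' +
  ' dkim=pass (2048-bit key) header.d=mail.shop.example.com header.s=s1';
console.log(evaluateDmarc(SAMPLE_UNALIGNED, 'shop.example.com'));
```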
Integration and Workflow
VaultSandbox integrates directly into existing workflows without requiring developers to abandon their preferred email providers. Users can continue utilizing services like Postmark, SendGrid, or SES by simply modifying the recipient domain in their tests. This approach eliminates the need for mocking or extensive configuration changes.
To facilitate automation, the tool provides client SDKs for multiple programming languages, including Node, Python, Go, Java, and .NET. Additionally, a Web UI and CLI are available for manual testing and inspection.
Technical Architecture
The architecture of VaultSandbox focuses on efficiency and security. It utilizes Server-Sent Events (SSE) for deterministic testing, allowing test assertions to trigger the moment mail hits the gateway rather than relying on polling or sleep loops.
The infrastructure footprint is kept minimal. Built with NestJS and Angular, the application has no external database dependency, making the container lightweight and easier to manage.
A standout feature is its use of post-quantum encryption. The system employs ML-KEM-768 for the encryption layer, encrypting incoming mail immediately using a client-generated public key and discarding the plaintext. The server only stores encrypted data and cannot decrypt it.
Availability and Licensing
VaultSandbox is distributed under the AGPLv3 license. The developer has noted that the tool is available for self-hosting and is seeking feedback on whether this licensing choice presents a barrier to adoption in development environments.
Quick start guides and documentation are available on the project's website, allowing users to deploy the gateway and begin testing immediately.




