A random email address is useful in tests only if it can actually receive the email your app sends. user-${crypto.randomUUID()}@example.com may be unique, but it will not help a signup, password reset, OTP, or magic-link test unless there is an inbox behind it, a deterministic way to wait for messages, and a cleanup policy that prevents state from leaking into the next run.
For reliable test runs, the goal is not just to get a random email address. The goal is to create a temporary, routable, isolated inbox that your automation or LLM agent can use once, read safely, and expire.
That distinction is what separates stable CI from flaky email tests.
What “random email address” should mean in automated tests
In consumer tools, a random email address often means an address on a public temp-mail website. In engineering workflows, it should mean something more precise: a unique address that maps to a known inbox resource.
A reliable random test address needs these properties:
| Requirement | Why it matters in test runs |
|---|---|
| Unique | Prevents two parallel tests from receiving each other’s messages. |
| Routable | The address must be able to receive real email from your application. |
| Isolated | Each run or attempt should read only its own messages. |
| Observable | Failures should be debuggable with inbox IDs, message IDs, timestamps, and delivery logs. |
| Machine-readable | Tests and agents should consume JSON or structured fields, not scrape a human mailbox. |
| Short-lived | Temporary inboxes reduce stale-message collisions and retention risk. |
| Secure | Webhook payloads should be verified, and email content should be treated as untrusted input. |
This is why a random email address for test automation should usually be created through an inbox API, not by concatenating random strings.
When a random string is enough, and when it is not
There are two very different testing goals that often get mixed together.
If you are only testing email address validation, such as whether your frontend accepts [email protected], you do not need a real inbox. Use reserved domains such as example.com, which are specifically set aside for documentation and examples under RFC 2606. This keeps tests from accidentally sending email to real users.
If you are testing an end-to-end flow that sends email, the address must be deliverable. Examples include:
- Signup verification emails
- Password reset emails
- Magic-link login
- One-time passcodes
- Account invitation flows
- Mobile onboarding journeys
- Agent workflows that must prove ownership of an address
For these flows, a random string alone is not sufficient. You need a random address backed by an inbox that your test runner can query or subscribe to.
Common ways to get a random email address, ranked for reliability
Several approaches can generate unique-looking addresses, but they do not all behave the same under CI parallelism, retries, and LLM-driven automation.
| Approach | Good for | Main risk |
|---|---|---|
| Random local-part on a reserved domain | Validation-only tests | Cannot receive real email. |
Plus-addressing, like [email protected]
|
Lightweight correlation in one mailbox | Shared inbox state, duplicates, provider-specific behavior. |
| Catch-all domain | Controlled test environments | Requires routing, parsing, cleanup, and dedupe logic. |
| Public temp-mail website | Manual one-off checks | Weak privacy, unreliable APIs, no stable automation contract. |
| Disposable inbox API | CI, QA, agents, signup verification | Requires integrating an API, but gives the best determinism. |
The most reliable pattern is to create a disposable inbox per test run or per test attempt. The API returns an email address plus an inbox identifier, then delivers received messages as structured data.
That gives your test a resource it can own, wait on, inspect, and delete.
The recommended pattern: create one inbox per attempt
The key design rule is simple: do not reuse test inboxes across attempts.
A “test run” may retry. A signup test may trigger a resend. A CI job may run in parallel across browsers, regions, or shards. If all of those attempts share the same mailbox, your automation has to guess which email is current. That is where flaky tests come from.
Instead, treat the random email address as a disposable resource:
- Create a new inbox before the action that sends email.
- Store the returned inbox descriptor, not just the email string.
- Use the email address in the application under test.
- Wait for a message in that specific inbox.
- Extract the minimum artifact, such as an OTP or verification link.
- Expire or clean up the inbox after the attempt.
The inbox descriptor is important. Your test harness should know more than email. It should track fields such as inbox_id, created_at, expires_at, run_id, and attempt_id if your provider and internal model support them.
That way, logs can answer the questions that matter when something fails: Which inbox did we create? Which email address did the app use? Did a message arrive? Was it duplicated? Did the test time out before delivery?
A practical workflow to get a random email address for a test run
Here is the provider-neutral flow you want your test harness to implement.
1. Generate correlation IDs first
Before creating the inbox, generate stable identifiers for the workflow. At minimum, track a run ID and attempt ID. These do not need to be exposed to users, but they should be available in logs and test artifacts.
A good pattern is:
run_id = ci_job_id + test_file + worker_id
attempt_id = run_id + retry_number + random_suffix
The random suffix prevents collisions. The deterministic parts make debugging possible.
2. Create a disposable inbox via API
Ask your inbox provider to create a new disposable inbox. The response should include an email address and a stable inbox handle.
Conceptually, your code might look like this:
const inbox = await emailProvider.createInbox({
metadata: {
runId,
attemptId,
purpose: "signup-verification"
}
});
// Use inbox.email in the application under test.
// Use inbox.id when waiting for messages.
The important rule is that the generated email address must be tied to an inbox your automation can read. Do not discard the inbox ID after creation.
3. Trigger the email-producing action
Use the address exactly as a real user would. For a signup flow, submit the form with the disposable address. For a password reset, request a reset for that test account.
If your product has multiple clients, such as web and mobile, make the email verification step part of your platform-level test contract. Teams building mobile onboarding flows, whether internally or with a partner like Appzay’s mobile app development agency, should treat verification emails as a testable integration point rather than a manual QA step.
4. Wait deterministically, not with fixed sleeps
Fixed sleeps are one of the most common sources of email-test flakiness. A five-second sleep is too slow when delivery takes 500 ms and too short when an email provider delays a message.
Use one of two deterministic waiting patterns:
| Waiting method | Best use | Notes |
|---|---|---|
| Webhook-first | CI, parallel test runs, event-driven systems | Low latency, avoids constant polling, but requires a public receiver or tunnel in some environments. |
| Polling fallback | Local tests, restricted networks, recovery paths | Easier to set up, but needs deadlines, cursors, and dedupe. |
The strongest setup uses webhooks as the primary path and polling as a fallback. If a webhook is delayed or your worker restarts, polling can still retrieve the message before the test deadline.
5. Match narrowly and extract only what you need
Once an email arrives, do not let the test or agent read a whole mailbox and “figure it out.” The message is already scoped to a specific inbox, so your matcher can be narrow.
Good matchers include:
- Expected sender domain
- Expected subject pattern
- Message received after inbox creation
- Presence of a verification link or OTP
- Correlation token if your application includes one
Then extract only the artifact needed to continue the test. For example, return { "otp": "123456" } or { "verification_url": "https://..." } to the test runner. Avoid exposing raw HTML to an LLM agent unless you have a specific, sandboxed reason to do so.
Reference pseudocode for a reliable test helper
This example avoids provider-specific endpoints, but captures the core control flow.
async function verifySignupEmail(app, emailProvider, userData) {
const runId = process.env.CI_JOB_ID ?? crypto.randomUUID();
const attemptId = crypto.randomUUID();
const inbox = await emailProvider.createInbox({
metadata: { runId, attemptId, flow: "signup" }
});
await app.signUp({
...userData,
email: inbox.email
});
const message = await emailProvider.waitForMessage({
inboxId: inbox.id,
deadlineMs: 60_000,
match: {
subjectIncludes: "Verify",
after: inbox.createdAt
}
});
const verificationUrl = extractVerificationUrl(message);
await app.openVerificationUrl(verificationUrl);
await emailProvider.expireInbox(inbox.id);
return {
email: inbox.email,
inboxId: inbox.id,
messageId: message.id
};
}
The exact API will differ by provider, but the invariants should not change: create, trigger, wait, extract, clean up.
How to make random email addresses retry-safe
Retries are where most “random email” strategies break down. A retry can create a second account, resend a second email, or process a stale message from the first attempt.
Use these rules to keep tests retry-safe:
| Problem | Fix |
|---|---|
| Retry reads an old email | Create a new inbox per attempt and only accept messages received after inbox creation. |
| Duplicate webhook delivery | Dedupe by delivery ID, message ID, and extracted artifact hash. |
| Multiple OTP emails arrive | Prefer the latest matching message within the same inbox and enforce consume-once semantics. |
| CI workers collide | Include worker, run, and attempt IDs in metadata and logs. |
| Test times out without context | Attach the inbox descriptor and message list summary to CI artifacts. |
A reliable random address is not just unique. It is also traceable. When a test fails, your logs should make the failure obvious instead of requiring someone to log into a mailbox.
Special considerations for LLM agents
LLM agents should not be handed a human mailbox and asked to browse it. Email is untrusted input. It can contain malicious HTML, misleading links, prompt-injection text, tracking pixels, or irrelevant content.
For agent workflows, expose a small tool contract instead:
| Agent tool | Purpose |
|---|---|
create_random_inbox |
Returns a disposable email address and inbox ID. |
wait_for_email |
Waits inside one inbox with a deadline and narrow matcher. |
extract_verification_artifact |
Returns only the OTP, magic link, or relevant structured field. |
expire_inbox |
Ends the inbox lifecycle after the attempt. |
The model should see the smallest safe view possible. For example, an agent validating a signup does not need the full raw email. It needs the verification code or link, plus enough metadata to know the artifact came from the expected message.
Your backend should handle webhook signature verification, replay detection, URL allowlisting, and deduplication outside the model. The LLM should orchestrate the workflow, not decide whether an inbound HTTP request is authentic.
Shared domain or custom domain?
When you get a random email address from an inbox API, the domain strategy matters.
A shared provider domain is usually fastest. You can create disposable inboxes immediately without touching DNS. This is ideal for prototypes, internal QA, agent experiments, and many CI workflows.
A custom domain or subdomain is better when third-party systems require allowlisting, when you want environment separation, or when you need more governance over test traffic. For example, you might route qa.example.com to your disposable inbox provider and generate addresses under that subdomain.
| Domain strategy | Choose it when |
|---|---|
| Shared provider domain | You want the fastest setup and do not need allowlisting. |
| Custom subdomain | You need control, allowlisting, environment separation, or clearer audit trails. |
| Dedicated test domain | You run high-volume flows or want stronger isolation from production domains. |
Keep domain choice as configuration. Your test code should ask for an inbox, not hardcode domain-specific assumptions.
Where Mailhook fits
Mailhook is built for this inbox-first workflow. It provides programmable disposable email inboxes via API and returns received emails as structured JSON, which makes them easier for test runners and LLM agents to consume safely.
For reliable random email addresses in test runs, the relevant Mailhook primitives are:
- Disposable inbox creation via RESTful API
- Structured JSON email output
- Real-time webhook notifications
- Polling API for fallback retrieval
- Instant shared domains for quick setup
- Custom domain support when you need domain control
- Signed payloads for webhook security
- Batch email processing for higher-volume workflows
For exact integration details and the machine-readable contract, use the Mailhook llms.txt reference. It is the best place to point agents, automation, and implementation scripts when they need to understand how to use Mailhook’s API safely.
Checklist: a reliable random email address for every test run
Before you call your random email strategy production-ready, verify that it passes this checklist:
- The address is generated by creating an actual inbox, not just a string.
- The test stores both
emailandinbox_id. - Each retry or attempt gets a fresh inbox.
- The wait uses webhooks, polling, or both, with a real deadline.
- Message selection is scoped to the inbox and expected intent.
- The parser extracts only the required OTP, link, or artifact.
- Duplicate deliveries cannot trigger duplicate actions.
- Webhook payloads are verified before processing.
- Raw email content is treated as untrusted input.
- The inbox expires or is cleaned up after use.
- CI logs include enough IDs to debug delivery failures.
If any item is missing, the test may still pass locally, but it is likely to flake under parallel CI or autonomous agent execution.
Frequently Asked Questions
Can I just generate a random email address with a UUID? Only for validation tests that do not send real email. For signup, OTP, password reset, or magic-link flows, the random address must be backed by a routable inbox your automation can read.
Should I create one random email per test run or per retry attempt? Per attempt is safer. Retries can produce duplicate or stale emails, so a fresh inbox per attempt gives you clean isolation and simpler message matching.
Are plus-addresses enough for automated testing? Plus-addressing can help with lightweight correlation, but it still routes to a shared mailbox. For parallel CI and LLM agents, isolated disposable inboxes are more reliable.
How should an LLM agent handle verification emails? Give the agent a small tool interface that creates an inbox, waits for a matching message, and returns only the OTP or verification link. Do not expose raw mailbox content unless it has been minimized and sanitized.
What should I log when a random email test fails? Log the inbox ID, email address, run ID, attempt ID, wait deadline, message IDs received, and the matcher used. Avoid logging sensitive full email bodies unless your retention and privacy policy allows it.
Start with a real inbox, not a random string
A random email address only makes test runs reliable when it is attached to a programmable inbox lifecycle. Create the inbox, use the generated address, wait deterministically, extract the verification artifact, and clean up.
Mailhook gives developers and agents the primitives for that workflow: disposable inboxes via API, JSON email output, webhooks, polling, signed payloads, shared domains, and custom domain support. To start integrating, visit Mailhook or review the canonical llms.txt integration reference.
