Tempmails

5/5 (1 ratings) 10 active installs Updated Apr 6, 2026

Frontend inbox — email generation, copy button, and real-time message list

Self-hosted. Privacy-first. Fully yours.

Tempmails turns your WordPress site into a self-hosted temporary email
service. Visitors generate a random disposable email address, receive
messages in a real-time inbox, and discard them when done — all without
leaving your site.

Unlike third-party services, Tempmails runs entirely on your own server
and IMAP mailbox. You own the data, the domain, and the brand.

🔒 No third-party email APIs
📬 Real IMAP inbox — not a simulation
🎨 Material Design 3 UI — beautiful out of the box
AJAX-powered — no page reloads

🚀 Quick Links

Everything you need to get started, get help, and stay connected:

  • 🌐 Official Website: tempmails.cv — docs,
    roadmap, and addon announcements
  • 🎬 Installation Tutorial — Watch the step-by-step video guide below
  • 📺 YouTube Channel: NeoSmartApps on YouTube
    — tutorials, walkthroughs, and new release demos
  • Support the Project: Buy us a coffee via PayPal
    — Tempmails is free forever; your support keeps development alive
  • 🖥️ Need Hosting? — Tempmails works best on a VPS or shared host with
    catch-all IMAP support. We recommend Hostinger
    (affiliate link — we earn a small commission at no extra cost to you)

🎬 Watch: Full Installation Tutorial

Core Features

📨 Email Engine

  • IMAP Email Fetching — connects to any catch-all IMAP mailbox
  • Auto Email Generation — random disposable addresses on your own domains
  • Real-time Inbox — AJAX-powered message viewer with configurable
    auto-refresh
  • Attachment Support — download files with 40+ allowed extensions

🎨 Design & UI

  • Material Design 3 UI — modern, responsive inbox with Inter & Poppins fonts
  • White-labeled — fully rebrandable, no third-party branding in the UI
  • Design Panel — live color picker and label customization in admin

🛡️ Privacy & Data

  • Soft Delete — messages are never hard-deleted; safe for compliance
  • Cookie-based sessions — no user accounts or registration required
  • Zero external data transmission — all data stays on your server

⚙️ WordPress Native

  • Uses WP database, cron, options, nonces, and security APIs throughout
  • Settings API compliant admin panel
  • Full i18n/l10n support with .pot file included

Shortcode

Place the inbox anywhere on your site with one shortcode:

[tempmails_inbox]

This renders the full inbox UI — email generation, copy button,
auto-refresh, message list, and message viewer modal.

Addon Ecosystem

Tempmails Core is frozen infrastructure. All new functionality is
delivered via addons using a documented, stable hook system — your site
never breaks on Core updates.

Available addon hooks cover: email generation, message routing, inbox
access control, multi-domain support, billing integration, and more.
See the Hooks section below for the full reference.

Privacy

Tempmails stores temporary email addresses in browser cookies to
maintain inbox sessions between page loads. No personal data is collected,
stored against user accounts, or transmitted to any external service.
See External Services below for details on the optional GitHub
ecosystem feed.

Hooks

Tempmails exposes a complete hook system for addon developers. All hooks
below are stable and frozen — they will not be renamed, removed, or
have their signatures changed in any minor version.

Action Hooks

  • tempmails_loaded — Core fully initialized; safe for addon bootstrap
  • tempmails_core_ready — fires after DB integrity check; passes Core
    version string
  • tempmails_activated — fires on plugin activation; safe for addon setup
  • tempmails_deactivated — fires on plugin deactivation
  • tempmails_email_generated — new address generated; params: $email,
    $ip
  • tempmails_inbox_accessed — user opened inbox; params: $email, $ip
  • tempmails_message_received — new message stored; params: $message_id,
    $to_address
  • tempmails_message_marked_seen — message read; params: $message_id
  • tempmails_message_deleted — soft delete triggered; params: $message_id,
    $email
  • tempmails_cleanup_completed — cron cleanup finished; params:
    $deleted_count
  • tempmails_fetch_completed — fetch cycle finished; params: $results
    array

Filter Hooks

  • tempmails_registered_addons — register your addon for the Addons admin
    page
  • tempmails_generated_email — modify a generated address before returning
    it
  • tempmails_available_domains — modify the domain list available for
    generation
  • tempmails_can_fetch_messages — allow/block a fetch cycle; params:
    $bool, $engine
  • tempmails_can_process_message — allow/block a single message; params:
    $bool, $message
  • tempmails_can_store_message — allow/block DB insert; params: $bool,
    $data
  • tempmails_can_read_inbox — allow/block inbox access; params: $bool,
    $email
  • tempmails_message_content — filter body before display; params:
    $content, $message_id
  • tempmails_default_settings — modify default option values on activation
  • tempmails_inbox_attributes — modify shortcode default attributes
  • tempmails_admin_dashboard_stats — extend dashboard stat cards
  • tempmails_settings_tabs — add custom tabs to the Settings page
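
A worked addon using two of the hooks listed above, added here as an example and not taken from Tempmails or its addons. It assumes tempmails_message_content receives the body as an HTML string; every myaddon_* name and the threshold are hypothetical.

```php
<?php
// Added example addon; every myaddon_* name and the threshold are hypothetical.
defined( 'ABSPATH' ) || exit;

// Filter params per the list above: $content, $message_id.
// Assumption: $content is the message body as an HTML string.
add_filter( 'tempmails_message_content', 'myaddon_sanitize_body', 20, 2 );

function myaddon_sanitize_body( $content, $message_id ) {
	// wp_kses() drops disallowed tags but keeps their inner text, so
	// remove script/style blocks together with their contents first.
	$content = preg_replace( '@<(script|style)\b[^>]*>.*?</\1>@si', '', (string) $content ) ?? '';

	// No img, iframe, form or style/on* attributes in the allowlist:
	// nothing in the viewer can load remote content or run script.
	$allowed = array(
		'a'          => array( 'href' => true, 'title' => true ),
		'p'          => array(),
		'br'         => array(),
		'strong'     => array(),
		'em'         => array(),
		'ul'         => array(),
		'ol'         => array(),
		'li'         => array(),
		'blockquote' => array(),
		'pre'        => array(),
		'code'       => array(),
	);

	// Third argument restricts link schemes (blocks javascript:, data:).
	return wp_kses( $content, $allowed, array( 'http', 'https', 'mailto' ) );
}

// Action params per the list above: $email, $ip. The hook list has no
// filter that vetoes generation, so this detects and logs only.
add_action( 'tempmails_email_generated', 'myaddon_watch_generation', 10, 2 );

function myaddon_watch_generation( $email, $ip ) {
	$limit = 30; // Constructed threshold.
	$key   = 'myaddon_gen_' . md5( (string) $ip );
	$count = (int) get_transient( $key ) + 1;

	// Re-setting the transient slides the one-hour window forward.
	set_transient( $key, $count, HOUR_IN_SECONDS );

	if ( $count === $limit + 1 ) { // Log once per burst, not per request.
		error_log( sprintf( 'tempmails: %d addresses generated from %s within an hour', $count, sanitize_text_field( (string) $ip ) ) );
	}
}
```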

External Services

Ecosystem Feed (Optional — Default On)

Tempmails fetches a public JSON file from GitHub to display addon and
ecosystem information inside the WordPress admin panel.

What this connection does:

  • Fires only when viewing Tempmails admin pages
  • Retrieves only public, non-personal JSON content
  • Transmits no user data, site URL, or any identifiable information
  • Results are cached locally for 1 hour to minimize requests

Remote endpoint:
https://raw.githubusercontent.com/ubermensch-site/tempmails-ecosystem/main/ecosystem.json

Service provider: GitHub
Privacy policy: https://docs.github.com/en/site-policy/privacy-policies/github-general-privacy-statement

To disable this connection entirely, uncheck Ecosystem Feed under
Tempmails → Settings → General. Hardcoded fallback content is shown
instead — no requests are made.

Google Fonts

The frontend inbox loads the Inter and Poppins typefaces and the
Material Symbols icon font from Google Fonts CDN.

What this connection does:

  • Fires only on pages where [tempmails_inbox] is rendered
  • Transmits the visitor’s IP address to Google as part of a standard font
    request

Service provider: Google Fonts
Privacy policy: https://developers.google.com/fonts/faq/privacy

To avoid this (e.g. for GDPR compliance), dequeue tempmails-google-fonts
and load self-hosted font copies instead.
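
One way to do this from an addon or site plugin, added here as an example and not part of Tempmails. The myaddon-fonts handle and the assets/fonts/fonts.css path are hypothetical, and the style_loader_src filter is an extra safeguard in case Core enqueues the handle after wp_enqueue_scripts has run.

```php
<?php
// Added example; the myaddon-fonts handle and the fonts.css path are hypothetical.
defined( 'ABSPATH' ) || exit;

function myaddon_local_fonts_url() {
	// fonts.css holds @font-face rules for Inter, Poppins and Material
	// Symbols that point at font files shipped in the same directory.
	return plugins_url( 'assets/fonts/fonts.css', __FILE__ );
}

// Late priority so this runs after a default-priority enqueue by Core.
add_action( 'wp_enqueue_scripts', 'myaddon_swap_fonts', 100 );

function myaddon_swap_fonts() {
	// Handle name as documented above. It is dequeued, not deregistered,
	// so any stylesheet that lists it as a dependency still resolves.
	wp_dequeue_style( 'tempmails-google-fonts' );
	wp_enqueue_style( 'myaddon-fonts', myaddon_local_fonts_url(), array(), '1.0.0' );
}

// Safeguard: if the handle is still printed (enqueued later, for example
// while the shortcode renders, or pulled in as a dependency), rewrite its
// URL so the browser never contacts the Google Fonts CDN.
add_filter( 'style_loader_src', 'myaddon_rewrite_fonts_src', 10, 2 );

function myaddon_rewrite_fonts_src( $src, $handle ) {
	return 'tempmails-google-fonts' === $handle ? myaddon_local_fonts_url() : $src;
}
```

To verify, load a page containing [tempmails_inbox] with the browser network panel open and confirm there are no requests to fonts.googleapis.com or fonts.gstatic.com.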

Developers

This section documents internal implementation details, security practices,
and notes for addon developers.

Security Hardening Log

All security changes are tracked here for auditing purposes.

2026-04-04 — Security Review Pass (v1.0.7 patch)

  1. class-core.php — ajax_delete_message(): $_POST['message_id']
    was wp_unslash()-ed but not sanitized, with a phpcs:ignore
    suppression comment masking the warning. Now wrapped with
    sanitize_text_field( wp_unslash( … ) ). Suppression comment removed.

2026-04-02 — Security Review Pass (v1.0.7 patch)

  1. class-design.php — Removed raw <style> echo from render_page().
    Static CSS moved to assets/css/admin.css.
  2. class-design.php — inject_css_variables() refactored: replaced
    echo "…" with wp_add_inline_style('tempmails-admin', ...).
    All $v() return values now pass through esc_attr().
  3. class-design.php — inject_frontend_css_variables() refactored:
    all CSS values escaped with esc_attr(), wp_strip_all_tags() applied.
  4. class-design.php — wp_footer fallback replaced raw echo '<style>'
    with a dummy registered style handle.
  5. class-tempmails-shortcodes.php — Inline <script> replaced with
    wp_add_inline_script('tempmails-frontend', …).
  6. class-ecosystem.php — Inline <script> replaced with
    wp_add_inline_script('tempmails-admin', …).
  7. class-core.php — ajax_mark_seen(): sanitized with
    sanitize_text_field( wp_unslash( … ) ).
  8. class-admin.php — save_settings(): Raw $_POST replaced with
    $clean_post = array_map('sanitize_text_field', wp_unslash($_POST)).
  9. class-email-generator.php — get_emails(): Cookie data sanitized
    with array_values(array_filter(array_map('sanitize_email', $raw))).

Addon Development Notes

Hook Stability Guarantee

All hooks listed in the Hooks section are frozen. Signatures will
not change in any 1.x release. Breaking changes will only occur in a major
version bump with a migration guide.

$clean_post in save_settings hooks

As of the 2026-04-02 security patch, both tempmails_before_save_settings
and tempmails_before_save_imap_settings receive a sanitized copy of
$_POST. If your addon previously relied on raw values via these hooks,
retrieve those fields directly from $_POST with appropriate sanitization.
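
An addon callback that follows this note, added here as an example and not taken from Tempmails. It assumes the hook is an action whose only argument is the sanitized copy; the myaddon_* option names, field names and nonce are hypothetical.

```php
<?php
// Added example addon code. Assumptions: the hook is an action whose only
// argument is the sanitized copy; myaddon_* names and fields are hypothetical.
defined( 'ABSPATH' ) || exit;

add_action( 'tempmails_before_save_settings', 'myaddon_save_settings', 10, 1 );

function myaddon_save_settings( $clean_post ) {
	// The addon form prints wp_nonce_field( 'myaddon_save', 'myaddon_nonce' ).
	$nonce = isset( $clean_post['myaddon_nonce'] ) ? $clean_post['myaddon_nonce'] : '';
	if ( ! current_user_can( 'manage_options' ) || ! wp_verify_nonce( $nonce, 'myaddon_save' ) ) {
		return;
	}

	// Single-line field: the sanitized copy is sufficient.
	if ( isset( $clean_post['myaddon_label'] ) ) {
		update_option( 'myaddon_label', $clean_post['myaddon_label'] );
	}

	// Multi-line field: sanitize_text_field() collapses line breaks (and
	// returns '' for array values), so read this one from $_POST.
	if ( ! isset( $_POST['myaddon_blocked_domains'] ) || ! is_string( $_POST['myaddon_blocked_domains'] ) ) {
		return;
	}
	$raw = sanitize_textarea_field( wp_unslash( $_POST['myaddon_blocked_domains'] ) );

	$domains = array();
	foreach ( preg_split( '/\R/', $raw ) as $line ) {
		$line = strtolower( trim( $line ) );
		// Keep only syntactically valid host names, e.g. "example.org".
		if ( preg_match( '/^(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$/', $line ) ) {
			$domains[] = $line;
		}
	}
	update_option( 'myaddon_blocked_domains', array_values( array_unique( $domains ) ) );
}
```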

CSS Variable Injection

inject_css_variables() now attaches inline CSS to the tempmails-admin
style handle. If your addon dequeues tempmails-admin, Design color
variables will not be applied on admin pages.

inject_frontend_css_variables() uses a priority waterfall:

1. Attaches to tempmails-frontend if registered/enqueued
2. Falls back to tempmails-frontend-css
3. Registers a dummy handle tempmails-design-vars in wp_footer at
priority 1

File Structure

tempmails/
├── assets/
│   ├── css/
│   │   ├── admin.css
│   │   ├── frontend.css
│   │   └── ecosystem.css
│   └── js/
│       ├── admin.js
│       ├── admin-design.js
│       └── frontend.js
├── core/
│   ├── class-core.php
│   ├── class-admin.php
│   ├── class-design.php
│   ├── class-ecosystem.php
│   ├── class-email-generator.php
│   └── class-addon-handler.php
├── includes/
│   ├── class-tempmails-shortcodes.php
│   ├── class-tempmails-database.php
│   ├── class-tempmails-settings.php
│   ├── class-tempmails-imap.php
│   └── class-tempmails-fetcher.php
└── tempmails.php