Security & Privacy — How MailScout Handles Your Data
What we check, what we store, and what we never do
MailScout is designed with privacy as a core principle. We verify email addresses without ever sending an actual message, and we keep data retention to the minimum necessary. This page explains our security practices in detail.
Unlike some verification services that send a real message and then delete it, MailScout performs only DNS queries and SMTP handshake simulations. We ask the mail server 'does this mailbox exist?' using the SMTP VRFY and RCPT TO commands: no message body, no subject, no sender identity. The receiving server never delivers anything to the inbox. This is the gold standard for privacy-preserving email verification.
Verification results are cached for 7 days to improve performance for repeat checks. After 7 days, the record is eligible for cleanup. We do not sell, share, or analyze your verification data for any purpose other than providing the service. Email addresses are stored in our SQLite database with the domain separated — a design choice that adds a layer of structural privacy. We do not collect IP addresses, browser fingerprints, or usage analytics beyond basic request logging.
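The storage model described above (domain kept apart from the local part, 7-day cache window), as an added example that is not MailScout's own code. The table names, columns and status strings are assumptions, and timestamps are passed in as Unix seconds so the expiry logic can be checked.

```python
import sqlite3

TTL_SECONDS = 7 * 24 * 3600  # the 7-day cache window stated on this page

# Hypothetical schema: the domain lives in its own table, so a row in
# `results` holds only a local part and a numeric domain reference.
SCHEMA = """
CREATE TABLE domains (id INTEGER PRIMARY KEY, name TEXT UNIQUE NOT NULL);
CREATE TABLE results (
    domain_id  INTEGER NOT NULL REFERENCES domains(id),
    local_part TEXT NOT NULL,
    status     TEXT NOT NULL,
    checked_at INTEGER NOT NULL,          -- Unix seconds
    PRIMARY KEY (domain_id, local_part)
);
"""

def open_db():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    return db

def split_address(address):
    # Split on the last "@"; domains are case-insensitive, local parts are not.
    local, _, domain = address.rpartition("@")
    if not local or not domain:
        raise ValueError("not an email address")
    return local, domain.lower()

def store(db, address, status, now):
    local, domain = split_address(address)
    db.execute("INSERT OR IGNORE INTO domains(name) VALUES (?)", (domain,))
    (domain_id,) = db.execute(
        "SELECT id FROM domains WHERE name = ?", (domain,)).fetchone()
    db.execute("INSERT OR REPLACE INTO results VALUES (?, ?, ?, ?)",
               (domain_id, local, status, now))

def lookup(db, address, now):
    # A cached result is served only while it is younger than the TTL.
    local, domain = split_address(address)
    row = db.execute(
        "SELECT r.status FROM results r JOIN domains d ON d.id = r.domain_id "
        "WHERE d.name = ? AND r.local_part = ? AND r.checked_at > ?",
        (domain, local, now - TTL_SECONDS)).fetchone()
    return row[0] if row else None

def purge(db, now):
    # Delete expired results, then any domain row nothing refers to any more.
    cur = db.execute("DELETE FROM results WHERE checked_at <= ?",
                     (now - TTL_SECONDS,))
    db.execute("DELETE FROM domains WHERE id NOT IN (SELECT domain_id FROM results)")
    return cur.rowcount
```

Because `lookup` applies the same cutoff as `purge`, an expired record is never served even if the cleanup job has not run yet.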
All web traffic to MailScout is served over HTTPS with TLS 1.2+. Our SMTP verification engines attempt STARTTLS upgrade on every connection, falling back to plain text only when the server does not support encryption. The web application runs behind nginx with HSTS headers enabled. API requests should include your key in the Authorization header — never in the URL query string.
MailScout operates under a minimal-data philosophy that aligns with GDPR principles: data minimization, purpose limitation, and storage limitation. We process email addresses solely for verification purposes with legitimate interest as the legal basis. You have the right to request deletion of your data at any time by contacting us. We do not use cookies for tracking, do not embed third-party analytics, and do not share data with advertisers.
Because trust is simple: we ask for the minimum data needed, handle it securely, and delete it as soon as we can. If you have specific compliance requirements or need a Data Processing Agreement (DPA), reach out via our About page.