Back to Blog

How to Prevent Accidental Email Sends in Development

It's 3 PM on a Tuesday. Your staging server just sent 2,000 password reset emails to real customers. The support inbox is flooding. Your manager is on a call asking what happened.

This scenario plays out more often than anyone admits. A misconfigured SMTP setting, a seed script that uses production data, a developer who forgot to update their .env after pulling from main β€” and suddenly your test environment is emailing real people.

Here's how to make it structurally impossible.

Why accidental sends happen

The root cause is almost always the same: a non-production environment has access to a production email provider. The specifics vary:

  • Copy-pasted .env files with production SMTP credentials left in staging
  • Database dumps from production loaded into staging, complete with real email addresses
  • Shared SMTP credentials used across environments without realizing it
  • Missing environment guards in application code
  • CI pipelines that inherit environment variables from production configurations

The common thread is that the path between "test email" and "real inbox" has no safety net.

Layer 1: Use an SMTP sandbox

The most effective prevention is also the simplest: route all non-production email through an SMTP sandbox. The sandbox accepts every email your app sends but never delivers any of them to real recipients.

How it works

Instead of configuring staging to use SendGrid, Mailgun, or your production SMTP server, you point it at a testing service:

# .env (staging)
MAIL_MAILER=smtp
MAIL_HOST=smtp.sendpit.com
MAIL_PORT=587
MAIL_USERNAME=your-mailbox-credentials
MAIL_PASSWORD=your-mailbox-password
MAIL_ENCRYPTION=tls

Every email your app sends gets captured in the sandbox inbox. You can inspect the HTML, check headers, verify recipients β€” but nothing leaves the sandbox. It's structurally impossible for the email to reach a real person.

Tools like Sendpit, Mailtrap, or self-hosted Mailpit all work this way.

Layer 2: Environment-specific configuration

Don't rely on developers remembering to change their .env file. Build environment detection into your application.

Laravel

// config/mail.php
'default' => env('MAIL_MAILER', app()->isProduction() ? 'smtp' : 'smtp'),

// app/Providers/AppServiceProvider.php
public function boot(): void
{
    if (! app()->isProduction()) {
        config([
            'mail.mailers.smtp.host' => env('MAIL_HOST', 'smtp.sendpit.com'),
            'mail.mailers.smtp.port' => env('MAIL_PORT', 587),
        ]);
    }
}

Rails

# config/environments/staging.rb
config.action_mailer.smtp_settings = {
  address: ENV.fetch('MAIL_HOST', 'smtp.sendpit.com'),
  port: ENV.fetch('MAIL_PORT', 587),
}

Django

# settings/staging.py
EMAIL_HOST = os.environ.get('EMAIL_HOST', 'smtp.sendpit.com')
EMAIL_PORT = int(os.environ.get('EMAIL_PORT', 587))

The principle is the same across frameworks: non-production environments should default to a safe SMTP endpoint, even if the environment variable is missing.

Layer 3: Recipient allowlists

Some frameworks and email providers support recipient allowlists β€” a list of email addresses or domains that are allowed to receive mail. Everything else gets silently dropped or redirected.

Laravel Mail Interceptor

Laravel has a built-in way to redirect all mail in non-production environments:

// bootstrap/app.php
->withMiddleware(function (Middleware $middleware) {
    //
})

Or use the Mail::alwaysTo() method in your service provider:

if (app()->environment('staging', 'local')) {
    Mail::alwaysTo('[email protected]');
}

This ensures that even if your SMTP config points at a real provider, all emails go to your team's address instead of real customers.

Layer 4: Sanitize your database

If you load production data into staging for testing, those database rows contain real email addresses. Every email your staging app sends will go to real people unless you sanitize the data first.

During the dump

Strip or replace email addresses when creating your staging database dump:

-- PostgreSQL example
UPDATE users SET email = CONCAT('user_', id, '@test.example.com');
UPDATE customers SET contact_email = CONCAT('customer_', id, '@test.example.com');

Using a library

Laravel packages like spatie/laravel-db-snapshots or custom Artisan commands can automate this:

// Sanitize after restoring a production dump
User::query()->update([
    'email' => DB::raw("CONCAT('user_', id, '@test.example.com')"),
]);

The key is making sanitization part of your database restore process, not a manual step someone might forget.

Layer 5: CI pipeline safety

CI environments are particularly dangerous because they're automated. A misconfigured pipeline can send thousands of emails before anyone notices.

Use a dedicated SMTP sandbox for CI. Create a separate mailbox in your testing service specifically for CI runs. This gives you:

  • Isolation from manual testing emails
  • The ability to inspect emails sent during automated tests
  • Zero risk of production sends from CI

Never store production SMTP credentials in CI. If your CI system needs to send email (for integration tests), it should only have access to sandbox credentials.

Validate your configuration in CI. Add a check at the start of your pipeline:

# Fail the build if MAIL_HOST points at production
if [[ "$MAIL_HOST" == *"sendgrid"* ]] || [[ "$MAIL_HOST" == *"mailgun"* ]]; then
  echo "ERROR: CI is configured to use a production email provider"
  exit 1
fi

The defense-in-depth approach

No single layer is foolproof. The right approach is defense in depth:

  1. SMTP sandbox β€” catches everything, delivers nothing
  2. Environment config β€” defaults to safe settings
  3. Recipient allowlists β€” redirects mail even if the sandbox fails
  4. Database sanitization β€” removes real addresses from test data
  5. CI guards β€” prevents automated pipelines from using production credentials

With all five layers in place, an accidental send requires multiple simultaneous failures. That's the kind of safety margin you want when the alternative is emailing 2,000 real customers from staging.

Getting started

The fastest way to add a safety net is Layer 1: point your staging SMTP at a sandbox. You can do this in under five minutes:

  1. Sign up for Sendpit (free tier available) or install Mailpit locally
  2. Update your staging .env with the sandbox SMTP credentials
  3. Send a test email and verify it appears in the sandbox instead of a real inbox

Then gradually add the other layers as time allows. Each one reduces your risk surface. Together, they make accidental sends virtually impossible.

More from the blog

MailHog Is Dead. Here's What to Use Instead.

MailHog Is Dead. Here's What to Use Instead.

MailHog hasn't been updated since 2020. The project has 200+ open issues, no maintainer, and known bugs that will never be fixed. Here's what happened and what your options are now.