Test email address best practice

The following outlines best practice when it comes to testing software that requires you to enter an email address as part of an account setup process or login but where you are not testing the sending of any emails.

Most test environments lock down access to the outside world or route access through a firewall as a matter of best practice. However, for some it is hard to lock down access to a test environment completely. For example, it may be hosted in the cloud, or there may be a need to share access with external companies or individuals who are also working on the same project.

Where it is not possible to lock down a test environment completely, we advise that no real data is used and that, where volumes of test data are required, batch scripts are used to create the data.

Some may prefer, against advice, to use a copy of their own customer or user data to support the testing effort. In such a case we highly recommend that this data is scrambled or obscured first so that it is not possible to identify a real person or account information from it if it were to fall into the wrong hands.

Some testers have been known to use their own personal email address, or an email address that they believe is made up, when creating an account or login on a test system. This is also not recommended. A test system may start sending out emails if email access is made available for whatever reason. If any of the 'test' email addresses are real, then emails containing test data may be delivered to someone you never intended to receive that data, and the data may be of use to them. These emails may also expose the test system to unauthorised access attempts.

It is best practice that, where a tester needs to enter an email address into software under test, they use a made-up account that does not exist in the real world. The account should conform to a valid email format but it should never exist.

We have witnessed testers entering email addresses that they believe are made up because they use a domain name they know off by heart but change one or more characters. The problem with this method is that the email address or domain name may still be valid and may accept any emails sent to it.

New domain names are being registered every day. A quick whois lookup would show whether a domain name exists or not, but the fact that it does not exist today doesn't mean it won't exist tomorrow, next week or next month.

To prevent your test emails and test data from ever being sent to a real email account that you have no control over, we recommend that you use a top-level domain that does not exist in the real world. So instead of an email address that ends in .com or .co.uk etc., use .iop, as that is not a valid top-level domain name. Your emails won't go anywhere, giving you peace of mind that if anyone ever enabled an email server on any of your test environments, your test accounts cannot be used to send emails.
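
The following Python example is an addition to this article, not the author's own code. It scrambles the email addresses in a copy of user data into stable pseudonyms ending in .iop, and audits a list of test accounts for any address that could still reach a real mailbox. The function names, the "testdata" domain label, the key and the sample records are assumptions made for the example; its allow-list also includes .test, .example and .invalid, which RFC 2606 reserves for testing and documentation.

```python
import hashlib
import hmac
import re

# Endings approved for test accounts. ".iop" is the article's choice; the other
# three are reserved by RFC 2606 and are an addition made for this example.
SAFE_TLDS = {"iop", "test", "example", "invalid"}
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+")


def is_safe(address: str) -> bool:
    """True when the address ends in an approved, non-deliverable TLD."""
    return address.rsplit(".", 1)[-1].lower() in SAFE_TLDS


def scramble(address: str, key: bytes, tld: str = "iop") -> str:
    """Map an address to a stable pseudonym: the same input always gives the
    same output, so joins between tables survive, but the original cannot be
    recovered without the key (keep the key out of the test environment)."""
    normalised = address.strip().lower().encode()
    digest = hmac.new(key, normalised, hashlib.sha256).hexdigest()
    return f"user-{digest[:16]}@testdata.{tld}"  # "testdata" is a made-up label


def scrub_text(text: str, key: bytes) -> str:
    """Replace every deliverable address in a CSV dump or free text."""
    def swap(match: re.Match) -> str:
        found = match.group(0)
        return found if is_safe(found) else scramble(found, key)
    return EMAIL_RE.sub(swap, text)


def audit(addresses) -> list:
    """Return the addresses that could still reach a real mailbox."""
    return [a for a in addresses if not is_safe(a)]


# Constructed sample data; none of these records are real.
KEY = b"constructed-demo-key"
SAMPLE = (
    "id,name,email\n"
    "1,Jane Doe,Jane.Doe@shop-customer.co.uk\n"
    "2,Jane Doe (dup),jane.doe@shop-customer.co.uk\n"
    "3,QA account,tester1@qa.iop\n"
)

if __name__ == "__main__":
    scrubbed = scrub_text(SAMPLE, KEY)
    print(scrubbed)
    print("still deliverable:", audit(EMAIL_RE.findall(scrubbed)))
```

Running audit() over the account table of a test system before it is shared or given mail access shows which entries still need replacing.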

Article date: 28th February 2015