vsx.email

Instant DNS for self-hosted email sandboxes.

What This Is

vsx.email is a DNS server that gives any public IPv4 address an instant subdomain. No signup, no config, no waiting for propagation.

Your IP 203.0.113.10 → 1mzhr2y.vsx.email

We built this for VaultSandbox — a Docker container that receives email. The container needs a domain with MX records and a TLS certificate. This DNS service provides both without any setup.

How It Works

1
Your IPv4 address is encoded to base36: 203.0.113.10 → 1mzhr2y
2
Our DNS server probes your gateway: GET http://{ip}/.well-known/vaultsandbox
3
DNS queries resolve to your IP: 1mzhr2y.vsx.email → A and MX records

If you're running VaultSandbox, the probe endpoint is handled automatically. No setup required.

If the probe fails, you get NXDOMAIN. No gateway running = no DNS.

Why Sending Spam Won't Work

Before you get ideas: these domains are hardcoded to be useless for sending email.

Every subdomain returns these records:

Record	Value	Effect
`SPF`	`v=spf1 -all`	All outbound email fails SPF
`DMARC`	`p=reject; sp=reject`	Receiving servers reject spoofed mail
`DKIM`	`v=DKIM1; p=`	Empty key — no valid signatures possible

Gmail, Outlook, Yahoo, and any compliant mail server will reject email claiming to be from *.vsx.email. These domains can receive mail, not send it.

To send spam from here you'd need to:

Rent a server (costs money)
Keep port 80 open and serving our probe endpoint (effort)
Accept that your email goes straight to spam/reject anyway

It's easier to buy a $10 .xyz domain.

Additional protections:

CAA records: Only Let's Encrypt can issue certificates
Deep subdomain blocking: Only {base36}.vsx.email resolves — foo.{base36}.vsx.email returns NXDOMAIN
Private IP blocking: 10.x, 172.16-31.x, 192.168.x, localhost, etc. all fail
Rate limiting: Response Rate Limiting (RRL) enabled
No recursion: We only answer for *.vsx.email, nothing else
ANY query blocking: Returns HINFO per RFC 8482

DNS Records Reference

Root Domain: `vsx.email`

Type	Value	TTL	Notes
`A`	Bunny CDN IP	60s	CNAME flattening for landing page
`MX`	`0 .`	300s	Null MX (RFC 7505) — no mail accepted
`TXT`	`v=spf1 -all`	300s	Hard fail all senders
`NS`	`ns1.vsx.email`, `ns2.vsx.email`	300s

Gateway Subdomains: `{base36}.vsx.email`

Only returned if probe succeeds:

Type	Value	TTL
`A`	Your decoded IP	300s
`MX`	`10 {base36}.vsx.email.`	300s
`TXT` (SPF)	`v=spf1 -all`	300s
`CAA`	`0 issue "letsencrypt.org"`	300s

Email Security Records

For any valid gateway at {base36}.vsx.email:

Query	Type	Value
`_dmarc.{base36}.vsx.email`	TXT	`v=DMARC1; p=reject; sp=reject; adkim=s; aspf=s`
`*._domainkey.{base36}.vsx.email`	TXT	`v=DKIM1; p=`
`_mta-sts.{base36}.vsx.email`	TXT	`v=STSv1; id=20231025;`

Base36 Encoding

IPv4 → 32-bit integer → base36 string.

Enter your IP:

Enter an IP address

Examples:

IP Address      Base36      Domain
───────────────────────────────────────
203.0.113.10    1mzhr2y     1mzhr2y.vsx.email
8.8.8.8         2h4s9s      2h4s9s.vsx.email
1.2.3.4         a2f44       a2f44.vsx.email

Max 7 characters. Lowercase alphanumeric only.
IPv4 only. IPv6 would make subdomains too long.

Check-In API

GET https://api.vsx.email/check-in

Called by gateways at boot time to verify connectivity.

Success (200):

{
  "status": "ready",
  "ip": "203.0.113.10",
  "domain": "1mzhr2y.vsx.email",
  "message": "You are live! DNS is active."
}

Probe Failed (503):

{
  "status": "error",
  "ip": "203.0.113.10",
  "error": "Probe failed. Could not reach your gateway on port 80.",
  "action": "Please ensure port 80 is forwarded to your VaultSandbox container..."
}

Gateway Requirements

To get DNS resolution, your server must:

Have a public IPv4 address (no NAT/CGNAT without port forwarding)
Respond to GET http://{ip}/.well-known/vaultsandbox with HTTP 200
Keep port 80 open (required for probe and Let's Encrypt HTTP-01 challenge)

Important: The probe does not follow redirects. If your reverse proxy redirects HTTP → HTTPS, the probe will fail. Ensure /.well-known/vaultsandbox responds on port 80 without redirecting.

Blocked IP Ranges

These will never resolve:

Range	Reason
`0.0.0.0/8`	Current network
`10.0.0.0/8`	Private (RFC 1918)
`100.64.0.0/10`	CGNAT (RFC 6598)
`127.0.0.0/8`	Loopback
`169.254.0.0/16`	Link-local
`172.16.0.0/12`	Private (RFC 1918)
`192.168.0.0/16`	Private (RFC 1918)
`224.0.0.0/4`	Multicast
`240.0.0.0/4`	Reserved

Privacy

No analytics. We don't track users or keep long-term logs.

Test It

# Resolve the root domain
dig vsx.email A +short

# Check MX record
dig vsx.email MX +short

# See SPF
dig vsx.email TXT +short

# Test an invalid subdomain (should be NXDOMAIN)
dig invalid-test.vsx.email A

# Test a private IP (returns NXDOMAIN)
# 10.0.0.1 = base36 "2rvxtt"
dig 2rvxtt.vsx.email A

Questions

Why not just use sslip.io or nip.io?

Those only provide A records for HTTP/HTTPS. We provide A (for the API and ACME challenges) and MX (for SMTP). The other records (SPF, DMARC, DKIM) aren't needed for receiving email — they exist specifically to prevent sending.

Can I use this for non-VaultSandbox things?

Technically you can if you expose the probe endpoint. But please don't — this service exists for VaultSandbox users.

What if my IP changes?

Your domain changes too. {new-ip}.vsx.email will work as soon as you pass the probe.

Is this on the Public Suffix List?

We're applying. This matters for cookie isolation and Let's Encrypt rate limits.