I often come across test email addresses that people have created and I’m alarmed. It’s common to see something like firstname.lastname@example.org or email@example.com. But beware, these are real domains.
Consider the following example. You are working away on your site and you need to create a test admin user and you use something funky like the above. You do your thing and forget about it. Months later an email gets sent out to all the administrators on your site. And guess what you just sent an email out to a real domain. Someone reads it, comes to your site and uses the password recovery tool to get admin access to your site. Not good.
Now there’s a simple solution. Either use only email addresses at your own domain, or use something at example.com, example.org or example.net. These domain names are reserved for use in documentation and are not available for registration. Any email sent to them will essentially fall into a black hole.
On a somewhat related note it’s good practice to use the devel module on all of your non-production sites (development, QA, staging, testing etc.) to send all Drupal-generated emails to the watchdog log and not out into the internets.