The question isn't whether agents should have email access. It's how much rope you give them. Five oversight modes let you start locked down and loosen the leash as trust is earned.
Every MultiMail mailbox has an oversight mode. Modes form a progression from zero autonomy to full autonomy. Start restrictive. Upgrade when the agent proves it can be trusted.
The agent can see the inbox and read emails, but cannot send, reply, or take any action. Useful during onboarding or when you want an agent to monitor a mailbox without touching anything. Sends return 403.
Both inbound delivery and outbound sends require human approval. Nothing gets through without an explicit approve from the oversight address. For high-stakes mailboxes where every message matters.
Read (after approval) · Send (after approval)
The agent receives and reads email automatically, but outbound messages are held in an approval queue. The operator reviews each draft before it goes out. This is where most teams start. You get the productivity of automated reading with the safety net of human review on output.
Read · Send (after approval)
The agent sends and receives freely. Copies of all outbound messages go to the oversight address. No approval gate, but full visibility. Good for agents that have earned trust but still need a paper trail.
Read · Send · Human CC'd
No gates, no copies, no approval. The agent operates independently. Actions are still logged in the audit trail, and the oversight mode is still published in the identity header on every email. But the agent is fully trusted.
Read · Send · Full autonomy
In gated modes, the agent composes emails but can't send them. Each message enters an approval queue where a human reviews, edits, approves, or rejects before anything leaves the building.
The agent calls POST /v1/mailboxes/{id}/send with a markdown body, recipients, and subject. The API returns 202 Accepted instead of 200.
The message is held with status pending_send_approval. The operator gets a notification at their oversight email with a one-click review link.
The operator sees the full draft in the dashboard or calls the API directly. Two options: approve and send, or reject with a reason.
Approved emails are sent immediately with full identity headers. Rejected emails are logged with the reason. The agent can query the status at any time.
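The four steps above, worked through as an added example rather than MultiMail's own code: a small Go model of the service side of one mailbox, showing what the send call returns in each oversight mode and how the approval queue resolves a draft. Only gated_send, pending_send_approval, the 403 and 202 responses and the POST /v1/mailboxes/{id}/send endpoint come from the page; the other mode and status identifiers, the audit line format and the addresses are assumptions made for this example.

```go
package main

import (
	"errors"
	"fmt"
)

// OversightMode selects how much autonomy a mailbox grants its agent. Only
// gated_send is named on the page; the other identifiers are assumed here.
type OversightMode string

const (
	ModeReadOnly   OversightMode = "read_only"     // assumed name
	ModeGatedAll   OversightMode = "gated_all"     // assumed name
	ModeGatedSend  OversightMode = "gated_send"    // named on the page
	ModeHumanCC    OversightMode = "human_cc"      // assumed name
	ModeAutonomous OversightMode = "full_autonomy" // assumed name
)

// Draft statuses; only pending_send_approval appears on the page.
const StatusPending, StatusSent, StatusRejected = "pending_send_approval", "sent", "rejected"

// Draft is a message the agent asked to send, plus its review outcome.
type Draft struct {
	ID      int
	To, CC  []string
	Subject string
	Body    string // markdown body, as the page describes
	Status  string
}

// Mailbox is an in-memory stand-in for the service side of one mailbox.
type Mailbox struct {
	Mode      OversightMode
	Oversight string // address that receives review links and copies
	Drafts    map[int]*Draft
	Audit     []string // one line per action: actor, action, draft, detail
}

func NewMailbox(mode OversightMode, oversight string) *Mailbox {
	return &Mailbox{Mode: mode, Oversight: oversight, Drafts: map[int]*Draft{}}
}

func (m *Mailbox) log(actor, action string, id int, detail string) {
	m.Audit = append(m.Audit, fmt.Sprintf("%s %s draft=%d %s", actor, action, id, detail))
}

// Send models POST /v1/mailboxes/{id}/send and returns the HTTP status the
// page describes: 403 in read-only mode, 202 when the draft is queued for
// approval, 200 when it leaves at once (CC'ing oversight in the copy mode).
func (m *Mailbox) Send(agent string, to []string, subject, body string) (int, *Draft) {
	if m.Mode == ModeReadOnly {
		m.log(agent, "send_denied", 0, "mailbox is read-only")
		return 403, nil
	}
	d := &Draft{ID: len(m.Drafts) + 1, To: to, Subject: subject, Body: body, Status: StatusSent}
	m.Drafts[d.ID] = d
	switch m.Mode {
	case ModeGatedAll, ModeGatedSend:
		d.Status = StatusPending
		m.log(agent, "send_queued", d.ID, "review link sent to "+m.Oversight)
		return 202, d
	case ModeHumanCC:
		d.CC = append(d.CC, m.Oversight)
	}
	m.log(agent, "send", d.ID, "")
	return 200, d
}

// Review resolves a pending draft: approve releases it, reject logs the reason.
// Only the oversight address may act, so the agent cannot approve its own drafts.
func (m *Mailbox) Review(actor string, id int, approve bool, reason string) error {
	if actor != m.Oversight {
		m.log(actor, "review_denied", id, "not the oversight address")
		return errors.New("only the oversight address may review drafts")
	}
	d, ok := m.Drafts[id]
	if !ok || d.Status != StatusPending {
		return errors.New("no pending draft with that id")
	}
	if approve {
		d.Status = StatusSent
		m.log(actor, "approve", id, "")
	} else {
		d.Status = StatusRejected
		m.log(actor, "reject", id, reason)
	}
	return nil
}

func main() {
	mb := NewMailbox(ModeGatedSend, "oversight@example.com") // constructed addresses
	code, d := mb.Send("agent-7", []string{"customer@example.net"}, "Invoice", "Hi ...")
	fmt.Println(code, d.Status) // 202 pending_send_approval
	fmt.Println(mb.Review("agent-7", d.ID, true, "")) // the agent cannot self-approve
	fmt.Println(mb.Review("oversight@example.com", d.ID, true, ""), d.Status)
	fmt.Println(len(mb.Audit), "audit records")
}
```

Two details carry the security weight. The review path checks the actor before it touches the queue, so an agent holding the mailbox API key cannot approve the draft it just submitted, and a denied review is itself written to the audit trail rather than silently refused. Drafts are never deleted, which is what lets the agent poll a status at any time and lets an auditor answer "did a human approve this?" from one record.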
When an auditor asks "who sent this email, and did a human approve it?" you need a concrete answer. Not a guess. Not a log search across three systems. One API call.
Every agent action generates an audit record: sends, reads, approvals, rejections, oversight mode changes, API key rotations. Each record includes the actor, timestamp, IP, and the full context of what happened.
For compliance teams: Audit logs are immutable and retained for the life of the account. Export them via the API for integration with your existing SIEM or GRC tooling.
Every outbound email from a MultiMail address carries a cryptographically signed header declaring the operator, oversight mode, and verification status. No trust-me claims. Math.
The X-MultiMail-Identity header is a base64url-encoded JSON payload signed with ECDSA P-256. Anyone receiving the email can decode it and verify the signature against the public key at /.well-known/multimail-signing-key.
This means a recipient can verify: this email was composed by an AI agent, operated by Greenline Studios, running in gated_send mode (meaning a human approved it before it was sent), and the operator's identity has been verified.
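What that verification looks like on the receiving side, as an added example that is not MultiMail's code: the sender signs the identity payload with a P-256 key, publishes the public key, and the recipient loads the published key and checks the signature before reading any claim out of the header. Everything here is Go standard library. The page specifies base64url-encoded JSON, ECDSA P-256, the X-MultiMail-Identity header name and the /.well-known/multimail-signing-key path; the JSON field names, the "payload.signature" layout and the PEM form of the published key are assumptions for this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"encoding/base64"
	"encoding/json"
	"encoding/pem"
	"errors"
	"fmt"
	"strings"
)

// Identity is the JSON payload behind X-MultiMail-Identity: operator, mode and
// verification status, as the page lists them. Field names are assumptions.
type Identity struct {
	Operator         string `json:"operator"`
	OversightMode    string `json:"oversight_mode"`
	OperatorVerified bool   `json:"operator_verified"`
}

var b64 = base64.RawURLEncoding

// PublishKey renders the public key as PEM, the form assumed here for the
// document served at /.well-known/multimail-signing-key.
func PublishKey(pub *ecdsa.PublicKey) (string, error) {
	der, err := x509.MarshalPKIXPublicKey(pub)
	if err != nil {
		return "", err
	}
	return string(pem.EncodeToMemory(&pem.Block{Type: "PUBLIC KEY", Bytes: der})), nil
}

// LoadPublishedKey parses what a recipient fetched from that path and
// refuses anything that is not an ECDSA key on P-256.
func LoadPublishedKey(pemText string) (*ecdsa.PublicKey, error) {
	block, _ := pem.Decode([]byte(pemText))
	if block == nil {
		return nil, errors.New("no PEM block in published key")
	}
	key, err := x509.ParsePKIXPublicKey(block.Bytes)
	if err != nil {
		return nil, err
	}
	pub, ok := key.(*ecdsa.PublicKey)
	if !ok || pub.Curve != elliptic.P256() {
		return nil, errors.New("published key is not ECDSA P-256")
	}
	return pub, nil
}

// Sign builds "<base64url(payload)>.<base64url(ASN.1 signature)>"; the dotted
// layout is an assumption, the page specifies only base64url JSON + ECDSA P-256.
func Sign(priv *ecdsa.PrivateKey, id Identity) (string, error) {
	payload, err := json.Marshal(id)
	if err != nil {
		return "", err
	}
	digest := sha256.Sum256(payload)
	sig, err := ecdsa.SignASN1(rand.Reader, priv, digest[:])
	if err != nil {
		return "", err
	}
	return b64.EncodeToString(payload) + "." + b64.EncodeToString(sig), nil
}

// Verify checks the signature before parsing a single field, so the caller
// never acts on an operator name or oversight mode that was not signed.
func Verify(pub *ecdsa.PublicKey, header string) (Identity, error) {
	var id Identity
	parts := strings.Split(header, ".")
	if len(parts) != 2 {
		return id, errors.New("malformed header")
	}
	payload, err := b64.DecodeString(parts[0])
	if err != nil {
		return id, err
	}
	sig, err := b64.DecodeString(parts[1])
	if err != nil {
		return id, err
	}
	digest := sha256.Sum256(payload)
	if !ecdsa.VerifyASN1(pub, digest[:], sig) {
		return id, errors.New("signature does not verify against the published key")
	}
	err = json.Unmarshal(payload, &id)
	return id, err
}

func main() {
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // the sender's key pair
	header, _ := Sign(priv, Identity{"Greenline Studios", "gated_send", true})
	fmt.Println("X-MultiMail-Identity:", header)
	published, _ := PublishKey(&priv.PublicKey) // what the well-known path would serve
	pub, _ := LoadPublishedKey(published)
	id, err := Verify(pub, header)
	fmt.Printf("%+v %v\n", id, err)
}
```

The order inside Verify is the point: decode, check the signature, and only then unmarshal. A header whose payload was altered after signing (for example, an oversight mode rewritten from gated_send to full autonomy) fails at the signature check and never reaches the caller as a parsed Identity. In deployment the recipient fetches the PEM from the well-known path over HTTPS and caches it per signing domain rather than receiving it in-process as the demo does.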
Reputation isn't self-reported. It's calculated from actual sending behavior: bounce rates, complaint rates, engagement patterns, and account age. Updated daily. Privacy-preserving. No raw addresses exposed.
Every hard and soft bounce is recorded. High bounce rates trigger automatic warnings and, at thresholds, sending restrictions. Recipients see the bounce band (low, medium, high) in the reputation header.
Spam complaints flow back through feedback loops. If recipients mark agent emails as spam, the complaint rate rises and the reputation score drops. Persistent offenders are suspended.
New accounts start with limited sending capacity. As the account ages and maintains good metrics, limits increase. This prevents fly-by-night spammers from burning through fresh accounts.
Every outbound email includes an X-MultiMail-Reputation header. Recipients and receiving mail servers can check the sender's reputation before deciding whether to trust the message.
Bad actors don't just get flagged, they get throttled. Escalating enforcement tiers move from warnings to rate limits to suspension. No manual review required for clear violations.
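The reputation signals and enforcement ladder described above, worked through as an added example rather than MultiMail's scoring code. The page gives the signals (bounces, complaints, engagement, account age), the three bounce bands, the age-based ramp for new accounts and the warning, rate limit, suspension progression; the field layout, every threshold, the daily limits and the header format below are assumptions for this example.

```go
package main

import "fmt"

// Metrics is the daily roll-up the reputation score is computed from. The
// page names the signals (bounces, complaints, engagement, account age);
// the field layout and every threshold below are assumptions for this example.
type Metrics struct {
	Sent, SoftBounces, HardBounces, Complaints int
	AgeDays                                    int
}

func ratio(part, whole int) float64 {
	if whole <= 0 {
		return 0
	}
	return float64(part) / float64(whole)
}

// BounceRate counts hard and soft bounces; ComplaintRate divides by messages
// that were actually delivered, since bounced mail cannot be reported as spam.
func (m Metrics) BounceRate() float64 { return ratio(m.HardBounces+m.SoftBounces, m.Sent) }
func (m Metrics) ComplaintRate() float64 {
	return ratio(m.Complaints, m.Sent-m.HardBounces-m.SoftBounces)
}

// BounceBand is the low/medium/high band recipients see. Cut-offs assumed.
func BounceBand(rate float64) string {
	switch {
	case rate < 0.02:
		return "low"
	case rate < 0.05:
		return "medium"
	}
	return "high"
}

// Tier is the escalating enforcement level: warning, rate limit, suspension.
type Tier int

const (
	Clear Tier = iota
	Warning
	RateLimited
	Suspended
)

func (t Tier) String() string { return [...]string{"clear", "warning", "rate_limited", "suspended"}[t] }

// Enforce maps metrics to a tier with no manual step. Thresholds assumed;
// complaints weigh more than bounces, and a gross violation skips the ladder.
func Enforce(m Metrics) Tier {
	switch {
	case m.ComplaintRate() >= 0.01 || m.BounceRate() >= 0.10:
		return Suspended
	case m.ComplaintRate() >= 0.003 || m.BounceRate() >= 0.05:
		return RateLimited
	case m.BounceRate() >= 0.02:
		return Warning
	}
	return Clear
}

// DailyLimit ramps capacity with account age while metrics stay clean and
// clamps it once enforcement applies. Numbers assumed.
func DailyLimit(m Metrics) int {
	t := Enforce(m)
	switch {
	case t == Suspended:
		return 0
	case t == RateLimited:
		return 50
	case m.AgeDays < 7:
		return 100
	case m.AgeDays < 30:
		return 1000
	}
	return 10000
}

// ReputationHeader renders an X-MultiMail-Reputation value. Layout assumed;
// it carries a band, a rate and the age, never any address.
func ReputationHeader(m Metrics) string {
	return fmt.Sprintf("bounce=%s; complaints=%.2f%%; age_days=%d; tier=%s",
		BounceBand(m.BounceRate()), 100*m.ComplaintRate(), m.AgeDays, Enforce(m))
}

func main() {
	for _, m := range []Metrics{ // constructed daily roll-ups
		{Sent: 1000, SoftBounces: 20, HardBounces: 10, AgeDays: 45}, // 3% bounces
		{Sent: 500, SoftBounces: 5, Complaints: 5, AgeDays: 3},      // about 1% complaints
		{Sent: 40, AgeDays: 2},                                      // clean new account
	} {
		fmt.Println(ReputationHeader(m), "limit/day:", DailyLimit(m))
	}
}
```

Two design choices worth noting. Complaint rate is computed over delivered mail, not over everything sent, so a sender cannot dilute complaints by also generating bounces. And the ladder is not strictly sequential: a gross violation (a complaint rate at or above 1% in this example) goes straight to suspension, which is what "no manual review required for clear violations" has to mean in code.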
Any recipient can look up the reputation of a MultiMail sender. The HMAC-based lookup preserves privacy while allowing verification. No email addresses are exposed in the process.
Graduated oversight, approval queues, audit trails, and verifiable identity. Everything your compliance team needs to say yes.