Changelog
What's new in MultiMail -- latest updates, features, and improvements.
Closed 3 critical/high findings from adversarial threat model. Scope combinations: API keys can no longer combine send and oversight scopes, preventing self-approval attacks on gated_send oversight. Oversight scope escalation via PATCH now requires admin approval. Webhook bypass closed: update_mailbox no longer accepts webhook_url — webhook changes must go through create_webhook's approval gate. Timing-safe codes: upgrade code verification now uses constant-time comparison. MCP tool descriptions updated with prompt injection warnings across the board.
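Added example, not MultiMail's own code: a sketch of the checks this entry describes (send/oversight separation on API keys, approval-gated oversight escalation on PATCH, update_mailbox refusing webhook_url, and constant-time code comparison). Only the scope names "send" and "oversight" and the field webhook_url come from the changelog; function names, return shapes and error strings are assumptions.

```javascript
// Added illustration; function names, return shapes and messages are assumptions.
// Only "send", "oversight" and "webhook_url" are taken from the changelog.

const CONFLICTING = [['send', 'oversight']]; // pairs one key may not hold together

// Separation of duties: a key that can send must not also be able to approve.
function validateScopes(scopes) {
  const set = new Set(scopes);
  for (const [a, b] of CONFLICTING) {
    if (set.has(a) && set.has(b)) {
      return { ok: false, reason: `scopes "${a}" and "${b}" cannot be combined` };
    }
  }
  return { ok: true };
}

// PATCH on an existing key: check the resulting set, and route any newly
// added "oversight" scope to approval instead of applying it directly.
function evaluateScopePatch(current, requested) {
  const combo = validateScopes(requested);
  if (!combo.ok) return { action: 'reject', reason: combo.reason };
  const gainsOversight =
    requested.includes('oversight') && !current.includes('oversight');
  return gainsOversight ? { action: 'pending_admin_approval' } : { action: 'apply' };
}

// update_mailbox: refuse webhook_url so it cannot sidestep the approval gate.
function validateMailboxUpdate(body) {
  if (Object.prototype.hasOwnProperty.call(body, 'webhook_url')) {
    return { ok: false, reason: 'webhook_url must be changed via create_webhook' };
  }
  return { ok: true };
}

// Constant-time string comparison: walks the full length every time and
// folds each byte difference into one accumulator, with no early exit.
function constantTimeEqual(a, b) {
  const x = new TextEncoder().encode(a);
  const y = new TextEncoder().encode(b);
  let diff = x.length ^ y.length; // a length mismatch alone makes diff non-zero
  const n = Math.max(x.length, y.length);
  for (let i = 0; i < n; i++) {
    diff |= (x[i] ?? 0) ^ (y[i] ?? 0);
  }
  return diff === 0;
}
```

In Node.js, crypto.timingSafeEqual on equal-length buffers is the library-provided alternative to the hand-written loop.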
Branded activation flow replaces the raw API confirmation page. New /confirm and /welcome pages walk new operators through oversight mode selection, API key display, Quill's test email, and agent setup (MCP prompt + config in one copy-paste). Pricing signup adds a use-case picker (Support / Notifications / Scheduling / Other) and oversight mode picker (Training Wheels / Full Review / YOLO Mode). The chosen mode and use case flow through signup → confirm → mailbox creation end-to-end.
Agents can now create accounts entirely through MCP: request_challenge + create_account tools with ALTCHA proof-of-work. New /onboard public MCP endpoint on remote server — no OAuth required. PoW now enforced on all signups. 40 tools total.
ai_disclosure parameter on mailbox tools enables Article 50 compliance. Signed identity claims include ai_generated boolean. Outbound emails from AI mailboxes include X-AI-Generated: true header.
Webhook, API key, and mailbox creation now require operator email approval. read_email separates trusted metadata from untrusted body content. Formally verified security proofs (Lean 4) across 82 endpoints.
Large attachments (>50KB) now return a presigned download URL valid for 1 hour instead of inline base64. Email parser preserves original body in forwarded and replied messages, and strips Fwd:/Re: subject prefixes.
New schedule_email tool for scheduling emails for future delivery. Edit or cancel before they send. Also added configure_mailbox for first-run onboarding with soft-nudge. 38 MCP tools total.
Published dedicated landing pages for ai-agent-email-api, mcp-email-server, and agent-email-oversight to help developers discover MultiMail through search.
Added integration guides and examples for LangChain, CrewAI, AutoGen, LlamaIndex, and Vercel AI SDK. Ship email-capable agents in any major framework.
Published the official TypeScript SDK to npm. Typed client for all API endpoints with built-in error handling and retry logic.
Released the Python SDK for MultiMail. Async-first design with Pydantic models for all request and response types.
Added sitemap.xml and JSON-LD structured data to the homepage for better search engine indexing and rich results.
Deployed a dedicated webhook relay worker for more reliable delivery. Also redesigned the verify reputation section in the dashboard.
Added admin dashboard API endpoints for account management and usage monitoring. Staging environment now fully operational with environment-aware verify and unsubscribe URLs.
Fixed mailbox creation for root domains (e.g., [email protected] instead of only subdomains). Moved unsubscribe link below agent footer for cleaner emails.
Shipped 35 tools in the MCP server -- the most complete email toolset for AI agents. Published to npm as @multimail/mcp-server and listed on the official MCP Registry.
Operators can now approve or reject outbound emails via one-click HMAC-signed URLs. No login required -- just click the link in the notification.
Introduced four oversight modes for graduated trust: gated_all, gated_send, monitored, and autonomous. Agents start supervised and earn autonomy over time.
Every outbound email now includes verifiable identity headers -- operator name, oversight mode, and a verification URL. Recipients can confirm an agent's identity before trusting the message.
All inbound attachments are now scanned with ClamAV before delivery. Infected files are quarantined and the agent is notified.
Emails are now grouped into threads using In-Reply-To and References headers. Agents can follow full conversation history with a single API call.
Added a full contacts API -- create, search, tag, and delete contacts. Agents can build and maintain their own address books.
Configure webhook URLs per mailbox to get notified instantly when new email arrives or an outbound message needs approval. HMAC-signed payloads for verification.
MultiMail goes live. API worker built on Cloudflare Workers with D1, R2, KV, and Queues. Postmark integration for reliable delivery. Stripe billing with four tiers from free to Scale.