Changelog

Split 4 MCP tools that mixed safe (GET) and unsafe (POST/PUT/DELETE) HTTP methods into 10 single-method tools. tag_email → get_tags + set_tags + delete_tag. manage_contacts → search_contacts + add_contact + delete_contact. manage_suppression → list_suppression + remove_suppression. manage_webhooks → list_webhooks + delete_webhook. Each tool now uses exactly one HTTP method, satisfying the Claude connector directory review criteria. 50 tools total.

Operators can now define a per-mailbox allowlist of approved recipient addresses and domain wildcards. Emails to allowlisted recipients bypass gated_send and gated_all oversight queues — sent immediately without human approval. Emails to non-listed recipients still require approval. Three new MCP tools: list_allowlist, add_allowlist_entry, remove_allowlist_entry. Approval lockout after 5 failed codes. HMAC-SHA256 signing on bypass webhook notifications. 50 tools total.

Five-phase rollout: client-side click-ID and UTM capture to localStorage, server-side attribution persistence on signup endpoints, Consent Mode v2 banner with EEA/GPC detection, consent-gated Meta Pixel and Google Ads gtag.js, and atomic first_send_at timestamp on first successful outbound send. New Cookies & Tracking disclosure page. Privacy policy updated with consent legal basis and accurate tracking inventory.

Updated the stdio MCP server and Cloudflare worker to the current MCP SDK registration API, migrated the worker to newer Cloudflare agents and Zod dependencies, preserved KV tool-usage tracking through a typed registration helper, and unified mailbox ID guidance across mirrored tools. No tool API changes.

Four new pages mapping MultiMail to recent agent-platform launches: Microsoft Agent 365 / Entra Agent ID, Stripe Projects.dev CLI provisioning, ServiceNow AI Gateway (one-click MCP registry import), and Mastercard Verifiable Intent for end-to-end signed agent action chains.

Closed 3 critical/high findings from adversarial threat model. Scope combinations: API keys can no longer combine send and oversight scopes, preventing self-approval attacks on gated_send oversight. Oversight scope escalation via PATCH now requires admin approval. Webhook bypass closed: update_mailbox no longer accepts webhook_url — webhook changes must go through create_webhook's approval gate. Timing-safe codes: upgrade code verification now uses constant-time comparison. MCP tool descriptions updated with prompt injection warnings across the board.

Branded activation flow replaces the raw API confirmation page. New /confirm and /welcome pages walk new operators through oversight mode selection, API key display, Quill's test email, and agent setup (MCP prompt + config in one copy-paste). Pricing signup adds a use-case picker (Support / Notifications / Scheduling / Other) and oversight mode picker (Training Wheels / Full Review / YOLO Mode). The chosen mode and use case flow through signup → confirm → mailbox creation end-to-end.

Agents can now create accounts entirely through MCP: request_challenge + create_account tools with ALTCHA proof-of-work. New /onboard public MCP endpoint on remote server — no OAuth required. PoW now enforced on all signups. 50 tools total.

ai_disclosure parameter on mailbox tools enables Article 50 compliance. Signed identity claims include ai_generated boolean. Outbound emails from AI mailboxes include X-AI-Generated: true header.

Webhook, API key, and mailbox creation now require operator email approval. read_email separates trusted metadata from untrusted body content. Formally verified security proofs (Lean 4) across 82 endpoints. See proofs →

Large attachments (>50KB) now return a presigned download URL valid for 1 hour instead of inline base64. Email parser preserves original body in forwarded and replied messages, and strips Fwd:/Re: subject prefixes.

New schedule_email tool for scheduling emails for future delivery. Edit or cancel before they send. Also added configure_mailbox for first-run onboarding with soft-nudge. 38 MCP tools total.

Published dedicated landing pages for ai-agent-email-api, mcp-email-server, and agent-email-oversight to help developers discover MultiMail through search.

Added integration guides and examples for LangChain, CrewAI, AutoGen, LlamaIndex, and Vercel AI SDK. Ship email-capable agents in any major framework.

Published the official TypeScript SDK to npm. Typed client for all API endpoints with built-in error handling and retry logic.

Released the Python SDK for MultiMail. Async-first design with Pydantic models for all request and response types.

Added sitemap.xml and JSON-LD structured data to the homepage for better search engine indexing and rich results.

Deployed a dedicated webhook relay worker for more reliable delivery. Also redesigned the verify reputation section in the dashboard.

Added admin dashboard API endpoints for account management and usage monitoring. Staging environment now fully operational with environment-aware verify and unsubscribe URLs.

Fixed mailbox creation for root domains (e.g., [email protected] instead of only subdomains). Moved unsubscribe link below agent footer for cleaner emails.

Shipped 35 tools in the MCP server -- the most complete email toolset for AI agents. Published to npm as @multimail/mcp-server and listed on the official MCP Registry.

Operators can now approve or reject outbound emails via one-click HMAC-signed URLs. No login required -- just click the link in the notification.

Introduced four oversight modes for graduated trust: gated_all, gated_send, monitored, and autonomous. Agents start supervised and earn autonomy over time.

Every outbound email now includes verifiable identity headers -- operator name, oversight mode, and a verification URL. Recipients can confirm an agent's identity before trusting the message.

All inbound attachments are now scanned with ClamAV before delivery. Infected files are quarantined and the agent is notified.

Emails are now grouped into threads using In-Reply-To and References headers. Agents can follow full conversation history with a single API call.

Added a full contacts API -- create, search, tag, and delete contacts. Agents can build and maintain their own address books.

Configure webhook URLs per mailbox to get notified instantly when new email arrives or an outbound message needs approval. HMAC-signed payloads for verification.

MultiMail goes live. API worker built on Cloudflare Workers with D1, R2, KV, and Queues. Postmark integration for reliable delivery. Stripe billing with four tiers from free to Scale.