AI agents in crypto handle wallet recovery, security alerts, and OFAC-adjacent communications. MultiMail enforces gated approvals and full audit trails on every send.
Crypto and Web3 organizations face a threat model that most industries do not: users are conditioned to expect phishing attempts, regulators are still writing the rules, and a single misdirected email touching an asset or identity claim can create legal exposure under FinCEN guidance, SEC digital asset frameworks, or OFAC sanctions programs. At the same time, the volume of operational email — transaction confirmations, staking rewards, incident reports, community updates — is high and growing as protocols automate more of their support and governance workflows. AI agents are a natural fit for this volume, but only when the email layer enforces controls that match the risk. An autonomous agent sending a token promotion without human review is a compliance event waiting to happen. The right architecture gates asset-adjacent sends, logs everything, and keeps humans in the approval loop for anything that could be construed as a financial promotion or identity assertion.
Web3 users are trained to distrust emails claiming to involve wallets, recoveries, or transfers. Any agent-generated email touching these topics must come from authenticated domains with strict DMARC enforcement and must not contain patterns that trigger user suspicion or spam filters.
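A practical way to check the "strict DMARC enforcement" the paragraph above calls for is to parse the sending domain's DMARC TXT record and flag anything weaker than p=reject with strict alignment. The checker below is an added example, not MultiMail code; it does no DNS lookup (the record would normally be fetched from `_dmarc.<domain>`), and the sample records and `example.invalid` addresses are constructed for illustration.

```python
"""Evaluate whether a DMARC TXT record enforces the strict policy that
wallet-, recovery- and transfer-related mail should be sent under.

Added example. The records in __main__ are constructed, not fetched from
DNS; in practice the record comes from the TXT record at _dmarc.<domain>.
"""

# Higher rank = stronger handling of mail that fails DMARC.
POLICY_RANK = {"none": 0, "quarantine": 1, "reject": 2}


def parse_dmarc(record: str) -> dict:
    """Split a DMARC record into its tag=value pairs (tag names lower-cased)."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part or "=" not in part:
            continue
        key, _, value = part.partition("=")
        tags[key.strip().lower()] = value.strip()
    return tags


def dmarc_findings(record: str) -> list:
    """Return a list of weaknesses; an empty list means the record is strict.

    Strict here means: a DMARC1 record with p=reject, no explicit weaker
    subdomain policy, pct=100 (or absent, which defaults to 100), strict
    DKIM and SPF alignment, and an aggregate-report address so spoofing
    attempts against the domain are actually seen.
    """
    tags = parse_dmarc(record)
    findings = []

    if tags.get("v", "").upper() != "DMARC1":
        return ["not a DMARC1 record"]

    policy = tags.get("p", "").lower()
    if policy not in POLICY_RANK:
        findings.append("missing or invalid p= policy")
    elif POLICY_RANK[policy] < POLICY_RANK["reject"]:
        findings.append(f"p={policy} does not reject spoofed mail")

    # sp= defaults to p=; an explicit weaker sp= leaves subdomains spoofable.
    if "sp" in tags:
        sub_policy = tags["sp"].lower()
        if sub_policy in POLICY_RANK and POLICY_RANK[sub_policy] < POLICY_RANK["reject"]:
            findings.append(f"sp={sub_policy} leaves subdomains unprotected")

    # pct= defaults to 100; anything lower applies the policy to a sample only.
    pct_raw = tags.get("pct", "100")
    if not pct_raw.isdigit() or int(pct_raw) < 100:
        findings.append(f"pct={pct_raw} applies policy to only part of the mail stream")

    # Relaxed alignment (the default) lets any subdomain of the org domain align,
    # which is what look-alike subdomain phishing relies on.
    for tag, name in (("adkim", "DKIM"), ("aspf", "SPF")):
        if tags.get(tag, "r").lower() != "s":
            findings.append(f"{name} alignment is relaxed ({tag}=r)")

    if "rua" not in tags:
        findings.append("no rua= aggregate report address, so abuse goes unseen")

    return findings


def is_strict(record: str) -> bool:
    """True only when dmarc_findings() reports nothing."""
    return not dmarc_findings(record)


if __name__ == "__main__":
    # Constructed sample records for illustration.
    samples = {
        "strict": "v=DMARC1; p=reject; sp=reject; pct=100; adkim=s; aspf=s; rua=mailto:dmarc@example.invalid",
        "monitor-only": "v=DMARC1; p=none; rua=mailto:dmarc@example.invalid",
        "sampled": "v=DMARC1; p=reject; pct=25; adkim=s; aspf=s; rua=mailto:dmarc@example.invalid",
    }
    for label, rec in samples.items():
        print(label, "->", dmarc_findings(rec) or "OK")
```

Run it against the record you actually publish before pointing agent-sent wallet or recovery mail at a domain; a p=none or sampled record means a spoofed copy of the same notice is just as deliverable as the genuine one.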
Communications related to account restrictions, jurisdiction blocks, or flagged transactions must be timely, accurate, and tied to a compliance workflow. An AI agent that sends or delays these notices incorrectly creates regulatory exposure under OFAC sanctions programs.
Emails about token launches, staking yields, or reward programs can constitute regulated financial promotions under SEC digital asset guidance and equivalent frameworks in other jurisdictions. Agent-generated promotional content requires human review before delivery.
Custody incidents, smart contract exploits, and access breaches require fast, accurate outbound communication to affected users. Delayed or templated responses erode trust and may trigger disclosure obligations depending on jurisdiction and data involved.
Under FinCEN guidance and SEC examination procedures, organizations may need to demonstrate what communications were sent, when, to whom, and who approved them. Email infrastructure that lacks per-message audit records is a compliance gap.
Set oversight_mode to gated_send so AI agents can compose transaction confirmations, wallet recovery notices, and staking updates autonomously, but every outbound message waits in a pending queue until a human reviewer approves it. Agents call list_pending and decide_email to surface the queue; your compliance team sees the full message before it leaves your infrastructure.
Token launch emails, yield announcements, and reward program communications carry the highest regulatory risk. Use gated_all so every action — including reads that could inform promotional targeting — requires explicit human sign-off. This creates a documented approval chain that satisfies internal compliance review before any message touches user inboxes.
Protocol updates, governance vote reminders, and maintenance window notices are lower risk but still benefit from visibility. monitored mode lets AI agents send autonomously while routing a BCC copy to your compliance mailbox. Your team sees every outbound message without blocking delivery velocity.
Time-sensitive security alerts — smart contract pause notifications, custody platform incidents, suspicious login detections — need to reach users in seconds, not after a queue review. autonomous mode with webhook-driven triggers lets agents fire pre-approved alert templates the moment your monitoring systems detect an event. Templates are reviewed and approved at setup time, not per-send.
Compliance and fraud detection agents that monitor inbound mail for sanctions keywords, phishing reports, or account recovery abuse patterns do not need send access. read_only mode gives these agents full check_inbox and read_email access with zero outbound capability — containing the blast radius if an agent is compromised or misbehaves.
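The five modes above describe a small state machine: some actions go out immediately, some wait in a queue for a named approver, some are refused outright, and every one of them leaves a record. The following in-memory model is an added example that mirrors that behaviour so the policy can be reasoned about and tested offline; it is not the MultiMail SDK, the class and method names are assumptions, and the `example.invalid` addresses are constructed. One deliberate model choice, flagged in the code, is that autonomous sends are refused unless they name a template approved at setup time.

```python
"""Reference model of graduated oversight for agent-sent email (added example,
not the MultiMail SDK). Every action, whether delivered, queued, rejected or
blocked, is appended to an audit list with mode, timestamps and approver."""
from dataclasses import dataclass, field
from datetime import datetime, timezone
import itertools

_ids = itertools.count(1)


def _now() -> str:
    return datetime.now(timezone.utc).isoformat()


@dataclass
class Action:
    """One agent-initiated action and its lifecycle, kept for audit."""
    action_id: str
    kind: str          # "send" or "read"
    mailbox: str
    target: str        # recipient for sends, message id for reads
    subject: str
    mode: str
    status: str        # pending | done | rejected | blocked
    created_at: str
    decided_at: str = ""
    approver: str = ""
    reason: str = ""
    metadata: dict = field(default_factory=dict)


class OversightMailbox:
    MODES = ("autonomous", "monitored", "gated_send", "gated_all", "read_only")
    GATES = {"gated_send": {"send"}, "gated_all": {"send", "read"}}

    def __init__(self, mailbox, mode, compliance_bcc="", approved_templates=()):
        if mode not in self.MODES:
            raise ValueError(f"unknown oversight mode {mode!r}")
        self.mailbox, self.mode = mailbox, mode
        self.compliance_bcc = compliance_bcc          # used by monitored mode
        self.approved_templates = set(approved_templates)
        self.audit = []    # append-only list of Action
        self.outbox = []   # (to, bcc, subject) tuples actually delivered

    def _record(self, kind, target, subject, status, reason="", metadata=None) -> Action:
        act = Action(f"act_{next(_ids)}", kind, self.mailbox, target, subject,
                     self.mode, status, _now(), reason=reason, metadata=dict(metadata or {}))
        self.audit.append(act)
        return act

    def _deliver(self, act: Action):
        bcc = self.compliance_bcc if self.mode == "monitored" else ""
        self.outbox.append((act.target, bcc, act.subject))

    def send_email(self, to, subject, body, template=None, metadata=None) -> Action:
        if self.mode == "read_only":
            return self._record("send", to, subject, "blocked", "mailbox has no send capability", metadata)
        if self.mode == "autonomous":
            # Model choice (assumption): autonomous sends must use a template approved at setup.
            if template not in self.approved_templates:
                return self._record("send", to, subject, "blocked", "template not pre-approved", metadata)
            act = self._record("send", to, subject, "done", f"template:{template}", metadata)
            self._deliver(act)
            return act
        if "send" in self.GATES.get(self.mode, set()):
            return self._record("send", to, subject, "pending", metadata=metadata)
        act = self._record("send", to, subject, "done", "monitored, bcc to compliance", metadata)
        self._deliver(act)
        return act

    def read_email(self, message_id) -> Action:
        # Only gated_all puts reads in the queue; every other mode reads freely.
        status = "pending" if "read" in self.GATES.get(self.mode, set()) else "done"
        return self._record("read", message_id, "", status)

    def list_pending(self) -> list:
        return [a for a in self.audit if a.status == "pending"]

    def decide_email(self, action_id, decision, approver, reason="") -> Action:
        act = next((a for a in self.audit if a.action_id == action_id), None)
        if act is None or act.status != "pending":
            raise LookupError(f"{action_id} is not awaiting a decision")
        if decision not in ("approve", "reject"):
            raise ValueError("decision must be 'approve' or 'reject'")
        act.status = "done" if decision == "approve" else "rejected"
        act.decided_at, act.approver, act.reason = _now(), approver, reason
        if act.status == "done" and act.kind == "send":
            self._deliver(act)
        return act

    def audit_trail(self, action_id) -> list:
        return [a for a in self.audit if a.action_id == action_id]


if __name__ == "__main__":
    box = OversightMailbox("transactions@example.invalid", "gated_send")
    queued = box.send_email("user@example.invalid", "ETH Transfer Confirmed", "...",
                            metadata={"tx_hash": "0xTESTHASH"})
    print(queued.status, box.outbox)                  # pending []
    for act in box.list_pending():
        box.decide_email(act.action_id, "approve", "reviewer@example.invalid")
    print(box.audit_trail(queued.action_id)[0].approver, box.outbox)
```

The point the model makes explicit is that the audit record is written when the action is attempted, not when it is delivered: a rejected promotion and a blocked send from a read_only mailbox are both visible to an examiner, which is the record the FinCEN and SEC requirements later on this page ask for.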
```python
import multimail

client = multimail.Client(
    api_key="mm_live_...",
    oversight_mode="gated_send"
)

# Called by agent after detecting confirmed on-chain transfer
def send_transfer_confirmation(to_address: str, user_email: str, amount: str, token: str, tx_hash: str):
    result = client.send_email(
        mailbox="[email protected]",
        to=user_email,
        subject=f"{token} Transfer Confirmed",
        body=(
            f"Your transfer of {amount} {token} has been confirmed on-chain.\n\n"
            f"Transaction: {tx_hash}\n"
            f"To address: {to_address}\n\n"
            "If you did not initiate this transfer, contact support immediately."
        ),
        tags=["transaction", "confirmation", token.lower()],
        metadata={
            "tx_hash": tx_hash,
            "token": token,
            "amount": amount
        }
    )
    # result.status == "pending" — waits for human approval
    return result.message_id

# Compliance reviewer approves pending messages
def approve_pending():
    pending = client.list_pending(limit=50)
    for msg in pending.messages:
        # Review msg.subject, msg.body, msg.metadata before approving
        client.decide_email(message_id=msg.id, decision="approve")
```

An AI agent composes a transaction confirmation after an on-chain event fires. The message enters the pending queue rather than sending immediately. A compliance reviewer approves or rejects it via the API before delivery.
```python
import multimail

client = multimail.Client(
    api_key="mm_live_...",
    oversight_mode="gated_all"
)

def send_account_restriction_notice(user_email: str, restriction_type: str, case_id: str):
    """
    Sends OFAC-adjacent account restriction notice.
    gated_all ensures compliance team reviews before delivery.
    All sends are logged with case_id for audit trail.
    """
    result = client.send_email(
        mailbox="[email protected]",
        to=user_email,
        subject="Important Notice Regarding Your Account",
        body=(
            "We are writing to inform you that your account has been placed under review "
            f"({restriction_type}) in accordance with our regulatory compliance obligations.\n\n"
            f"Case reference: {case_id}\n\n"
            "Access to certain services may be limited during this review. "
            "You may receive a follow-up request for additional documentation. "
            "For questions, reply to this message."
        ),
        tags=["compliance", "ofac-review", restriction_type],
        metadata={
            "case_id": case_id,
            "restriction_type": restriction_type,
            "requires_legal_review": True
        }
    )
    return result.message_id

def get_audit_log(message_id: str):
    """Retrieve full send record including approver and timestamp."""
    return client.read_email(message_id=message_id)
```

When a compliance workflow flags a user account for sanctions screening review, an agent sends a jurisdiction restriction notice. It uses gated_all so both the read context and the outbound notice require approval before any action completes.
```python
import multimail
from datetime import datetime, timezone

client = multimail.Client(
    api_key="mm_live_...",
    oversight_mode="autonomous"  # Templates pre-approved at setup
)

def broadcast_security_incident(
    incident_type: str,
    affected_systems: list[str],
    user_emails: list[str],
    incident_id: str
):
    """
    Sends pre-approved security alert to affected users.
    autonomous mode fires immediately — appropriate only for
    templates that have been reviewed and approved in advance.
    """
    sent_ids = []
    timestamp = datetime.now(timezone.utc).isoformat()
    for email in user_emails:
        result = client.send_email(
            mailbox="[email protected]",
            to=email,
            subject=f"Security Notice: {incident_type}",
            body=(
                f"We detected a security incident affecting: {', '.join(affected_systems)}.\n\n"
                f"Detected at: {timestamp}\n"
                f"Incident ID: {incident_id}\n\n"
                "Our team is actively responding. As a precaution:\n"
                "- Review recent account activity\n"
                "- Do not share seed phrases or private keys with anyone, including support staff\n"
                "- We will never ask for your private key via email\n\n"
                "We will send a follow-up within 2 hours with full details."
            ),
            tags=["security", "incident", incident_type.lower().replace(" ", "-")],
            metadata={
                "incident_id": incident_id,
                "incident_type": incident_type,
                "broadcast_timestamp": timestamp
            }
        )
        sent_ids.append(result.message_id)
    return sent_ids
```

A monitoring agent fires pre-approved security alert templates when an incident is detected. It uses autonomous mode with webhook delivery confirmation so that time-sensitive alerts reach users without queue delays.
```python
import multimail

client = multimail.Client(api_key="mm_live_...")

def process_phishing_reports():
    """
    Reads inbound abuse reports, tags by severity,
    and sends acknowledgment replies.
    """
    inbox = client.check_inbox(
        mailbox="[email protected]",
        limit=25,
        unread_only=True
    )
    for msg in inbox.messages:
        email = client.read_email(message_id=msg.id)

        # Tag for triage
        severity = "high" if any(
            keyword in email.body.lower()
            for keyword in ["wallet", "seed phrase", "private key", "recovery"]
        ) else "standard"
        client.tag_email(
            message_id=msg.id,
            tags=["phishing-report", f"severity-{severity}"]
        )

        # Send acknowledgment
        client.reply_email(
            message_id=msg.id,
            body=(
                "Thank you for reporting this. Our security team has received your report "
                f"(reference: {msg.id}).\n\n"
                "We investigate all phishing reports and use them to protect the community. "
                "If you believe your account was compromised, reset your access immediately and "
                "do not use any links from the suspicious message."
            )
        )

        if severity == "high":
            # Escalate to security team mailbox
            client.send_email(
                mailbox="[email protected]",
                to="[email protected]",
                subject=f"High-severity phishing report: {msg.id}",
                body=(
                    f"Escalated report from {email.from_address}.\n\n"
                    f"Original message ID: {msg.id}\n\n"
                    f"Body preview:\n{email.body[:500]}"
                ),
                tags=["escalation", "phishing", "high-severity"]
            )
```

An agent monitors a dedicated abuse mailbox for user-reported phishing attempts. It reads and tags inbound reports, escalates high-confidence matches to the security team, and sends an acknowledgment reply — all without human intervention on the inbound triage step.
| Regulation | Requirement | How MultiMail helps |
|---|---|---|
| OFAC Sanctions | Organizations must not provide services to sanctioned individuals or jurisdictions. Account restriction and service termination notices must be delivered accurately and their transmission must be auditable. | gated_all oversight mode creates a documented approval chain for every sanctions-adjacent communication. Message metadata supports case_id linkage so compliance teams can reconstruct the full communication record during examinations. Webhook delivery confirmations provide timestamped proof of send. |
| SEC Digital Asset Guidance | Email communications about token offerings, staking yields, or investment returns may constitute regulated financial promotions. These require disclosures, must not be misleading, and may require pre-review by compliance staff. | gated_send and gated_all modes route all promotional drafts to a pending queue before delivery. Compliance reviewers can inspect message body, recipient list, and attached metadata before approving. Rejected messages are logged with the reviewer's decision — creating a record that a human reviewed the content before it was blocked or approved. |
| FinCEN Guidance | Virtual asset service providers (VASPs) operating under FinCEN's MSB framework must maintain records of customer communications related to transactions and account actions. Records must be available for examination. | MultiMail stores per-message send records including sender, recipient, timestamp, oversight mode, approval status, and custom metadata fields. Agents can attach transaction IDs or case references via the metadata parameter on send_email, making it straightforward to retrieve the complete communication record for any transaction. |
| GDPR | User communications containing personally identifiable information — wallet addresses linked to identities, KYC data, transaction histories — must be handled with data minimization and purpose limitation principles. Users in EEA jurisdictions retain the right to erasure. | Mailboxes can be scoped to specific use cases and data types. The tag_email and manage_contacts tools allow agents to manage data retention without manual intervention. Dedicated compliance mailboxes with read_only oversight isolate PII-handling agents from send access, reducing the attack surface for data exposure. |
| CAN-SPAM | Commercial email messages must include accurate header information, a physical postal address, and a functional unsubscribe mechanism. Transactional messages are exempt but must be genuinely transactional in nature. | MultiMail enforces sender authentication (SPF, DKIM, DMARC) on all outbound sends from multimail.dev and custom domains. Tags and metadata let agents distinguish transactional from promotional sends at the message level, supporting accurate classification for CAN-SPAM purposes. |
Email infrastructure built for AI agents. Verifiable identity, graduated oversight, and a 50-tool MCP server. Formally verified in Lean 4.