Email Infrastructure Built for Web3's Security Requirements

AI agents in crypto handle wallet recovery, security alerts, and OFAC-adjacent communications. MultiMail enforces gated approvals and full audit trails on every send.


Crypto and Web3 organizations face a threat model that most industries do not: users are conditioned to expect phishing attempts, regulators are still writing the rules, and a single misdirected email touching an asset or identity claim can create legal exposure under FinCEN guidance, SEC digital asset frameworks, or OFAC sanctions programs. At the same time, the volume of operational email — transaction confirmations, staking rewards, incident reports, community updates — is high and growing as protocols automate more of their support and governance workflows. AI agents are a natural fit for this volume, but only when the email layer enforces controls that match the risk. An autonomous agent sending a token promotion without human review is a compliance event waiting to happen. The right architecture gates asset-adjacent sends, logs everything, and keeps humans in the approval loop for anything that could be construed as a financial promotion or identity assertion.

Email challenges in Crypto & Web3

Phishing Surface Area

Web3 users are trained to distrust emails claiming to involve wallets, recoveries, or transfers. Any agent-generated email touching these topics must come from authenticated domains with strict DMARC enforcement and must not contain patterns that trigger user suspicion or spam filters.

OFAC and Sanctions Screening

Communications related to account restrictions, jurisdiction blocks, or flagged transactions must be timely, accurate, and tied to a compliance workflow. An AI agent that sends or delays these notices incorrectly creates regulatory exposure under OFAC sanctions programs.

Token Promotion Compliance

Emails about token launches, staking yields, or reward programs can constitute regulated financial promotions under SEC digital asset guidance and equivalent frameworks in other jurisdictions. Agent-generated promotional content requires human review before delivery.

Security Incident Timeliness

Custody incidents, smart contract exploits, and access breaches require fast, accurate outbound communication to affected users. Delayed or templated responses erode trust and may trigger disclosure obligations depending on jurisdiction and data involved.

Audit Trails for Regulated Sends

Under FinCEN guidance and SEC examination procedures, organizations may need to demonstrate what communications were sent, when, to whom, and who approved them. Email infrastructure that lacks per-message audit records is a compliance gap.


How MultiMail helps

Gated Sends for Asset-Adjacent Messaging

Set oversight_mode to gated_send so AI agents can compose transaction confirmations, wallet recovery notices, and staking updates autonomously, but every outbound message waits in a pending queue until a human reviewer approves it. Agents call list_pending and decide_email to surface the queue; your compliance team sees the full message before it leaves your infrastructure.

gated_send

Full Approval Gate for Token Promotions

Token launch emails, yield announcements, and reward program communications carry the highest regulatory risk. Use gated_all so every action — including reads that could inform promotional targeting — requires explicit human sign-off. This creates a documented approval chain that satisfies internal compliance review before any message touches user inboxes.

gated_all

Monitored Mode for Routine Community Updates

Protocol updates, governance vote reminders, and maintenance window notices are lower risk but still benefit from visibility. monitored mode lets AI agents send autonomously while routing a BCC copy to your compliance mailbox. Your team sees every outbound message without blocking delivery velocity.

monitored

Autonomous Incident Alert Routing

Time-sensitive security alerts — smart contract pause notifications, custody platform incidents, suspicious login detections — need to reach users in seconds, not after a queue review. autonomous mode with webhook-driven triggers lets agents fire pre-approved alert templates the moment your monitoring systems detect an event. Templates are reviewed and approved at setup time, not per-send.

autonomous

Read-Only Inbox Monitoring for Compliance Agents

Compliance and fraud detection agents that monitor inbound mail for sanctions keywords, phishing reports, or account recovery abuse patterns do not need send access. read_only mode gives these agents full check_inbox and read_email access with zero outbound capability — containing the blast radius if an agent is compromised or misbehaves.

read_only

Try it with your agent

Pick your platform, copy the prompt, and paste it to your AI agent — it sets up MultiMail and builds the whole flow. Nothing to fill in.

1. Get MultiMail ready by reading https://multimail.dev/llms.txt, connecting the MCP server, creating a free inbox, and setting up a verified sending domain. 2. Use the recovery queue, support inbox, and identity-verification tracker as the source data; include only cases where the user has asked for account or wallet access help. 3. Draft a personalized recovery intake email for each eligible case that explains the next safe step, requests only the missing verification details, and avoids asking for seed phrases, private keys, or signing actions. 4. Run this workflow daily on new and updated cases, grouping urgent lockout or suspected compromise cases first. 5. Use gated_send oversight for every message. Ask me only for the support queue access and approved brand voice needed to go live.

Regulatory considerations

RegulationRequirementHow MultiMail helps
OFAC SanctionsOrganizations must not provide services to sanctioned individuals or jurisdictions. Account restriction and service termination notices must be delivered accurately and their transmission must be auditable.gated_all oversight mode creates a documented approval chain for every sanctions-adjacent communication. Per-message tags support case_id linkage so compliance teams can reconstruct the full communication record during examinations. Webhook delivery confirmations provide timestamped proof of send.
SEC Digital Asset GuidanceEmail communications about token offerings, staking yields, or investment returns may constitute regulated financial promotions. These require disclosures, must not be misleading, and may require pre-review by compliance staff.gated_send and gated_all modes route all promotional drafts to a pending queue before delivery. Compliance reviewers can inspect message body, recipient list, and tags before approving. Rejected messages are logged with the reviewer's decision — creating a record that a human reviewed the content before it was blocked or approved.
FinCEN GuidanceVirtual asset service providers (VASPs) operating under FinCEN's MSB framework must maintain records of customer communications related to transactions and account actions. Records must be available for examination.MultiMail stores per-message send records including sender, recipient, timestamp, oversight mode, and approval status. Agents can attach transaction IDs or case references as tags on each message, making it straightforward to retrieve the complete communication record for any transaction.
GDPRUser communications containing personally identifiable information — wallet addresses linked to identities, KYC data, transaction histories — must be handled with data minimization and purpose limitation principles. Users in EEA jurisdictions retain the right to erasure.Mailboxes can be scoped to specific use cases and data types. The set_tags and search_contacts tools allow agents to manage data retention without manual intervention. Dedicated compliance mailboxes with read_only oversight isolate PII-handling agents from send access, reducing the attack surface for data exposure.
CAN-SPAMCommercial email messages must include accurate header information, a physical postal address, and a functional unsubscribe mechanism. Transactional messages are exempt but must be genuinely transactional in nature.MultiMail enforces sender authentication (SPF, DKIM, DMARC) on all outbound sends from multimail.dev and custom domains. Tags let agents distinguish transactional from promotional sends at the message level, supporting accurate classification for CAN-SPAM purposes.

Common questions

Can MultiMail help prevent phishing by impersonators of our protocol?
MultiMail configures SPF, DKIM, and DMARC on all sending domains, including custom domains like [email protected]. This means receiving mail servers can verify that messages actually originated from your infrastructure. DMARC with a reject policy instructs receiving servers to discard messages that fail authentication — reducing the effectiveness of spoofing attacks that impersonate your domain. You should also configure BIMI if brand logo authentication is part of your anti-phishing strategy.
How does gated_send differ from gated_all for a compliance workflow?
gated_send lets agents read inboxes and retrieve email data autonomously — only outbound sends require human approval. gated_all requires approval for every action, including reads. For most crypto compliance workflows, gated_send is the right default: it gives agents the context they need to draft accurate responses while ensuring nothing leaves your infrastructure without a human sign-off. Use gated_all when the read action itself carries risk — for example, an agent that reads sensitive KYC documents and whose access should be logged and approved per-query.
Does MultiMail provide the audit trail format required for regulatory examinations?
Each message has a unique id, a send timestamp, the oversight mode it was sent under, the approver identity if applicable, and any tags you attach at send time. You can retrieve this record via read_email at any time. For FinCEN and SEC examinations, attaching case references or transaction IDs as tags at send time is the recommended pattern — it makes retrieval straightforward without requiring a separate audit log system.
We need to send time-sensitive security alerts within seconds of detection. Can agents do this without a queue?
Yes. Set oversight_mode to autonomous for mailboxes used by incident response agents. The tradeoff is that messages send immediately without human review — appropriate for templates that have been reviewed and approved in advance. The recommended pattern is to maintain a library of pre-approved alert templates, parameterize them at send time (incident ID, affected systems, timestamp), and restrict the autonomous mailbox to only those template types. Reserve gated_send for non-templated outbound communication.
Can an agent monitor for inbound phishing reports without having send access?
Yes. read_only oversight mode gives agents full access to check_inbox and read_email on a designated abuse or phishing-report mailbox, with no outbound capability. If you want the agent to also send acknowledgment replies, use gated_send — replies will queue for human approval before delivery. This architecture contains the blast radius: a compromised read-only agent cannot send phishing emails from your domain.
How should we handle the Travel Rule for transaction notification emails?
The FATF Travel Rule requires VASPs to share originator and beneficiary information for transfers above threshold. MultiMail's per-message tags let agents annotate the message record with originator/beneficiary references at send time, supporting auditability of what information accompanied a notification. The actual Travel Rule data exchange between VASPs happens via IVMS101 or similar protocols — MultiMail handles the customer-facing notification layer, not the inter-VASP data transfer.
Can we use MultiMail for token launch announcements and staking reward emails?
Yes, with the right oversight mode. Token promotions and yield-related emails are the highest-risk category under SEC digital asset guidance. Use gated_send or gated_all so compliance staff review the content before delivery. Agents can draft the emails and populate recipient lists autonomously — the approval step ensures a human reviews the claims, disclosures, and recipient scope before the message goes out. Never use autonomous mode for emails that mention yields, returns, or investment performance.

Explore more industries

The only agent email with a verifiable sender

Email infrastructure built for AI agents. Verifiable identity, graduated oversight, and a hosted MCP server. Formally verified in Lean 4.