An agent holding your Gmail credentials sends as you, and you find out afterward. MultiMail gives it a mailbox of its own, fed by your Gmail forwarding, where every reply waits for your approval before it sends. Every agent starts supervised, and the good ones earn autonomy.
Everyone wires up their agent the same way, with an OAuth grant straight into Gmail, and it works beautifully right up until it doesn't. One Thursday the agent answers a thread it should have left alone, in your name, to a client, and you find out about it when the client does. Email is the one tool in your stack with no undo button.
The root problem is that Gmail only offers one kind of trust, which is all of it. There is no permission that says read everything but let a human sign off before anything goes out. So don't grant anything. Give the agent a mailbox of its own and point a Gmail forwarding rule at it: the original mail stays in your inbox, your credentials never leave your hands, and in gated_send, the default mode, every reply the agent writes waits for your approval before it ships. You review before delivery instead of after, and that one change is the whole fix.
And trust doesn't have to be all-or-nothing per agent, either. Maybe you want your agent emailing your vendor autonomously, but not your competitor. A per-recipient allowlist lets you make those decisions one time: approve the vendor's address once and mail to them just sends, while everyone else still waits for your tap.
Marcus at your packaging vendor wants an answer: three pallet configurations, prices held through Friday, and one question about lead time. A careful reply takes the twenty minutes a Tuesday morning never has.
It stays right where it always lands, because forwarding only sends a copy.
It drafts a reply: confirm the mid-tier option, ask about lead time.
The mailbox runs gated_send, so the draft joins your approval queue and nothing has left the building.
Your email gets the full draft, with approve and reject links.
At 9:48 you read it while the train is late. The draft confirms the configuration you would have picked, asks the question you would have asked, and when you go looking for the sentence you would rewrite, you don't find one. You tap approve.
The reply goes out from the agent's own address, threaded into Marcus's conversation, and if it had missed the mark you would have tapped reject and nothing would ever have sent. The whole exchange took six minutes and exactly one decision from you, without sharing a single credential.
A month of Tuesdays later, the agent has never missed with Marcus, so you put his address on the allowlist. Now the 9:46 reply sends itself and your phone stays in your pocket, while mail to anyone you haven't approved still waits. That is what earning autonomy looks like: one recipient at a time, on your say-so.
Sign up at multimail.dev and pick your name; that becomes your domain. Confirmation codes go to the email you sign up with. Keep that address yours, not the agent's.
An address like [email protected]. Creating one needs your sign-off: a confirmation code comes to your email first. Every mailbox you add starts in gated_send; the mailbox created at signup starts in whichever mode you picked there.
In Gmail, open Settings, "Forwarding and POP/IMAP", and add the agent's address. Gmail sends a confirmation email; it lands in the agent's mailbox, where you or the agent reads it and confirms. No permissions screen, nothing to install. Walkthrough in the docs.
From then on, whatever Gmail forwards, the agent reads. It drafts replies; in gated_send every draft waits. Waiting is the feature: nothing goes out until you say so.
Each held draft reaches you by email: recipient, subject, full text, two links. One tap sends it from the agent's address; one tap kills it. Decide there, from the dashboard, or through your agent's own tools.
The gate treats everyone the same, and that is both its strength and its flaw: the vendor you have emailed every Tuesday for a year gets held at the door like a total stranger. Tap approve on the same address enough times and the gate stops protecting you and starts training you to wave things through.
The sending allowlist is the granular fix. The mode sets the floor and the allowlist layers per-recipient trust on top of it, as an exact address or a whole domain. You make the decision once, mail to that recipient sends instantly from then on, and the audit trail shows exactly what skipped the queue. Your agent ends up autonomous with the vendor and supervised with everyone else, which is precisely the arrangement you would have designed by hand.
Adding someone to the list is deliberately heavier than sending an email: a confirmation code lands in your inbox first, and removing someone works the same way. The agent can't quietly expand its own freedoms, and the list never grows because some inbound email told it to.
read_only: the agent can read, never send.
gated_all: everything waits for your approval, both directions.
gated_send: outbound waits for you, inbound flows. The default.
monitored: the agent sends freely; you get copies.
autonomous: no gates.
You control the mode. The agent can ask for an upgrade, and asking changes nothing: a one-time code goes to your email, works once, and dies in 24 hours. The mode moves when you hand over the code. The allowlist carves exceptions inside gated_send, the default mode.
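The send decision described above, sketched as an added example; this is not MultiMail's code or API. The names `Mailbox`, `decide_outbound` and `add_allowlist_entry` are hypothetical, the addresses are constructed, and the model assumes the allowlist applies only in gated_send, as the text states.

```python
import hmac
from dataclasses import dataclass, field

# Hypothetical model of the five modes named on the page (not the product's API).
MODES = ("read_only", "gated_all", "gated_send", "monitored", "autonomous")

@dataclass
class Mailbox:
    mode: str = "gated_send"                       # the page's default mode
    allowlist: set = field(default_factory=set)    # exact addresses or whole domains
    audit: list = field(default_factory=list)      # (recipient, mode, decision, skipped_queue)

def is_allowlisted(recipient, allowlist):
    """Exact address or exact domain match; no substring or suffix matching."""
    addr = recipient.strip().lower()
    domain = addr.rpartition("@")[2]               # text after the last '@'
    return addr in allowlist or domain in allowlist

def decide_outbound(box, recipient):
    """Return 'deny', 'hold', 'send_with_copy' or 'send' for one draft."""
    if box.mode not in MODES:
        raise ValueError(f"unknown mode: {box.mode}")
    skipped = False
    if box.mode == "read_only":
        decision = "deny"                          # the agent can read, never send
    elif box.mode == "gated_all":
        decision = "hold"                          # everything waits for approval
    elif box.mode == "gated_send":
        skipped = is_allowlisted(recipient, box.allowlist)
        decision = "send" if skipped else "hold"   # allowlist carves the exception
    elif box.mode == "monitored":
        decision = "send_with_copy"                # sends freely, owner gets a copy
    else:
        decision = "send"                          # autonomous: no gates
    box.audit.append((recipient, box.mode, decision, skipped))
    return decision

def add_allowlist_entry(box, entry, supplied_code, issued_code):
    """Grow the allowlist only when the owner's emailed code is presented."""
    if not hmac.compare_digest(supplied_code, issued_code):
        return False                               # an agent or inbound mail cannot add entries
    box.allowlist.add(entry.strip().lower())
    return True
```

Matching on the exact domain rather than a suffix keeps a lookalike such as `notvendor.example` in the approval queue even when `vendor.example` is allowlisted.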
No OAuth grant, no app password, no Google account access. Just a forwarding rule you can switch off any time.
Added mailboxes always start in gated_send (your signup mailbox starts in the mode you chose), and only your emailed code can raise any mailbox's autonomy afterward.
Approve a vendor once and mail to them sends instantly; everyone else still waits. Entries need your emailed confirmation, never an email's say-so.
Outbound sends from the agent's address, never yours, and replies land in the sender's existing conversation.
Email infrastructure built for AI agents. Verifiable identity, graduated oversight, and a remote MCP server at mcp.multimail.dev. Formally verified in Lean 4.