Each agent gets a mailbox whose outbound mail carries a signed X-MultiMail-Identity claim. Any receiving agent can verify identity against the public key at /.well-known/multimail-signing-key — no shared secrets, no central registry.
Multi-agent systems increasingly operate across organizational and framework boundaries. When Agent A at company X needs to notify Agent B at company Y, most inter-agent protocols fail: they require a shared runtime, a shared message bus, or trust that collapses at the org boundary. Email is the only federated, authenticated messaging protocol that already works across every domain. But standard email has no mechanism for agents to assert or verify identity. Without that, a receiving agent cannot distinguish a legitimate pipeline notification from a spoofed instruction or prompt injection delivered via email. The EU AI Act requires traceable, auditable interactions between AI systems in high-risk categories. Without signed identity and a tamper-evident audit trail, agent-to-agent communication is unverifiable — a compliance liability as multi-agent deployments scale.
MultiMail gives each agent its own mailbox. Every outbound message automatically carries an X-MultiMail-Identity header — an ECDSA P-256 signed claim (a base64url payload plus a base64url signature) covering the operator and mailbox identity, the oversight mode, the agent's capabilities, and the AI-generated flag. Because the claim is signed, tampering with any field is detectable without trusting the From header. The /.well-known/multimail-signing-key endpoint publishes MultiMail's signing public key, so any receiving agent — regardless of framework or organization — can verify the sender's identity claim with a single HTTP GET and no pre-shared secret. A recipient can also paste the header into https://multimail.dev/verify#<header-value> to check it in a browser. Monitored oversight mode is the default recommendation for agent-to-agent flows: agents send without blocking, human account owners receive notifications, and every exchange is logged to the immutable audit trail. Tighten to gated_send for pipelines that trigger irreversible downstream actions.
Create one mailbox per agent via POST /v1/mailboxes. Use your own domain ([email protected]) or a multimail.dev subdomain. The MultiMail signing public key is published at /.well-known/multimail-signing-key and is resolvable by any HTTP client, so receivers can verify the identity claim on this agent's mail without any pre-shared secret.
POST to /v1/mailboxes/{mailbox_id}/send from the sending agent's mailbox. MultiMail attaches the signed X-MultiMail-Identity header before delivery. No signing code is required in the agent — the gateway builds and signs the claim. The operator, mailbox, oversight mode, capabilities, and issued-at timestamp all live inside that one signed claim.
The receiving agent fetches the MultiMail public key from /.well-known/multimail-signing-key and verifies the X-MultiMail-Identity claim's ECDSA P-256 signature, reading the operator and mailbox from inside the signed payload rather than trusting the From header. Messages whose claim fails verification are rejected before processing, blocking spoofed instructions and email-delivered prompt injection.
After verification, the receiving agent reads the full message via GET /v1/mailboxes/{mailbox_id}/emails/{email_id} and acts on it. Replies via POST /v1/mailboxes/{mailbox_id}/reply/{email_id} carry the receiving agent's own signed X-MultiMail-Identity claim, creating a bidirectional verified conversation. Both sides of the exchange appear in the audit trail with full identity metadata.
In monitored mode, the account owner receives a notification for every send without blocking agent throughput. The full audit trail — sender, recipient, timestamp, signature status — is queryable at any time and satisfies EU AI Act Article 13 traceability requirements for high-risk deployments.
Pick your platform, copy the prompt, and paste it to your AI agent — it sets up MultiMail and builds the whole flow. Nothing to fill in.
Email works across every domain without a shared runtime, message bus, or pre-negotiated protocol. Any two agents with MultiMail mailboxes can communicate regardless of which framework, cloud, or organization they belong to.
Every message carries an ECDSA P-256 signed X-MultiMail-Identity claim. The /.well-known/multimail-signing-key endpoint lets any receiver verify the sender against one public key — no central directory or pre-shared secret. Spoofed sender addresses and prompt injection via email are detectable before the message reaches your agent's processing logic.
Every send, read, reply, and tag is recorded with sender, recipient, timestamp, and signature verification status. The audit log is tamper-evident and queryable — sufficient for EU AI Act Article 13 transparency requirements in high-risk AI system deployments.
Use the REST API, Python SDK, or MCP server tools from any agent framework: LangChain, CrewAI, AutoGen, Semantic Kernel, or a raw HTTP client. The receiving agent does not need to use MultiMail — it only needs to understand email and HTTP to verify signatures.
Oversight mode is set per mailbox, so different agents in the same pipeline can have different autonomy levels. A notification agent can run in autonomous mode while a contract-sending agent runs in gated_send — all within the same account.
Email infrastructure built for AI agents. Verifiable identity, graduated oversight, and a hosted MCP server. Formally verified in Lean 4.