Each agent gets a mailbox with an Ed25519 signing key. Any receiving agent can verify identity via /.well-known/multimail-signing-key — no shared secrets, no central registry.
Multi-agent systems increasingly operate across organizational and framework boundaries. When Agent A at company X needs to notify Agent B at company Y, most inter-agent protocols fail: they require a shared runtime, a shared message bus, or trust that collapses at the org boundary. Email is the only federated, authenticated messaging protocol that already works across every domain. But standard email has no mechanism for agents to assert or verify identity. Without that, a receiving agent cannot distinguish a legitimate pipeline notification from a spoofed instruction or prompt injection delivered via email. The EU AI Act requires traceable, auditable interactions between AI systems in high-risk categories. Without signed identity and a tamper-evident audit trail, agent-to-agent communication is unverifiable — a compliance liability as multi-agent deployments scale.
MultiMail gives each agent its own mailbox with an Ed25519 signing key pair generated at creation time. Every outbound message automatically carries X-MultiMail-Agent-Id, X-MultiMail-Signature, and X-MultiMail-Timestamp headers. The signature covers the timestamp and message body, making tampering detectable in transit. The /.well-known/multimail-signing-key endpoint publishes each mailbox's public key, so any receiving agent — regardless of framework or organization — can verify the sender's identity with a single HTTP GET and no pre-shared secret. Monitored oversight mode is the default recommendation for agent-to-agent flows: agents send without blocking, human account owners receive notifications, and every exchange is logged to the immutable audit trail. Tighten to gated_send for pipelines that trigger irreversible downstream actions.
Call create_mailbox once per agent. Each mailbox receives a unique Ed25519 key pair on creation. Use your own domain ([email protected]) or a multimail.dev subdomain. The public key is published immediately to /.well-known/multimail-signing-key and is resolvable by any HTTP client.
Call send_email with the sending agent's mailbox in the from field. MultiMail attaches X-MultiMail-Agent-Id, X-MultiMail-Signature, and X-MultiMail-Timestamp headers before delivery. No signing code is required in the agent — the API handles it.
The receiving agent fetches the sender's public key from /.well-known/multimail-signing-key?mailbox=<agent-id> and verifies the X-MultiMail-Signature against the timestamp and body. Messages that fail verification are rejected before processing, blocking spoofed instructions and email-delivered prompt injection.
After verification, the receiving agent reads the full message via read_email and acts on it. Replies via reply_email carry the receiving agent's own identity headers, creating a bidirectional verified conversation. Both sides of the exchange appear in the audit trail with full signature metadata.
In monitored mode, the account owner receives a notification for every send without blocking agent throughput. The full audit trail — sender, recipient, timestamp, signature status — is queryable at any time and satisfies EU AI Act Article 13 traceability requirements for high-risk deployments.
from multimail import MultiMailClient
client = MultiMailClient(api_key="$MULTIMAIL_API_KEY")
response = client.send_email(
mailbox="[email protected]",
to="[email protected]",
subject="Data pipeline completion notification",
body=(
"Pipeline run #847 completed successfully.\n"
"14,329 records processed. 0 errors.\n"
"Output: s3://acme-data/runs/847/\n\n"
"Sent by [email protected]"
),
tags=["agent-to-agent", "pipeline-notification"],
)
print(f"Message ID: {response[&"cm">#039;message_id']}")
print(f"Signed: {response[&"cm">#039;signed']}")
print(f"Signature: {response[&"cm">#039;identity_headers']['X-MultiMail-Signature']}")Send a pipeline completion notification from one agent mailbox to another. MultiMail handles signing automatically — no extra cryptography code required.
import httpx
import base64
from cryptography.hazmat.primitives.serialization import load_pem_public_key
def verify_multimail_sender(headers: dict, body: str) -> bool:
agent_id = headers.get("X-MultiMail-Agent-Id")
signature_b64 = headers.get("X-MultiMail-Signature")
timestamp = headers.get("X-MultiMail-Timestamp")
if not all([agent_id, signature_b64, timestamp]):
return False
resp = httpx.get(
"https://api.multimail.dev/.well-known/multimail-signing-key",
params={"mailbox": agent_id},
timeout=5,
)
resp.raise_for_status()
public_key = load_pem_public_key(resp.content)
signed_payload = f"{timestamp}\n{body}".encode()
signature = base64.b64decode(signature_b64)
try:
public_key.verify(signature, signed_payload)
return True
except Exception:
return False
"cm"># In your agent's email handler:
if not verify_multimail_sender(email["headers"], email["body"]):
raise ValueError(f"Rejected: unverifiable sender for email {email[&"cm">#039;id']}")Fetch the sender's public key from /.well-known/multimail-signing-key and verify the Ed25519 signature. Reject any message that fails — this is the injection guard.
from multimail import MultiMailClient
client = MultiMailClient(api_key="$MULTIMAIL_API_KEY")
inbox = client.check_inbox(
mailbox="[email protected]",
unread_only=True,
)
for message in inbox["emails"]:
full_email = client.read_email(email_id=message["id"])
if not verify_multimail_sender(full_email["headers"], full_email["body"]):
client.tag_email(email_id=message["id"], tags=["rejected-unverified"])
continue
result = run_analysis(full_email["body"])
client.reply_email(
email_id=message["id"],
body=(
f"Analysis complete for pipeline run #847.\n"
f"Result: {result[&"cm">#039;summary']}\n"
f"Anomalies detected: {result[&"cm">#039;anomaly_count']}\n\n"
f"Sent by [email protected]"
),
)
client.tag_email(email_id=message["id"], tags=["processed"])Poll for unread messages, verify each sender, process the payload, and reply with Agent B's own signed identity. Tags mark processed messages to prevent reprocessing.
Email works across every domain without a shared runtime, message bus, or pre-negotiated protocol. Any two agents with MultiMail mailboxes can communicate regardless of which framework, cloud, or organization they belong to.
Every message is signed with Ed25519. The /.well-known/multimail-signing-key endpoint lets any receiver verify the sender without a central directory or pre-shared secret. Spoofed sender addresses and prompt injection via email are detectable before the message reaches your agent's processing logic.
Every send, read, reply, and tag is recorded with sender, recipient, timestamp, and signature verification status. The audit log is tamper-evident and queryable — sufficient for EU AI Act Article 13 transparency requirements in high-risk AI system deployments.
Use the REST API, Python SDK, or MCP server tools from any agent framework: LangChain, CrewAI, AutoGen, Semantic Kernel, or a raw HTTP client. The receiving agent does not need to use MultiMail — it only needs to understand email and HTTP to verify signatures.
Oversight mode is set per mailbox, so different agents in the same pipeline can have different autonomy levels. A notification agent can run in autonomous mode while a contract-sending agent runs in gated_send — all within the same account.
Email infrastructure built for AI agents. Verifiable identity, graduated oversight, and a 50-tool MCP server. Formally verified in Lean 4.