Both platforms route email for AI agents. MultiMail adds ECDSA-signed identity headers, formally verified oversight proofs, and pre-send domain intelligence that AgentMail doesn't offer.
AgentMail gives AI agents an inbox and a send endpoint. That's enough for a prototype. It's not enough for a production system where you need to prove which agent sent what, demonstrate regulatory compliance, or block outbound messages to high-risk domains before they leave your infrastructure. As agent deployments scale, the missing layer isn't email delivery — it's accountability. Without cryptographic identity binding, you can't audit agent actions after the fact. Without formal verification of your oversight model, you can't make compliance claims to auditors. Without pre-send domain intelligence, your agent can send to a phishing domain and you won't know until the damage is done.
MultiMail is an email API built specifically for AI agents, with the accountability layer built in from the start. Every outbound message carries an ECDSA-signed `X-MultiMail-Agent-Identity` header that cryptographically binds the sending agent to the message — no post-hoc attribution required. The graduated oversight model (read_only → gated_all → gated_send → monitored → autonomous) is formally verified in Lean 4, so the behavioral guarantees aren't marketing claims — they're machine-checked proofs. Pre-send domain intelligence runs on every recipient address before the message leaves your account, flagging disposable addresses, newly registered domains, and known phishing infrastructure. EU AI Act compliance documentation is included for high-risk AI system operators.
Create a mailbox via the REST API or MCP `create_mailbox` tool. Each mailbox is bound to an agent identity key. When the agent sends, MultiMail automatically attaches a signed `X-MultiMail-Agent-Identity` header containing the agent ID, timestamp, and ECDSA signature — verifiable by any recipient with your public key.
Before any outbound message is delivered, MultiMail scores the recipient domain. Disposable email providers, domains registered within the last 30 days, and domains on threat intelligence feeds are flagged. The `send_email` endpoint returns a domain risk score in the response; your agent can inspect it or configure automatic hold on high-risk scores.
Set `oversight_mode: gated_send` so your agent reads and classifies inbound email autonomously but every outbound message routes to a human approval queue before delivery. Use `list_pending` to retrieve queued messages and `decide_email` to approve or cancel. Upgrade to `monitored` once you've established a baseline of agent behavior you trust.
Every approved send is logged with the agent identity signature, the approver identity, and a content hash. Use `read_email` or `get_thread` to retrieve the full signed audit trail. For EU AI Act Article 13 transparency obligations, the audit log is exportable in structured format with the formal proof reference included.
MultiMail's oversight model is proven correct in Lean 4. The proof source is published and machine-checkable. If your compliance team or an external auditor needs to verify that `gated_send` mode cannot be bypassed by a misbehaving agent, they can run `lake build` against the proof file — no trust in MultiMail's word required.
```python
import multimail

client = multimail.Client(api_key="mm_live_...")

mailbox = client.create_mailbox(
    address="[email protected]",
    agent_id="agent-crm-support-v2",
    oversight_mode="gated_send",
    display_name="CRM Support Agent"
)

print(mailbox.address)  # [email protected]
print(mailbox.agent_identity_key_id)  # kid used in X-MultiMail-Agent-Identity header
```

Provision a mailbox and bind it to an agent ID. The identity key is used to sign all outbound messages from this mailbox.
```python
import multimail

client = multimail.Client(api_key="mm_live_...")

result = client.send_email(
    mailbox="[email protected]",
    to="[email protected]",
    subject="Your support ticket has been resolved",
    body="Hi, we've resolved ticket #4821. Let us know if you have questions.",
    oversight_mode="gated_send"  # queues for human approval before delivery
)

# Domain intelligence is evaluated before queuing
print(result.domain_risk_score)  # 0.12 — low risk
print(result.domain_flags)       # [] — no flags
print(result.status)             # "pending_approval"
print(result.pending_id)         # "pend_01J..."

# If domain_risk_score > 0.7, handle before proceeding
if result.domain_risk_score > 0.7:
    print(f"High-risk domain: {result.domain_flags}")
    # Escalate or abort rather than letting it queue
```

The `send_email` endpoint returns a domain risk assessment before delivery. Inspect the score and cancel if the recipient domain is flagged.
```python
import multimail

client = multimail.Client(api_key="mm_live_...")

# Pull pending sends awaiting approval
pending = client.list_pending(mailbox="[email protected]")

for msg in pending.messages:
    print(f"ID: {msg.pending_id}")
    print(f"To: {msg.to}")
    print(f"Subject: {msg.subject}")
    print(f"Agent: {msg.agent_id}")
    print(f"Signed: {msg.identity_signature_valid}")
    print(f"Domain risk: {msg.domain_risk_score}")
    print()

# Approve a specific message
approval = client.decide_email(
    pending_id="pend_01J...",
    decision="approve",
    reviewer_id="human-ops-alice"
)

print(approval.status)     # "delivered"
print(approval.audit_ref)  # cryptographic receipt reference
```

Human reviewers pull the pending queue, inspect the signed message, and approve or cancel. The `decide_email` call records the reviewer identity alongside the agent identity in the audit log.
```json
// MCP tool call — send_email
{
  "tool": "send_email",
  "arguments": {
    "mailbox": "[email protected]",
    "to": "[email protected]",
    "subject": "Your support ticket has been resolved",
    "body": "Hi, we've resolved ticket #4821. Let us know if you have questions."
  }
}

// MCP tool response
{
  "status": "pending_approval",
  "pending_id": "pend_01J...",
  "domain_risk_score": 0.12,
  "domain_flags": [],
  "identity_header": "v=1; kid=key_01J...; sig=MEUCIQ...",
  "message": "Message queued for human approval before delivery."
}
```

Using MultiMail's MCP server, an agent running in Claude Desktop can send email through the same gated_send pipeline without any code changes.
```python
import base64

import httpx
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec

# Header value from received email
identity_header = "v=1; kid=key_01J...; agent=agent-crm-support-v2; ts=1713542400; sig=MEUCIQ..."

# Fetch MultiMail's public key for this kid
resp = httpx.get("https://api.multimail.dev/v1/identity/keys/key_01J...")
resp.raise_for_status()
pubkey_pem = resp.json()["public_key_pem"]
public_key = serialization.load_pem_public_key(pubkey_pem.encode())

# Parse header fields
fields = dict(f.strip().split("=", 1) for f in identity_header.split(";"))
sig_bytes = base64.b64decode(fields["sig"])
message = f"{fields['agent']}:{fields['ts']}".encode()

# Verify the signature over "agent:ts"
try:
    public_key.verify(sig_bytes, message, ec.ECDSA(hashes.SHA256()))
    print("Identity verified — message authentically from", fields["agent"])
except InvalidSignature:
    print("Signature invalid — reject message")
```

Recipients can verify the ECDSA signature in the X-MultiMail-Agent-Identity header using MultiMail's public key endpoint.
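A recipient would normally screen the header before handing it to signature verification, because building a `dict` from the split fields silently keeps the last of any duplicated field and a valid signature says nothing about how old the message is. The sketch below is an added example, not MultiMail's code; the field names come from the sample header above, while the 300-second freshness window, the pinned `kid` set and all sample values are assumptions made for illustration.

```python
import time

REQUIRED = ("v", "kid", "agent", "ts", "sig")  # fields shown in the page's sample header
MAX_SKEW_SECONDS = 300                         # assumed freshness window, not a MultiMail value


class HeaderRejected(ValueError):
    """The header must not be passed on to signature verification."""


def parse_identity_header(value, pinned_kids, now=None):
    """Strictly parse an X-MultiMail-Agent-Identity value; raise on any doubt."""
    fields = {}
    for part in value.split(";"):
        name, sep, val = part.strip().partition("=")
        if not sep or not name or not val:
            raise HeaderRejected(f"malformed field: {part!r}")
        if name in fields:
            # dict() would keep the last duplicate silently; refuse it instead
            raise HeaderRejected(f"duplicate field: {name}")
        fields[name] = val
    missing = [n for n in REQUIRED if n not in fields]
    if missing:
        raise HeaderRejected(f"missing fields: {missing}")
    if fields["v"] != "1":
        raise HeaderRejected("unsupported version")
    if fields["kid"] not in pinned_kids:
        raise HeaderRejected("kid is not pinned for this sender")
    if not (fields["ts"].isascii() and fields["ts"].isdigit()):
        raise HeaderRejected("ts is not a Unix timestamp")
    now = time.time() if now is None else now
    if abs(now - int(fields["ts"])) > MAX_SKEW_SECONDS:
        raise HeaderRejected("timestamp outside the freshness window")
    return fields


# Constructed sample values (not a real key id or signature)
SAMPLE = "v=1; kid=key_demo; agent=agent-crm-support-v2; ts=1713542400; sig=c2FtcGxl"
PINNED = {"key_demo"}


def check(value, now):
    """Return the agent ID if the header passes screening, else the rejection reason."""
    try:
        return parse_identity_header(value, PINNED, now)["agent"]
    except HeaderRejected as exc:
        return f"rejected: {exc}"
```

Only the fields returned by `parse_identity_header` should be fed to the ECDSA check, and the public key should be looked up by the pinned `kid` rather than by whatever the header names.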
```python
import multimail
from datetime import datetime, timedelta

client = multimail.Client(api_key="mm_live_...")

# Export 90-day audit log for EU AI Act Article 13 review
audit = client.export_audit_log(
    mailbox="[email protected]",
    since=datetime.now() - timedelta(days=90),
    format="jsonl",
    include_proofs=True  # includes Lean 4 proof references per oversight decision
)

for entry in audit.entries:
    print({
        "message_id": entry.message_id,
        "agent_id": entry.agent_id,
        "identity_signature": entry.identity_signature,
        "oversight_mode": entry.oversight_mode,
        "approver_id": entry.approver_id,  # null if autonomous
        "decision": entry.decision,
        "domain_risk_score": entry.domain_risk_score,
        "proof_ref": entry.lean4_proof_ref,  # machine-checkable proof ID
        "timestamp": entry.timestamp.isoformat()
    })
```

Export a structured audit log covering all agent-sent messages, approver decisions, and identity signatures for a compliance review period.
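An exported log is only useful for review if someone checks that its entries agree with the oversight mode they claim. The following added example (not MultiMail's code) scans a JSONL export for such contradictions; it assumes each line is a JSON object with the keys printed above, that an approved send records `decision` as `"approve"`, and that both `gated_all` and `gated_send` require a human approver. The log entries are constructed.

```python
import json

GATED_MODES = {"gated_all", "gated_send"}  # assumed: both need a human approval per send
HIGH_RISK = 0.7                            # threshold used in the page's send_email sample


def audit_findings(jsonl_text):
    """Return (message_id, reason) pairs for entries that contradict their oversight mode."""
    findings = []
    for line in jsonl_text.splitlines():
        if not line.strip():
            continue
        e = json.loads(line)
        mid = e.get("message_id", "<no id>")
        approved = e.get("decision") == "approve"
        if not e.get("identity_signature"):
            findings.append((mid, "no agent identity signature"))
        if approved and e.get("oversight_mode") in GATED_MODES:
            if not e.get("approver_id"):
                findings.append((mid, "gated send approved without an approver"))
            elif e["approver_id"] == e.get("agent_id"):
                findings.append((mid, "agent approved its own send"))
        if approved and (e.get("domain_risk_score") or 0) > HIGH_RISK:
            findings.append((mid, "approved despite high domain risk score"))
    return findings


def _entry(mid, mode, approver, risk, sig="sig-constructed"):
    # Constructed sample entry; every value here is made up for the example.
    return json.dumps({"message_id": mid, "agent_id": "agent-crm-support-v2",
                       "identity_signature": sig, "oversight_mode": mode,
                       "approver_id": approver, "decision": "approve",
                       "domain_risk_score": risk})


SAMPLE_LOG = "\n".join([
    _entry("msg_1", "gated_send", "human-ops-alice", 0.12),       # clean
    _entry("msg_2", "gated_send", None, 0.10),                    # no approver
    _entry("msg_3", "gated_send", "agent-crm-support-v2", 0.20),  # self-approval
    _entry("msg_4", "gated_send", "human-ops-alice", 0.91),       # risky recipient
    _entry("msg_5", "gated_send", "human-ops-alice", 0.05, sig=""),  # unsigned
])

if __name__ == "__main__":
    for finding in audit_findings(SAMPLE_LOG):
        print(finding)
```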
Every outbound message carries an ECDSA-signed `X-MultiMail-Agent-Identity` header. Recipients and auditors can verify which agent sent a message without relying on MultiMail's logs. AgentMail has no equivalent — you get a sender address, not a verifiable identity.
MultiMail's oversight modes are proven correct in Lean 4. The behavioral guarantees — that `gated_send` cannot be bypassed, that approval decisions are recorded before delivery — are machine-checked proofs, not documentation claims. This matters when auditors ask you to demonstrate your AI system's human oversight controls.
Every outbound address is scored before the message leaves your account. Disposable providers, newly registered domains, and threat-intelligence matches are flagged in the `send_email` response so your agent or your pipeline can decide before delivery, not after a bounce or abuse report.
For operators running high-risk AI systems under EU AI Act Article 13, MultiMail provides structured audit logs with proof references, transparency disclosures, and oversight mode documentation. AgentMail has no compliance documentation layer.
Start at `gated_send` during evaluation, move to `monitored` once you've established a behavioral baseline, and switch to `autonomous` for fully trusted agents. Each mode change is reflected in the audit log. AgentMail offers no oversight progression model.
Email infrastructure built for AI agents. Verifiable identity, graduated oversight, and a 50-tool MCP server. Formally verified in Lean 4.