MultiMail gives security teams cryptographic agent identity, formally verified oversight policies, and a complete audit trail — built for AI email risk, not retrofitted from generic ESPs.
When an AI agent sends email on behalf of your organization, security teams face four hard questions: Who authorized it? What controls prevented unauthorized sends? Can you prove the sending agent is who it claims to be? And if something goes wrong, can you reconstruct exactly what happened and why? Generic ESPs were built for human senders. They have no concept of agent identity, policy-enforced oversight, or action-level auditability. AI agents operating through conventional email infrastructure create an accountability gap that regulators — including under the EU AI Act — increasingly expect to be closed before deployment.
MultiMail addresses the CISO evaluation checklist with four concrete controls. Cryptographic identity: Every outbound message carries ECDSA-signed headers identifying the sending agent, tenant, and oversight policy in effect at send time. Recipients and auditors can verify these headers without contacting MultiMail. Formally verified oversight: Oversight mode policies are specified and verified in Lean 4. The gated_send guarantee — that no message is delivered without human approval — is not a test result; it is a machine-checked proof that holds for all possible API call sequences. Pre-send domain intelligence: Before any email leaves the system, MultiMail evaluates each recipient domain against DNS signals — MX, SPF, DMARC presence and policy, Spamhaus listing, disposable-domain detection — plus platform bounce history, assigning a green/yellow/red tier. Red-tier domains are blocked before reaching the approver queue; the gate fails open on DNS errors. Immutable audit trail: Every action — read, compose, send request, approval, rejection, cancellation — is logged with agent ID, policy state, and timestamp. Each entry is tied to the cryptographic identity of the actor.
Every outbound message carries an X-MultiMail-Identity header: an ECDSA P-256 signed claim — a base64url payload plus a base64url signature — covering the operator and mailbox identity, the oversight mode in effect at send time, the agent's capabilities, and the AI-generated flag. Any recipient or auditor verifies the claim against the public key published at https://api.multimail.dev/.well-known/multimail-signing-key — no round-trip to MultiMail required, and without trusting the From header.
Oversight modes are configured per mailbox and enforced at the API layer, not in application code. Under gated_send, the POST /v1/mailboxes/{mailbox_id}/send endpoint queues messages for human approval rather than delivering them, regardless of how the API call is constructed. The agent has no code path to force delivery — the enforcement is in MultiMail's infrastructure.
The audit trail captures every action the agent takes: emails read, drafts composed, sends requested, approvals granted or denied, and messages cancelled. Each event is linked to the agent's cryptographic identity and the oversight policy active at the time. Events are queryable via the REST API and streamable to a SIEM via webhooks.
Pre-send checks run before every outbound message, evaluating recipient domains against DMARC presence and policy, MX and SPF records, Spamhaus listing, disposable-domain detection, and platform bounce history. Each domain resolves to a green, yellow, or red tier. Red-tier domains are blocked before the message reaches the approver queue, limiting the blast radius of a compromised or misbehaving agent.
The CISO evaluation package includes: the identity signing model and the public key endpoint (https://api.multimail.dev/.well-known/multimail-signing-key), Lean 4 proof artifacts for the oversight model, audit log schema and retention policy documentation, and domain intelligence coverage summary. This provides a documented, attestable evidence set for internal governance and regulatory reporting under the EU AI Act.
Pick your platform, copy the prompt, and paste it to your AI agent — it sets up MultiMail and builds the whole flow. Nothing to fill in.
ECDSA-signed headers on every outbound message prove which agent sent it, under which tenant, and which oversight policy applied. Verification is offline — recipients and auditors use the tenant's published public key and do not need to call MultiMail. This provides non-repudiation suitable for legal and regulatory proceedings.
Oversight mode policies are specified in Lean 4 and formally verified. The gated_send guarantee — no message delivered without human approval — holds for all possible API call sequences, not just tested ones. Proof artifacts are available for independent review as part of the CISO evaluation package.
Every recipient domain is evaluated before delivery against DMARC presence and policy, MX and SPF records, Spamhaus listing, disposable-domain detection, and platform bounce history, resolving to a green/yellow/red tier. Red-tier domains are blocked before they reach the approver, reducing the blast radius of a compromised or misbehaving agent.
Every read, compose, approval request, approval decision, and cancellation is logged with agent ID, oversight mode, and timestamp. The log is append-only and each entry is cryptographically attributed to the acting agent. Webhook streaming delivers events to your SIEM in real time.
The EU AI Act requires traceability (Article 13), human oversight (Article 14), and transparency for systems interacting with humans (Article 52). MultiMail's audit trail, gated_send enforcement, and ECDSA identity signing address these requirements directly for AI systems that send email on behalf of organizations.
Email infrastructure built for AI agents. Verifiable identity, graduated oversight, and a hosted MCP server. Formally verified in Lean 4.