MultiMail gives your engineering team purpose-built primitives for agent email: identity, graduated oversight, and deployment patterns that fit API and MCP-based architectures.
Generic email APIs were designed for humans sending transactional messages. Adapting them for AI agents means bolting on approval workflows, building your own audit trails, and hoping the agent does not send something it should not. CTOs evaluating agent email infrastructure need to understand what the system actually guarantees — not what a marketing page implies. That means knowing where identity is enforced, where approval checkpoints sit in the call graph, how the formal security model was verified, and how to roll out gradually without committing your entire email stack on day one.
MultiMail is a purpose-built email API for AI agents. Identity is scoped per mailbox, not per account — each agent gets its own mailbox and credentials. Oversight is a first-class primitive: every outbound action passes through a configurable approval checkpoint before delivery. The security model covering identity, oversight, and authorization is formally verified in Lean 4 and the proofs are published and checked in CI. Integration follows standard patterns: call the REST API directly from any HTTP client or use the MCP server depending on your agent framework. You can start with read-only access, graduate to gated sends requiring human approval, and move to monitored or autonomous operation once your team has established confidence in the agent's behavior.
MultiMail's API surface is a set of discrete, auditable operations: POST /v1/mailboxes/{mailbox_id}/send, POST /v1/mailboxes/{mailbox_id}/reply/{email_id}, GET /v1/mailboxes/{mailbox_id}/emails, GET /v1/mailboxes/{mailbox_id}/emails/{email_id}, GET /v1/mailboxes/{mailbox_id}/threads/{thread_id}, PUT /v1/mailboxes/{mailbox_id}/emails/{email_id}/tags, POST /v1/oversight/decide, POST /v1/contacts, POST /v1/mailboxes, GET /v1/oversight/pending, and POST /v1/mailboxes/{mailbox_id}/emails/{email_id}/cancel. Each operation is separately authorized. Agents authenticate with per-mailbox Bearer tokens (mm_live_... for production, mm_test_... for integration tests). No shared credentials across mailboxes.
Every outbound action can be configured to require human approval before delivery. The oversight_mode field on each mailbox controls this: gated_send (reads are autonomous, sends require approval), gated_all (all actions require approval), monitored (autonomous with human notifications), or autonomous. Pending approvals are queryable via GET /v1/oversight/pending and a still-pending send is cancellable via POST /v1/mailboxes/{mailbox_id}/emails/{email_id}/cancel. Approval checkpoints are enforced server-side — they cannot be bypassed by the agent.
Use mm_test_... tokens to run against the live API without delivering real email. Test tokens have identical behavior to production tokens — same approval flows, same audit logs, same error responses — but outbound messages are intercepted at the delivery layer. Integration tests can cover the full send → approval → deliver path without a live inbox.
Create a dedicated mailbox for the pilot agent via POST /v1/mailboxes, set oversight_mode to gated_send, and designate a human approver. Route a narrow slice of agent email volume through that mailbox. Monitor the approval queue via GET /v1/oversight/pending and check the audit log via GET /v1/audit-log to verify the agent is operating within expected parameters.
Once the pilot establishes a behavioral baseline, create additional mailboxes per agent role, adjust oversight_mode per mailbox based on observed trust levels, and wire up webhooks for inbound email, delivery status, and approval events. The MCP server exposes all 51 tools for MCP-compatible clients (Claude Desktop, Cursor, Windsurf) without requiring direct API integration code.
Pick your platform, copy the prompt, and paste it to your AI agent — it sets up MultiMail and builds the whole flow. Nothing to fill in.
Each agent mailbox has its own credentials and authorization scope. An agent with access to [email protected] cannot read or send from [email protected]. Token compromise is contained to a single mailbox.
Approval checkpoints are implemented in the API, not in client code the agent controls. An agent cannot bypass gated_send by modifying its own requests — the server rejects unapproved outbound messages regardless of what the agent sends.
The identity, oversight, and authorization models are proven correct in Lean 4. The proofs cover core invariants: a gated agent cannot deliver without approval, identity cannot be forged across mailboxes, and oversight mode changes require explicit re-authorization. Proofs are published and checked in CI on every commit.
Start a pilot agent on gated_send with one human approver. Move it to monitored once you have behavioral confidence. Expand to autonomous when your team is ready. oversight_mode is a per-mailbox field — changing it does not require code changes or redeployment.
mm_test_... tokens run the complete API stack including approval flows, audit logging, and webhook delivery, but intercept outbound messages before delivery. Integration tests cover real code paths — not mocked behavior — without touching live inboxes.
MultiMail exposes a REST API you can call directly from any HTTP client (requests, httpx, fetch) and an MCP server (npm @multimail/mcp-server). Agents built on LangChain, CrewAI, AutoGen, Semantic Kernel, or any MCP-compatible client integrate without framework-specific adapters.
Email infrastructure built for AI agents. Verifiable identity, graduated oversight, and a hosted MCP server. Formally verified in Lean 4.