DKIM Proves the Domain. Not the Agent.

Standard DKIM tells you an email left through a trusted mail server. It says nothing about which AI agent authored it, what oversight applied, or whether a human approved the send.


Why this matters

When an AI agent sends email through a standard ESP, DKIM signs the message with the ESP's private key — not yours, not your agent's. A passing DKIM check confirms the message transited infrastructure you configured. It does not confirm which agent generated the content, which oversight mode was active, or whether the send was authorized by your access control policy. For most consumer email this distinction doesn't matter. For agentic systems operating at high volume with real business consequences, it does. An auditor asking 'which software actor sent this email and was it authorized?' cannot answer that question from DKIM alone. Neither can your incident response team.


How MultiMail solves this

MultiMail signs every outbound message with an ECDSA P-256 key before handing it to the sending infrastructure. This signature travels as the X-MultiMail-Identity header alongside standard DKIM. Recipients and auditors can verify it independently of the ESP, against the public key at /.well-known/multimail-signing-key. The signed claim covers the operator and mailbox identity, the oversight mode, the agent's capabilities, and the AI-generated flag. Standard DKIM remains in place for MTA-level authentication. MultiMail's identity layer answers the question DKIM was never designed to answer: which accountable software actor sent this, and under what oversight.

1

Standard DKIM authenticates the sending path

When MultiMail delivers your message, the outbound MTA applies a standard DKIM signature using a key published in your DNS records. Receiving MTAs verify this signature to confirm the message was not tampered with in transit and originated from infrastructure authorized to send on behalf of your domain. This is table stakes — it stops spoofing at the infrastructure layer.

2

MultiMail adds an ECDSA identity signature

Before the message reaches the MTA, MultiMail builds a signed claim using an ECDSA P-256 key. The base64url claim payload covers the operator and mailbox identity, the active oversight mode, the agent's capabilities, and the AI-generated flag, plus an issued-at timestamp inside the payload. The resulting payload-plus-signature is attached as the X-MultiMail-Identity header.

3

Receivers verify the identity layer independently

Any party — your compliance team, an audit system, a counterparty — can verify the X-MultiMail-Identity claim without contacting MultiMail. The signing public key is published at /.well-known/multimail-signing-key. Verification confirms the message was sent from a specific operator and mailbox, under a stated oversight mode, and that the claim has not been altered since signing.

4

Inbound messages are read with sender identity preserved

When MultiMail receives inbound email, it stores the message and preserves its headers. Your agent fetches it via GET /v1/mailboxes/{mailbox_id}/emails/{email_id} and, for mail from another MultiMail sender, verifies the X-MultiMail-Identity claim before acting on the content. This lets you build policies that treat mail carrying a verifiable agent-identity claim differently from unauthenticated inbound.

5

Audit log ties both layers together

Every send logged in MultiMail's audit trail records the oversight mode active at send time alongside the message identity. This gives forensic investigators a complete chain: domain authentication via DKIM, agent attribution via the signed X-MultiMail-Identity claim, and authorization state via oversight mode — all correlated to a single message id.


Try it with your agent

Pick your platform, copy the prompt, and paste it to your AI agent — it sets up MultiMail and builds the whole flow. Nothing to fill in.

1. Read https://multimail.dev/llms.txt, connect the MCP server, create a free inbox, and set up a verified sender. 2. In HubSpot, use a workflow enrollment trigger for the exact business event we care about, such as a contact becoming a sales-qualified lead, a deal entering a named stage, or a form submission, then add HubSpot's webhook action so the workflow notifies you when the event happens. 3. When the webhook fires, fetch the relevant HubSpot contact, company, deal, and recent activity context, then draft the appropriate agent-authored email with the recipient's name, company, lifecycle stage, owner, and last interaction reflected naturally. 4. Send or schedule the email from the MultiMail inbox in monitored oversight mode, using the verified sender and keeping the message concise, factual, and tied to the HubSpot record that triggered it. 5. Ask me only for the HubSpot credentials, webhook destination details, verified sending domain, and brand voice needed to go live.

What you get

Agent attribution survives ESP infrastructure changes

If you switch ESPs, rotate DKIM keys, or change sending domains, the signed X-MultiMail-Identity claim remains verifiable because it is signed by MultiMail's own key, independent of your mail infrastructure. Your audit trail stays intact across infrastructure migrations.

Sender identity is a verifiable claim, not a guess

For inbound mail from another MultiMail sender, your agent verifies the X-MultiMail-Identity claim against one public key and reads the operator, mailbox, and oversight mode straight from the signed payload. It can branch logic on a cryptographically verified sender identity rather than trusting the From header or parsing Authentication-Results.

Oversight mode is part of the signed record

The ECDSA signature covers the oversight mode active at send time, not just the message content. An auditor can verify that a given message was sent under monitored mode — not autonomous — without relying on a mutable database record. The proof is in the message itself.

Formally verified authorization model

MultiMail's oversight and identity models are proven correct in Lean 4. The properties the signed X-MultiMail-Identity claim covers — agent attribution and oversight mode binding — are verified to hold for all valid inputs, not just tested on sampled cases.


Recommended oversight mode

Recommended
monitored
DKIM signing is infrastructure-level and happens on every send regardless of oversight mode. Monitored is the right default for high-volume agent sending where human review of every message is impractical but a human should be able to see what went out. The identity signature provides a verifiable record of agent attribution and oversight state for post-hoc audit, which is the actual control mechanism at this volume. Use gated_send when the content is high-stakes enough that pre-send review outweighs latency cost.

Common questions

Does a passing DKIM check mean the AI agent was authorized to send the email?
No. DKIM verifies that the message left through sending infrastructure authorized to use your domain's DKIM key. It says nothing about which software process generated the content, whether an oversight policy permitted the send, or whether a human approved it. A compromised agent with valid API access would produce passing DKIM just like an authorized one.
Why ECDSA instead of RSA for the identity signature?
ECDSA-P256 produces shorter signatures than RSA-2048 at equivalent security level, which matters when the signature travels as an email header. It is also faster to verify. Standard DKIM commonly uses RSA; MultiMail's identity layer uses ECDSA specifically to keep the two signing systems distinct and to avoid confusion between them during verification.
Can I verify the X-MultiMail-Identity claim without calling MultiMail's API at verification time?
Yes. Fetch MultiMail's signing public key once from /.well-known/multimail-signing-key and cache it. Verification is then entirely offline — you split the header into its base64url payload and signature, then verify the ECDSA P-256 signature over the payload against the cached key. This means verification works in air-gapped audit environments and does not create a dependency on MultiMail's availability.
What happens to DKIM if I use a custom sending domain?
MultiMail generates DKIM DNS records for your custom domain during domain setup (POST /v1/domains). You publish the TXT record at the provided selector._domainkey.yourdomain.com and confirm it via POST /v1/domains/{id}/verify. Standard DKIM verification will then pass for messages from your domain. The X-MultiMail-Identity claim is separate and is not affected by domain configuration.
Can I act on the sender's identity from an inbound webhook?
Yes. Inbound webhook payloads carry the message and its headers, so your handler can read and verify the sender's X-MultiMail-Identity claim the same way the read path does — fetch MultiMail's public key once, then verify the claim's ECDSA P-256 signature offline. That gives you a cryptographically verified sender identity without parsing raw Authentication-Results headers.
If an agent sends under gated_send and the human rejects the message, is a DKIM or identity signature still created?
No. For gated_send and gated_all flows, the message is held for approval until a human approves it via POST /v1/oversight/decide. DKIM signing and the X-MultiMail-Identity claim are produced at delivery time, not while the message is held. A rejected message never reaches the MTA and no signature is produced — only approved sends are delivered and signed.

Explore more use cases

The only agent email with a verifiable sender

Email infrastructure built for AI agents. Verifiable identity, graduated oversight, and a hosted MCP server. Formally verified in Lean 4.