Build a Real AI Email Agent, Not a Demo

LLMs can draft text. MultiMail gives them an actual inbox, approval controls, thread awareness, and delivery guarantees — the infrastructure layer real agents need.


Why this matters

Getting an LLM to compose an email is straightforward. Making that agent reliable in production is not. You need inbox access with proper authentication, a way to queue outbound messages for human review before they send, reply threading so responses land in the right conversation, and an audit trail when something goes wrong. Most developers wire these pieces together from scratch — SMTP credentials, a polling loop, a webhook handler, a queue — and end up with brittle glue code that breaks the first time an approval is missed or a reply lands in the wrong thread.


How MultiMail solves this

MultiMail is purpose-built email infrastructure for AI agents. You connect once via MCP or REST API, configure an oversight mode that matches your trust level, and get primitives for the full email lifecycle: check_inbox, read_email, get_thread, draft_reply, decide_email, send_email, and list_pending. The gated_send mode lets your agent read and draft autonomously while queuing every outbound message for human approval before delivery — a practical default for new agents that haven't yet earned full send permissions.

1

Create a mailbox and get your API key

Create a mailbox at your own domain or use a @multimail.dev address. Your API key (mm_live_... or mm_test_...) authenticates all requests. Set the oversight mode to gated_send so the agent can read and draft without sending anything unsupervised.

2

Connect via MCP or REST

Add MultiMail to your agent's MCP config to expose all 51 tools directly to your LLM runtime, or call the REST API at https://api.multimail.dev with a Bearer token. Both surfaces expose the same primitives: check_inbox, read_email, get_thread, send_email, reply_email, decide_email, and list_pending.

3

Read the inbox and load thread context

The agent calls check_inbox to discover new messages, then read_email to retrieve full content, and get_thread to load prior conversation history. Thread context is essential — agents that reply without it produce responses that ignore what was already said.

4

Draft a reply and queue for approval

With thread context in hand, the agent drafts a reply and calls reply_email. In gated_send mode the message is queued rather than sent immediately. The human reviewer sees the full draft via the approval webhook or the list_pending endpoint and can approve or reject.

5

Send and track delivery

After approval, MultiMail delivers the message and fires a delivery webhook. The agent can poll or listen for bounce events, open tracking, and reply-back notifications to decide its next action — closing the loop without manual intervention.


Try it with your agent

Pick your platform, copy the prompt, and paste it to your AI agent — it sets up MultiMail and builds the whole flow. Nothing to fill in.

1. Read https://multimail.dev/llms.txt, connect the MultiMail MCP server to the agent runtime, create a free inbox, and set up a verified sender. 2. In OpenAI, build the agent with tool access enabled through MCP, and trigger the workflow from your application when a user, task, or CRM record requires an email. 3. Have the agent read the relevant inbox thread, gather the recipient context from the triggering record, draft a concise reply or outbound email, preserve the correct thread when replying, and summarize why the message should be sent. 4. Run MultiMail in gated_send mode so every outbound email is queued for human approval before delivery, while the agent can still read, draft, and prepare follow-ups. 5. Ask me only for the OpenAI project credentials, the brand voice, the verified sending domain details, and the first production trigger to enable.

What you get

Inbox access without SMTP plumbing

MultiMail handles delivery, bounce handling, DKIM signing, and inbound parsing. Your agent calls check_inbox and read_email — no SMTP credentials, no polling loop, no MX record management.

Approval queue built in

gated_send mode queues every outbound message before delivery. You get list_pending and decide_email endpoints, plus webhooks — no separate approval service to build and maintain.

Thread-aware reply routing

get_thread returns the full conversation history in a single call. Replies land in the correct thread with proper In-Reply-To headers, so responses appear correctly in every email client your recipients use.

Audit trail for every action

Every read, draft, approval, and send is logged with agent identity headers. When a message causes a problem, you can trace exactly what the agent saw and when it acted.

Graduated trust as the agent matures

Start at gated_send, move to monitored once you trust the agent's judgment, and eventually to autonomous. The oversight mode is a single config change — no code rewrites, no new infrastructure.

MCP and REST on the same primitives

Whether you use an MCP client like Claude Desktop or call the REST API directly, you get the same 51 tools with the same behavior. You can prototype in an MCP client and deploy via REST without rewriting logic.


Recommended oversight mode

Recommended
gated_send
New email agents should not send autonomously until their judgment is proven in production. gated_send lets the agent read and draft without restriction — maintaining its ability to respond to inbound messages quickly — while requiring human approval before any message is delivered. This is the right default for a first deployment: it surfaces edge cases the agent handles poorly without letting those cases reach your users' inboxes.

Common questions

Do I need to manage SMTP credentials or MX records?
No. MultiMail handles delivery infrastructure, DKIM signing, bounce processing, and inbound parsing. You authenticate with a Bearer token and call the REST API or use the MCP server — there are no SMTP credentials to rotate or DNS records to configure beyond pointing your domain's MX to MultiMail.
How does gated_send mode work technically?
When your agent calls reply_email or send_email in gated_send mode, the message is stored with status pending_approval instead of being delivered. MultiMail fires an approval webhook to your endpoint. A human reviewer calls decide_email with decision: approve or reject. On approval, MultiMail delivers the message and fires a delivery webhook.
Can the agent read emails it did not receive — for example, a shared inbox?
Yes. You can create mailboxes at your own domain ([email protected] routed through MultiMail) or at @multimail.dev addresses. Any mailbox your API key has access to is readable via check_inbox and read_email. Permissions are scoped per mailbox in your account.
What happens if a message bounces after approval?
MultiMail fires a delivery status webhook with the bounce reason. The agent can listen for this event via your webhook handler or poll the message status endpoint. Bounce details include the SMTP error code and a classification (hard vs. soft), which the agent can use to decide whether to retry or escalate.
How do I prevent the agent from replying to the same email twice?
Read the email's thread_id before replying. get_thread shows every message in the conversation, including pending approvals. Your agent should check whether a pending or sent reply already exists in the thread before drafting a new one. The list_pending endpoint also surfaces queued replies by thread.
Is there a test mode for building without sending real email?
Yes. API keys prefixed mm_test_ operate in sandbox mode. Emails are processed and stored normally — check_inbox, read_email, and get_thread all work — but delivery is simulated. Inbound test messages can be injected via the API. Switch to mm_live_ to go to production.
Can I use MultiMail with LangChain or CrewAI instead of calling the REST API directly?
Yes. MultiMail has framework integrations for LangChain, CrewAI, AutoGen, and Semantic Kernel. Each integration wraps the same REST primitives as tool-callable functions. The MCP server works with any MCP-compatible runtime, including Claude Desktop, Cursor, and Windsurf.

Explore more use cases

The only agent email with a verifiable sender

Email infrastructure built for AI agents. Verifiable identity, graduated oversight, and a hosted MCP server. Formally verified in Lean 4.