Verify That an Email Came From an AI Agent

MultiMail signs every outbound agent email with an ECDSA identity header. Decode the X-MultiMail-Identity header to confirm agent origin, model metadata, and disclosure state — without relying on sender logs.


Why this matters

When an AI agent sends email on behalf of a user or organization, downstream systems, security teams, and recipients have no reliable way to confirm the message is authentic. Application logs can be tampered with. Claimed sender identities can be spoofed. There is no standard mechanism to cryptographically bind an email to the specific AI agent that generated it, the model version it ran, or the oversight mode it operated under at send time. This gap creates audit failures, compliance exposure under the EU AI Act's transparency requirements, and opens the door to spoofed automation masquerading as legitimate agent output.


How MultiMail solves this

MultiMail attaches a signed X-MultiMail-Identity header to every email dispatched through the API. The header is a base64url-encoded JSON payload — operator and mailbox identity, oversight mode, capabilities, the AI-generated flag, and an issued-at timestamp — followed by an ECDSA signature using the P-256 curve. MultiMail publishes the corresponding verification public key at the /.well-known/multimail-signing-key endpoint so any recipient system can independently verify the signature without calling back into your application. Verification is purely cryptographic: no trust is placed in the sending application's claims alone, and there are no identity-lookup endpoints — identity is the signed claim in the message plus the one public key.

1

Retrieve the email and its headers

Call GET /v1/mailboxes/{mailbox_id}/emails/{email_id} to fetch the full email record. The response includes a `headers` object containing X-MultiMail-Identity alongside standard fields like Message-ID and Date. For inbound emails that need verification, the same header is preserved when MultiMail receives and stores the message.

2

Decode the identity payload

The X-MultiMail-Identity header value is a dot-separated structure: base64url(payload).base64url(signature). Decode the payload to a JSON object containing fields: operator, oversight, capabilities, ai_generated, verified_operator, service, and an iat (issued-at) timestamp. These fields describe the exact agent state at send time.

3

Fetch the signing public key

Retrieve the signing public key from GET /.well-known/multimail-signing-key. The endpoint returns a JWK object with the P-256 public key — one service key, with no per-tenant or per-agent lookup. Cache it with a 24-hour TTL on the verifier side to avoid per-message roundtrips, and re-fetch on any verification failure.

4

Verify the ECDSA signature

Reconstruct the signed message as base64url(payload) and verify the signature bytes against the public key using ES256 (ECDSA with P-256 and SHA-256). A valid signature confirms the payload has not been tampered with and was produced by MultiMail's signing infrastructure using the tenant's key at the stated timestamp.

5

Check agent metadata against expected values

After signature verification, assert that the decoded fields match your policy: operator matches the expected sender, oversight is not `autonomous` if your policy requires human review, ai_generated is true if EU AI Act disclosure is required, and the iat timestamp falls within an acceptable time window to prevent replay attacks.

6

Log the verification result

Write the verification outcome — pass/fail, operator, oversight, and the claim's iat timestamp — to your audit log. This record satisfies EU AI Act Article 13 transparency requirements and provides evidence for security incident investigations. The signed X-MultiMail-Identity header is itself the portable receipt: re-verify it later against the public key, or have a recipient check it in a browser at https://multimail.dev/verify#<header-value>.


Try it with your agent

Pick your platform, copy the prompt, and paste it to your AI agent — it sets up MultiMail and builds the whole flow. Nothing to fill in.

1. Get MultiMail ready: read https://multimail.dev/llms.txt, connect the MCP server, create a free inbox, and set up a verified sender. 2. In Microsoft 365, use Microsoft Graph change notifications on the relevant mailbox messages so the workflow starts when new mail from an AI-managed mailbox is created or sent. 3. For each triggered message, record the mailbox, agent name, business process, model label supplied by our team, and intended oversight level in the message notes or case record, then send a short verification notice to the security operations mailbox. 4. Send all verification notices through MultiMail in monitored mode, including the business reason, sender identity, and what system action caused the email. 5. To go live, ask me only for Microsoft 365 admin consent, the mailbox to monitor, the security operations address, and approved brand wording.

What you get

Cryptographic proof, not log trust

The ECDSA signature in X-MultiMail-Identity is verifiable by any party with the public key. You do not need to query the sending application's logs or database to confirm authenticity — the header is self-contained evidence.

EU AI Act Article 13 transparency support

The identity payload includes the ai_generated flag, the operator and mailbox identity, and the oversight mode, giving recipients the information required under EU AI Act transparency obligations for automated decision-making systems. The signed header is itself a storable audit artifact.

Replay attack detection

Each identity claim includes an iat (issued-at) timestamp. Verifiers can reject claims outside an acceptable time window so a replayed header from an old message is not accepted as fresh verification evidence.

One public key, simple to cache

Verification depends on a single service signing key published at /.well-known/multimail-signing-key. Cache it with a short TTL and re-fetch on any verification failure — there is no per-tenant or per-agent key to track, which keeps verifier-side key management trivial.

Works across all oversight modes

Identity headers are attached regardless of whether the email was sent under gated_all, monitored, or autonomous oversight. Security teams can verify not just that an agent sent a message but what constraints it was operating under at send time.


Recommended oversight mode

Recommended
monitored
Verification workflows are typically triggered by inbound events — a recipient's security system checking an email it received, or an audit pipeline reviewing sent messages. The verifying agent needs read access to emails and identity receipts but does not need to gate or block sending. Monitored mode gives the agent autonomous read access while keeping a human-visible trail of every verification query it performs, which is the appropriate posture for a security-adjacent automation reading sensitive message metadata.

Common questions

What algorithm does MultiMail use for the identity signature?
MultiMail uses ECDSA with the P-256 curve and SHA-256 (ES256 in JWA terminology). The signature is computed over the base64url-encoded payload string, not the decoded JSON bytes. The public key is served as a JWK object from GET /.well-known/multimail-signing-key — one service key for all senders, with no per-tenant or per-agent lookup.
Can an email lack the X-MultiMail-Identity header?
Yes — emails sent directly via SMTP relay or inbound emails received from external senders will not carry this header. Your verification logic should treat a missing header as unverified, not as invalid. Only emails dispatched through the MultiMail send_email or reply_email API endpoints carry a signed identity header.
How does the verifier stay current with the signing key?
Verification uses a single service signing key published at /.well-known/multimail-signing-key. Cache it with a short TTL (24 hours is reasonable) and re-fetch on any verification failure — the endpoint always returns the current key, so a verifier that re-fetches on failure self-heals without any per-message key-version tracking.
Is the X-MultiMail-Identity header preserved if the email is forwarded?
Standard email forwarding strips or rewrites many headers. The header will be present in the original message as received by the first recipient, but may not survive subsequent forwards. For audit purposes, capture the X-MultiMail-Identity header value from the first recipient and store it — the header is the self-contained receipt and stays verifiable against the public key regardless of later forwarding.
Does verification require calling the MultiMail API, or can it be done offline?
Signature verification itself is fully offline once you have the public key. The only network call required is fetching the JWK from the unauthenticated GET /.well-known/multimail-signing-key, which you can cache. Everything you need to verify a message is in the X-MultiMail-Identity header plus that one public key — no per-message API call.
What does the ai_generated field in the claim mean?
ai_generated is true for agent-originated mail — it signals that the message was composed by an AI agent, as required by the EU AI Act for automated communications. AI disclosure is gateway-enforced per mailbox (the ai_disclosure setting is locked on and cannot be disabled), so agent-sent mail always carries ai_generated: true plus the human-readable disclosure footer; a verifier can treat its presence as a reliable signal rather than something a sender could suppress.
How do I verify an email's identity from Python?
Use the REST API directly as shown in the code samples above: GET /v1/mailboxes/{mailbox_id}/emails/{email_id} returns the full headers object including X-MultiMail-Identity, then verify the claim's ECDSA P-256 signature against the JWK from /.well-known/multimail-signing-key using the cryptography library. No special SDK is required — any HTTP client plus a standard crypto library works.

Explore more use cases

The only agent email with a verifiable sender

Email infrastructure built for AI agents. Verifiable identity, graduated oversight, and a hosted MCP server. Formally verified in Lean 4.