Skip to content

multimail-dev/mcp-server

BranchesTags

Repository files navigation

@multimail/mcp-server

Your agent doesn't have email yet because nobody trusts it with email yet. MultiMail fixes that. A real email address with a trust ladder from read-only to fully autonomous, cryptographic identity on every message, and per-recipient sending controls.

Quick start

{
  "mcpServers": {
    "multimail": {
      "type": "url",
      "url": "https://mcp.multimail.dev/mcp"
    }
  }
}

Remote server. No install. Authenticates via OAuth on first connect.

Works with Claude.ai, Claude Desktop, Claude Code, Cursor, Windsurf, Copilot (VS Code), ChatGPT Desktop, and any MCP client that supports remote servers.

Alternative: local stdio server

{
  "mcpServers": {
    "multimail": {
      "command": "npx",
      "args": ["-y", "@multimail/mcp-server"],
      "env": {
        "MULTIMAIL_API_KEY": "mm_live_...",
        "MULTIMAIL_MAILBOX_ID": "01KJ1NHN8J..."
      }
    }
  }
}

Get a key at multimail.dev. Or run without one to create an account interactively.

Config file locations

Client Config file
Claude Code ~/.claude/.mcp.json
Claude Desktop claude_desktop_config.json
Cursor .cursor/mcp.json in your project
Windsurf ~/.codeium/windsurf/mcp_config.json
Copilot (VS Code) .vscode/mcp.json in your project
OpenCode mcp.json in your project
ChatGPT Desktop Settings > MCP Servers

Trust ladder

Every mailbox has an oversight mode. Start restrictive, graduate as the agent earns trust.

Mode Behavior
read_only Agent reads email. All sends blocked.
gated_all Every action requires human approval.
gated_send Outbound held for approval. Inbound immediate. (default)
monitored Agent sends freely. Copies go to oversight address.
autonomous Full send/receive. No gates.

Agents request upgrades via the API. The operator approves with a one-time code. Downgrades need no approval. The agent can always restrict itself.

The gated approval flow is formally verified in Lean 4. No email reaches delivery without passing through operator approval, for every possible code path.

Per-recipient allowlist

In gated_send mode, allowlisted recipients bypass the approval queue. Add exact addresses (vendor@example.com) or domain wildcards (*@example.com). Every addition requires operator email approval. The agent cannot self-approve allowlist changes.

The practical middle ground: routine correspondence with known contacts goes immediately, new recipients still require oversight.

Cryptographic identity

Every outbound email carries a signed X-MultiMail-Identity header (ECDSA P-256). The payload includes operator name, oversight mode, capabilities, and verification status. Recipients verify against the public key at GET /.well-known/multimail-signing-key.

A separate X-MultiMail-Reputation header links to privacy-preserving reputation data: bounce rates, complaint rates, account age. No raw addresses exposed.

Without verified identity, recipients cannot distinguish your agent from a spammer. With it, they can verify the operator, the oversight level, and the sending history before reading a word.

Agent self-registration (auth.md)

Agents can register themselves without a browser. The protocol uses verified-email identity assertion, following the auth.md convention inspired by WorkOS AuthKit:

POST /agent/auth -> claim_token + OTP sent to operator email
POST /agent/auth/claim/complete -> API key + tenant_id + granted scopes

Discovery follows RFC 9728:

  • GET /.well-known/oauth-protected-resource (resource metadata)
  • GET /.well-known/oauth-authorization-server (authorization metadata with agent_auth extension)
  • GET /auth.md (human/agent-readable registration guide)

The WWW-Authenticate header on 401 responses points agents to these endpoints automatically. An agent that hits a 401 can follow the link, read the registration protocol, and onboard itself.

Content scanning

Every outbound email is scanned before delivery. Emails enter pending_scan status, then transition to delivery or pending_send_approval (in gated modes). Inbound emails go through the same pipeline. Phishing, malware, and prompt injection patterns are flagged before reaching the agent's inbox.

How it works

  • Email bodies are markdown in, formatted HTML out. Inbound HTML arrives as clean markdown (15x fewer tokens than raw MIME).
  • Threading is automatic. Reply to an email and headers are set correctly.
  • Sends return pending_scan while scanned. Gated mailboxes then transition to pending_send_approval for human review. Do not retry.
  • Every outbound email carries a cryptographically signed X-MultiMail-Identity header.
  • Reputation data via X-MultiMail-Reputation header: bounce rates, complaint rates, account age. Privacy-preserving, updated daily.

Tools (50)

Tool Description
Core email
send_email Send email as markdown. Supports attachments, idempotency_key, scheduled delivery via send_at.
check_inbox List emails with filters: status, sender, subject, date range, direction, attachments, pagination.
read_email Full email content. Trusted metadata and untrusted body returned as separate content blocks.
reply_email Reply in-thread. Threading headers set automatically.
get_thread All emails in a conversation thread with participants and metadata.
download_attachment Download attachment as base64 with content type.
cancel_message Cancel a pending or scheduled email.
edit_scheduled_email Edit scheduled email before it sends.
wait_for_email Block until matching email arrives or timeout (max 120s).
get_tags Get all tags on an email. Persistent key-value agent memory across sessions.
set_tags Set tags on an email. Merges with existing tags.
delete_tag Delete a specific tag key from an email.
Oversight
list_pending Emails awaiting oversight decision (requires oversight scope).
decide_email Approve or reject a pending email (requires oversight scope).
manage_upgrade Request or apply oversight mode upgrade (action: request|apply).
Sending allowlist
list_allowlist List sending allowlist entries.
add_allowlist_entry Add a recipient to the sending allowlist. Operator approval required.
remove_allowlist_entry Remove an allowlist entry.
Mailbox management
list_mailboxes All mailboxes with ID, address, oversight mode, display name.
configure_mailbox First-run setup: oversight mode, display name, CC/BCC, scheduling, signature.
update_mailbox Update settings (display name, oversight mode, signature, webhooks).
create_mailbox Create mailbox (admin scope + operator approval).
delete_mailbox Permanently delete a mailbox (admin scope).
Account & billing
get_account Account status, plan, quota, sending enabled, enforcement tier.
update_account Update org name, oversight email, physical address.
delete_account Permanently delete account and all data (admin scope).
get_usage Quota and usage stats for the billing period.
upgrade_plan Upgrade to paid plan (Builder $9/mo, Pro $29/mo, Scale $99/mo).
cancel_subscription Cancel paid subscription, revert to starter at period end.
get_billing_portal Stripe portal URL for self-service billing.
Signup (no API key needed)
request_challenge ALTCHA proof-of-work challenge for account creation.
create_account Create account with solved PoW challenge.
resend_confirmation Resend activation email with new code.
activate_account Activate account using confirmation code.
setup_multimail Guided onboarding on the public /onboard endpoint.
API keys & audit
list_api_keys List all API keys (admin scope).
create_api_key Create API key with scopes (admin + operator approval). send+oversight rejected to prevent self-approval.
revoke_api_key Revoke an API key (admin scope).
get_audit_log Account audit log (admin scope).
Contacts & spam
search_contacts Search contacts by name or email.
add_contact Add a contact.
delete_contact Delete a contact.
manage_spam_status Report spam or clear spam status (action: report|clear).
list_spam Spam-flagged and quarantined emails.
list_suppression List suppressed recipients with pagination.
remove_suppression Remove a recipient from the suppression list.
Webhooks
create_webhook Create webhook for real-time email event notifications.
list_webhooks List all webhooks.
delete_webhook Delete a webhook.
Meta
report_issue Report a bug, site problem, or feature request.

Example prompts

Find the most recent email from alice@example.com, summarize what she's asking,
then draft a reply saying I'll review this week. Don't send until I approve.

Check my inbox and summarize the last 5 unread emails.
For each: sender, subject, time, and whether it needs action today.

Review the pending approval queue. For each pending email: who it goes to,
the subject, risk factors, and whether to approve or reject.

Show my current sending allowlist. Then add *@acme.com so emails to Acme skip approval.

Environment variables

Variable Required Description
MULTIMAIL_API_KEY For stdio mode Your API key (mm_live_...). Not needed for remote server (uses OAuth).
MULTIMAIL_MAILBOX_ID No Default mailbox ID. If unset, pass mailbox_id per tool or call list_mailboxes.
MULTIMAIL_API_URL No API base URL. Defaults to https://api.multimail.dev.

Also available

Development

npm install
npm run dev   # Run with tsx
npm run build # Compile TypeScript
npm start     # Run compiled version

License

MIT

By using MultiMail you agree to the Terms of Service and Acceptable Use Policy.

About

MCP server for MultiMail — Verifiable identity email for AI agents

multimail.dev

Topics

ai-agents verifiable-credentials ai-agent agent-email

Resources

Readme

License

MIT license
Activity
Custom properties

Stars

1 star

Watchers

0 watching

Forks

0 forks
Report repository

Releases

1 tags

Packages

 
 
 

Contributors

Languages