Better Email MCP
This MCP server enables AI agents to manage email via IMAP/SMTP across multiple accounts, supporting search, reading, sending, organizing, and attachment handling.
Search & Read (
messages): Search using filters likeUNREAD,FLAGGED,SINCE YYYY-MM-DD,FROM email,SUBJECT text, or combined queries; read individual emails by UID across one or all accounts.Organize (
messages): Mark emails as read/unread, flag/unflag, move to folders, archive, or trash — individually or in batch.Send (
send): Compose new emails with To/CC/BCC; reply (auto-maintainsIn-Reply-To/Referencesthreading headers, prepends "Re:"); forward (prepends "Fwd:", includes original body).Folders (
folders): List all mailbox folders (names, paths, flags) for one or all accounts.Attachments (
attachments): List attachments on a specific email or download them as base64-encoded content.Multi-account: Manage Gmail, Outlook, Yahoo, iCloud, Zoho, ProtonMail, and custom IMAP accounts simultaneously via comma-separated credentials.
Auto-discovery: IMAP/SMTP settings are automatically detected from the email address domain.
Configuration (
config): Set up, reset, and check credential status; supports app passwords and Outlook OAuth2 device-code flow.Deployment: Runs in
stdiomode for local single-user setups orHTTPmode for multi-user deployments with OAuth 2.1; supports Docker and Cloudflare serverless with encrypted token storage.Help (
help): Retrieve full documentation for any tool on demand.
Allows searching, reading, and sending emails through Gmail accounts using IMAP and SMTP protocols with support for App Passwords.
Provides tools for managing emails on iCloud and Me.com accounts, including searching, reading, sending, and organizing messages via IMAP/SMTP.
Enables interaction with ProtonMail accounts through the ProtonMail Bridge, supporting operations like searching, reading, and sending emails.
Supports email operations for Zoho Mail accounts, allowing users to search, read, send, and organize messages via IMAP and SMTP.
Better Email MCP
mcp-name: io.github.n24q02m/better-email-mcp
IMAP/SMTP email for AI agents -- read, send, organize folders, and manage attachments across multiple accounts, with auto-discovery.
Project | Tagline | Tag |
Knowledge graph for token-efficient code reviews -- semantic search and call-... | MCP | |
IMAP/SMTP email for AI agents -- read, send, organize folders, and manage att... | MCP | |
Composite MCP server for Godot Engine -- 17 composite tools for AI-assisted g... | MCP | |
Markdown-first Notion for AI agents -- pages, databases, blocks, and comments... | MCP | |
Telegram for AI agents -- messages, chats, media, and contacts across both bo... | MCP | |
Claude Code plugin marketplace for the n24q02m MCP servers -- install web sea... | Marketplace | |
Image and video understanding + generation for AI agents -- across Gemini, Op... | MCP | |
Chrome Extension for bulk operations on Jules tasks via batchexecute API -- a... | Tooling | |
Shared foundation for building MCP servers -- Streamable HTTP transport, OAut... | MCP | |
Persistent AI memory with hybrid search and embedded sync. Open, free, unlimi... | MCP | |
Lightweight Qwen3 text embedding and reranking via ONNX Runtime and GGUF | Library | |
Secrets without the server. | CLI | |
TACET: a self-distilling neuro-symbolic cascade that amortises LLM cost in kn... | Tooling | |
Shared web infrastructure package for search, scraping, HTTP security, and st... | Library | |
Open-source MCP server for AI agents: web search, content extraction, and lib... | MCP |
Table of contents
Related MCP server: MCP Email Server
Features
Multi-account support -- manage 6+ email accounts (Gmail, Outlook, Yahoo, iCloud, Zoho, ProtonMail, custom IMAP)
App Passwords -- no OAuth2 setup required for most providers; clone and run in 1 minute
5 composite tools with 21 actions (plus
help+config__open_relay) -- search, read, send, reply, forward, organize, and credential setup in single callsAuto-discovery -- provider settings detected from email address, custom IMAP host supported
Thread-aware -- reply/forward maintains In-Reply-To and References headers
Tiered token optimization -- compressed descriptions + on-demand
helptool + MCP Resources
Install
The server runs in two modes: stdio (default, single-user, credentials from env vars) and HTTP (opt-in, multi-user with OAuth 2.1). For stdio, add it to your MCP client config:
{
"mcpServers": {
"better-email": {
"command": "npx",
"args": ["--yes", "@n24q02m/better-email-mcp@latest"],
"env": {
"EMAIL_CREDENTIALS": "user@gmail.com:app-password"
}
}
}
}Multiple accounts are comma-separated: user1@gmail.com:pass1,user2@outlook.com:pass2. See Configuration for all env vars, and Remote (HTTP Mode) to run a hosted multi-user server.
Most providers use an App Password (no OAuth setup); Outlook/Hotmail/Live use a bundled OAuth device-code flow in HTTP mode. Settings (IMAP/SMTP host, port) are auto-discovered from the email domain.
Documentation
Full docs at mcp.n24q02m.com/servers/better-email-mcp/setup/:
Setup -- install methods for Claude Code, Codex, Gemini CLI, Cursor, Windsurf, mcp.json
Modes overview -- stdio (default) and HTTP (opt-in, multi-user with OAuth 2.1)
Multi-user setup -- per-JWT-sub credential model
Install with AI agent -- paste this to your AI coding agent:
Install MCP server
better-email-mcpfollowing the steps at https://raw.githubusercontent.com/n24q02m/claude-plugins/main/plugins/better-email-mcp/setup-with-agent.md
Tools
Tool | Actions | Description |
|
| Search, read, and organize emails |
|
| List mailbox folders |
|
| List and download email attachments |
|
| Compose, reply, and forward emails |
|
| Credential setup via browser relay, status check, reset, re-resolve, cache clear |
| - | Open the relay configuration form in the browser and return the relay URL |
| - | Get full documentation for any tool |
MCP Resources
URI | Description |
| Message operations reference |
| Folder operations reference |
| Attachment operations reference |
| Send/compose reference |
| Credential setup and runtime configuration reference |
| Full documentation |
Comparison
How better-email-mcp stacks up against direct competitors in each pillar:
Capability | better-email-mcp | |||
IMAP/SMTP (provider-agnostic) | Yes | Yes | No (Gmail API only) | Yes |
Multi-account | Yes (comma-separated creds) | Yes | No (single global credential) | No (single account per instance) |
App Passwords | Yes (no OAuth setup) | Yes | No (OAuth2 only) | Yes |
Auto-discovery from email address | Yes | Yes (8 providers) | n/a (Gmail only) | No (manual host/port) |
Bundled Outlook OAuth (no user Azure app) | Yes (device-code, Thunderbird-pattern client) | partial (OAuth2 XOAUTH2, experimental) | No (user-supplied Google OAuth) | No |
Attachments (list + download) | Yes | Yes | Yes | Yes |
HTTP multi-user mode (per-JWT-sub) | Yes (OAuth 2.1, self-hostable) | No (stdio only) | No (stdio only) | No (stdio only) |
Remote (HTTP Mode)
Run as a multi-user HTTP server with OAuth 2.1 authentication:
{
"mcpServers": {
"better-email": {
"type": "http",
"url": "https://email.n24q02m.com/mcp"
}
}
}Self-Hosting (HTTP Mode)
Single multi-user mode (relay form for App-Password providers + bundled Outlook OAuth device-code):
docker run -p 8080:8080 \
-e PORT=8080 \
-e PUBLIC_URL=https://your-domain.com \
n24q02m/better-email-mcp:latestUsers provide their own email credentials through the OAuth flow / paste form. No server-side EMAIL_CREDENTIALS needed. With the default Docker self-host, per-user credentials are held in an in-memory store (cleared on restart); users re-submit after a restart. Outlook OAuth uses the bundled public Azure client (d56f8c71-9f7c-43f4-9934-be29cb6e77b0, Thunderbird-pattern) -- no user-side Azure app registration needed.
Cloudflare serverless mode (KV-only)
Deploy a per-user serverless instance at https://email.n24q02m.com: each JWT sub
gets its own Container Durable Object, and all credentials AND Outlook OAuth tokens are
AES-256-GCM encrypted into Workers KV (one subs/<sub>/config blob per user) so they
survive scale-to-zero / container recreate with no re-auth. The JWT signing key is
derived deterministically from CREDENTIAL_SECRET (EdDSA), so the user's identity is
stable across recreate. Required secrets: CREDENTIAL_SECRET (per-sub vault + EdDSA),
MCP_RELAY_PASSWORD (form gate), MCP_DCR_SERVER_SECRET (intentional multi-user
deploy). See wrangler.jsonc.
Keying Outlook tokens by JWT
sub(in the per-sub KV blob) resolves the former email-keyedtokens.jsonambiguity (CLAUDE.md Known Bug #4): two users' Outlook accounts can no longer collide.
Caveat:
localhostIMAP accounts (email:pass:localhost:1993) are valid for local / VM deployments but CANNOT work on Cloudflare — there is no co-located IMAP proxy inside the container. Use a publicly-reachable IMAP host on CF.
Outlook OAuth Device Code (HTTP mode)
In HTTP mode, Outlook/Hotmail/Live accounts use OAuth2 device-code automatically. On first use:
The server prints a device code and a Microsoft login URL
Open the URL in a browser and enter the code
Sign in and authorize the app
Tokens are persisted per JWT sub — in the encrypted Cloudflare KV credential blob (
subs/<sub>/config) on the serverless deploy, or in~/.better-email-mcp/tokens.jsonfor single-user / stdio
OAuth uses the bundled public Azure client (d56f8c71-9f7c-43f4-9934-be29cb6e77b0, Thunderbird-pattern) -- no user-side Azure registration needed.
In stdio mode, Outlook accounts use an App Password instead (Outlook Account Settings → Security → Advanced security options → App passwords).
Configuration
Variable | Required | Default | Description |
| Yes (stdio) | - | Email credentials, |
| Alternative (stdio, single-account) | - | Email address. Used with |
| Alternative (stdio, single-account) | - | App password (Gmail/Yahoo/iCloud) or Outlook App Password; used with |
| No (http) | - | Server's public URL for relay / OAuth redirect links |
| No |
| Server port (http mode); set explicitly (e.g. |
| No | - | Bind address (http mode) |
| No (http) | - | Set to |
| No |
| Override the bundled Azure AD public client for self-hosted Outlook OAuth2 |
| No | - | Workaround when Microsoft device-code response omits the email field |
Multiple Accounts
EMAIL_CREDENTIALS=user1@gmail.com:pass1,user2@outlook.com:pass2,user3@yahoo.com:pass3Custom IMAP Host
# Custom hostname (default port 993, implicit TLS)
EMAIL_CREDENTIALS=user@custom.com:password:imap.custom.com
# Custom hostname with a custom port
EMAIL_CREDENTIALS=user@custom.com:password:imap.custom.com:1993
# Local IMAP proxy -- "localhost" is accepted as a host, even without a dot
EMAIL_CREDENTIALS=user@custom.com:password:localhost:1993Each account can use its own host and port. A non-993 port is treated as plaintext/STARTTLS -- the usual shape for a local IMAP proxy (for example email-oauth2-proxy).
Search Query Language
Query | Description |
| Unread emails |
| Starred emails |
| Emails after date |
| Emails from sender |
| Emails matching subject |
| Compound filter |
Supported Providers
Provider | Auth | Save-to-Sent |
Gmail | App Password | Auto (skipped) |
Yahoo | App Password | Auto (skipped) |
iCloud/Me.com | App-Specific Password | Auto (skipped) |
Outlook/Hotmail/Live | OAuth2 (Device Code) | IMAP APPEND |
Zoho | App Password | IMAP APPEND |
ProtonMail | ProtonMail Bridge | IMAP APPEND |
Custom | Via | IMAP APPEND |
Security
Credential sanitization -- Passwords never leaked in error messages
App Passwords -- Uses app-specific passwords, not regular passwords
Token storage -- Outlook OAuth tokens saved with 600 permissions
IMAP validation -- Search queries validated before execution
Build from Source
git clone https://github.com/n24q02m/better-email-mcp.git
cd better-email-mcp
bun install
bun run devDeploy to Cloudflare
Run your own multi-user better-email instance serverless on Cloudflare (Containers + KV).
Each JWT sub gets its own Container Durable Object, and every user's email credentials and
Outlook OAuth tokens are AES-256-GCM encrypted into a single Workers KV blob per user, so they
survive scale-to-zero / container recreate with no re-auth.
Prerequisites: a Cloudflare account on the Workers Paid plan — required for Containers (the Cloudflare free tier does not include Containers) — and the wrangler CLI.
git clone https://github.com/n24q02m/better-email-mcp && cd better-email-mcpwrangler loginCreate the KV namespace (better-email is KV-only -- no D1 / Vectorize):
wrangler kv namespace create better-email-kvPaste the returned id into
<better-email-kv-namespace-id>inwrangler.jsonc.Push the container image to your Cloudflare managed registry (CF Containers cannot pull from external registries directly), then set
<YOUR_ACCOUNT_ID>inwrangler.jsonc:docker pull ghcr.io/n24q02m/better-email-mcp:beta docker tag ghcr.io/n24q02m/better-email-mcp:beta better-email-mcp:beta wrangler containers push better-email-mcp:beta # prints registry.cloudflare.com/<ACCOUNT_ID>/better-email-mcp:betaPoint
wrangler.jsoncat your own domain: set<YOUR_PUBLIC_URL>(e.g.https://email.example.com) and<YOUR_WORKER_DOMAIN>(e.g.email.example.com).Set the deploy secrets:
wrangler secret put CREDENTIAL_SECRET # per-sub vault key + deterministic EdDSA signing (required) wrangler secret put MCP_RELAY_PASSWORD # gate for the /authorize setup form wrangler secret put MCP_DCR_SERVER_SECRET # proof of an intentional multi-user deployOptional Outlook overrides -- only to replace the bundled public Azure device-code client (default needs no user-side Azure app):
wrangler secret put OUTLOOK_CLIENT_IDandwrangler secret put OUTLOOK_EMAIL.wrangler deploy, then open<YOUR_PUBLIC_URL>/authorizeand complete the browser relay form.
End-users supply their own email credentials -- an App Password via the paste form, or the
bundled Outlook device-code sign-in -- through that relay form; there is no server-side
EMAIL_CREDENTIALS. Storage maps to Cloudflare via MCP_STORAGE_BACKEND=cf-kv (already set in
wrangler.jsonc); see Cloudflare serverless mode (KV-only)
for the encryption and trust details.
Trust Model
This plugin implements TC-NearZK (in-memory, ephemeral). See the mcp-core trust model for full classification.
Mode | Storage | Encryption | Who can read your data? |
HTTP remote (hosted) | In-memory | In-process only | Server process (cleared on restart) |
HTTP self-host | Same as hosted | Same | Only you (admin = user) |
stdio | platformdirs | AES-GCM, machine-bound key | Only your OS user (file perm 0600) |
License
MIT -- See LICENSE.
Maintenance
Tools
Latest Blog Posts
- Your AI Chatbot Just Exposed Your CEO's Salary to an InternBy Om-Shree-0709 on .Agent IdentityMCP SecurityOAuth Delegation
- Why MCP Servers Need Execution Sandboxing (And Why Your Current Stack Isn't Enough)By Om-Shree-0709 on .Agentic AiPrompt InjectionWebAssembly
MCP directory API
We provide all the information about MCP servers via our MCP API.
curl -X GET 'https://glama.ai/api/mcp/v1/servers/n24q02m/better-email-mcp'
If you have feedback or need assistance with the MCP directory API, please join our Discord server