Skip to main content
Glama
deenesjakoruzh
multimail-dev

MultiMail

by multimail-dev
OverviewSchemaRelated ServersScoreDiscussions
JavaScript
Remote

@multimail/mcp-server

Your agent doesn't have email yet because nobody trusts it with email yet. MultiMail fixes that. A real email address with a trust ladder from read-only to fully autonomous, cryptographic identity on every message, and per-recipient sending controls.

Quick start

{
  "mcpServers": {
    "multimail": {
      "type": "url",
      "url": "https://mcp.multimail.dev/mcp"
    }
  }
}

Remote server. No install. Authenticates via OAuth on first connect.

Works with Claude.ai, Claude Desktop, Claude Code, Cursor, Windsurf, Copilot (VS Code), ChatGPT Desktop, and any MCP client that supports remote servers.

Alternative: local stdio server

{
  "mcpServers": {
    "multimail": {
      "command": "npx",
      "args": ["-y", "@multimail/mcp-server"],
      "env": {
        "MULTIMAIL_API_KEY": "mm_live_...",
        "MULTIMAIL_MAILBOX_ID": "01KJ1NHN8J..."
      }
    }
  }
}

Get a key at multimail.dev. Or run without one to create an account interactively.

Config file locations

Client

Config file

Claude Code

~/.claude/.mcp.json

Claude Desktop

claude_desktop_config.json

Cursor

.cursor/mcp.json in your project

Windsurf

~/.codeium/windsurf/mcp_config.json

Copilot (VS Code)

.vscode/mcp.json in your project

OpenCode

mcp.json in your project

ChatGPT Desktop

Settings > MCP Servers

Related MCP server: MCP Email Server

Trust ladder

Every mailbox has an oversight mode. Start restrictive, graduate as the agent earns trust.

Mode

Behavior

read_only

Agent reads email. All sends blocked.

gated_all

Every action requires human approval.

gated_send

Outbound held for approval. Inbound immediate. (default)

monitored

Agent sends freely. Copies go to oversight address.

autonomous

Full send/receive. No gates.

Agents request upgrades via the API. The operator approves with a one-time code. Downgrades need no approval. The agent can always restrict itself.

The gated approval flow is formally verified in Lean 4. No email reaches delivery without passing through operator approval, for every possible code path.

Per-recipient allowlist

In gated_send mode, allowlisted recipients bypass the approval queue. Add exact addresses (vendor@example.com) or domain wildcards (*@example.com). Every addition requires operator email approval. The agent cannot self-approve allowlist changes.

The practical middle ground: routine correspondence with known contacts goes immediately, new recipients still require oversight.

Cryptographic identity

Every outbound email carries a signed X-MultiMail-Identity header (ECDSA P-256). The payload includes operator name, oversight mode, capabilities, and verification status. Recipients verify against the public key at GET /.well-known/multimail-signing-key.

A separate X-MultiMail-Reputation header links to privacy-preserving reputation data: bounce rates, complaint rates, account age. No raw addresses exposed.

Without verified identity, recipients cannot distinguish your agent from a spammer. With it, they can verify the operator, the oversight level, and the sending history before reading a word.

Agent self-registration (auth.md)

Agents can register themselves without a browser. The protocol uses verified-email identity assertion, following the auth.md convention inspired by WorkOS AuthKit:

POST /agent/auth -> claim_token + OTP sent to operator email
POST /agent/auth/claim/complete -> API key + tenant_id + granted scopes

Discovery follows RFC 9728:

  • GET /.well-known/oauth-protected-resource (resource metadata)

  • GET /.well-known/oauth-authorization-server (authorization metadata with agent_auth extension)

  • GET /auth.md (human/agent-readable registration guide)

The WWW-Authenticate header on 401 responses points agents to these endpoints automatically. An agent that hits a 401 can follow the link, read the registration protocol, and onboard itself.

Content scanning

Every outbound email is scanned before delivery. Emails enter pending_scan status, then transition to delivery or pending_send_approval (in gated modes). Inbound emails go through the same pipeline. Phishing, malware, and prompt injection patterns are flagged before reaching the agent's inbox.

How it works

  • Email bodies are markdown in, formatted HTML out. Inbound HTML arrives as clean markdown (15x fewer tokens than raw MIME).

  • Threading is automatic. Reply to an email and headers are set correctly.

  • Sends return pending_scan while scanned. Gated mailboxes then transition to pending_send_approval for human review. Do not retry.

  • Every outbound email carries a cryptographically signed X-MultiMail-Identity header.

  • Reputation data via X-MultiMail-Reputation header: bounce rates, complaint rates, account age. Privacy-preserving, updated daily.

Tools (50)

Tool

Description

Core email

send_email

Send email as markdown. Supports attachments, idempotency_key, scheduled delivery via send_at.

check_inbox

List emails with filters: status, sender, subject, date range, direction, attachments, pagination.

read_email

Full email content. Trusted metadata and untrusted body returned as separate content blocks.

reply_email

Reply in-thread. Threading headers set automatically.

get_thread

All emails in a conversation thread with participants and metadata.

download_attachment

Download attachment as base64 with content type.

cancel_message

Cancel a pending or scheduled email.

edit_scheduled_email

Edit scheduled email before it sends.

wait_for_email

Block until matching email arrives or timeout (max 120s).

get_tags

Get all tags on an email. Persistent key-value agent memory across sessions.

set_tags

Set tags on an email. Merges with existing tags.

delete_tag

Delete a specific tag key from an email.

Oversight

list_pending

Emails awaiting oversight decision (requires oversight scope).

decide_email

Approve or reject a pending email (requires oversight scope).

manage_upgrade

Request or apply oversight mode upgrade (action: request|apply).

Sending allowlist

list_allowlist

List sending allowlist entries.

add_allowlist_entry

Add a recipient to the sending allowlist. Operator approval required.

remove_allowlist_entry

Remove an allowlist entry.

Mailbox management

list_mailboxes

All mailboxes with ID, address, oversight mode, display name.

configure_mailbox

First-run setup: oversight mode, display name, CC/BCC, scheduling, signature.

update_mailbox

Update settings (display name, oversight mode, signature, webhooks).

create_mailbox

Create mailbox (admin scope + operator approval).

delete_mailbox

Permanently delete a mailbox (admin scope).

Account & billing

get_account

Account status, plan, quota, sending enabled, enforcement tier.

update_account

Update org name, oversight email, physical address.

delete_account

Permanently delete account and all data (admin scope).

get_usage

Quota and usage stats for the billing period.

upgrade_plan

Upgrade to paid plan (Builder $9/mo, Pro $29/mo, Scale $99/mo).

cancel_subscription

Cancel paid subscription, revert to starter at period end.

get_billing_portal

Stripe portal URL for self-service billing.

Signup (no API key needed)

request_challenge

ALTCHA proof-of-work challenge for account creation.

create_account

Create account with solved PoW challenge.

resend_confirmation

Resend activation email with new code.

activate_account

Activate account using confirmation code.

setup_multimail

Guided onboarding on the public /onboard endpoint.

API keys & audit

list_api_keys

List all API keys (admin scope).

create_api_key

Create API key with scopes (admin + operator approval). send+oversight rejected to prevent self-approval.

revoke_api_key

Revoke an API key (admin scope).

get_audit_log

Account audit log (admin scope).

Contacts & spam

search_contacts

Search contacts by name or email.

add_contact

Add a contact.

delete_contact

Delete a contact.

manage_spam_status

Report spam or clear spam status (action: report|clear).

list_spam

Spam-flagged and quarantined emails.

list_suppression

List suppressed recipients with pagination.

remove_suppression

Remove a recipient from the suppression list.

Webhooks

create_webhook

Create webhook for real-time email event notifications.

list_webhooks

List all webhooks.

delete_webhook

Delete a webhook.

Meta

report_issue

Report a bug, site problem, or feature request.

Example prompts

Find the most recent email from alice@example.com, summarize what she's asking,
then draft a reply saying I'll review this week. Don't send until I approve.
Check my inbox and summarize the last 5 unread emails.
For each: sender, subject, time, and whether it needs action today.
Review the pending approval queue. For each pending email: who it goes to,
the subject, risk factors, and whether to approve or reject.
Show my current sending allowlist. Then add *@acme.com so emails to Acme skip approval.

Environment variables

Variable

Required

Description

MULTIMAIL_API_KEY

For stdio mode

Your API key (mm_live_...). Not needed for remote server (uses OAuth).

MULTIMAIL_MAILBOX_ID

No

Default mailbox ID. If unset, pass mailbox_id per tool or call list_mailboxes.

MULTIMAIL_API_URL

No

API base URL. Defaults to https://api.multimail.dev.

Also available

Development

npm install
npm run dev   # Run with tsx
npm run build # Compile TypeScript
npm start     # Run compiled version

License

MIT

By using MultiMail you agree to the Terms of Service and Acceptable Use Policy.

Install Server
A
license - permissive license
A
quality
C
maintenance

How are these scores calculated?

Resources

Unclaimed servers have limited discoverability.

Looking for Admin?

If you are the server author, to access and configure the admin panel.

Tools

Latest Blog Posts

MCP directory API

We provide all the information about MCP servers via our MCP API.

curl -X GET 'https://glama.ai/api/mcp/v1/servers/multimail-dev/mcp-server'

If you have feedback or need assistance with the MCP directory API, please join our Discord server