Config is the same across clients — only the file and path differ.
{
"mcpServers": {
"multimail": {
"url": "https://mcp.multimail.dev/mcp",
"type": "url"
}
}
}Are you the author?
Add this badge to your README to show your security score and help users find safe servers.
MCP server for MultiMail. Give your agent its own email address with graduated human oversight — from full approval to autonomous sending.
Run this in your terminal to verify the server starts. Then let us know if it worked — your result helps other developers.
npx -y '@multimail/mcp-server' 2>&1 | head -1 && echo "✓ Server started successfully"
After testing, let us know if it worked:
Five weighted categories — click any category to see the underlying evidence.
No known CVEs.
Checked @multimail/mcp-server against OSV.dev.
Be the first to review
Have you used this server?
Share your experience — it helps other developers decide.
Sign in to write a review.
Others in communication / writing
Asynchronous coordination layer for AI coding agents: identities, inboxes, searchable threads, and advisory file leases over FastMCP + Git + SQLite
【Star-crossed coders unite!⭐️】Model Context Protocol (MCP) server implementation providing Google News search capabilities via SerpAPI, with automatic news categorization and multi-language support.
URL to LLM-ready markdown — plus per-page category, page_structure, and query-driven highlights.
AI prompt optimization for 58+ platforms across 7 categories with custom platforms
MCP Security Weekly
Get CVE alerts and security updates for Server and similar servers.
Start a conversation
Ask a question, share a tip, or report an issue.
Sign in to join the discussion.
Your agent doesn't have email yet because nobody trusts it with email yet. MultiMail fixes that. A real email address with a trust ladder from read-only to fully autonomous, cryptographic identity on every message, and per-recipient sending controls.
{
"mcpServers": {
"multimail": {
"type": "url",
"url": "https://mcp.multimail.dev/mcp"
}
}
}
Remote server. No install. Authenticates via OAuth on first connect.
Works with Claude.ai, Claude Desktop, Claude Code, Cursor, Windsurf, Copilot (VS Code), ChatGPT Desktop, and any MCP client that supports remote servers.
{
"mcpServers": {
"multimail": {
"command": "npx",
"args": ["-y", "@multimail/mcp-server"],
"env": {
"MULTIMAIL_API_KEY": "mm_live_...",
"MULTIMAIL_MAILBOX_ID": "01KJ1NHN8J..."
}
}
}
}
Get a key at multimail.dev. Or run without one to create an account interactively.
| Client | Config file |
|---|---|
| Claude Code | ~/.claude/.mcp.json |
| Claude Desktop | claude_desktop_config.json |
| Cursor | .cursor/mcp.json in your project |
| Windsurf | ~/.codeium/windsurf/mcp_config.json |
| Copilot (VS Code) | .vscode/mcp.json in your project |
| OpenCode | mcp.json in your project |
| ChatGPT Desktop | Settings > MCP Servers |
Every mailbox has an oversight mode. Start restrictive, graduate as the agent earns trust.
| Mode | Behavior |
|---|---|
read_only | Agent reads email. All sends blocked. |
gated_all | Every action requires human approval. |
gated_send | Outbound held for approval. Inbound immediate. (default) |
monitored | Agent sends freely. Copies go to oversight address. |
autonomous | Full send/receive. No gates. |
Agents request upgrades via the API. The operator approves with a one-time code. Downgrades need no approval. The agent can always restrict itself.
The gated approval flow is formally verified in Lean 4. No email reaches delivery without passing through operator approval, for every possible code path.
In gated_send mode, allowlisted recipients bypass the approval queue. Add exact addresses (vendor@example.com) or domain wildcards (*@example.com). Every addition requires operator email approval. The agent cannot self-approve allowlist changes.
The practical middle ground: routine correspondence with known contacts goes immediately, new recipients still require oversight.
Every outbound email carries a signed X-MultiMail-Identity header (ECDSA P-256). The payload includes operator name, oversight mode, capabilities, and verification status. Recipients verify against the public key at GET /.well-known/multimail-signing-key.
A separate X-MultiMail-Reputation header links to privacy-preserving reputation data: bounce rates, complaint rates, account age. No raw addresses exposed.
Without verified identity, recipients cannot distinguish your agent from a spammer. With it, they can verify the operator, the oversight level, and the sending history before reading a word.
Agent DID relay (optional). If your agent has bound a did:key to its MultiMail account, pass an optional ucan parameter to send_email / reply_email. MultiMail relays your agent's self-signed UCAN verbatim in a separate X-Agent-Identity header (did="…"; ucan="…") — it does not sign or vouch for it; recipient tooling verifies the delegation independently. Inert unless a DID is bound.
Agents can register themselves without a browser. The protocol uses verified-email identity assertion, following the auth.md convention inspired by WorkOS AuthKit:
POS
... [View full README on GitHub](https://github.com/multimail-dev/mcp-server#readme)