Agent Email
Agent Email gives every agent a dedicated email identity — provision an address, send and receive emails, and extract verification codes, all through the ACP CLI.
Features
- Email identity provisioning — each agent gets a unique email address (e.g., agent@yourdomain.agentstarter.ai)
- Send and receive — compose new emails and reply to threads
- Conversation threading — emails are grouped into threads automatically
- Full-text search — search across inbox content
- OTP extraction — automatically extract verification codes from incoming emails
- Link extraction — extract and categorize links (verification, unsubscribe, action)
- Inbox management — list, filter by folder (inbox/spam), and paginate
- Attachments — download attachments from incoming emails
CLI Commands
| Command | Description |
|---|---|
| `acp email provision` | Provision a new email identity |
| `acp email whoami` | Show provisioned email identity |
| `acp email inbox` | List inbox messages |
| `acp email search` | Search emails |
| `acp email compose` | Send a new email |
| `acp email reply` | Reply to a thread |
| `acp email thread` | View a specific thread |
| `acp email extract-otp` | Extract OTP codes from a message |
| `acp email extract-links` | Extract links from a message |
| `acp email attachment` | Download an attachment |
Anti-Spam and Abuse Protections
Agent Email enforces rate limits, content scanning, and recipient blocklists to prevent agents from being used as spam infrastructure. Abusive traffic is blocked at the API layer before it ever reaches the outbound mail provider.
Send Rate Limits
Rate limits run on a 24-hour sliding window, keyed per agent and per tenant. Exceeding any limit returns HTTP 429 rate_limit_exceeded:
| Limit | Default | Scope |
|---|---|---|
| Per-agent daily sends | 200 / day | Configurable per tenant |
| Per-tenant daily sends | 100,000 / day | Configurable per tenant |
| Per-recipient sends | 3 / day per agent | Prevents hammering a single address |
| Identity creation | 50 / day per tenant | Limits address provisioning |
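The sliding-window behaviour described above can be sketched as follows. This is an added example, not Agent Email's own code: the class name `SendLimiter`, the in-memory timestamp log, the lower-casing of recipients, and the choice that a rejected send consumes no quota are all assumptions. It covers the three send limits and leaves out identity creation.

```python
from collections import defaultdict, deque

WINDOW = 24 * 3600  # 24-hour sliding window, in seconds
# Defaults taken from the table above (identity creation is not modelled here).
LIMITS = {"tenant": 100_000, "agent": 200, "recipient": 3}


class SendLimiter:
    """Sliding-window log limiter. Hypothetical helper; storage is in memory."""

    def __init__(self, limits=LIMITS, window=WINDOW):
        self.limits, self.window = dict(limits), window
        self.log = defaultdict(deque)  # key -> timestamps of accepted sends

    def _count(self, key, now):
        q = self.log[key]
        while q and q[0] <= now - self.window:  # drop sends that left the window
            q.popleft()
        return len(q)

    def check_send(self, tenant, agent, recipient, now):
        """Return (200, None) and record the send, or (429, scope) if a limit is hit.

        The 429 case corresponds to the API's rate_limit_exceeded response.
        """
        keys = {
            "tenant": ("tenant", tenant),
            "agent": ("agent", tenant, agent),
            # Assumption: recipient addresses are compared case-insensitively.
            "recipient": ("recipient", tenant, agent, recipient.lower()),
        }
        # Check every scope before recording, so a rejected send uses no quota
        # in any scope (assumption; the page does not say how this is counted).
        for scope, key in keys.items():
            if self._count(key, now) >= self.limits[scope]:
                return 429, scope
        for key in keys.values():
            self.log[key].append(now)
        return 200, None
```

Because the window slides, the fourth message to one recipient is accepted exactly 24 hours after the first, not at a fixed daily reset.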
Recipient Blocklist
Outbound mail is rejected with 422 recipient_blocked when the recipient domain is on either blocklist:
- Static list — known disposable and spam-trap providers (mailinator.com, guerrillamail.com, yopmail.com, tempmail.com, and ~20 more).
- Tenant blocklist — custom domains each tenant adds for their own policy.
Outbound Content Scanning
Every send is scanned before hitting the provider. Matches return 422 content_blocked with signal codes. Current patterns target the most common agent-abuse vectors:
- credential_harvesting — prompts for passwords, CVV, SSN, PIN
- seed_phrase_request — requests for 12/24-word seed or recovery phrases
- private_key_request — asks to share or submit a private/secret key
- wallet_connect_phish — "connect your wallet" phishing lures targeting MetaMask, Phantom, Ledger, Trust Wallet
Inbound Spam Classification
Incoming mail is routed to inbox or spam based on Mailgun's SpamAssassin signals:
- Mail flagged by Mailgun (x-mailgun-sflag: yes) or scoring above 5 is filed to spam.
- SPF and DKIM results are recorded for every message.
- Spam-labelled messages are retained under a separate, shorter retention window.
Attachment Scanning
Executable and script attachments (EXE, DMG, ELF, shell scripts, MSI, and similar) are hashed and checked against VirusTotal. Attachments flagged by one or more engines are quarantined; other file types (PDFs, Office docs, images) are not scanned.
Payload Size Limits
| Field | Maximum |
|---|---|
| Request body | 1 MB |
| Subject | 998 characters |
| Text or HTML body | 500,000 characters |
Audit Logging
Every blocked send is written to an audit log with the agent ID, recipient, subject, and block reason. This makes it possible to trace abusive behaviour back to a specific agent identity.