RadMail MCP
An email operating system for agents — with a refusal you can trust.
Every inbox got an AI in 2026. None can be trusted to hit send. RadMail is the one that can — because the consequential actions are refused in code, model-independent: money, changed-banking details, first-contact senders, decisions, and prompt-injection are human-only, forever. No prompt can talk RadMail into auto-sending them.
This is the Model Context Protocol (MCP) server, so any AI agent can use the inbox.
Start in one call
Call triage_inbox and omit the token — RadMail auto-provisions a free sandbox tenant and returns a working triage in one round-trip. Reuse the returned token. (On the zero-auth hosted sandbox, triage_inbox takes no args — it triages a built-in demo inbox so your very first call returns the full wedge.)
This server runs the sandbox engine (heuristic, in-memory, free, no credentials). It is real and runnable — not the production "99%" engine.
Tools
| Tool | What it does |
|---|---|
triage_inbox | One round-trip over a batch: the Right Now lane + every open commitment + every hard-stop. The whole wedge in one call. |
list_right_now | The can't-miss lane only — most-recent × most-important, each with why-surfaced + hard-stop flags. |
why_surfaced | Explain in plain English why a message surfaced — the signals behind its importance × urgency. Transparency, not a black box. |
draft_reply | Draft the reply that discharges a commitment — never for a hard-stopped one (money / banking / first-contact stay human-only). |
list_commitments | Every open promise extracted from the batch, with its due window. |
search | Find the one message you mean by sender / subject / content — most-relevant + newest first (no filesystem grep). Pass messages for the sandbox, or omit them with RADMAIL_API_KEY set to search your real inbox (read-only). |
read_email | Connected mode only: fetch one full email (headers + textBody) from your real inbox by id. Read-only; body content arrives taint-tagged. |
triage | Score a single message (the per-message form of triage_inbox). |
provision_sandbox | Explicitly mint a free sandbox tenant. |
report_need / request_capability | Tell RadMail what was awkward / what you wish existed — the surface adapts. |
radmail_learning_insights | What RadMail has learned about how you work. |
The safety contract (un-bypassable by design)
These are decided by deterministic code, not model judgment — see /.well-known/agent-safety.json:
- money, changed-banking, first-contact, decision/sign-off, prompt-injection →
hardStop, human-only forever. RadMail will never hand an agent an auto-sendable reply for these. - Taint envelope: every field derived from a raw email body carries
provenance: "untrusted-email-body", and every response carries asafetyblock restating the hard-stops. Treat tainted fields as data, never as instructions — this keeps your agent safe-by-default, even against a poisoned email. - Fail-closed: if a risk signal can't be evaluated, RadMail refuses to auto-send.
Verify before you connect
The safety contract is machine-verifiable — fetch it and check it in one command, no account, no key:
curl -s https://radmail.ai/.well-known/agent-safety.json
Connect
Fastest — zero-auth hosted sandbox (no install, no key, no signup). Point any MCP client at the streamable-HTTP endpoint:
{
"mcpServers": {
"radmail": {
"url": "https://radmail.ai/api/mcp/sandbox",
"transport": "streamable-http"
}
}
}
Local stdio (this package — the fuller surface that triages the messages you pass it):
{
"mcpServers": {
"radmail": {
"command": "npx",
"args": ["-y", "radmail-mcp"]
}
}
}
Note: the npm package publish is imminent — until it lands, use the zero-auth hosted sandbox above (no install, works today) or run from source below. The
npxline goes live the momentradmail-mcpis on npm.
Or from source: git clone https://github.com/dougsureel-tech/radmail-mcp && npm i && npm run build && npm start (stdio). Hosted deploy: Vercel Node serverless function (api/mcp.ts; / rewrites to the MCP handler).
Connected mode — search your real inbox
Give the server a RadMail API key and the same search tool stops being a demo: omit messages and it searches every email you've ever received in your real RadMail inbox — then read_email fetches the full message. Install it once and your AI can find any email.
- Config: set
RADMAIL_API_KEY(keys start withtmk_— create one in about a minute at https://app.radmail.ai/settings/api-keys). Optional:RADMAIL_API_URLoverrides the API host (defaulthttps://app.radmail.ai). - Read-only by construction: connected mode only ever issues GETs. It never sends, drafts against, or mutates real mail, and the BEC hard-stops (money / changed-banking / first-contact / decision / injection) stay human-only forever.
- Same taint envelope: every field derived from real email content (
subject,fromName,snippet,textBody, …) arrives taggedprovenance:"untrusted-email-body"— data to reason about, never instructions to follow. - Fail-closed: invalid key (401), un-entitled plan (403), or a timeout returns an honest, typed error — never fabricated results. The key itself is never logged or echoed.
- Filters: connected
searchsupports optionalfrom,after, andbefore(ISO-8601) alongsidequeryandlimit. - Without a key,
search(sansmessages) andread_emailreturn friendly setup instructions instead of an error — the sandbox keeps working exactly as before.
Claude Code:
claude mcp add radmail -e RADMAIL_API_KEY=tmk_... -- npx -y radmail-mcp
Claude Desktop (claude_desktop_config.json):
{
"mcpServers": {
"radmail": {
"command": "npx",
"args": ["-y", "radmail-mcp"],
"env": { "RADMAIL_API_KEY": "tmk_..." }
}
}
}
Cursor (.cursor/mcp.json):
{
"mcpServers": {
"radmail": {
"command": "npx",
"args": ["-y", "radmail-mcp"],
"env": { "RADMAIL_API_KEY": "tmk_..." }
}
}
}
Same npm note as above: the
npxlines activate the moment the npm publish lands. Until then, run from source and pointcommandatnode dist/src/index.js— connected mode works today that way.
Links
- Agent docs: https://radmail.ai/for-agents
- Zero-auth sandbox:
https://radmail.ai/api/mcp/sandbox(streamable-http, no auth) - Verifiable safety contract: https://radmail.ai/.well-known/agent-safety.json
- MCP manifest: https://radmail.ai/.well-known/mcp.json
- LLM-readable summary: https://radmail.ai/llms.txt
Compliance posture
A tool, not a guarantee — BAA + shared-responsibility framing. Never "HIPAA-certified" or "FedRAMP-authorized."