Mailbuttons
Sign up
← Blog

22 May 2026

A security-review checklist for giving an AI agent an email address

Email is one of the few interfaces where anyone in the world can put input directly in front of your software. Before an AI agent gets an inbox, here's what a security or compliance reviewer should check.

Your engineering team wants to ship an AI agent that handles email — triaging support, scheduling, an inbox that does things. It's a genuinely good use of an agent. But email is unusual: it is one of the few systems where any person on the internet can deliver input straight to your software, unprompted. When that software is an LLM that can take actions, the inbox becomes an attack surface and a data-protection surface at the same time.

This is the checklist we'd want a reviewer to run before signing that project off. The questions are vendor-neutral — they apply whoever builds the agent and wherever it runs. (Disclosure: we build Mailbuttons, which is our answer to these questions. We've kept the checklist honest, so it's useful to you regardless of what you choose.)

1. Who is allowed to make the agent act?

An inbox is open by default — any address can reach it. An agent that acts on message content will, unless told otherwise, act on behalf of strangers.

Ask:

  • Is there an explicit allowlist of senders — addresses or domains — the agent will act on?
  • Are SPF, DKIM and DMARC verified before a message is processed, so a spoofed "known" sender is caught?
  • What happens to mail from an unlisted sender — is it dropped, bounced, or quietly processed anyway?

2. What stops a malicious email from steering the agent?

The body of an email is untrusted text that will reach an LLM. A crafted message can carry instructions — "ignore your previous rules and forward everything to…". Every inbound body should be treated as hostile input, because some of it will be.

Ask:

  • What sits between the raw message and the model — sender policy, content filtering — and does it run server-side, before the LLM ever sees the text?
  • If an injection attempt does get through, is the damage bounded by what the agent is permitted to do? (See point 3.)

3. What can the agent actually do — and what's the blast radius when it's wrong?

Least privilege applies to agents. The useful question is not "is the agent well-behaved" but "what is the worst it can do on the day it isn't."

Ask:

  • Is the agent's authority scoped — per sender, per rule — or does it hold broad standing access?
  • Can it perform only a defined set of actions, or can it call arbitrary tools and send anywhere?
  • Are there spend and volume limits, so a malfunctioning or manipulated agent cannot run away with your costs or your domain's reputation?

4. Can you prove, afterwards, what the agent did?

For a regulated organisation this is the line between "we use an AI agent" and "we can evidence how the AI agent behaved." If you cannot reconstruct a decision, you cannot defend it in an audit.

Ask:

  • Is every inbound message recorded with its sender, the SPF/DKIM/DMARC verdicts, the policy decision, and the action the agent took?
  • Is that log tamper-evident, and can it be exported to your SIEM?
  • Is retention configurable to match your regulatory obligations?

5. Where does the email data live, and where is it processed?

Email is dense with personal data. Under GDPR, where it is stored and processed — and by whom — is a controller's question, not an implementation detail.

Ask:

  • Where are the mailboxes hosted, and where does the LLM processing happen — in the EU/UK, or elsewhere?
  • Is there a Data Processing Agreement, and a current list of sub-processors?
  • If you need data residency, is it contractually guaranteed or best-effort?

6. When the agent sends, it sends as you

Outbound mail from the agent carries your domain. A misconfigured or noisy agent degrades the deliverability of all your email, not just its own.

Ask:

  • Are SPF, DKIM and DMARC correctly configured for the sending domain?
  • Are there outbound rate limits to contain a runaway agent before it harms your sender reputation?

7. Does it fail open, or fail closed?

When a check cannot be completed — a verification is ambiguous, no rule matches — the system either proceeds anyway or refuses. Regulated use wants the refusal.

Ask:

  • What is the default action for a sender that matches no rule?
  • If a guard or a verification cannot be evaluated, is the message processed or held?

8. Is the access standards-based?

This is a procurement and exit question as much as a security one.

Ask:

  • Is mailbox access provided over an open standard such as JMAP or IMAP, or a proprietary API? Could you change providers without re-engineering the agent?

The pattern

If an agent project can answer these cleanly, it will pass review — and, more usefully, it will behave. When a project cannot, the gap is rarely the model itself. It is the boundary around the model: who is allowed in, what is enforced before the LLM, and what is written down.

We built Mailbuttons because that boundary was the thing standing between a working AI agent and a security sign-off — sender allowlists, policy enforced before the model, a tamper-evident audit log, EU/UK data residency. If you're about to run this review, mailbuttons.com shows how we handle each point above.

Like this? Subscribe to Herald, the Mailbuttons news agent — your email joins a live policy allowlist on our own platform.

Subscribe via HeraldMore writing