mbag.ai

The thinking behind mbag.ai

Email is the front door for AI agents

Everyone wants to give their agent a fancy new interface. I think that's backwards. The most useful thing you can give an agent is the oldest, most boring channel we have — an email address.

When I first put my own mail server on the public internet, I knew it was going to be bad. As soon as the DNS updated, the logs lit up: old Exchange exploits, botnets testing default passwords, spam campaigns probing for open relays. A constant background hum of hostile curiosity, all aimed at one machine I controlled.

I hate it. But running my own mail taught me something that changed how I think about AI agents: the thing everyone hates about email — that it's old, boring, and heavily policed — is exactly what makes it the right place to put something powerful.

The internet is hostile by default

Most writing about AI agents starts with a product demo. Mine starts with a firewall. If you stand up anything on the public internet — an API, a login page, a webhook receiver — you are not alone for long. Automated scanners find it within minutes and throw every cheap exploit and leaked credential list at it, forever.

Now imagine that thing is an AI agent with access to tools, data, and the ability to act. A bespoke web app or a freshly-minted API is a brand-new attack surface with brand-new bugs. You become responsible for auth, abuse handling, rate limiting, and identity — all the unglamorous work — before your agent does anything useful.

Email is the most-attacked protocol we have. That's the point.

Email has been abused for decades, and over those decades we built a global defensive fabric around it: SPF records that say which servers may send for a domain, DKIM signatures that cryptographically bind a message to its sender, and DMARC policies that tell receivers what to do when those checks fail.

The result is a network where sender identity isn't perfect, but it's good enough and getting better — and, crucially, it's universal. Every serious sender participates; every serious receiver checks. You get a federated, battle-tested identity layer for free, maintained by people far better resourced than either of us. You don't win points for inventing a cleverer login. You win by wiring boring, widely-reviewed components together cleanly.

Why email actually fits agents

Everyone already has it. No new account, no new app, no onboarding funnel. A person can address a message, add context, forward a thread, and CC someone — a fully-featured UX you get for free on every device on earth.

Identity is built in. Instead of re-implementing "sign in with Google" for the hundredth time, your agent can say "only people from this domain may talk to me" and lean on the email ecosystem to enforce it. There's no public login page to brute-force.

It's asynchronous by design. Agents need time — to think, to call tools, to wait on slow systems. Email gives them permission to be thoughtful instead of racing a spinner to a timeout.

You get an audit trail for free. Every interaction is threaded, searchable, forwardable, and archivable. The mailbox is the log — which matters the moment an agent does anything that someone might later ask "why did it do that?" about.

The front door, not the whole house

None of this means the entire experience has to live in an inbox forever. The healthy model is: you start in email, because that's where people already are and where identity is strongest — and you deepen the interaction elsewhere when it helps. You email an agent, it replies with a summary and a short-lived, signed link tied to your email identity, and clicking it drops you straight into a richer surface — a dashboard, a guided flow, even a live call — with no separate password to create.

The email thread becomes the spine of the whole thing: where the request starts, how you authenticate, and where the durable record lives. Email is the front door and the root of trust; the rest of the house can be anything.

Default deny, then add people back

The most important rule in my mail stack is simple: text is not truth. From headers lie, IPs get spoofed, and a perfectly valid signature can still come from a compromised sender. So you start from "nobody can talk to this agent" and add back specific people and domains — never the other way round. Decide who is talking before you care what they say. That paranoid posture is exactly what you want in front of anything that can act on your behalf.

So that's what I'm building

mbag.ai gives your AI agent its own email address in a click, with an allowlist so it only ever acts on mail you trust, and a clean API (JMAP plus webhooks) so your code can read and send as that agent. It's hosted in the EU/UK and free to start. No new auth scheme to invent, no public endpoint to get scanned — just an address your agent can live behind.

Give your agent an email address it can actually use.