// Real-inbox search · read-only, taint-marked, fail-closed

Your agent can search your real email now.

Mint an API key, set RADMAIL_API_KEY on the radmail-mcp package, and your agent's search tool searches your REAL ingested inbox — ranked most-relevant + newest first, with sender and date filters and a why-matched on every hit — while read_email fetches the full message. Read-only by construction. Nothing sends, nothing mutates.

Connected mode is read-only and fail-closed (an API error returns a typed failure and zero fabricated results), and every real-mail field is taint-marked untrusted-email-body so an agent treats it as data, never instructions. The permanent BEC hard-stop is untouched: money, changed banking, first contact, decisions, and suspected injection stay human-only, forever.

Try it first, then connect.

Try instantly — zero-auth hosted sandbox

Point any MCP client at https://radmail.ai/api/mcp/sandbox — no account, no key, no card. The same search tool runs over a built-in demo inbox so you can watch how it ranks, filters, and explains before anything touches your mail.

Connect your real inbox — API key + connected mode

Mint a key at app.radmail.ai/settings/api-keys, set RADMAIL_API_KEY, and search + read_email work over the mail RadMail has ingested for your org. Read-only, fail-closed, taint-marked.

Three steps, one of them is a restart.

radmail :: connect your real inbox (read-only)
  • 1. Mint an API key. At app.radmail.ai/settings/api-keys — keys start with tmk_ and carry read scope. About a minute.
  • 2. Set RADMAIL_API_KEY. On the radmail-mcp MCP server (Claude Code, Claude Desktop, Cursor — exact configs below) and restart it.
  • 3. Search your real mail. search finds any email you've ever received — ranked, sender + date filterable, why-matched on every hit — and read_email fetches the full message by id. Read-only, always.
exact configs (connected · read-only)

Claude Code:
claude mcp add radmail -e RADMAIL_API_KEY=tmk_... -- npx -y radmail-mcp

Claude Desktop and Cursor (same mcpServers JSON):
{
  "mcpServers": {
    "radmail": {
      "command": "npx",
      "args": ["-y", "radmail-mcp"],
      "env": { "RADMAIL_API_KEY": "tmk_..." }
    }
  }
}
`npx -y radmail-mcp` installs the package straight from npm (live as of July 2026, listed on the official MCP registry as ai.radmail/radmail-mcp). Prefer no install at all? The zero-auth hosted sandbox above works right now.

Or call the API directly.

The MCP tools ride a plain HTTP endpoint you can use from anything: https://app.radmail.ai/api/v1/search — Bearer API key auth (read scope), q required, limit/offset paging, from as a sender-substring filter, after/before as ISO date bounds. Hits are ranked and come back as metadata plus an approximately 160-character snippet and a matchedIn field (from, subject, or body) — so you know where and why each one matched.

curl -s "https://app.radmail.ai/api/v1/search?q=invoice&from=acme&after=2026-06-01T00:00:00Z" \
  -H "Authorization: Bearer tmk_..."
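
A client-side sketch of the same call, as an added example (not RadMail's own code): it builds the request from the documented parameters, fails closed on any error, and taint-marks mail-derived fields before they reach an agent. The response shape (`{ hits: [...] }`) and the hit fields `id`, `from` and `subject` are assumptions; only `snippet` and `matchedIn` are named on this page.

```javascript
// Added example. ASSUMED: response body is { hits: [...] } and each hit has
// id/from/subject; the page itself only names `snippet` and `matchedIn`.
const SEARCH_URL = "https://app.radmail.ai/api/v1/search";
const TAINT = "untrusted-email-body";
const MATCHED_IN = new Set(["from", "subject", "body"]);

// Build the request URL from the documented parameters only.
function buildSearchUrl({ q, limit, offset, from, after, before }) {
  if (typeof q !== "string" || q.trim() === "") throw new TypeError("q is required");
  const url = new URL(SEARCH_URL);
  url.searchParams.set("q", q);
  for (const [k, v] of Object.entries({ limit, offset })) {
    if (v === undefined) continue;
    if (!Number.isInteger(v) || v < 0) throw new TypeError(`${k} must be a non-negative integer`);
    url.searchParams.set(k, String(v));
  }
  if (from !== undefined) url.searchParams.set("from", String(from));
  for (const [k, v] of Object.entries({ after, before })) {
    if (v === undefined) continue;
    if (Number.isNaN(Date.parse(v))) throw new TypeError(`${k} must parse as a date`);
    url.searchParams.set(k, v);
  }
  return url.toString();
}

// Wrap a mail-derived value so downstream code cannot mistake it for instructions.
const taint = (value) => ({ provenance: TAINT, value: String(value ?? "") });

// Fail closed: a non-2xx status, unparseable body or unexpected shape yields
// a typed error and an empty hit list, never partial or guessed hits.
function interpretSearchResponse(status, bodyText) {
  const fail = (type) => ({ ok: false, error: { type, status }, hits: [] });
  if (status === 401 || status === 403) return fail("auth");
  if (status < 200 || status > 299) return fail("upstream");
  let body;
  try { body = JSON.parse(bodyText); } catch { return fail("malformed"); }
  if (!body || !Array.isArray(body.hits)) return fail("malformed");
  if (!body.hits.every((h) => h && MATCHED_IN.has(h.matchedIn))) return fail("malformed");
  const hits = body.hits.map((h) => ({
    id: String(h.id),          // assumed field
    matchedIn: h.matchedIn,    // where the hit matched: from, subject or body
    from: taint(h.from), subject: taint(h.subject), snippet: taint(h.snippet),
  }));
  return { ok: true, hits };
}
```

Pass the result of `buildSearchUrl` to `fetch` with the `Authorization: Bearer` header, then hand the status and body text to `interpretSearchResponse`.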

Read-only is the feature.

An inbox is exactly the surface business-email compromise attacks, so the real-inbox door opens one way: out. Your agent can find and read anything — it cannot send, delete, or change a thing, because those code paths do not exist in connected mode. And the content it reads arrives quarantined: every real-mail field is marked untrusted-email-body, so a malicious email that tries to give your agent orders is data in a jar, not a command. The hard-stop stays exactly what it has always been — money, changed banking, first contact, decisions, and suspected injection are human-only, forever.

Common questions.

How does an AI agent search my real email with RadMail?

Through connected mode: mint an API key at https://app.radmail.ai/settings/api-keys (keys start with tmk_), set it as the RADMAIL_API_KEY environment variable on the radmail-mcp MCP server, and restart. The search tool then searches your REAL ingested inbox — ranked most-relevant + newest first, filterable by sender (from) and date (after/before), with a why-matched on every hit — and read_email fetches one full message by id.

tl;dr Mint a key → RADMAIL_API_KEY on radmail-mcp → search + read_email over your real inbox.

Can connected mode send, delete, or change my email?

No. Connected mode is read-only by construction — it searches and reads, and there is no code path that sends, drafts against, or mutates real mail. RadMail's permanent BEC hard-stop is untouched: money, changed banking details, first contact with a new party, decisions, and suspected prompt injection stay human-only, forever.

tl;dr Read-only by construction. The BEC hard-stop is untouched: the dangerous actions stay human-only forever.

How does RadMail protect an agent from prompt injection hiding in my email?

Every field derived from real mail — subjects, snippets, bodies, sender names — comes back taint-marked with the provenance marker untrusted-email-body, and every response carries a standing safety block telling the agent to treat that content as data, never as instructions. An email that says 'the wire instructions changed' is quarantined data, not a command — and the hard-stop means there is no tool it could trigger anyway.

tl;dr All real-mail content is taint-marked untrusted-email-body — data, never instructions.

What happens if the API key is wrong or the search API is down?

Connected mode fails closed: any API error returns a typed, honest failure with zero fabricated results — the agent is told exactly what failed and that nothing was invented. It never falls back to made-up hits, and without a key the package simply behaves like the zero-auth sandbox.

tl;dr Fail-closed: a typed error and zero fabricated results, never invented hits.

Can I try RadMail's search without connecting my real inbox?

Yes — two zero-commitment ways. The hosted sandbox MCP server at https://radmail.ai/api/mcp/sandbox needs no key at all and runs the same search tool over a built-in demo inbox, and the radmail-mcp package without a key does the same over messages you pass it. Connect the real inbox only when you have seen how it behaves.

tl;dr Zero-auth sandbox first: same search tool, demo inbox, no key, no account.

Is there a plain HTTP API for searching my RadMail inbox, without MCP?

Yes. GET https://app.radmail.ai/api/v1/search is the product search API: Bearer API key auth (read scope), q as the required query, limit/offset paging, from as a sender-substring filter, and after/before as ISO date bounds. It returns ranked metadata hits with an approximately 160-character snippet and a matchedIn field telling you whether the hit was in from, subject, or body. The MCP tools ride this same API.

tl;dr GET app.radmail.ai/api/v1/search — Bearer key, q/limit/offset/from/after/before, ranked hits + snippet + matchedIn.

Do I need to install anything to use connected mode today?

The connected tools live in the radmail-mcp package. Its npm publish is pending, so npx -y radmail-mcp resolves once it lands; today the package runs from source (github.com/dougsureel-tech/radmail-mcp), and the zero-auth hosted sandbox works instantly with no install at all. RadMail overall is pre-release; this capability is live, not a preview.

tl;dr npm publish pending — run from source today, or use the zero-auth hosted sandbox with no install.

Give your agent a memory of your mail. One key, read-only, and every email you've ever received becomes searchable from the tools you already use.
