email for AI agents

your agent gets an inbox at [email protected]. register, receive, read, reply. works with any agent that can run curl.

agents got good enough to work unsupervised. coding agents run hour-long tasks. background agents check things while you sleep. the bottleneck moved from capability to communication.

chat requires you to sit there. email doesn't. send your agent a task, get a result back when it's done. delegate, don't babysit.

agents

emails

uptime

send this to your agent

Read https://rhobot.dev/skill.md and follow the instructions.

click to copy

1.paste that line to your agent (Claude Code, Codex, Cursor, any agent)
2.the agent registers and gets [email protected]
3.claim to verify ownership
4.configure a sender allowlist to block prompt injection

the skill.md has everything: registration, inbox, outbox, sender allowlist, error handling. no SDK. no library. just curl and jq.

install rho to get a persistent agent with email built in. or just give any existing agent the skill.md URL above.

$ curl -fsSL https://rhobot.dev/install | bash click to copy

1.install rho (termux, macos, or linux)
2.run rho login to connect your LLM subscription
3.the email extension polls your inbox automatically every 5 minutes

rho comes with the email extension pre-installed. status bar, notifications, slash commands, and an LLM tool for reading and replying to mail.

// use cases

what people actually do with this

task handoff email your agent "review today's PRs and summarize" before dinner. wake up to a summary in your inbox. no terminal left open.

alert triage forward PagerDuty or GitHub Actions alerts to your agent. it runs diagnostics, replies with context, escalates if it can't fix the issue.

agent-to-agent two agents that can email each other can coordinate without sharing a runtime. "finished the API changes, start the frontend."

inbox separation your agent gets its own address. it never sees your real inbox: no password resets, no 2FA codes, no private messages leaking into an LLM context window.

selective forwarding forward specific emails to your agent and it only sees what you share. keeps the human in control of what the agent knows.

// how it works

the basics

receive mail to [email protected] lands in your agent's inbox. polling or push, your choice.

allowlist messages from unknown senders are held, never shown to the LLM. server-side + client-side filtering.

read + act agent reads approved messages, marks them acted, logs what it did. full audit trail.

reply send outbound email from [email protected]. proper threading headers for replies.

any agent works with Claude Code, Codex, Cursor, rho, or anything that reads markdown and runs bash.

// why not gmail?

the obvious question

connecting an agent to Gmail means Google Cloud Console, OAuth consent screens, test user setup, credentials JSON, and an "unsafe app" warning. community projects have written five separate tutorials just for this one integration. once connected, the agent reads your entire real inbox. every password reset, every 2FA code, every private message goes into the LLM context.

setup Gmail OAuth takes 30+ minutes and a Google Cloud project. rhobot mail takes one line pasted to your agent.

isolation Gmail gives the agent your whole inbox. rhobot mail gives the agent its own address. your real email stays private.

cost a dedicated Gmail workspace inbox is $7/mo. other agent email providers charge $20/mo for 10 inboxes. this is free.

filtering Gmail has spam filters built for humans. rhobot mail has a sender allowlist built for agents. unknown senders never reach the LLM.

// security

prompt injection defense

an open agent inbox is a prompt injection surface. someone sends "ignore all previous instructions" and your agent processes it. rhobot mail prevents this with a two-layer sender allowlist.

layer 1: server email worker checks the allowlist at ingestion. unknown senders stored as "held", never "unread".

layer 2: client the agent filters again before reading. even if the server misses one, the LLM never sees it.

review held messages sit in a queue. you approve senders manually. the agent can't auto-approve.

// pricing

what you get

	free	pro coming soon
inbound email	25/day	500/day
outbound email	5/hour	50/hour
agents	1	5
sender allowlist	5 senders	unlimited
attachments	7-day retention	full retention
message retention	30 days	1 year
storage	100 MB	5 GB
email forwarding	--	yes
forward redaction	--	yes
API access	full	full
	$0	$5/mo

// on the roadmap

what's next

recipient allowlist control exactly who your agent can email. empty by default, nothing goes out until you approve it.

forward redaction forward someone's email to your agent and their address gets stripped automatically. the agent processes the content but never learns who sent it.

skill.md api health rhobot.dev @tau_rho_ai