AI Agent Email Inbox

Overview

This skill covers setting up a secure email inbox that allows your application or AI agent to receive and respond to emails, with content safety measures in place.

Core principle: An AI agent's inbox receives untrusted input. Security configuration is important to handle this safely.

Why Webhook-Based Receiving?

Resend uses webhooks for inbound email, meaning your agent is notified instantly when an email arrives. This is valuable for agents because:

• Real-time responsiveness — React to emails within seconds, not minutes
• No polling overhead — No cron jobs checking "any new mail?" repeatedly
• Event-driven architecture — Your agent only wakes up when there's actually something to process
• Lower API costs — No wasted calls checking empty inboxes

Architecture

Sender → Email → Resend (MX) → Webhook → Your Server → AI Agent
                                              ↓
                                    Security Validation
                                              ↓
                                    Process or Reject

SDK Version Requirements

This skill requires Resend SDK features for webhook verification (webhooks.verify()) and email receiving (emails.receiving.get()). Always install the latest SDK version. If the project already has a Resend SDK installed, check the version and upgrade if needed.

Language	Package	Min Version
Node.js	resend	>= 6.9.2
Python	resend	>= 2.21.0
Go	resend-go/v3	>= 3.1.0
Ruby	resend	>= 1.0.0
PHP	resend/resend-php	>= 1.1.0
Rust	resend-rs	>= 0.20.0
Java	resend-java	>= 4.11.0
.NET	Resend	>= 0.2.1

Install the resend npm package: npm install resend (or the equivalent for your language). For full sending docs, install the resend skill.

Quick Start

1. Ask the user for their email address — You need a real email address to send test emails to. Ask the user and wait for their response before proceeding.
2. Choose your security level — Decide how to validate incoming emails before any are processed
3. Set up receiving domain — Configure MX records for the user's custom domain (see Domain Setup section)
4. Create webhook endpoint — Handle email.received events with security built in from the start. The webhook endpoint MUST be a POST route.
5. Set up tunneling (local dev) — Use Tailscale Funnel (recommended) or ngrok. See references/webhook-setup.md
6. Create webhook via API — Use the Resend Webhook API to register your endpoint programmatically. See references/webhook-setup.md
7. Connect to agent — Pass validated emails to your AI agent for processing

Before You Start: Account & API Key Setup

First Question: New or Existing Resend Account?

Ask your human:

• New account just for the agent? → Simpler setup, full account access is fine
• Existing account with other projects? → Use domain-scoped API keys for sandboxing

Creating API Keys Securely

Don't paste API keys in chat! They'll be in conversation history forever.

Safer options:

1. Environment file method: Human creates .env file directly: echo "RESEND_API_KEY=re_xxx" >> .env
2. Password manager / secrets manager: Human stores key in 1Password, Vault, etc.
3. If key must be shared in chat: Human should rotate the key immediately after setup

Domain-Scoped API Keys (Recommended for Existing Accounts)

If your human has an existing Resend account with other projects, create a domain-scoped API key:

1. Verify the agent's domain first (Dashboard → Domains → Add Domain)
2. Create a scoped API key: Dashboard → API Keys → Create API Key → "Sending access" → select only the agent's domain
3. Result: Even if the key leaks, it can only send from one domain

Domain Setup

Option 1: Resend-Managed Domain (Recommended for Getting Started)

Use your auto-generated address: <anything>@<your-id>.resend.app

No DNS configuration needed. Find your address in Dashboard → Emails → Receiving → "Receiving address".

Option 2: Custom Domain

The user must enable receiving in the Resend dashboard: Domains page → toggle on "Enable Receiving".

Then add an MX record:

Setting	Value
Type	MX
Host	Your domain or subdomain (e.g., agent.yourdomain.com)
Value	Provided in Resend dashboard
Priority	10 (must be lowest number to take precedence)

Use a subdomain (e.g., agent.yourdomain.com) to avoid disrupting existing email services.

Tip: Verify DNS propagation at dns.email.

DNS Propagation: MX record changes can take up to 48 hours to propagate globally, though often complete within a few hours.

Security Levels

Choose your security level before setting up the webhook endpoint. An AI agent that processes emails without security is dangerous — anyone can email instructions that your agent will execute. The webhook code you write next should include your chosen security level from the start.

Ask the user what level of security they want, and ensure that they understand what each level means.

Level	Name	When to Use	Trade-off
1	Strict Allowlist	Most use cases — known, fixed set of senders	Maximum security, limited functionality
2	Domain Allowlist	Organization-wide access from trusted domains	More flexible, anyone at domain can interact
3	Content Filtering	Accept from anyone, filter unsafe patterns	Can receive from anyone, pattern matching not foolproof
4	Sandboxed Processing	Process all emails with restricted agent capabilities	Maximum flexibility, complex to implement
5	Human-in-the-Loop	Require human approval for untrusted actions	Maximum security, adds latency

For detailed implementation code for each level, see references/security-levels.md.

Level 1: Strict Allowlist (Recommended)

Only process emails from explicitly approved addresses. Reject everything else.

const ALLOWED_SENDERS = [
  '[email protected]',
  '[email protected]',
];

async function processEmailForAgent(
  eventData: EmailReceivedEvent,
  emailContent: EmailContent
) {
  const sender = eventData.from.toLowerCase();

  if (!ALLOWED_SENDERS.some(allowed => sender === allowed.toLowerCase())) {
    console.log(`Rejected email from unauthorized sender: ${sender}`);
    await notifyOwnerOfRejectedEmail(eventData);
    return;
  }

  await agent.processEmail({
    from: eventData.from,
    subject: eventData.subject,
    body: emailContent.text || emailContent.html,
  });
}

Security Best Practices

Always Do

Practice	Why
Verify webhook signatures	Prevents spoofed webhook events
Log all rejected emails	Audit trail for security review
Use allowlists where possible	Explicit trust is safer than filtering
Rate limit email processing	Prevents excessive processing load
Separate trusted/untrusted handling	Different risk levels need different treatment

Never Do

Anti-Pattern	Risk
Process emails without validation	Anyone can control your agent
Trust email headers for authentication	Headers are trivially spoofed
Execute code from email content	Untrusted input should never run as code
Store email content in prompts verbatim	Untrusted input mixed into prompts can alter agent behavior
Give untrusted emails full agent access	Scope capabilities to the minimum needed

Webhook Endpoint

After choosing your security level and setting up your domain, create a webhook endpoint. The webhook endpoint MUST be a POST route. Resend sends all webhook events as POST requests.

Critical: Use raw body for verification. Webhook signature verification requires the raw request body.

• Next.js App Router: Use req.text() (not req.json())
• Express: Use express.raw({ type: 'application/json' }) on the webhook route

Next.js App Router

// app/webhook/route.ts
import { Resend } from 'resend';
import { NextRequest, NextResponse } from 'next/server';

const resend = new Resend(process.env.RESEND_API_KEY);

export async function POST(req: NextRequest) {
  try {
    const payload = await req.text();

    const event = resend.webhooks.verify({
      payload,
      headers: {
        'svix-id': req.headers.get('svix-id'),
        'svix-timestamp': req.headers.get('svix-timestamp'),
        'svix-signature': req.headers.get('svix-signature'),
      },
      secret: process.env.RESEND_WEBHOOK_SECRET,
    });

    if (event.type === 'email.received') {
      // Webhook payload only includes metadata, not email body
      const { data: email } = await resend.emails.receiving.get(
        event.data.email_id
      );

      // Apply the security level chosen above
      await processEmailForAgent(event.data, email);
    }

    return new NextResponse('OK', { status: 200 });
  } catch (error) {
    console.error('Webhook error:', error);
    return new NextResponse('Error', { status: 400 });
  }
}

Express

import express from 'express';
how to use agent-email-inbox
CursorClaude CodeClineCodexWindsurfGooseGitHub CopilotVS CodeGemini CLIKiloOpencodeKimi CLIRoo ClineAiderContinueZedBolt.newLovablev0Replit AgentSweepSmol DeveloperDevinCavemanAmpAntigravity
How to use agent-email-inbox on Cursor
AI-first code editor with Composer
1
Prerequisites
Before installing skills in Cursor, ensure your development environment meets these requirements:
›Cursor installed and configured on your development machine
›Node.js version 16.0+ with npm package manager (verify with node --version)
›Active project directory or workspace where you want to add agent-email-inbox
2
Execute installation command
Execute the skills CLI command in your project's root directory to begin installation:
$npx skills add https://github.com/resend/resend-skills --skill agent-email-inboxcopy
The skills CLI fetches agent-email-inbox from GitHub repository resend/resend-skills and configures it for Cursor.
3
Select Cursor when prompted
The CLI will show a list of available agents. Use arrow keys to navigate and space to select Cursor:
◆ Which agents do you want to install to?
│
│ ── Universal (.agents/skills) ── always included ────
│   • Amp
│   • Antigravity
│   • Cline
│   • Codex
│ ●Cursor(selected)
│   • Cursor
│   • Windsurf
4
Verify installation
Confirm successful installation by checking the skill directory location:
.cursor/skills/agent-email-inbox
Reload or restart Cursor to activate agent-email-inbox. Access the skill through slash commands (e.g., /agent-email-inbox) or your agent's skill management interface.
⚠
Security & Verification Notice
We perform automated surface-level scans (Gen AI Scanner, Socket, Snyk) during installation. These checks detect common vulnerabilities but do not guarantee complete security. Always review skill source code and verify the publisher's reputation before production use.
Skills execute code in your development environment. Always verify the publisher's identity, review recent commits, and test in isolated environments before production deployment.
Additional Resources
›View source code on GitHub›Skills CLI documentation›Learn more about Cursor›What are agent skills?