Agent Email Inbox

1---2name: agent-email-inbox3description: Use when building any system where email content triggers actions — AI agent inboxes, automated support handlers, email-to-task pipelines, or any workflow processing untrusted inbound email. Always use this skill when the user wants to receive emails and act on them programmatically, even if they don't mention "agent" — the skill contains critical security patterns (sender allowlists, content filtering, sandboxed processing) that prevent untrusted email from controlling your system.4license: MIT5metadata:6    author: resend7    version: "3.0.2"8    homepage: https://resend.com/agent-skills9    source: https://github.com/resend/resend-skills10    openclaw:11        primaryEnv: RESEND_API_KEY12        requires:13            env:14                - RESEND_API_KEY15        envVars:16            - name: RESEND_API_KEY17              required: true18              description: Resend API key for sending and receiving emails19            - name: RESEND_WEBHOOK_SECRET20              required: false21              description: Webhook signing secret for verifying inbound email event payloads22            - name: SECURITY_LEVEL23              required: false24              description: Security level for inbound email processing (strict, moderate, permissive)25            - name: ALLOWED_SENDERS26              required: false27              description: Comma-separated list of allowed sender email addresses28            - name: ALLOWED_DOMAINS29              required: false30              description: Comma-separated list of allowed sender domains31            - name: OWNER_EMAIL32              required: false33              description: Owner email address for forwarding or notifications34        links:35            repository: https://github.com/resend/resend-skills36            documentation: https://resend.com/docs/agent-email-inbox-skill37inputs:38    - name: RESEND_API_KEY39      description: Resend API key for sending and receiving emails. Get yours at https://resend.com/api-keys40      required: true41    - name: RESEND_WEBHOOK_SECRET42      description: Webhook signing secret for verifying inbound email event payloads. Returned as `signing_secret` in the response when you create a webhook via the API.43      required: true44references:45    - security-levels.md46    - webhook-setup.md47    - advanced-patterns.md48---49 50# AI Agent Email Inbox51 52## Overview53 54This skill covers setting up a secure email inbox that allows your application or AI agent to receive and respond to emails, with content safety measures in place.55 56**Core principle:** An AI agent's inbox receives untrusted input. Security configuration is important to handle this safely.57 58### Why Webhook-Based Receiving?59 60Resend uses webhooks for inbound email, meaning your agent is notified **instantly** when an email arrives. This is valuable for agents because:61 62- **Real-time responsiveness** — React to emails within seconds, not minutes63- **No polling overhead** — No cron jobs checking "any new mail?" repeatedly64- **Event-driven architecture** — Your agent only wakes up when there's actually something to process65- **Lower API costs** — No wasted calls checking empty inboxes66 67## Architecture68 69```70Sender → Email → Resend (MX) → Webhook → Your Server → AI Agent71                                              ↓72                                    Security Validation73                                              ↓74                                    Process or Reject75```76 77## SDK Version Requirements78 79This skill requires Resend SDK features for webhook verification (`webhooks.verify()`) and email receiving (`emails.receiving.get()`). Always install the latest SDK version. If the project already has a Resend SDK installed, check the version and upgrade if needed.80 81| Language | Package | Min Version |82|----------|---------|-------------|83| Node.js | `resend` | >= 6.9.2 |84| Python | `resend` | >= 2.21.0 |85| Go | `resend-go/v3` | >= 3.1.0 |86| Ruby | `resend` | >= 1.0.0 |87| PHP | `resend/resend-php` | >= 1.1.0 |88| Rust | `resend-rs` | >= 0.20.0 |89| Java | `resend-java` | >= 4.11.0 |90| .NET | `Resend` | >= 0.2.1 |91 92Install the `resend` npm package: `npm install resend` (or the equivalent for your language). For full sending docs, install the `resend` skill.93 94## Quick Start95 961. **Ask the user for their email address** — You need a real email address to send test emails to. Ask the user and wait for their response before proceeding.972. **Choose your security level** — Decide how to validate incoming emails *before* any are processed983. **Set up receiving domain** — Configure MX records for the user's custom domain (see Domain Setup section)994. **Create webhook endpoint** — Handle `email.received` events with security built in from the start. **The webhook endpoint MUST be a POST route.**1005. **Set up tunneling** (local dev) — Use Tailscale Funnel (recommended) or ngrok. See [references/webhook-setup.md](references/webhook-setup.md)1016. **Create webhook via API** — Use the Resend Webhook API to register your endpoint programmatically. See [references/webhook-setup.md](references/webhook-setup.md)1027. **Connect to agent** — Pass validated emails to your AI agent for processing103 104## Before You Start: Account & API Key Setup105 106### First Question: New or Existing Resend Account?107 108Ask your human:109- **New account just for the agent?** → Simpler setup, full account access is fine110- **Existing account with other projects?** → Use domain-scoped API keys for sandboxing111 112### Creating API Keys Securely113 114> Don't paste API keys in chat! They'll be in conversation history forever.115 116**Safer options:**117 1181. **Environment file method:** Human creates `.env` file directly: `echo "RESEND_API_KEY=re_xxx" >> .env`1192. **Password manager / secrets manager:** Human stores key in 1Password, Vault, etc.1203. **If key must be shared in chat:** Human should rotate the key immediately after setup121 122### Domain-Scoped API Keys (Recommended for Existing Accounts)123 124If your human has an existing Resend account with other projects, create a **domain-scoped API key**:125 1261. **Verify the agent's domain first** (Dashboard → Domains → Add Domain)1272. **Create a scoped API key:** Dashboard → API Keys → Create API Key → "Sending access" → select only the agent's domain1283. **Result:** Even if the key leaks, it can only send from one domain129 130## Domain Setup131 132### Option 1: Resend-Managed Domain (Recommended for Getting Started)133 134Use your auto-generated address: `<anything>@<your-id>.resend.app`135 136No DNS configuration needed. Find your address in Dashboard → Emails → Receiving → "Receiving address".137 138### Option 2: Custom Domain139 140The user must enable receiving in the Resend dashboard: Domains page → toggle on "Enable Receiving".141 142Then add an MX record:143 144| Setting | Value |145|---------|-------|146| **Type** | MX |147| **Host** | Your domain or subdomain (e.g., `agent.example.com`) |148| **Value** | Provided in Resend dashboard |149| **Priority** | 10 (must be lowest number to take precedence) |150 151**Use a subdomain** (e.g., `agent.example.com`) to avoid disrupting existing email services.152 153**Tip:** Verify DNS propagation at [dns.email](https://dns.email).154 155> DNS Propagation: MX record changes can take up to 48 hours to propagate globally, though often complete within a few hours.156 157## Security Levels158 159**Choose your security level before setting up the webhook endpoint.** An AI agent that processes emails without security is dangerous — anyone can email instructions that your agent will execute. The webhook code you write next should include your chosen security level from the start.160 161Ask the user what level of security they want, and ensure that they understand what each level means.162 163| Level | Name | When to Use | Trade-off |164|-------|------|-------------|-----------|165| **1** | Strict Allowlist | Most use cases — known, fixed set of senders | Maximum security, limited functionality |166| **2** | Domain Allowlist | Organization-wide access from trusted domains | More flexible, anyone at domain can interact |167| **3** | Content Filtering | Accept from anyone, filter unsafe patterns | Can receive from anyone, pattern matching not foolproof |168| **4** | Sandboxed Processing | Process all emails with restricted agent capabilities | Maximum flexibility, complex to implement |169| **5** | Human-in-the-Loop | Require human approval for untrusted actions | Maximum security, adds latency |170 171For detailed implementation code for each level, see [references/security-levels.md](references/security-levels.md).172 173### Level 1: Strict Allowlist (Recommended)174 175Only process emails from explicitly approved addresses. Reject everything else.176 177```typescript178const ALLOWED_SENDERS = [179  'you@youremail.com',180  'notifications@github.com',181];182 183async function processEmailForAgent(184  eventData: EmailReceivedEvent,185  emailContent: EmailContent186) {187  const sender = eventData.from.toLowerCase();188 189  if (!ALLOWED_SENDERS.some(allowed => sender === allowed.toLowerCase())) {190    console.log(`Rejected email from unauthorized sender: ${sender}`);191    await notifyOwnerOfRejectedEmail(eventData);192    return;193  }194 195  await agent.processEmail({196    from: eventData.from,197    subject: eventData.subject,198    body: emailContent.text || emailContent.html,199  });200}201```202 203### Security Best Practices204 205#### Always Do206 207| Practice | Why |208|----------|-----|209| Verify webhook signatures | Prevents spoofed webhook events |210| Log all rejected emails | Audit trail for security review |211| Use allowlists where possible | Explicit trust is safer than filtering |212| Rate limit email processing | Prevents excessive processing load |213| Separate trusted/untrusted handling | Different risk levels need different treatment |214 215#### Never Do216 217| Anti-Pattern | Risk |218|--------------|------|219| Process emails without validation | Anyone can control your agent |220| Trust email headers for authentication | Headers are trivially spoofed |221| Execute code from email content | Untrusted input should never run as code |222| Store email content in prompts verbatim | Untrusted input mixed into prompts can alter agent behavior |223| Give untrusted emails full agent access | Scope capabilities to the minimum needed |224 225## Webhook Endpoint226 227After choosing your security level and setting up your domain, create a webhook endpoint. **The webhook endpoint MUST be a POST route.** Resend sends all webhook events as POST requests.228 229> **Critical: Use raw body for verification.** Webhook signature verification requires the raw request body.230> - **Next.js App Router:** Use `req.text()` (not `req.json()`)231> - **Express:** Use `express.raw({ type: 'application/json' })` on the webhook route232 233### Next.js App Router234 235```typescript236// app/webhook/route.ts237import { Resend } from 'resend';238import { NextRequest, NextResponse } from 'next/server';239 240const resend = new Resend(process.env.RESEND_API_KEY);241 242export async function POST(req: NextRequest) {243  try {244    const payload = await req.text();245 246    const event = resend.webhooks.verify({247      payload,248      headers: {249        'svix-id': req.headers.get('svix-id'),250        'svix-timestamp': req.headers.get('svix-timestamp'),251        'svix-signature': req.headers.get('svix-signature'),252      },253      secret: process.env.RESEND_WEBHOOK_SECRET,254    });255 256    if (event.type === 'email.received') {257      // Webhook payload only includes metadata, not email body258      const { data: email } = await resend.emails.receiving.get(259        event.data.email_id260      );261 262      // Apply the security level chosen above263      await processEmailForAgent(event.data, email);264    }265 266    return new NextResponse('OK', { status: 200 });267  } catch (error) {268    console.error('Webhook error:', error);269    return new NextResponse('Error', { status: 400 });270  }271}272```273 274### Express275 276```javascript277import express from 'express';278import { Resend } from 'resend';279 280const app = express();281const resend = new Resend(process.env.RESEND_API_KEY);282 283app.post('/webhook', express.raw({ type: 'application/json' }), async (req, res) => {284  try {285    const payload = req.body.toString();286 287    const event = resend.webhooks.verify({288      payload,289      headers: {290        'svix-id': req.headers['svix-id'],291        'svix-timestamp': req.headers['svix-timestamp'],292        'svix-signature': req.headers['svix-signature'],293      },294      secret: process.env.RESEND_WEBHOOK_SECRET,295    });296 297    if (event.type === 'email.received') {298      const sender = event.data.from.toLowerCase();299 300      if (!isAllowedSender(sender)) {301        console.log(`Rejected email from unauthorized sender: ${sender}`);302        res.status(200).send('OK'); // Return 200 even for rejected emails303        return;304      }305 306      const { data: email } = await resend.emails.receiving.get(event.data.email_id);307      await processEmailForAgent(event.data, email);308    }309 310    res.status(200).send('OK');311  } catch (error) {312    console.error('Webhook error:', error);313    res.status(400).send('Error');314  }315});316 317app.get('/', (req, res) => res.send('Agent Email Inbox - Ready'));318app.listen(3000, () => console.log('Webhook server running on :3000'));319```320 321For webhook registration via API, tunneling setup, svix fallback, and retry behavior, see [references/webhook-setup.md](references/webhook-setup.md).322 323## Sending Emails from Your Agent324 325```typescript326import { Resend } from 'resend';327 328const resend = new Resend(process.env.RESEND_API_KEY);329 330async function sendAgentReply(to: string, subject: string, body: string, inReplyTo?: string) {331  if (!isAllowedToReply(to)) {332    throw new Error('Cannot send to this address');333  }334 335  const { data, error } = await resend.emails.send({336    from: 'Agent <agent@example.com>',337    to: [to],338    subject: subject.startsWith('Re:') ? subject : `Re: ${subject}`,339    text: body,340    headers: inReplyTo ? { 'In-Reply-To': inReplyTo } : undefined,341  });342 343  if (error) throw new Error(`Failed to send: ${error.message}`);344  return data.id;345}346```347 348For full sending docs, install the `resend` skill.349 350## Environment Variables351 352```bash353# Required354RESEND_API_KEY=re_xxxxxxxxx355RESEND_WEBHOOK_SECRET=whsec_xxxxxxxxx356 357# Security Configuration358SECURITY_LEVEL=strict                    # strict | domain | filtered | sandboxed359ALLOWED_SENDERS=you@email.com,trusted@example.com360ALLOWED_DOMAINS=example.com361OWNER_EMAIL=you@email.com               # For security notifications362```363 364## Common Mistakes365 366| Mistake | Fix |367|---------|-----|368| No sender verification | Always validate who sent the email before processing |369| Trusting email headers | Use webhook verification, not email headers for auth |370| Same treatment for all emails | Differentiate trusted vs untrusted senders |371| Verbose error messages | Keep error responses generic to avoid leaking internal logic |372| No rate limiting | Implement per-sender rate limits. See [references/advanced-patterns.md](references/advanced-patterns.md) |373| Processing HTML directly | Strip HTML or use text-only to reduce complexity and risk |374| No logging of rejections | Log all security events for audit |375| Using ephemeral tunnel URLs | Use persistent URLs (Tailscale Funnel, paid ngrok) or deploy to production |376| Using `express.json()` on webhook route | Use `express.raw({ type: 'application/json' })` — JSON parsing breaks signature verification |377| Returning non-200 for rejected emails | Always return 200 to acknowledge receipt — otherwise Resend retries |378| Old Resend SDK version | `emails.receiving.get()` and `webhooks.verify()` require recent SDK versions — see SDK Version Requirements |379 380## Testing381 382Use Resend's test addresses for development:383- `delivered@resend.dev` — Simulates successful delivery384- `bounced@resend.dev` — Simulates hard bounce385 386For security testing, send test emails from non-allowlisted addresses to verify rejection works correctly.387 388**Quick verification checklist:**3891. Server is running: `curl http://localhost:3000` should return a response3902. Tunnel is working: `curl https://<your-tunnel-url>` should return the same response3913. Webhook is active: Check status in Resend dashboard → Webhooks3924. Send a test email from an allowlisted address and check server logs393 394## Related Skills395 396- For full sending and receiving docs, install the `resend` skill