How Much Email Access Does Your AI Agent Actually Need?
Most AI agents are granted full inbox access because it's the path of least resistance. Here's a practical breakdown of what each use case actually requires.
When developers connect an AI agent to an email account, the default behavior is to grant full access. It is the path of least resistance: one credential, one connection, the agent can do everything. This is understandable during early development when you are trying to get things working. It becomes a problem when that setup makes it to production.
The practical question — how much access does this agent actually need? — is rarely asked. This post works through the most common AI email use cases and maps them to the minimum required permission set.
A Permission Map for Common Use Cases
1. Inbox Summarizer
An agent that reads emails and generates summaries needs exactly one permission: mail:read
plus folder:read to navigate folder structure. It does not need to send, delete,
move, or update flags.
[[rules]] name = "Summarizer: read-only" action = "allow" operations = ["read" ] [[rules]] name = "Deny everything else" action = "deny"
2. Support Ticket Agent
An agent that reads incoming support emails, classifies them, and marks them as processed needs read access plus the ability to update flags (to mark as read or add labels). It does not need to send responses — those should go through a separate, deliberately scoped channel.
# Support agent: reads INBOX and Support folder, # can update flags, cannot send or delete. [imap] listen_addr = "127.0.0.1:1993" upstream_addr = "imap.company.com:993" [smtp] listen_addr = "127.0.0.1:1587" upstream_addr = "smtp.company.com:587" [[rules]] name = "Read support emails" folders = ["INBOX", "Support/**"] action = "allow" operations = ["mail:read", "folder:read"] [[rules]] name = "Flag as processed" folders = ["INBOX", "Support/**"] action = "allow" operations = ["mail:update"] [[rules]] name = "Deny everything else" action = "deny"
3. Email Drafter
An agent that composes draft replies needs read access to the thread context plus the ability
to create drafts. In IMAP terms, creating a draft is an APPEND command to the
Drafts folder — which falls under mail:copy in Mailgator's operation model.
It does not need to send; the human reviews and sends manually.
[[rules]] name = "Read all folders" action = "allow" operations = ["read"] [[rules]] name = "Create drafts" folders = ["Drafts"] action = "allow" operations = ["mail:copy"] [[rules]] name = "Deny send and everything else" action = "deny"
4. Newsletter Unsubscriber
An agent that identifies and unsubscribes from newsletters needs to read the inbox and delete or move identified newsletter emails. It should be scoped to specific folders or senders — it absolutely should not have access to your full inbox with delete permissions.
[[rules]] name = "Read newsletters" folders = ["INBOX", "Newsletters/**"] action = "allow" operations = ["read"] [[rules]] name = "Move newsletters to archive" folders = ["INBOX", "Newsletters/**"] action = "allow" operations = ["mail:move"] [[rules]] name = "Deny delete, send, and everything else" action = "deny"
5. Full Automation Agent
An agent that needs to read, respond, organize, and clean up email requires the broadest permissions. Even here, you can add meaningful constraints: restrict sends to specific recipient domains, require approval for external sends, or scope folder operations to specific directories.
[[rules]] name = "Full read access" action = "allow" operations = ["read"] [[rules]] name = "Send to internal team only" to = "*@company.com" action = "allow" operations = ["mail:send"] [[rules]] name = "Write and organize" action = "allow" operations = ["write", "move"] [[rules]] name = "Deny delete and external sends" action = "deny"
The Principle Behind the Principle
AWS documented least-privilege access for agentic AI systems in their Well-Architected Generative AI Lens: "Agents should have the minimum access necessary to accomplish their tasks. Least privilege does not mean making the agent weak — it means giving the agent exactly enough power to complete the approved task, for the approved time, in the approved context."
Email agents are no different from any other system accessing privileged resources. The fact that the interface is natural language does not change the security model. You would not give a read-only reporting tool write access to your database because it was easier to set up. The same logic applies here.
The Privilege Creep Pattern
One dynamic worth naming: permission scope tends to expand over time, not contract. An agent starts with full access during development. When it ships, no one narrows the scope because the agent is working correctly. Three months later, the original developer has moved on and no one knows why the agent has deletion rights.
Encoding permissions in a configuration file that lives in version control — rather than as API token settings in a web UI — makes scope explicit and auditable. When someone asks "why does this agent have delete access?", the answer is in the config, not in someone's memory.
Practical Starting Point
If you are unsure what permissions your agent needs, start from the most restrictive baseline: read-only access to a single folder. Add permissions only when a specific capability fails and you have confirmed the agent genuinely needs it. You will often find the scope ends up much narrower than you expected.
Sources: AWS Well-Architected — Least Privilege for Agentic Workflows, OWASP AI Agent Security Cheat Sheet, Hatchworks — AI Agent Security Checklist
// want to try mailgator?
Give your AI agents exactly the access they need. No more.
An IMAP/SMTP proxy with per-operation permission rules. Self-hosted, no email data leaves your infrastructure.
See plans