Email Oversight for E2B Sandboxed Agents

E2B sandboxes prevent code execution damage — MultiMail adds the email-specific safety layer that catches sends from within the sandbox.

E2B provides secure sandboxed environments (isolated micro-VMs) where AI agents execute code safely. While E2B prevents filesystem and process-level damage, sandboxed code can still make network calls to email APIs. MultiMail adds an email-specific safety layer that complements E2B's execution isolation.

With MultiMail's gated_send mode, even code running inside an E2B sandbox must have its emails approved by a human before delivery. This defense-in-depth approach means E2B handles code execution safety while MultiMail handles email delivery safety.

Integration is straightforward: install the requests library in the E2B sandbox and call the MultiMail REST API from your sandboxed code. MultiMail's oversight is enforced server-side, so the sandbox cannot bypass it.

Why MultiMail

Built for E2B developers

Defense in Depth for Email

E2B sandboxes prevent code damage but can't stop outbound API calls. MultiMail adds an email-specific gate at the API level, ensuring sandboxed code can't send unauthorized emails.

Server-Side Oversight

MultiMail's oversight is enforced on MultiMail's servers, not in the sandbox. Even if sandbox code tries to bypass client-side checks, the API refuses to deliver emails without approval in gated_send mode.

Sandbox-Friendly REST API

MultiMail's REST API works from any environment that can make HTTPS calls. No special SDKs or native dependencies needed — just standard HTTP requests from within the E2B sandbox.

Rate Limiting as a Backstop

If sandboxed code enters a loop calling the email API, MultiMail's plan-level rate limits prevent excessive sends. Combined with gated_send, this provides multiple safety layers.

Try it

Try it with your agent

No code, no dashboard. Paste this to your AI agent — it connects MultiMail, creates an inbox, and builds the flow for you.

You are running in an E2B sandbox. E2B contains code execution damage; MultiMail adds the email-specific safety layer that catches outbound sends from inside the sandbox. Follow these steps exactly and do not invent MultiMail APIs, webhooks, endpoints, headers, or tool names. 1. Get MultiMail ready: read https://multimail.dev/llms.txt, connect the MultiMail MCP server using the instructions it provides, create a free inbox, and set up a verified sending domain. Use only the MCP tools and capabilities discovered from MultiMail’s own MCP server. 2. Wire MultiMail into this E2B agent through E2B’s MCP gateway. Add the MultiMail MCP server as a custom MCP server in the E2B sandbox MCP configuration; if this agent runs outside the sandbox, connect its MCP client through the sandbox MCP helper methods, and if it runs inside the sandbox, connect through the in-sandbox E2B MCP gateway using the MCP client supported by the agent framework. 3. Expose only three email actions to the agent workflow: check the MultiMail inbox, draft a reply, and send or schedule email. Before using any action, inspect the connected MCP tool list and map these actions to the real MultiMail MCP tools that exist; if a needed tool is missing, stop and report that instead of guessing. 4. Send a test email from the verified sender to the free inbox. First check the inbox state, then compose a short test message, then prepare the send through MultiMail. Afterward, check the inbox again and report whether the message arrived. 5. Run the whole email workflow in gated_send oversight mode. No email may leave without developer review and approval. Keep monitored and autonomous disabled for this quickstart, and summarize every proposed recipient, subject, body, and scheduled send time before requesting approval.
Getting started

Step by step

1

Create a MultiMail Account and API Key

Sign up at multimail.dev, create a mailbox, and generate an API key from your dashboard. Your key will start with mm_live_.

2

Install E2B

Install the E2B code interpreter SDK.

3

Set Up Sandbox with Dependencies

Create an E2B sandbox and install the requests library for making MultiMail API calls.

4

Execute Email Code in Sandbox

Run code that calls the MultiMail API from within the sandbox. The API key authenticates the request, and gated_send mode ensures oversight.

5

Approve Pending Emails

Review emails queued by sandbox code in the MultiMail dashboard. Approve or reject before delivery.

FAQ

Common questions

Can sandboxed code bypass MultiMail's oversight?
No. MultiMail's oversight is enforced server-side at the API level. The sandbox code sends an HTTP request to MultiMail's servers, which check the mailbox's oversight mode before processing. Even if the sandbox code is malicious, the API will not deliver emails without human approval in gated_send mode.
Should I pass the API key into the sandbox?
For development, passing the API key directly is fine. For production, consider using a scoped API key with limited permissions. MultiMail API keys can be restricted to specific mailboxes and operations, minimizing the risk if sandbox code misuses the key.
How does E2B sandbox isolation complement MultiMail?
E2B prevents code-level damage — filesystem corruption, process abuse, resource exhaustion. MultiMail prevents email-level damage — unauthorized sends, spam, phishing. Together they provide defense in depth: the sandbox controls what code can do locally, MultiMail controls what it can send externally.
Can I use the MultiMail MCP server inside an E2B sandbox?
Yes, but the REST API is simpler for sandbox use. The MCP server requires Node.js and runs as a process, adding complexity to the sandbox setup. Direct HTTP calls to the REST API work with just the requests library and are easier to manage in ephemeral sandbox environments.
Related integrations

Explore more

TaskWeaver

coding-agent · python

View guide →

Composio

tool-use · both

View guide →

Modal

coding-agent · python

View guide →
Get started

The only agent email with a verifiable sender

Email infrastructure built for AI agents. Verifiable identity, graduated oversight, and a hosted MCP server. Formally verified in Lean 4.

Read the Docs →See Pricing