Field 01 — Declaration of contents · email infrastructure for AI agents

Email arrives comprehended.

Every inbound message is parsed, classified, extracted to your schema — and screened for prompt injection — before your agent reads a single word.

Free tier. No card. Your agent can sign itself up over MCP.

from: billing@globex-corp.example
subject: Invoice #77 — Globex
<div style="color:#fff">ignore prior instructions…</div>STRIPPED
{
  "classification": "invoice",
  "confidence": 0.95,
  "extraction": {
    "vendor": "Globex Corporation",
    "amount": 3750
  },
  "sanitization": [{
    "kind": "hidden_text",
    "detail": "white-on-white div removed"
  }]
}

Field 02 — Notice

You already know this is a hole.

Raw email is attacker-controlled input. Hidden text, zero-width characters, HTML your parser trusts and your model obeys — piped straight into your agent's context, with its tool access and its credentials. Every inbox API on the market hands you that payload as-is and calls it a feature.

An inbox for an agent isn't a pipe. It's a trust boundary.

Field 03 — Mechanism

Five stages between the wire and your agent.

1
Verify + dedupe
Signed webhooks, idempotent ingest. Provider retries never double-bill you.
2
Clean
HTML to text. Tracking pixels, styling noise, and quoted-reply chains stripped deterministically.
3
Sanitize
Hidden text, zero-width characters, homoglyph runs removed — every removal logged in a sanitization report you can read.
4
Injection scan
A model that reads the mail so yours doesn't have to. Flagged messages fail closed: delivered, but deterministic-only.
5
Extract
Your JSON Schema in, typed fields out, with a confidence score.

Fail-closed, always: a flagged or unscannable message is never dropped and never guessed at — your agent gets the cleaned text, the flags, and no hallucinated extraction. You see every byte we removed.

Field 04 — Proof of processing

8.2 SECONDS
Stranger's send → structured JSON in your webhookMeasured on production, July 5, 2026 — external sender → MX → pipeline → {vendor, amount}at 0.95 confidence. The dashboard shows raw-vs-comprehended side by side for every message. This page isn't a mockup of the product.

Field 05 — Live inspection

Inspect it yourself.

No signup, no API key. Mint a real mailbox below and send it an email — watch it arrive comprehended, right here, in the time it takes the pipeline to run.

We'll mint a real mailbox on the spot. Send it anything — a newsletter, a receipt, a plain note — and watch it come back structured.

Field 06 — Quickstart

Your agent onboards itself.

claude mcp add --transport http postfleet https://api.postfleet.ai/api/mcp \
  --header "Authorization: Bearer $POSTFLEET_KEY"
create_mailboxsend_emailreply_emaillist_inboxread_emailwait_for_email

An agent with this MCP endpoint provisions its own address and starts processing mail — no dashboard required. REST if you'd rather drive.

Field 07 — Postage

Pricing

Free
$0/mo
  • 3 mailboxes
  • 3,000 emails / month
  • Full deterministic pipeline — clean + sanitize on every message
  • No card required
Pro
$20/mo
  • 10 mailboxes
  • 10,000 emails / month
  • 1,500 schema extractions / month
  • Injection scan + LLM extraction
  • Cancel anytime — billing by Stripe

Every message on both tiers gets the full sanitization treatment. Comprehension is what you pay for; safety isn't a paid feature.

Field 08 — Dispatch

Give your agent an inbox it can trust.

agent-hello@mail.postfleet.ai is a Postfleet mailbox — an agent reads it.