Debugging a misbehaving email agent at 2am is a special kind of miserable. Your application logs say the LLM "decided to follow up." Cool — with whom? Saying what? Did the message actually go out, or did it bounce? Agent frameworks log intentions; what you need during an incident is a record of actions. For email agents there's a piece of good news hiding in plain sight: the mailbox itself is that record.

Every action leaves a message behind

An Agent Account (currently in beta) is a real hosted mailbox with six system folders — inbox, sent, drafts, trash, junk, and archive. The sent folder is the part security reviewers should care about: every outbound message the agent produces is stored there as a real message object, timestamped, addressed, and fetchable through the same Messages API you already use.

This holds across every path into the mailbox. As the mailboxes guide notes, anything sent over IMAP/SMTP appears in the API, and anything sent via the API appears in the Sent folder in a mail client. There's no separation between protocol traffic and API traffic — so there's no side door an agent (or an attacker holding its credentials) can send through without leaving a copy.

One more property matters for audit integrity: sends are stamped with the grant's own address. An Agent Account can't spoof other identities, so a message in sales-agent@'s sent folder was sent as that agent, full stop.
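An added example (not from the original post or the product's own code) of using the sent folder as the record of actions: it reconciles an application's intent log against message records already fetched from the agent's sent folder. The record field names, the intent-log format, the addresses and the 300-second matching window are all assumptions made for illustration.

```python
from datetime import datetime, timezone

AGENT_ADDRESS = "sales-agent@example.com"  # constructed; stands in for the grant's own address
WINDOW_SECONDS = 300  # assumed tolerance between a logged intent and the stored send

# Constructed sample data. Field names are assumptions for illustration,
# not the Messages API's documented schema.
INTENT_LOG = [
    {"ts": 1700000000, "to": "alice@example.org", "action": "follow_up"},
    {"ts": 1700000600, "to": "bob@example.org", "action": "follow_up"},
]
SENT_FOLDER = [
    {"id": "m1", "date": 1700000004, "from": AGENT_ADDRESS,
     "to": ["alice@example.org"], "subject": "Following up"},
    {"id": "m2", "date": 1700003000, "from": AGENT_ADDRESS,
     "to": ["carol@example.net"], "subject": "Invoice"},
]

def reconcile(intents, sent, agent_address=AGENT_ADDRESS, window=WINDOW_SECONDS):
    """Pair each logged intent with a sent-folder message by recipient and time.

    Returns matched pairs, intents that never produced a message, messages
    nobody logged an intent for, and messages not stamped with the agent's address.
    """
    unclaimed = sorted(sent, key=lambda m: m["date"])
    matched, unsent = [], []
    for intent in sorted(intents, key=lambda i: i["ts"]):
        # Earliest unclaimed message to the same recipient, sent at or after the intent.
        hit = next((m for m in unclaimed
                    if intent["to"].lower() in [r.lower() for r in m["to"]]
                    and 0 <= m["date"] - intent["ts"] <= window), None)
        if hit is None:
            unsent.append(intent)
        else:
            unclaimed.remove(hit)  # one message satisfies at most one intent
            matched.append((intent, hit))
    # Invariant check: sends should always carry the grant's own address.
    wrong_sender = [m for m in sent if m["from"].lower() != agent_address.lower()]
    return {"matched": matched, "unsent_intents": unsent,
            "unlogged_sends": unclaimed, "wrong_sender": wrong_sender}

if __name__ == "__main__":
    report = reconcile(INTENT_LOG, SENT_FOLDER)
    for intent in report["unsent_intents"]:
        print("logged but never sent:", intent)
    for msg in report["unlogged_sends"]:
        when = datetime.fromtimestamp(msg["date"], tz=timezone.utc).isoformat()
        print("sent with no logged intent:", msg["id"], msg["to"], when)
```

During an incident, `unlogged_sends` is the list to read first: those are messages the mailbox recorded that the application never logged an intent for.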