Waydock connects AI agents to your inbox. The single biggest risk that creates is an agent sending mail it shouldn't, whether because of prompt injection hidden in an incoming email, a misconfigured automation, or a stolen API key. This page documents, in plain language, every gate we put in front of an outbound send. Nothing here is aspirational. It's how the product behaves today, enforced server-side, on every send path.
Six rules every outbound email obeys
- We never send to an unlisted address. You maintain an explicit allowlist of recipients in Settings, Outbound email allowlist. If a recipient isn't on the list, the send fails closed with a structured error. There is no AI override, no “trusted sender” bypass, no exception for replies to senders you've emailed before.
- A new recipient has a 60-second cooldown. The moment you add an address to the allowlist, sends to it are blocked for one minute. That window exists so that if a prompt injection somehow convinces an agent to add an address and immediately send to it, you have time to see the addition land in your real-time alert webhook and revoke before any mail leaves.
- The send caps are fixed by the server, not by you. 500 sends per rolling 24h across all recipients. 5 sends per rolling 24h to any single address. These limits are constants in our code, not user-tunable settings. A stolen session can't loosen them, because there's no knob to turn.
- Replies can only land in their own thread. When an agent replies to a message, the recipient list is restricted to the intersection of (the original thread's participants) and (your allowlist). An agent can't use “reply” as cover to email someone the thread doesn't already include.
- One kill switch turns everything off. Flip Allow outbound sending off in settings and no mail leaves your account from any path: morning brief cron, AI agent, automation, anything. The toggle is checked at the moment of send, not at the time the agent was authorized, so it kills in-flight intent too.
- Subject and body are scrubbed of invisible characters. Zero-width spaces, bidi-override marks, and the U+E0000 tag block (the steganographic channel sometimes used to hide instructions inside readable text) are stripped from every send before it reaches the provider. This prevents an LLM from emitting, or pasting in from a poisoned source email, hidden content that humans wouldn't see.
One chokepoint, every path
The cron that sends your morning brief, the MCP tool an AI agent uses to send on your behalf, and any future automation we ship all route through the same single function. That function applies the six rules above in order, then writes a log row before calling Gmail or Microsoft Graph. The write-ahead matters: without it, two concurrent sends could both pass the 24h-cap check at count 499 and both succeed, leaving the count at 501. With it, either both see the pre-reserved row and one is refused, or one fails and frees the slot.
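The chokepoint described above, as an added example that is not Waydock's own code: one `send_mail` function that applies the allowlist, cooldown, thread-restriction, kill-switch and scrubbing rules, then checks the caps and reserves write-ahead log rows (recipient, provider, source, subject hash) under a lock before the provider is called. The cap check is done last here so that check and reservation are one atomic step. Error codes other than `capability_disabled`, the `Account` layout, the `deliver` callback and the rule ordering are assumptions; the constants are the ones the page states.

```python
import hashlib
import re
import threading
import time
from dataclasses import dataclass, field

# Server-side constants; the page states these are not user-tunable.
DAILY_CAP_TOTAL = 500          # sends per rolling 24h, all recipients
DAILY_CAP_PER_RECIPIENT = 5    # sends per rolling 24h, one address
COOLDOWN_SECONDS = 60          # newly allowlisted address is blocked this long
WINDOW_SECONDS = 24 * 3600

# Invisible code points: zero-width characters, bidi embeddings/overrides/
# isolates, and the U+E0000..U+E007F tag block.
_INVISIBLE = re.compile(
    "[\u200b\u200c\u200d\u2060\ufeff"
    "\u202a-\u202e\u2066-\u2069"
    "\U000e0000-\U000e007f]"
)


def scrub_invisible(text: str) -> str:
    """Rule 6: drop characters a human reader would not see."""
    return _INVISIBLE.sub("", text)


class SendRefused(Exception):
    """Fail-closed refusal with a machine-readable code (assumed code names)."""

    def __init__(self, code: str, detail: str = ""):
        super().__init__(f"{code}: {detail}" if detail else code)
        self.code = code


@dataclass
class Account:
    outbound_enabled: bool = True                    # the kill switch
    allowlist: dict = field(default_factory=dict)    # address -> epoch seconds when added
    log: list = field(default_factory=list)          # write-ahead audit rows
    lock: threading.Lock = field(default_factory=threading.Lock)


def _sends_in_window(account, now, recipient=None):
    """Count log rows (reserved, sent or failed) inside the rolling window."""
    return sum(
        1 for row in account.log
        if now - row["at"] < WINDOW_SECONDS
        and (recipient is None or row["to"] == recipient)
    )


def send_mail(account, recipients, subject, body, *, source, provider,
              thread_participants=None, deliver=None, now=None):
    """The single chokepoint every send path calls. Returns the log rows."""
    now = time.time() if now is None else now
    for addr in recipients:
        added_at = account.allowlist.get(addr)
        if added_at is None:                                   # rule 1: allowlist only
            raise SendRefused("recipient_not_allowlisted", addr)
        if now - added_at < COOLDOWN_SECONDS:                   # rule 2: 60 s cooldown
            raise SendRefused("recipient_cooldown", addr)
        if thread_participants is not None and addr not in thread_participants:
            raise SendRefused("recipient_not_in_thread", addr)  # rule 4: reply stays in thread
    if not account.outbound_enabled:                           # rule 5: checked at send time
        raise SendRefused("capability_disabled", "outbound sending is off")
    subject = scrub_invisible(subject)                         # rule 6: scrub before hashing/sending
    body = scrub_invisible(body)
    subject_hash = hashlib.sha256(subject.encode("utf-8")).hexdigest()

    rows = []
    with account.lock:   # rule 3: cap check and reservation are one atomic step
        if _sends_in_window(account, now) + len(recipients) > DAILY_CAP_TOTAL:
            raise SendRefused("daily_cap_exceeded")
        for addr in recipients:
            if _sends_in_window(account, now, addr) >= DAILY_CAP_PER_RECIPIENT:
                raise SendRefused("recipient_cap_exceeded", addr)
        for addr in recipients:
            row = {"at": now, "to": addr, "provider": provider, "source": source,
                   "subject_sha256": subject_hash, "status": "reserved"}
            account.log.append(row)   # write-ahead: the row exists before the provider call
            rows.append(row)

    try:
        if deliver is not None:       # provider client (Gmail / Graph), injected by the caller
            deliver(recipients, subject, body)
    except Exception:
        for row in rows:
            row["status"] = "failed"  # a failed send still consumes its cap slot
        raise
    for row in rows:
        row["status"] = "sent"
    return rows
```

Because the audit row stores only a SHA-256 of the scrubbed subject, two sends whose subjects differ only by invisible characters hash identically, which is what makes the log safe to query from support tooling without exposing content.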
Scopes that protect against over-grant
Waydock connects to your mailbox using narrow OAuth scopes. We never request broad “modify mail” permissions. To send, we ask for gmail.send or Mail.Send specifically, and only when you click the upgrade prompt in our app.
For automation, you issue MCP API keys with a chosen scope set. Outbound send is wildcard-proof: a key cannot send unless its scope list contains the literal string write:mail.send. Picking the “Full access” preset deliberately does not grant send. You opt into send as a separate checkbox, on top of any preset, and only when your allowlist and kill switch are already configured.
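A scope matcher with the property described above, as an added example rather than Waydock's own code: wildcards expand for every other scope, but the send scope is satisfied only by the literal string `write:mail.send`, and the opt-in is refused unless the allowlist and kill switch are already configured. The preset contents, the trailing-`*` wildcard syntax and the function names are assumptions; the page only says that "Full access" does not include send.

```python
SEND_SCOPE = "write:mail.send"

# Constructed presets. The page names only "Full access" and states that it
# does not grant send; the other scope strings here are made up for the example.
PRESETS = {
    "read_only": ["read:*"],
    "full_access": ["read:*", "write:*", "admin:*"],
}


def scope_matches(granted: str, required: str) -> bool:
    """True if one granted scope covers `required`.

    A trailing '*' (assumed syntax) covers everything under its prefix,
    except the send scope, which only the exact literal grants. So
    "write:*" and even "*" never satisfy a send.
    """
    if required == SEND_SCOPE:
        return granted == SEND_SCOPE
    if granted.endswith("*"):
        return required.startswith(granted[:-1])
    return granted == required


def key_allows(scopes, required: str) -> bool:
    """Does this key's scope list permit the required operation?"""
    return any(scope_matches(granted, required) for granted in scopes)


def issue_key_scopes(preset: str, *, send_opt_in: bool = False,
                     allowlist_configured: bool = False,
                     outbound_enabled: bool = False) -> list:
    """Build a key's scope list: the preset, plus send only as a separate
    opt-in that requires the allowlist and kill switch to be set up first."""
    scopes = list(PRESETS[preset])
    if send_opt_in:
        if not (allowlist_configured and outbound_enabled):
            raise ValueError("configure the allowlist and kill switch before enabling send")
        scopes.append(SEND_SCOPE)
    return scopes
```

The important line is the first branch of `scope_matches`: the send check never reaches the wildcard logic, so no future preset or wildcard pattern can grant send by accident.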
You can revoke any key with one click. You can revoke our access to your mailbox entirely from your Google or Microsoft account at any time.
Real-time visibility
Every outbound API call Waydock makes on your behalf (sending mail, creating a draft, updating a calendar event) is captured by our outbound audit layer. You can wire that stream to a webhook in Settings, Webhooks: Slack, Discord, Telegram, or a raw HTTPS endpoint. Every send fires the webhook within seconds, so you see what your account did before the recipient sees the email.
Each send also writes to a durable in-app log that records the recipient, the provider, the source (cron, MCP tool name, user action), and a hash of the subject. We hash subjects rather than store them so the audit surface doesn't leak content if it's ever queried by support tooling.
HTML sends are an explicit per-recipient opt-in
By default, mail Waydock sends is plain text. To enable HTML for a recipient, you tick “Allow HTML” on that recipient's allowlist row. The HTML body is then run through a strict sanitizer that strips scripts, iframes, event handlers, and any URL scheme other than http, https, mailto, or tel. Even with HTML enabled, no markup can execute in the recipient's inbox.
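A strict allowlist-based sanitizer of the kind described above, added here as an example and not Waydock's own implementation: it rebuilds the body from a small set of allowed tags, drops `<script>`, `<iframe>` and similar elements together with their content, removes every `on*` handler and any other unlisted attribute, and keeps `href`/`src` only when the URL scheme is http, https, mailto or tel. The allowed-tag and attribute sets are assumptions (the page names only the things that are stripped); relative URLs are rejected too, which is stricter than the page requires.

```python
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlsplit

ALLOWED_TAGS = {"p", "br", "a", "b", "i", "em", "strong", "ul", "ol", "li", "img"}  # assumed
DROP_WITH_CONTENT = {"script", "style", "iframe", "object", "embed"}
ALLOWED_SCHEMES = {"http", "https", "mailto", "tel"}     # the schemes the page names
URL_ATTRS = {"href", "src"}
PLAIN_ATTRS = {"alt", "title"}                            # assumed non-URL attributes kept
VOID = {"br", "img"}


def _safe_url(value: str) -> bool:
    # urlsplit only recognises a syntactically valid scheme, so "java\tscript:"
    # or a scheme-less relative URL yields "" and is rejected.
    return urlsplit(value.strip()).scheme.lower() in ALLOWED_SCHEMES


class _Sanitizer(HTMLParser):
    def __init__(self):
        super().__init__()            # convert_charrefs=True: data arrives decoded
        self.out = []
        self.stack = []               # open allowed tags, so output stays balanced
        self.skip_depth = 0           # >0 while inside a dropped element

    def handle_starttag(self, tag, attrs):
        if tag in DROP_WITH_CONTENT:
            self.skip_depth += 1
            return
        if self.skip_depth or tag not in ALLOWED_TAGS:
            return                    # unknown tag: drop the tag, keep its text
        kept = []
        for name, value in attrs:
            if name.startswith("on") or value is None:
                continue              # event handlers never survive
            if name in URL_ATTRS and _safe_url(value):
                kept.append(f' {name}="{escape(value, quote=True)}"')
            elif name in PLAIN_ATTRS:
                kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")
        if tag not in VOID:
            self.stack.append(tag)

    def handle_endtag(self, tag):
        if tag in DROP_WITH_CONTENT:
            self.skip_depth = max(0, self.skip_depth - 1)
            return
        if self.skip_depth or tag not in self.stack:
            return
        while True:                   # close anything left open inside this tag
            open_tag = self.stack.pop()
            self.out.append(f"</{open_tag}>")
            if open_tag == tag:
                break

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(escape(data, quote=False))


def sanitize_html(html: str) -> str:
    """Return a version of `html` containing only the allowed subset."""
    s = _Sanitizer()
    s.feed(html)
    s.close()
    while s.stack:                    # balance tags the input left open
        s.out.append(f"</{s.stack.pop()}>")
    return "".join(s.out)
```

Text content is re-escaped on output, so an entity-encoded `&lt;script&gt;` in the source stays inert rather than being decoded into a live tag.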
What we don't do
- We don't route your mail content through AI gateways or third-party inference proxies. AI calls go direct to the model provider. Fewer hops over your data.
- We don't send on behalf of a paused or revoked account. If you disconnect Gmail or Outlook, in-flight sends fail with capability_disabled.
- We don't silently retry failed sends. A failed send still consumes one cap slot, which acts as a brake on prompt-injection storms.
- We don't accept a CC, BCC, or attachment from an agent today. The send surface is intentionally narrow: a recipient list, a subject, and a body.
If something looks wrong
If you ever see a send you didn't expect, the fastest response is the kill switch in Settings, Outbound email allowlist. Flipping it off stops every future send within seconds, with no need to revoke individual keys or disconnect accounts. Then, with a cooler head, you can use the activity log to see which key or tool triggered the send and revoke it specifically.
We also welcome reports of security issues. Email security via the contact form and we'll respond within one business day.
A note on what we can't promise
No security model is perfect. We're honest about the things outside our control: a recipient's mail server can still leak, an attacker who steals your browser session can still operate the app as you, and a provider-side compromise (Google, Microsoft) would put your mailbox at risk regardless of what we do. What we can promise is that on the surface area we own, the contract above is enforced in code, with tests, and changes to it leave an audit trail.