Email MCP Server: Secure AI Agent Access to Gmail and Outlook
Connect Claude, ChatGPT, and Cursor to Gmail and Outlook through PortEden's remote MCP server. 8 tools, OAuth, and a data firewall that controls every search, send, and delete.
Free tier · No credit card required
What is the Email MCP server?
The email MCP server lets AI agents read, search, and send email through the Model Context Protocol. Connect a client like Claude, ChatGPT, or Cursor to one remote endpoint at https://mcp.porteden.com/email and the agent works across Gmail and Outlook at once, including Microsoft 365 mailboxes, with no per-provider setup.
PortEden's server exposes 8 email tools, from search and thread reads to send, reply, forward, and delete. What makes it different from a generic Gmail or Outlook MCP is the data firewall in front of those tools: PortEden inspects every tool-call request, applies your access policy, and redacts sensitive content in the response before the agent ever sees it.
The result is secure email access for AI agents. You decide whether a client can only read or can also send, block individual contacts and domains, redact PII from message bodies, and review every call in an audit log. OAuth handles authentication, so there is no static key to leak.
All 8 Email MCP tools
Every tool can be allowed or denied per client. Access levels are enforced at the firewall on each call.
| Tool | Access | What it does |
|---|---|---|
email_search | read | Search emails across all connected providers (Gmail and Outlook). |
email_get | read | Get a single email by its provider-prefixed ID. |
email_get_thread | read | Get every message in an email thread. |
email_send | write | Send a new email. |
email_reply | write | Reply to an existing email. |
email_forward | write | Forward an email to new recipients. |
email_modify | write | Mark an email read or unread, or add and remove labels. |
email_delete | delete | Move an email to Trash. |
Connect Email to Claude, ChatGPT, Cursor, and more
Point any MCP-compatible client at the remote URL and sign in to PortEden once with OAuth.
# Claude Web or Desktop, then Settings, Connectors, Add custom connectorhttps://mcp.porteden.com/email # Authenticate to PortEden once with OAuth. Claude can now call the# email tools under the access policy you set.Available on Claude Pro, Team, and Enterprise. The same flow works for Claude Cowork.
The security-first Email MCP
PortEden is the data firewall for AI.
Granular access control
Decide exactly what each AI client can do with email. Keep an agent read-only, allow drafting but require confirmation before send, or block whole domains, so an over-eager agent cannot email the wrong person.
- Read-only by default: deny email_send, email_reply, email_forward, and email_delete for a triage agent.
- Per-contact and per-domain rules: block messages to or from specific senders or external domains.
- Confirm-before-send on outbound actions so nothing leaves the mailbox without a check.
Data redaction
PortEden runs a redaction pass on every tool response before it leaves the firewall. Sensitive values in message bodies and headers are replaced with stable placeholders, so the agent can summarize a thread without the raw content entering the model's context.
- Strip PII, PAN (card numbers), and other email addresses from message bodies before the agent sees them.
- Mask sender and recipient addresses while keeping the subject and summary readable.
- Round-trip replies are de-redacted server-side, so a reply aimed at a placeholder reaches the real recipient.
Audit trail
Every email tool call is recorded: which client, which user, which tool, the arguments passed, the policy decision, and the redacted response. Export it or stream it to your SIEM for review.
- See exactly which threads an agent read and which messages it sent, with timestamps.
- Reconstruct any tool call: the request, the rule that fired, and the response returned.
- Stream to Splunk, Datadog, or S3 for retention and review.
RBAC and policy groups
Bind each MCP connection to a user or role with a scoped, revocable token. Group policies by team so a new hire inherits the right mailbox access on day one, and revocation is instant and server-side.
- Issue per-user tokens scoped to the verbs and mailboxes that role needs.
- Apply one policy group across a team instead of editing rules client by client.
- Revoke a token server-side the moment a contract ends, with no Google or Microsoft account round-trip.
Set up the secure Email MCP in minutes
Add the connector
In your AI client, add a custom connector or HTTP MCP server pointing at https://mcp.porteden.com/email.
Authenticate with OAuth
Sign in to PortEden once and connect Gmail or Outlook. The client never holds your provider refresh token.
Set your email policy
Choose read-only or read-write, block contacts or domains, and turn on redaction for message bodies.
Verify in the audit log
Run a prompt, then watch the tool calls land in your PortEden audit log with the rule that fired on each one.
Email MCP FAQ
What is the email MCP server?
How do I connect Claude to Gmail using MCP?
Does the email MCP server work with Outlook too?
Is the email MCP server secure?
Can I give an AI agent read-only email access?
Does redaction stop the agent from summarizing my email?
What email tools does the MCP server expose?
Which AI clients work with the email MCP server?
Does it cost anything to use the email MCP server?
Keep Exploring
Connect Email to AI, without leaking the underlying data.
Five-minute setup over OAuth. The free tier covers 1,000 tool calls per month.