Secure Email CLI Unified Protection
Most teams use more than one email provider. The Secure Email CLI gives you a single set of rules that govern AI agent access across Gmail, Outlook, and Exchange. Write your policy once and enforce it everywhere.
How PortEden Protects You
Six layers of security between AI and your data.
Write Once, Enforce Everywhere
Define email security rules in a single config file, and the CLI translates them into the correct enforcement logic for Gmail, Outlook, and Exchange.
Provider-Agnostic Action Limits
Set agents to read-only or draft-only across all email providers with one flag instead of configuring limits separately in each admin console.
Consistent Visibility Controls
Agents see the same filtered view regardless of which provider holds the email: headers only, redacted bodies, or full content.
Cross-Provider Contact Rules
Block agents from accessing emails involving specific people or domains, with the rule enforced across Gmail, Outlook, and Exchange simultaneously.
Label/folder mapping across providers and one audit log
The hard part of multi-provider email is that Gmail uses labels (many-to-many tags), Outlook uses folders (strict hierarchy), and Exchange on-prem speaks WellKnownFolderName enums. A rule like "agent can read INBOX but not HR" has to translate cleanly to all three. The Email CLI uses a provider-agnostic naming scheme that resolves at request time:
# ~/.porteden/email.yaml
defaults:
mode: read
body_max_kb: 32
strip_headers:
- "X-Original-Sender"
- "Received"
- "Authentication-Results"
agents:
summarizer:
container_allowlist:
- "@inbox" # → Gmail INBOX, Outlook "Inbox", Exchange Inbox
- "@inbox/Clients/*" # → Gmail "Clients/*" label, Outlook subfolders
container_denylist:
- "@hr" # → Gmail "HR" label, Outlook "HR" folder
- "@legal" # ditto
- "@drafts" # → Gmail DRAFT, Outlook "Drafts" folder
per_provider:
gmail:
# gmail-specific: labels are tags, not folders
treat_labels_as_folders: true
outlook:
use_delta_query: true
exchange_onprem:
impersonation_user: "PORTEDEN-SVC"The @inbox aliases
@inbox, @sent, @drafts,@trash, @spam, and @archive are well-known aliases that resolve to the right container per provider. Custom labels/folders use literal names. Wildcards (@inbox/Clients/*) work across providers because the CLI walks Gmail labels by prefix and Outlook folders by recursion.
One audit log, three providers
$ porteden audit tail --agent summarizer
2026-05-15 16:14:02 gmail/INBOX/clients-acme msg=193f7c.. read ok
2026-05-15 16:14:03 outlook/Inbox/Customers msg=AAMkA... read ok
2026-05-15 16:14:04 gmail/HR msg=193f7d.. read denied (deny:@hr)
2026-05-15 16:14:05 exchange/Inbox msg=00000000:... read okOne log file, one timestamp format, one schema. When a compliance officer asks "what did the summarizer touch last Tuesday", the answer is porteden audit grep --since 'last tuesday' — not a three-way join across Google Workspace audit logs, Microsoft Compliance Center, and Exchange transport logs.
Get Started in 3 Steps
Install and Connect Providers
Install the PortEden CLI and connect each email provider with its respective OAuth flow through provider-specific connect commands.
Define Unified Rules
Write your security policy in a single config file covering visibility, action limits, and contact rules for all providers.
Deploy and Monitor
Push your config to all environments so AI agents route through PortEden with unified audit logging across every provider.
Without vs. With PortEden
Without PortEden
- Three separate admin consoles with three different permission models
- Security policies maintained independently for each email provider
- Policy drift between Gmail, Outlook, and Exchange goes undetected
- Audit logs scattered across Google Workspace, Microsoft 365, and Exchange
With PortEden
- One config file governs all email providers from a single CLI
- Rules defined once and enforced consistently across Gmail, Outlook, and Exchange
- Policy changes propagate to all providers simultaneously
- Unified audit log captures every email request across every provider