Email webhooks are a public ingestion surface. Agent systems should treat every inbound email event as untrusted until the webhook, payload, sender identity, attachments, and requested action pass validation.
last updated 2026-05-07
4 sections
section 01
Threat model
Inbound email can carry spoofed sender identity, malicious attachments, prompt injection, forged reply history, oversized payloads, and replayed webhook events. The webhook handler should verify the provider event before any model receives the content.
| risk | control | failure if skipped |
| --- | --- | --- |
| Spoofed webhook | Verify signature or shared secret. | Anyone with the URL can enqueue agent work. |
| Replay attack | Store event IDs; reject duplicates and events outside the time window. | Old messages can be processed again. |
| Prompt injection | Strip quoted text and isolate untrusted instructions. | Inbound content can override system policy. |
| Unsafe attachment | Enforce type and size limits, scan, or require review. | Malware or poisoned content enters the workflow. |
| Wrong identity | Resolve sender, reply-to, domain, and account separately. | Agent acts for the wrong user or workspace. |
section 02
Webhook validation checklist
Validation should happen before enqueueing. If the provider cannot sign events, put the webhook behind an allowlist, shared secret, or proxy that adds a verifiable boundary.
- Verify signature, timestamp, and payload body exactly as received.
- Reject stale timestamps and duplicate provider event IDs.
- Require a provider message ID, recipient mailbox, sender, subject, and body field.
- Store raw payload with retention limits for debugging.
- Normalize HTML and text separately before extraction.
- Route failed validation to a dead-letter queue, not to the agent.
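
The checklist above as an added Python example; it is not code from the original page or from any provider. The signing scheme (hex HMAC-SHA256 over `<timestamp>.<raw body>`), the 300-second window, the JSON field names, and the in-memory stores are assumptions.

```python
import hashlib
import hmac
import json
import time

TOLERANCE_S = 300  # assumed freshness window, in seconds
REQUIRED = ("event_id", "message_id", "recipient", "sender", "subject", "body")  # assumed names

def sign(secret: bytes, timestamp: str, raw_body: bytes) -> str:
    # Assumed scheme: hex HMAC-SHA256 over "<timestamp>." + the raw request body.
    return hmac.new(secret, timestamp.encode() + b"." + raw_body, hashlib.sha256).hexdigest()

class WebhookValidator:
    def __init__(self, secret: bytes):
        self.secret = secret
        self.seen = {}         # event_id -> expiry; a shared store in a real deployment
        self.dead_letter = []  # (reason, raw_body): kept for review, never sent to the agent

    def validate(self, raw_body: bytes, timestamp: str, signature: str, now=None):
        """Return the parsed event if it may be enqueued, else None (dead-lettered)."""
        now = time.time() if now is None else now
        reason, event = self._check(raw_body, timestamp, signature, now)
        if reason:
            self.dead_letter.append((reason, raw_body))
        return event

    def _check(self, raw_body, timestamp, signature, now):
        # 1. MAC over the bytes exactly as received, compared in constant time.
        expected = sign(self.secret, timestamp, raw_body)
        if not hmac.compare_digest(expected.encode(), signature.encode()):
            return "bad_signature", None
        # 2. Freshness; the timestamp is covered by the MAC. NaN/inf fail the comparison.
        try:
            if not abs(now - float(timestamp)) <= TOLERANCE_S:
                return "stale_timestamp", None
        except ValueError:
            return "bad_timestamp", None
        # 3. Parse only after authentication, then require the fields as strings.
        try:
            event = json.loads(raw_body)
        except ValueError:
            return "malformed_json", None
        if not isinstance(event, dict) or any(not isinstance(event.get(k), str) for k in REQUIRED):
            return "missing_field", None
        # 4. Replay: reject an event ID already accepted; IDs are kept past the window.
        self.seen = {k: exp for k, exp in self.seen.items() if exp > now}
        if event["event_id"] in self.seen:
            return "duplicate_event", None
        self.seen[event["event_id"]] = now + 2 * TOLERANCE_S
        return None, event
```

Only a non-None return value is enqueued for the agent; everything else stays in `dead_letter` with its rejection reason for later review.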
section 03
Before model input
The safest pattern is parse, normalize, extract, validate, then pass a narrow structured object to the model or workflow. Raw MIME should be available for audit, not the default model input.
- Remove tracking pixels, remote images, and invisible text.
- Separate latest reply from quoted history.
- Treat links and attachments as references until scanned or fetched safely.
- Extract intent and entities into a schema.
- Require human review for low confidence, money movement, new recipients, or permission changes.
section 04
Outbound approval
Inbound security is incomplete if the outbound path is automatic for every request. Agent email systems should require approval for first-time recipients, external domains, billing changes, legal language, and any response that includes generated claims about the product.