mcpemails
Sign inGet started free
SecurityPrivacyEmail

Why 'Email Never Stored' Matters When Connecting AI to Your Inbox

Email never stored means MCP Emails fetches your mail live and discards it, keeping only an encrypted token. See why that beats tools that copy your whole inbox.

Asgeir Albretsen
Asgeir Albretsen
Founder & Engineer, MCPEmails
·6 min read
Email fetched live and discarded versus a second copy stored in a vendor database

When you connect an AI agent to your inbox, the single most important question is where your email ends up. With MCP Emails the answer is: nowhere. Every tool call fetches your mail live from Gmail, Microsoft Graph, or your IMAP server, hands it to the agent, and throws it away. The only thing we keep is an encrypted token so the next call can happen.

That sounds like a small implementation detail. It isn't. It's the difference between handing an agent a key to your house and handing it a photocopy of everything in your house, kept forever in someone else's filing cabinet. A lot of "AI email" tools quietly do the second thing. This post is about why that matters and how the architecture actually differs.

Two ways to give an agent your email

There are really only two designs, and most products fall cleanly into one camp.

Copy-everything (sync-and-store). The tool connects to your mailbox once, then pulls your messages into its own database — often continuously. Your inbox gets mirrored into their infrastructure so it can be indexed, embedded into a vector store, fed to a model, or served back fast. The agent reads from their copy, not your provider.

Live-fetch (never-stored). The tool holds only a credential. When the agent needs a message, the server calls your provider in real time, returns the result, and discards the body. Nothing about the content is retained. This is how MCP Emails works.

The copy-everything model is popular because it's easy to build and makes search feel instant. But it changes what you're actually agreeing to when you click "Connect." You're not granting access. You're authorizing a duplicate.

What a "synced" inbox actually accumulates

Once a tool copies your mail, four things follow whether the vendor advertises them or not.

A second copy of your mail you don't control

Your real inbox lives at Google or Microsoft or Fastmail, behind their security teams and their breach history. A synced tool creates a second, full-fidelity copy somewhere else — a startup's Postgres instance, an S3 bucket, a search index. Every password reset link, legal thread, medical result, and two-factor backup code you've ever received now exists in a place you didn't vet and can't audit.

A bigger breach surface

This is the part people underrate. If the vendor's database leaks, the attacker doesn't get your credentials — they get your mail, already decrypted and indexed, ready to read. No need to log into your account. The most damaging part of an email breach is the email itself, and a copy-everything tool has helpfully assembled it in one place. You inherit their security posture on top of your provider's.

Retention you have to think about

Where does the copy go when you disconnect? In a well-run sync tool, deletion is a background job that should run. In a sloppy one, your messages sit in backups and embeddings long after you've left. With a live-fetch design there's nothing to delete, because nothing was kept. Revoking access in the dashboard is the whole story.

Training and "product improvement" risk

A stored corpus of real email is irresistible. It's tempting to use it to improve search ranking, fine-tune a model, or train a classifier. Even with good intentions, once your mail is sitting in a database, the question "could this be used for something I didn't sign up for?" is permanently open. If the data was never stored, the question never comes up.

How live-fetch actually works

Here's the path a single email_read call (action read) takes through MCP Emails:

agent  →  MCP server  →  isolated Edge Function
                              ↓ decrypt token (in memory)
                         your provider (Gmail / Graph / IMAP)
                              ↓ message body
agent  ←  parsed result  ←  Edge Function
                         (body discarded, nothing written)

The credential is the only thing at rest, and it's encrypted with AES-256-GCM. Decryption happens only inside an isolated Edge Function at call time, and the encryption key is an environment secret stored separately from the database — so a database dump alone is useless. The message itself never touches durable storage. It's parsed, returned to your agent, and gone.

Sending works the same way and adds one more guarantee: outbound mail goes through your provider — the Gmail API, Microsoft Graph, or your own SMTP. We never relay from our own domain, so your deliverability and domain reputation stay entirely yours. There's no shared sending pool to land you in someone else's spam reputation.

If you want the deeper mechanics of the credential model — OAuth tokens versus app passwords and why both stay encrypted — I wrote that up in OAuth vs. API keys for AI email access.

The honest trade-off

Never-stored isn't free. There's a real cost, and I'd rather name it than pretend it away.

Because we don't hold a local index, search runs against your provider's search every time. You get provider-native search — Gmail operators, Outlook KQL, IMAP text search — which is powerful, but it's their latency and their query semantics, not a custom index tuned by us. And there's no push: we can't notify your agent the instant mail arrives because we're not watching a synced copy. To react to new mail, your agent polls (for example, email_read with action list and unread_only: true on a schedule).

For most people that's an easy trade. Slightly slower search and a polling loop, in exchange for never creating a second copy of your most sensitive data. I'll take that.

What to ask any AI email tool

Before you connect anything to your inbox, ask the vendor four direct questions. The answers tell you which camp they're in.

  • Do you store my email content, or fetch it live per request? "Fetch live, discard immediately" is the answer you want.
  • What exactly is persisted? It should be a single encrypted credential, nothing about message content.
  • Is the credential encrypted at rest, and where does the key live? Separate from the database is the right answer.
  • Does sending go through my provider or yours? Yours protects your domain reputation; theirs pools it with strangers.

If a tool can't answer these crisply, that's information too. This is the same lens I'd apply to the broader safety question in Is it safe to give an AI agent access to your email? — the architecture underneath the marketing is what actually determines your risk.

Where this fits

The never-stored model is one piece of a larger decision: how to wire an agent to a real inbox without doing something you'll regret. The complete 2026 guide to giving your AI agent email access covers the whole picture, and if you're weighing running your own server, hosted vs. self-hosted Gmail MCP gets into who holds the encryption key in each case.

You don't have to choose between giving your agent useful inbox access and keeping your mail out of a third party's database. With live-fetch you get both. Connect an inbox and you can revoke it in one click — and there's nothing left behind when you do.

Asgeir Albretsen
Written by
Asgeir Albretsen

Asgeir builds MCPEmails — the bridge that lets AI agents read, search, and send real email over the Model Context Protocol. He writes about agents, email infrastructure, and developer experience.

@mcpemails
← Back to all posts

Give your agent an inbox

Connect Gmail, Fastmail, or any IMAP account to your AI agent in minutes.

Get started freeRead the docs