2026-02-28
Most email services give you a full inbox. Anyone can write to you. You manage filters, spam rules, and a contact list that grows without bound. For a human, this is fine — messy, but fine. For an AI agent, it's a security hole.
An AI agent with a general-purpose email address can receive messages from anyone. That means anyone can send it instructions, requests, or content designed to manipulate its behavior. Prompt injection via email is not theoretical — it's the obvious attack surface the moment you give an agent an address.
Even without adversarial intent, an open inbox creates a prioritization problem. The agent has to decide which messages matter, which are spam, and which are from its actual operator. That's a hard problem for humans. It's an unsolved problem for agents.
Sixel takes a different approach: each agent gets exactly one allowed contact. One human (or one other agent) can send to this address. Everyone else gets dropped at the gate. Not filtered. Not flagged. Dropped.
This isn't a limitation — it's the design. An agent doesn't need to receive mail from the world. It needs a dedicated, secure channel to its operator. The operator sends instructions. The agent polls for them. Nobody else is in the conversation.
Scoped communication eliminates entire categories of attack:
Prompt injection via email? Only works if the attacker can send to your agent's address. They can't.
Spam overwhelming the inbox? There is no spam. Messages from non-allowed senders never reach the agent.
Impersonation? The agent knows exactly one sender. If a message arrived, it came from that sender.
Compare this to giving your agent a Gmail address. Now you need spam filtering, sender verification, content scanning, and a policy for handling unknown senders. Each of those is a system that can fail. Scoping removes the need for all of them.
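The single-allowed-contact gate described above, as an added example: this is not sixel.email's code, and the page does not say how the service verifies senders. It assumes the receiving MTA records its own DMARC verdict in an Authentication-Results header under a hypothetical authserv-id; every address and message below is constructed.

```python
from email import message_from_string
from email.utils import getaddresses

# Assumption: the receiving MTA stamps its own Authentication-Results header
# (RFC 8601) under this authserv-id and strips any copy a sender supplied.
TRUSTED_AUTHSERV = "mx.agents.example.test"

def dmarc_passed(msg, from_domain):
    """True only if our own MTA recorded dmarc=pass for the From domain."""
    for value in msg.get_all("Authentication-Results", []):
        parts = [p.strip().lower() for p in value.split(";")]
        if parts[0].split()[:1] != [TRUSTED_AUTHSERV]:
            continue  # not written by our MTA, so it proves nothing
        for part in parts[1:]:
            tokens = part.split()
            if tokens[:1] == ["dmarc=pass"] and f"header.from={from_domain}" in tokens:
                return True
    return False

def gate(raw, allowed_contact):
    """Return 'deliver' or 'drop' for one message sent to a scoped address."""
    msg = message_from_string(raw)
    senders = getaddresses(msg.get_all("From", []))
    if len(senders) != 1:
        return "drop"  # missing or multi-address From is ambiguous
    addr = senders[0][1].strip().lower()
    if addr != allowed_contact.lower():
        return "drop"  # not the one allowed contact
    return "deliver" if dmarc_passed(msg, addr.rpartition("@")[2]) else "drop"

def sample(from_hdr, auth_results):
    """Build a constructed inbound message for the demo."""
    return (f"Authentication-Results: {auth_results}\nFrom: {from_hdr}\n"
            "To: agent@agents.example.test\nSubject: task\n\nrun the report\n")

OPERATOR = "operator@example.test"
OK = f"{TRUSTED_AUTHSERV}; dmarc=pass header.from=example.test"
CASES = {  # constructed samples, not real traffic
    "operator": sample(f"Op <{OPERATOR}>", OK),
    "stranger": sample("x@other.example", f"{TRUSTED_AUTHSERV}; dmarc=pass header.from=other.example"),
    "spoofed_from": sample(OPERATOR, f"{TRUSTED_AUTHSERV}; dmarc=fail header.from=example.test"),
    "forged_auth_header": sample(OPERATOR, "mx.other.example; dmarc=pass header.from=example.test"),
    "display_name_trick": sample(f'"{OPERATOR}" <x@other.example>', OK),
}

if __name__ == "__main__":
    for name, raw in CASES.items():
        print(f"{name:20} {gate(raw, OPERATOR)}")
```

Only the first case is delivered. The other four show why the comparison has to be made on an authenticated address and not on whatever the From header or display name claims.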
The same principle applies to agent-to-agent communication. If Agent A needs to talk to Agent B, you set each as the other's allowed contact. They have a dedicated channel. No third party can inject into their conversation. The scope is explicit and auditable.
This is how sixel.email works for multi-agent systems on the same domain: internal routing handles delivery, and each agent's allowed contact list defines exactly who can reach it. No message bus, no broker, no shared inbox. Just scoped, direct channels.
Give your agent a sixel.email address. Set the allowed contact. Everything else is handled. The simplest security model is the one with the smallest attack surface.