Why Molted
How Molted's policy engine protects your agent from sending the wrong email - and why prompt-level guardrails are not enough.
Every AI agent that sends email will eventually send the wrong one. The question is what stops it.
Most email infrastructure treats agent-sent email identically to human-sent email. There is no policy layer, no decision trace, and no way to enforce rules at the infrastructure level. When something goes wrong, you find out from a bounce notification or an angry reply.
Molted is different. Every send passes through a policy engine that evaluates 14 rules before anything leaves the server.
The problem with prompt-level guardrails
In February 2026, an AI agent operating on a live Gmail inbox bulk-deleted hundreds of emails. The agent had safety instructions - "never delete emails without confirmation" - but those instructions were plain text in its system prompt. During a long session, context compaction dropped the safety instructions to fit newer messages into the context window. The guardrail disappeared, and the agent acted on its remaining instructions.
This is not a hypothetical edge case. It is the natural failure mode of prompt-level safety. Instructions that exist only as text are subject to:
- Context compaction - long-running agents routinely compress or drop older context
- Prompt injection - inbound emails can contain instructions that override system prompts
- Model updates - behavior changes across model versions can alter instruction adherence
- Multi-agent handoffs - safety context may not transfer between agents in a pipeline
Infrastructure-layer enforcement catches what prompt-layer guardrails miss because the rules execute in application code, outside the model's context window.
What the policy engine evaluates
Every call to POST /v1/agent/send (or its simulation endpoint) runs through these checks, in order:
| # | Rule | What it catches |
|---|---|---|
| 1 | Tenant paused | Sending from a suspended account |
| 2 | Mailbox paused | Sending from a mailbox with reputation issues |
| 3 | Template not approved | Unapproved templates (autonomy levels L1/L2) |
| 4 | Template lint failed | Templates that fail content safety checks |
| 5 | Suppressed | Recipients on suppression lists (bounces, complaints, legal) |
| 6 | Disengaged | Recipients who stopped opening emails |
| 7 | Active opportunity | Contacts with open sales deals (prevents marketing noise) |
| 8 | Duplicate | Same dedupe key already sent |
| 9 | Cooldown | Same recipient + template within the cooldown window |
| 10 | Monthly budget exceeded | Tenant hit monthly send cap |
| 11 | Daily budget exceeded | Tenant hit daily send cap |
| 12 | Risk budget exceeded | Daily injection-risk score too high |
| 13 | Negative signal budget | Too many bounces or complaints in 24 hours |
| 14 | Rate limited | Request rate exceeds per-second limits |
The engine returns the first blocking rule. If none trigger, the send proceeds. Every evaluation produces a decision trace with the full context snapshot, so you can audit exactly why any send was allowed or blocked.
How Molted compares
The table below compares architectural approaches to agent email safety. It reflects publicly available documentation as of March 2026.
| Capability | Molted | Typical agent email provider |
|---|---|---|
| Send-time policy evaluation | 14 rules, evaluated on every send | None |
| Decision traces | Full context snapshot per evaluation | None |
| Autonomy levels | L1 (full approval), L2 (first-contact), L3 (auto) | None |
| Suppression enforcement | Global, tenant, and campaign scopes | Basic unsubscribe |
| Engagement-based blocking | Auto-blocks disengaged recipients | None |
| Active opportunity protection | Blocks marketing to open deals | None |
| Duplicate detection | Dedupe key matching | None |
| Cooldown windows | Configurable per-template cooldowns | None |
| Risk budgets | Daily injection-risk scoring | None |
| Negative signal budgets | Auto-pauses on bounce/complaint spikes | None |
| Multi-agent coordination | Leases, heartbeats, consensus voting | None |
| Consent/GDPR tracking | Jurisdiction-aware consent bases | None |
These are not optional add-ons. They are evaluated on every single send, whether the agent requests it or not.
Simulate it yourself
The policy engine is not a black box. You can dry-run any send against it and see exactly which rules would fire.
Try the policy engine
Enter an email address to simulate a send against the live policy engine. No email is actually sent.
Or call the endpoint directly:
curl -X POST https://api.molted.email/v1/agent/simulate-send \
-H "Authorization: Bearer YOUR_API_KEY" \
-H "Content-Type: application/json" \
-d '{
"tenantId": "your-tenant-id",
"recipientEmail": "test@example.com",
"templateId": "campaign-march",
"dedupeKey": "march-test"
}'{
"wouldAllow": false,
"reason": "cooldown",
"cooldownExpiresAt": "2026-03-01T12:10:00Z",
"simulation": true,
"policyContext": {
"hasDuplicate": false,
"isCooldownHit": true,
"isSuppressed": false,
"isDisengaged": false,
"hasActiveOpportunity": false,
"isTenantPaused": false,
"templateApproved": true,
"templateLintPassed": true
}
}The policyContext object shows the state of every check, so you can see exactly what passed and what blocked. See Policy Simulation for the full API reference.
Architecture, not promises
Molted's approach is architectural. The policy engine runs in application code on the server, not in a prompt. It cannot be overridden by the model, bypassed by context compaction, or injected away by a malicious inbound email.
When your agent sends email through Molted:
- Rules are enforced - every send hits the policy engine, regardless of what the agent requested
- Decisions are traced - every evaluation produces an auditable record
- Autonomy is configurable - you choose how much independence the agent gets
- Reputation is protected - negative signals auto-pause sending before deliverability degrades
The OWASP Top 10 for Agentic Applications (2026) lists inadequate scope limitation as a critical risk. The World Economic Forum's March 2026 report on AI agent governance recommends infrastructure-level controls. Molted implements both.
Get started
- Quickstart - send your first policy-checked email in five minutes
- Policy Simulation - dry-run sends against the engine
- Autonomy Levels - configure agent independence
- Approval Queues - human-in-the-loop review for sensitive sends