Agentic Email
The ability of an AI agent to compose, send, organize, and manage email autonomously on behalf of a user, operating within the user's account permissions without requiring manual review of each outbound message.
What It Is
Agentic email is what happens when your AI assistant stops drafting messages for you to send and starts sending them itself. The distinction is not subtle. A tool that writes email and puts it in your outbox is a drafting aid. A tool that composes, addresses, and transmits email from your account, on your behalf, with no manual send step in between, is an agent acting in the world.
Anthropic brought this capability to Claude in July 2026 when it updated the Microsoft 365 connector to include write tools across all plan tiers, including the Free plan. Claude can now draft and send email from a user’s Microsoft account, create and delete calendar events, and create or update files in OneDrive and SharePoint. Per-user limits apply to sends, recipients, and write operations. Emails Claude sends carry an attribution header identifying them as agent-initiated, so recipients know the message came from an AI acting for the user rather than from the user directly.
The phrase “agentic email” captures the moment when the ai-agent model crossed from productivity assistance into account action. Before this, AI email tools were sophisticated autocomplete. After this, they are delegated communication.
How It Actually Works
The underlying mechanism relies on tool-use: the AI model is given structured access to the Microsoft Graph API through a connector, which exposes individual tools for each write operation (send mail, create event, update file). When a user asks Claude to send a follow-up to a contact after a meeting, Claude constructs the message, resolves the recipient’s email address from the user’s contacts if available, and calls the sendMail tool with the composed message as the payload. The call goes to Microsoft’s servers under the user’s authenticated session. The email arrives in the recipient’s inbox with the user’s address in the From field.
The attribution header is added automatically by the connector layer, not by Claude. It identifies the message as agent-initiated so recipients and compliance systems can distinguish agent-sent messages from user-sent ones. This matters for regulated industries where message provenance is a compliance requirement.
The permission model is worth understanding. Claude operates within the user’s existing Microsoft 365 permissions. If the user’s account cannot send external email, Claude cannot send external email. If the account has send-on-behalf permissions for a shared mailbox, Claude inherits those too. The agent does not elevate permissions; it operates within whatever the authenticated user is already authorized to do.
Why It Matters Right Now
The timing of this capability coincides with the broader shift from AI as a conversational interface to AI as an operational participant. Every major AI platform is extending write access into accounts: code repositories, project management tools, CRMs, and now email. Email is the most consequential step because of its external reach. When an AI writes a document, the error stays local until you send it. When an AI sends an email, the error is already in someone else’s inbox.
The business case is real. Knowledge workers spend a significant share of their time on email that is procedurally predictable: follow-up messages, scheduling requests, status updates, acknowledgment replies. These are not creative communication tasks; they are administrative ones. If an AI agent can handle them reliably, the time savings compound across a team. The productivity argument is straightforward. The risk management argument is more complex.
The Cost and Tradeoff
The tradeoff is not primarily technical. It is about accountability and signal. Email carries implicit sender intent. When your name is in the From field, the recipient assumes a human made the judgment call to send the message, chose the words, and stands behind the content. An agent that sends email from your account blurs that assumption in ways that are not fully resolved by an attribution header.
Consider the failure cases. An AI agent tasked with following up on a client proposal might send a follow-up to the wrong contact, at the wrong stage of the sales cycle, with a tone that undercuts a relationship the human was managing carefully. The technical action succeeds: the email goes out. The operational result is a relationship problem. The attribution header tells the recipient an agent sent it, but it does not undo the damage.
The model for managing this risk is not to disable agentic email but to constrain it: approve outbound messages in categories where errors carry high cost, automate freely in categories where errors are recoverable, and build review checkpoints into workflows rather than treating every send decision as equivalent.
How TWO Uses It
Scott’s Take: The operator move on agentic email is not “can I trust it” but “which sends can I afford to get wrong.” Classify your outbound by consequence before you delegate by category.
The practical frame at TWO is to treat agentic email the way you would treat a capable but new team member handling your outbox: you would not hand over account access with no structure. You would define a set of message types they can handle autonomously (internal status updates, scheduling confirmations, acknowledgment replies), a set that requires your review before sending (anything external with a new contact, anything involving money or commitment), and a clear escalation path for anything that does not fit the categories. That structure does not change because the team member is an AI. It becomes more important.
The specific use cases TWO has found most reliable for autonomous send: meeting follow-up summaries to existing contacts, scheduling coordination within an established relationship, and acknowledgment of inbound requests where the correct response is predictable. The cases we route through human review: introductions to new contacts, anything with pricing or timeline commitment, and any message where the tone needs calibration for a specific relationship history.
A Concrete Operator Scenario
You close a discovery call with a prospect on Monday afternoon. You have asked Claude to handle your follow-up workflow: compose a recap of the conversation, identify the agreed next steps, and send the follow-up within two hours of the call ending. You get off the call, close your laptop, and attend another meeting.
Claude composes the follow-up using your conversation notes from the CRM. It addresses the message to the primary contact from your calendar invite, pulls the next-step items from the notes you captured during the call, and sends the message from your email account within the two-hour window. The prospect replies the same evening to confirm the next meeting date.
The scenario that breaks this: you had a second participant on the call who is the real decision-maker but was not listed as the primary contact in the CRM. Claude sends the recap to the wrong person. The right person does not receive the follow-up. You do not notice for three days because Claude’s send log is not part of your daily review workflow. The technical execution was correct; the relationship outcome was not.
What to Watch Next
The signal that agentic email is maturing will be the emergence of email-specific agent identity systems: verified sender credentials that let recipients and their email clients distinguish agent-sent messages from human-sent messages without relying solely on an attribution header. Several efforts at mcp-layer identity verification are active as of mid-2026. When those standards stabilize, the accountability gap that currently makes agentic email risky in high-stakes contexts will narrow significantly, and the constraint model described above will loosen.
The second signal is compliance tooling. When enterprise email compliance tools – the kind used in financial services and healthcare to log, review, and retain messages – can tag and route agent-sent messages as a distinct category for legal hold and audit, agentic email will move from a productivity feature into a regulated workflow. That transition is underway but not complete.
