Start With A Separate Gmail Account, Not Your Main Inbox
The cleanest setup is boring: create a dedicated Gmail account for AI-agent activity. Not your personal account. Not the account with bank alerts, tax PDFs, medical portals, family arguments, job offers, and that one receipt from 2017 you still somehow need.
Use a name that makes the purpose obvious, like [email protected] or [email protected]. If this is for work, use whatever account policy your company already has instead of improvising a shadow IT mailbox in the corner. Improvisation is how audits become meetings.
The point is separation. An AI agent may need email for account confirmations, login codes, receipt collection, scheduled-task results, support tickets, or screenshots. That does not mean it needs your entire identity. A separate account gives you a kill switch: revoke access, rotate passwords, archive the mailbox, or delete the experiment without untangling your real life.
This is the same basic discipline covered in AI agents need smaller jobs: scope the job before granting tools. Email is not one tool. Email is identity, recovery, search history, contacts, files, calendar invites, and a memory palace of bad decisions.
Use Gmail Aliases For Routing, Not Security
Gmail supports plus-style aliases. If your account is [email protected], mail sent to [email protected], [email protected], or [email protected] can arrive in the same inbox. Google’s own Gmail help describes using aliases like this to sort messages with filters, and it also notes that Gmail can send mail from other addresses you own. See Google’s guidance on aliases here: https://support.google.com/mail/answer/22370.
Use aliases as routing tags, not as secret addresses. They are useful because they let you create simple lanes:
- [email protected] for verification codes and account signups.
- [email protected] for calendar confirmations and task reports.
- [email protected] for visual logs.
- [email protected] for receipts, but only if the agent truly needs purchase confirmations.
- [email protected] for vendor tickets and replies.
Do not confuse this with access control. If someone can read the inbox, they can read every alias that lands there. Aliases organize mail. They do not create separate mailboxes, separate passwords, or separate blast doors.
Also, dots are not a separate identity in personal Gmail addresses. Google says dots do not matter in Gmail usernames, so [email protected] and [email protected] route to the same account. That is handy, but it is not a permission system. It is mostly a trivia question with consequences.
Create Labels That Behave Like Folders
Gmail does not really use folders the way old desktop email clients did. It uses labels. A single message can have multiple labels, and deleting the message removes it from the inbox and every label attached to it. Google’s Gmail help says labels are different from folders and explains how to create them here: https://support.google.com/mail/answer/118708.
For an AI-agent inbox, create labels before the agent starts touching anything. A good starter set:
- Agent/Login for sign-in links, verification codes, and account confirmations.
- Agent/Scheduled Tasks for daily or weekly task output.
- Agent/Screenshots for screenshots and visual proof.
- Agent/Receipts for purchases or subscription notices.
- Agent/Errors for failed logins, bounced mail, blocked attachments, and vendor complaints.
- Agent/Needs Human Review for anything the agent must not resolve alone.
Then create Gmail filters. Filter messages sent to [email protected] into Agent/Login. Filter [email protected] into Agent/Screenshots. Filter known vendors into their own labels if needed. Gmail filters can automatically apply labels, archive, delete, star, or forward messages, according to Google’s filter help: https://support.google.com/mail/answer/6579.
The practical rule: every automated email should land somewhere predictable. If the inbox becomes a junk drawer, the AI agent will eventually treat a password reset, a calendar update, and a marketing coupon as morally equivalent. That is funny until it is not.
Permissions: Never Hand Over The Main Password
The safest pattern is OAuth or “Sign in with Google” where the app requests specific access and you can later review or revoke it. Google’s account help says third-party apps can request access to Google services such as Gmail, Drive, Calendar, Photos, and Contacts, and that you should review what information and permissions are requested before granting access: https://support.google.com/accounts/answer/14012355.
Do not paste the Gmail password into an AI agent, browser automation script, random extension, or “temporary” tool. Temporary tools have a majestic way of becoming permanent. If an app only supports username-and-password login, that is a warning, not a charming retro feature.
If an older app absolutely requires an app password, Google says app passwords are 16-digit passcodes for less secure apps or devices and require 2-Step Verification. Google also says app passwords are not recommended in most cases and suggests using Sign in with Google when available: https://support.google.com/accounts/answer/185833. If you use one anyway, name it clearly, store it like a secret, and revoke it when the experiment ends.
Review connected apps on a schedule. Once a week at first, then monthly if the setup is stable. Remove anything the agent no longer needs. If a tool asked for Gmail read/write access just to send one notification email, that tool is either lazy, greedy, or both.
Gmail delegation is another option, but it is not a tidy folder-level permission model. Google says a Gmail delegate can read, send, and delete email in the account, while a delegate cannot change the account password. Google also says personal Gmail accounts can add up to 10 delegates. That may be useful for a human assistant. For an AI agent, it is usually too broad unless the whole mailbox exists only for that agent.
Scheduling Tasks Without Letting The Calendar Become A Trap Door
If the AI agent needs to schedule tasks, use a dedicated calendar or a narrowly scoped calendar connection. Do not give calendar access just because the agent needs to send a daily status email. Email and calendar are separate capabilities, and the setup should keep them that way.
A practical pattern looks like this:
- Create a calendar named AI Agent Tasks.
- Put only agent-related events on that calendar.
- Use clear event titles, such as Run weekly vendor check or Send Friday screenshot report.
- Require the agent to email a completion note to [email protected].
- Route those notes to the Agent/Scheduled Tasks label.
If the agent can create or modify calendar events, require human confirmation for anything involving external guests, payment deadlines, legal deadlines, client meetings, travel, medical appointments, or account recovery. In other words, all the items that create actual trouble when mishandled. Letting an AI agent reschedule a dentist appointment is one thing. Letting it move a contract deadline because it inferred “probably flexible” is how grown adults develop eye twitches.
For repeating work, prefer scheduled reports over silent action. A good report says what the agent did, what it changed, what failed, what needs review, and where the evidence is. If screenshots are included, they should be attached or linked in a predictable way.
Screenshots Are Useful Logs, But They Leak Everything
Screenshots are excellent receipts. They show what the AI agent saw, what button it clicked, what confirmation page appeared, and whether the task actually finished. They also capture names, email addresses, browser tabs, account balances, customer data, API keys, recovery codes, and embarrassing bookmarks. Screenshots are evidence with a privacy problem.
Set rules before screenshots start flowing:
- Capture only the active window when possible, not the full desktop.
- Blur or crop passwords, tokens, recovery codes, personal data, and payment details.
- Send screenshots to [email protected].
- Apply the Agent/Screenshots label automatically.
- Use filenames with timestamps and task names, not vague names like final-final-2.png.
- Delete old screenshots on a retention schedule if they contain sensitive information.
Gmail also has attachment limits and blocked file rules. Google says personal Gmail accounts have a 25 MB attachment limit, and larger files may be handled through Google Drive links: https://support.google.com/mail/answer/6584. Google also blocks certain file types that may spread malware, including executable files and some archived content: https://support.google.com/mail/answer/6590.
For screenshots, PNG or JPG is usually fine. Do not let the agent zip a pile of screenshots with scripts, logs, and mystery binaries unless there is a specific reason. Email is a good notification layer. It is not a forensic storage system, no matter how many labels you lovingly create.
The Limits You Should Write Down
The setup only works if the agent has written limits. Put them in a short operating note and keep it in the inbox, a shared doc, or the agent’s project folder. The note should say exactly what the agent may do and what requires human approval.
Use limits like these:
- Login: The agent may receive verification emails for approved services only.
- Password resets: The agent may not initiate or complete password resets without approval.
- Purchases: The agent may not buy, upgrade, renew, or cancel services unless specifically instructed.
- Calendar: The agent may create internal task reminders but may not invite external guests without review.
- Email sending: The agent may send templated status reports, not freeform promises to customers or vendors.
- Screenshots: The agent must avoid capturing secrets and must label every screenshot task.
- Escalation: Anything involving money, legal terms, account recovery, personal data, or a failed login loop goes to Agent/Needs Human Review.
The goal is not to make Gmail magical. Gmail is just the inbox, alias router, label system, and evidence trail. The real safety comes from making the AI agent’s job small, visible, and reversible.
If the agent needs more than that, pause before adding permissions. More access is not automation maturity. Sometimes it is just a bigger broom for knocking things off higher shelves.