April 3, 2026 · 4 min read

Add Email Security to Your Claude Agent in 5 Minutes

Connect InboxWatch to Claude Desktop via MCP. One config file. No code to write. Your agent can analyze email headers for threats instantly.

What you will build

By the end of this tutorial, your Claude Desktop agent will be able to analyze any email header you paste into the conversation. It will call InboxWatch's threat analysis API, parse the response, and explain the results in plain language.

This uses the Model Context Protocol (MCP), an open standard that lets AI agents call external tools. InboxWatch publishes an MCP-compatible endpoint, so Claude can discover and call it without any custom code.

Step 1: Open your Claude Desktop config

Find your Claude Desktop configuration file. The location depends on your operating system:

  • macOS: ~/Library/Application Support/Claude/claude_desktop_config.json
  • Windows: %APPDATA%\Claude\claude_desktop_config.json
  • Linux: ~/.config/Claude/claude_desktop_config.json

If the file does not exist, create it. If it already exists and has other MCP servers configured, you will add InboxWatch alongside them.

Step 2: Add the InboxWatch MCP server

Add the following to your claude_desktop_config.json:

{
  "mcpServers": {
    "inboxwatch": {
      "url": "https://inboxwatch.ai/api/mcp"
    }
  }
}

That is the entire configuration. The /api/mcp endpoint is the discovery URL. When Claude connects, it fetches the tool list, input schemas, and descriptions automatically.

If you have an API key and want higher rate limits (100 requests per minute instead of 10), add it as a header:

{
  "mcpServers": {
    "inboxwatch": {
      "url": "https://inboxwatch.ai/api/mcp",
      "headers": {
        "Authorization": "Bearer iw_live_your_api_key_here"
      }
    }
  }
}
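
If the config file already lists other MCP servers, hand-editing risks dropping them, and once the Authorization header is added the file holds a bearer token. This added example (not InboxWatch's or Anthropic's code) merges the entry from this step into an existing file and writes it with owner-only permissions; the function name `add_inboxwatch` and the POSIX permission model are assumptions.

```python
import json
import os
import tempfile


def add_inboxwatch(config_path, api_key=None):
    """Add the inboxwatch entry to claude_desktop_config.json, keeping other servers."""
    config = {}
    if os.path.exists(config_path):
        with open(config_path, encoding="utf-8") as fh:
            # json.load raises on malformed JSON, so a broken file is never overwritten.
            config = json.load(fh)

    entry = {"url": "https://inboxwatch.ai/api/mcp"}
    if api_key:
        entry["headers"] = {"Authorization": f"Bearer {api_key}"}
    # Only the "inboxwatch" key is touched; every other server and setting is kept.
    config.setdefault("mcpServers", {})["inboxwatch"] = entry

    # Write to a temp file in the same directory, then rename it into place,
    # so an interrupted write cannot leave a half-written config behind.
    directory = os.path.dirname(os.path.abspath(config_path))
    os.makedirs(directory, exist_ok=True)
    fd, tmp_path = tempfile.mkstemp(dir=directory, suffix=".tmp")
    with os.fdopen(fd, "w", encoding="utf-8") as fh:
        json.dump(config, fh, indent=2)
        fh.write("\n")
    os.chmod(tmp_path, 0o600)  # owner read/write only: the file may hold a bearer token
    os.replace(tmp_path, config_path)
    return config
```

Pass the key in from an environment variable or a secrets manager rather than typing it into a script that ends up in shell history or version control.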

Step 3: Restart Claude Desktop

Close and reopen Claude Desktop. The MCP server list should now include "inboxwatch" with the available tools. You can verify this by checking the MCP tools icon in the conversation toolbar.

Step 4: Try it out

Paste an email header into Claude and ask it to analyze the email. Here are some example prompts that work well:

"Analyze this email header for threats:
From: IT Department <it-support@yourcompany-reset.com>
Reply-To: helpdesk@gmail.com
Subject: Your password expires in 24 hours
Authentication-Results: spf=fail; dkim=none; dmarc=fail"

"Is this email safe? From: invoice@quickbooks-billing.com
Subject: Invoice #4921 attached - payment due today"

"Check the authentication on this:
Authentication-Results: mx.google.com;
  spf=pass (google.com: domain of noreply@github.com) smtp.mailfrom=noreply@github.com;
  dkim=pass header.d=github.com;
  dmarc=pass (p=REJECT) header.from=github.com"

Claude will extract the relevant fields from the headers you paste, call the inboxwatch_analyze_headers tool, and return a structured analysis with the threat score, authentication status, and any indicators found.

What Claude sees

When Claude calls the tool, it sends a JSON payload and receives a response like this:

{
  "threatScore": 72,
  "threatLevel": "high",
  "verdict": "HIGH RISK: 1 critical, 1 high threat indicator(s) detected.",
  "authentication": {
    "spf": "fail",
    "dkim": "none",
    "dmarc": "fail",
    "summary": "All authentication checks failed"
  },
  "indicators": [
    {
      "type": "domain_spoofing",
      "severity": "critical",
      "description": "From domain resembles recipient domain with added suffix",
      "evidence": "yourcompany-reset.com vs yourcompany.com"
    },
    {
      "type": "reply_to_mismatch",
      "severity": "high",
      "description": "Reply-To uses free email provider while From claims organizational domain",
      "evidence": "From: yourcompany-reset.com, Reply-To: gmail.com"
    }
  ]
}

Claude interprets this response and explains it in conversational language, highlighting the key risks and recommending actions.
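
To relate the authentication and reply_to_mismatch fields above to the raw headers, this added example (not InboxWatch's code or scoring logic) parses two of the sample prompts from Step 4 locally. The `trusted` parameter, the `dmarc_not_pass` label and the free-provider list are assumptions; `trusted` exists because any sender can insert an Authentication-Results header, so only the one stamped by your own receiving server should count.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed samples: headers copied from the example prompts on this page.
PHISH = (
    "From: IT Department <it-support@yourcompany-reset.com>\n"
    "Reply-To: helpdesk@gmail.com\n"
    "Subject: Your password expires in 24 hours\n"
    "Authentication-Results: spf=fail; dkim=none; dmarc=fail\n"
)
GITHUB = (
    "Authentication-Results: mx.google.com;\n"
    "  spf=pass (google.com: domain of noreply@github.com) smtp.mailfrom=noreply@github.com;\n"
    "  dkim=pass header.d=github.com;\n"
    "  dmarc=pass (p=REJECT) header.from=github.com\n"
)
FREE_PROVIDERS = {"gmail.com", "outlook.com", "yahoo.com"}  # illustrative list (assumption)

def domain_of(value):
    """Lower-cased domain of the address in a From/Reply-To header value."""
    return parseaddr(value or "")[1].rpartition("@")[2].lower()

def auth_results(msg, trusted=None):
    """spf/dkim/dmarc results; with `trusted`, only headers from those authserv-ids count."""
    out = {"spf": "none", "dkim": "none", "dmarc": "none"}
    headers = msg.get_all("Authentication-Results", [])
    for value in reversed(headers):  # topmost header is the newest, so it wins
        clauses = re.sub(r"\([^)]*\)", "", value).split(";")  # drop (comments)
        authserv = clauses[0].strip().lower() if "=" not in clauses[0] else ""
        if trusted is not None and authserv not in trusted:
            continue  # not stamped by our own receiving server: ignore it
        for clause in clauses:
            m = re.match(r"\s*(spf|dkim|dmarc)\s*=\s*(\w+)", clause, re.I)
            if m:
                out[m.group(1).lower()] = m.group(2).lower()
    return out

def triage(raw, trusted=None):
    msg = message_from_string(raw)
    auth = auth_results(msg, trusted)
    frm, reply = domain_of(msg["From"]), domain_of(msg["Reply-To"])
    indicators = []
    if reply and reply != frm:
        kind = "free provider" if reply in FREE_PROVIDERS else "other domain"
        indicators.append(("reply_to_mismatch", f"From: {frm}, Reply-To: {reply} ({kind})"))
    if auth["dmarc"] != "pass":
        indicators.append(("dmarc_not_pass", f"dmarc={auth['dmarc']}"))
    return {"authentication": auth, "indicators": indicators}
```

Calling `triage(GITHUB, trusted={"mx.google.com"})` accepts the Google-stamped results, while a `trusted` set that does not contain that authserv-id leaves all three results at "none".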

Go further: scan your entire account

Header analysis is useful for individual emails, but the real power is scanning your entire Gmail or Microsoft 365 account. InboxWatch runs 100+ security checks across your mailbox configuration, including forwarding rules, delegates, OAuth apps, sign-in activity, and attack chain correlation.

To get started:

  1. Sign up at inboxwatch.ai/check (takes 60 seconds, no credit card for your first 15 scans)
  2. Connect your Gmail or Microsoft 365 account via OAuth
  3. Your first scan runs automatically and checks everything: forwarding rules, filters, delegates, OAuth apps, sign-in patterns, inbound threats, spoofing, and more
  4. After your 15 free scans, each additional scan is billed at $0.10 through Stripe

Once your account is connected, InboxWatch monitors it continuously (every 30 minutes) and alerts you when something changes. New forwarding rule? You get notified. Suspicious sign-in from a new country? Immediate alert. OAuth app granted access you did not approve? Flagged.

API access

The header analysis endpoint requires an API key. Sign up at inboxwatch.ai/check, then create a key in Settings. 15 free scans included, then $0.10/scan via Stripe. Rate limit: 1,000 requests per minute.

Next steps

Start with the free header analysis to see InboxWatch in action. Then connect your account at inboxwatch.ai/check for the full 100+ security check scan. Your first 15 scans are free. After that, pay $0.10 per scan with volume discounts at higher usage.

For programmatic access from Python, Node.js, or any HTTP client, see our API reference post.


Written by Nicholas Papadam, founder of InboxWatch. Senior Analyst with 6+ years in enterprise security operations.