v1.0 — Launch
The first numbered release of mailbot. Everything below is part of the v1.0 baseline; future releases will list changes relative to this entry.
Released
April 2026.
Baseline surface
Account and authentication
- One-step register:
POST /v1/auth/register - API keys with
mb_prefix, argon2-hashed at rest - API key create, list, delete
Inboxes
- Sandbox inbox provisioning on signup (
{username}--{accountShortId}@mailbot.id) - Custom-domain inbox creation after domain verification
- Inbox lifecycle: created → active → disabled (soft delete)
- Per-inbox daily send limits
Domains
- Custom domain registration
- DNS records (SPF, DKIM, DMARC) published by mailbot
- Verify endpoint runs live DNS lookup
- Compliance check returns per-record state
- Readiness score 0–100 across DNS, bounce, volume, and tracking signals
Messages
- Send:
POST /v1/messages/send - Reply:
POST /v1/messages/:id/reply - Forward:
POST /v1/messages/:id/forward - List, get, search
- Per-message engagement (delivered, opened with count, clicked with count, bounced)
- Labels per message and per inbox
Threads
- Threading by
In-Reply-To,References, then 7-day subject match - Header preservation on outbound replies
- List threads, get thread with full message history
Webhooks
- Per-inbox webhook destinations
- Event types:
message.sent,message.delivered,message.opened,message.clicked,message.bounced,message.received,message.parsed - HMAC-SHA256 signature on every delivery (
X-mailbot-Signature) - At-least-once delivery
- Exponential backoff retry: 6 attempts over 6 hours
- 90-day event retention for replay
Replay
- Per-event replay:
POST /v1/events/:eventId/replay - Optional
target_urloverride - Audit-logged
Engagement and usage
- Per-inbox engagement stats
- Per-message engagement timeline
- Account-level usage and daily usage endpoints
- SSE realtime stream for inbox and account-level events
SDKs
- Node.js:
@yopiesuryadi/mailbot-sdk@0.1.0-beta.2 - Python:
mailbot-sdk==0.1.0b2
MCP server
mailbot-mcpexposes inbox, message, thread, compliance, and engagement tools- Compatible with Claude Desktop, Claude Code, Cursor, and other MCP clients
Audit
- Audit log captures auth events, inbox lifecycle, domain lifecycle, message actions, replay actions, and webhook configuration changes
Dashboard
- Inbox console with 4-pane layout
- Per-message engagement badges and timeline
- Search, filter chips, command palette (
Cmd+K) - Keyboard shortcuts for navigation and inspection
- Dark/light theme
Infrastructure
- API and SMTP on Railway
- PostgreSQL 16 (primary store)
- Redis (queue)
- Cloudflare Email Routing + Worker for inbound relay
- Mailtarget Layang as upstream MTA (Sender Score 99)
Limits
| Tier | Inboxes | Processed emails / month | Custom domains |
|---|---|---|---|
| Sandbox | 5 | 5,000 | 0 |
| Builder ($29/mo) | 25 | 25,000 | 3 |
| Growth ($149/mo) | 100 | 150,000 | 20 |
| Enterprise | Custom | Custom | Unlimited |
Annual billing: 20% off. Billing metric: processed emails (sent + received).
Sandbox inbox per-inbox limit: 250/day with 25/min burst guard.
Breaking change policy
From v1.0 onward, breaking changes follow these rules:
- No silent breaks. Removed fields, renamed endpoints, or changed semantics ship in a numbered release with a dedicated entry in this changelog.
- Deprecation window. A deprecated field or endpoint is marked in docs and continues to work for at least one minor version cycle before removal.
- Webhook payload schemas are append-only within a major version. New fields can appear; existing fields will not be removed without a major version bump.
- Auth and signature schemes do not change without a major version bump.
Future entries will be added above this one in reverse chronological order.