@agents-git-bot agents-git-bot bot commented Jan 29, 2026

Summary

Sync documentation for PR #811 from cloudflare/agents repository.

This PR introduces secure email reply routing for Agents, preventing unauthorized routing of emails to arbitrary agent instances through header spoofing.

Changes

Security

  • createHeaderBasedEmailResolver now throws an error - it trusted attacker-controlled headers for routing
  • New createSecureReplyEmailResolver verifies HMAC-SHA256 signatures before routing replies
  • Signatures include timestamps and expire after a configurable period (default: 30 days)

New APIs

  • createSecureReplyEmailResolver - Secure resolver with signature verification
  • signAgentHeaders - Manual header signing for external email services
  • replyToEmail signing - Automatic header signing for outbound emails
  • onNoRoute callback - Callback for handling unroutable emails

Options & Callbacks

  • maxAge option - Configure signature expiration (default: 30 days)
  • onInvalidSignature - Debug callback with failure reasons
  • onNoRoute - Handle emails that don't match any routing rule

Cleanup

  • Removed unused EmailSendOptions type

Files Changed

File | Changes
src/content/docs/agents/guides/email-routing.mdx | New comprehensive email routing guide
src/content/docs/agents/concepts/agent-class.mdx | Simplified example and added cross-reference

Breaking Changes

  1. createHeaderBasedEmailResolver removed - Now throws an error with migration guidance
  2. EmailSendOptions removed - Was unused

Migration

// Before (INSECURE - trusted attacker-controlled headers):
const resolver = createHeaderBasedEmailResolver();

// After - For inbound mail:
const resolver = createAddressBasedEmailResolver("MyAgent");

// After - For reply flows:
const resolver = createSecureReplyEmailResolver(env.EMAIL_SECRET);

How It Works

  1. Outbound: replyToEmail() signs headers with HMAC-SHA256 + timestamp
  2. Inbound: createSecureReplyEmailResolver verifies signature and checks expiration
  3. Enforcement: If routed via secure resolver, replyToEmail() requires a secret (or explicit null)

Source

@github-actions github-actions bot added product:agents Build and deploy AI-powered Agents on Cloudflare that can act autonomously. size/m labels Jan 29, 2026
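
The outbound signing and inbound verification steps listed under "How It Works" in the description above, as an added Node.js example that is not code from this PR or from the agents package. The header names, the canonical string layout, the reason strings and the function names are assumptions made for the illustration; only HMAC-SHA256, the timestamp and the 30-day default come from the PR text.

```javascript
// Added example: names, header keys and reason strings are assumptions, not the agents API.
const { createHmac, timingSafeEqual } = require("node:crypto");
const DEFAULT_MAX_AGE_S = 30 * 24 * 60 * 60; // 30 days, the default the PR states

// String covered by the MAC. Length-prefixing each field keeps ("ab","c")
// and ("a","bc") from serialising to the same input.
function canonical(agentName, agentId, ts) {
  return [agentName, agentId, ts].map((f) => `${f.length}:${f}`).join("|");
}

function mac(secret, agentName, agentId, ts) {
  return createHmac("sha256", secret).update(canonical(agentName, agentId, ts)).digest();
}

// Outbound: headers attached to a message the recipient may reply to.
function signHeaders(secret, agentName, agentId, nowS) {
  const ts = String(nowS);
  return {
    "x-agent-name": agentName,
    "x-agent-id": agentId,
    "x-agent-sig-ts": ts,
    "x-agent-sig": mac(secret, agentName, agentId, ts).toString("hex"),
  };
}

// Inbound: route only when the MAC verifies and the timestamp is within maxAge.
function resolveReply(secret, headers, nowS, maxAgeS = DEFAULT_MAX_AGE_S) {
  const name = headers["x-agent-name"], id = headers["x-agent-id"];
  const ts = headers["x-agent-sig-ts"], sig = headers["x-agent-sig"];
  if (!name || !id || !ts || !sig) return { ok: false, reason: "missing_headers" };
  if (!/^\d{1,12}$/.test(ts) || !/^[0-9a-f]{64}$/.test(sig)) return { ok: false, reason: "malformed" };
  // Constant-time compare; the regex above guarantees equal buffer lengths.
  if (!timingSafeEqual(mac(secret, name, id, ts), Buffer.from(sig, "hex")))
    return { ok: false, reason: "invalid_signature" };
  // Expiry is evaluated only after the timestamp is known to be authentic.
  if (nowS - Number(ts) > maxAgeS) return { ok: false, reason: "expired" };
  return { ok: true, agentName: name, agentId: id };
}

// Constructed sample data: a signed reply, a tampered copy, and a stale copy.
function demo() {
  const secret = "constructed-demo-secret", t0 = 1769644800;
  const signed = signHeaders(secret, "MyAgent", "thread-42", t0);
  return {
    valid: resolveReply(secret, signed, t0 + 3600),
    tampered: resolveReply(secret, { ...signed, "x-agent-id": "other-instance" }, t0 + 3600),
    stale: resolveReply(secret, signed, t0 + 31 * 24 * 60 * 60),
  };
}
console.log(demo());
```

Because the timestamp is part of the MAC input, a sender cannot extend a signature's lifetime by editing the timestamp header; doing so yields `invalid_signature` rather than a fresh route.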
@github-actions

This pull request requires reviews from CODEOWNERS as it changes files that match the following patterns:

Pattern | Owners
/src/content/docs/agents/ | @irvinebroque, @rita3ko, @elithrar, @thomasgauvin, @threepointone, @whoiskatrin, @cloudflare/pcx-technical-writing, @cloudflare/ai-agents

Sync documentation for PR #811 from cloudflare/agents repository.

This PR introduces secure email reply routing with HMAC-SHA256 signed headers:

**New Features:**
- createSecureReplyEmailResolver - verifies HMAC-SHA256 signatures before routing
- signAgentHeaders - manually sign agent routing headers
- replyToEmail secret parameter - automatically signs outbound email headers
- onNoRoute callback - handle emails that don't match any routing rule

**Breaking Changes:**
- createHeaderBasedEmailResolver removed (security vulnerability - trusted attacker-controlled headers)
- EmailSendOptions type removed (unused)

**Documentation Changes:**
- Added comprehensive email-routing.mdx guide in /agents/guides/
- Updated agent-class.mdx to simplify email example and add cross-reference

Source PR: cloudflare/agents#811

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
@agents-git-bot agents-git-bot bot changed the title from "feat(email): Add signature expiration and routing callbacks" to "feat(email): Add secure reply routing with HMAC signatures" Jan 29, 2026
Synced from cloudflare/agents PR #811

- Add comprehensive email routing guide with secure reply flows
- Document HMAC-SHA256 signature verification
- Add resolver comparison and usage patterns
- Update agent-class.mdx to reference detailed guide
- Include API reference for all email routing functions

Breaking changes documented:
- createHeaderBasedEmailResolver removed
- EmailSendOptions type removed

New features documented:
- createSecureReplyEmailResolver with signature verification
- signAgentHeaders for manual header signing
- Automatic header signing in replyToEmail
- onInvalidSignature callback for debugging
- onNoRoute callback for unroutable emails

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>