agentmail 0.4.20 → 0.5.1

package/dist/llms-full.txt

@@ -1,7 +1,7 @@
-> For clean Markdown content of this page, append .md to this URL. For the complete documentation index, see https://docs.agentmail.to/llms.txt. For full content including API reference and SDK examples, see https://docs.agentmail.to/llms-full.txt.
-
 # AgentMail | Documentation
 
+> AgentMail is an email API built for AI agents. Create inboxes, send and receive messages, manage threads, and handle webhooks programmatically.
+
 # Welcome
 
 > Your starting point for building with the AgentMail API.
@@ -1242,7 +1242,7 @@ When processing incoming messages, always treat `html` as the primary content so
 ## Receiving `Messages`
 
 <Warning>
-  **Inbound emails require the sender's domain to have SPF or DKIM configured.** To reduce spoofing and phishing, AgentMail drops inbound emails when the sender's domain has neither SPF nor DKIM set up. If a sender reports that their email never arrived, this is the most likely cause. Once they configure SPF/DKIM on their domain, their emails will start landing in your inbox again. See [Why are my emails not showing up?](/knowledge-base/inbound-emails-missing) for details.
+  **Inbound emails are checked for SPF, DKIM, and DMARC authentication.** AgentMail drops emails when authentication headers are present and explicitly fail. When authentication headers are missing, AgentMail still processes the email and labels it `unauthenticated`. Subscribe to the `message.received.unauthenticated` event to monitor these messages. See [Why are my emails not showing up?](/knowledge-base/inbound-emails-missing) for details.
 </Warning>
 
 While you can periodically list `Messages` to check for new emails, the most efficient way to handle incoming `Messages` for your agents is with `Webhooks`. By configuring a `Webhook` endpoint, AgentMail can notify your application/agent in real-time as soon as a new `Message` arrives, so you can take action on them.
@@ -6435,13 +6435,14 @@ This event-driven approach is more efficient and allows you to build fast, respo
 
 ## Available Events
 
-AgentMail supports nine webhook event types. When creating a webhook, you can subscribe to specific events or receive all of them. See [Webhook Events](/events) for full payload details.
+AgentMail supports ten webhook event types. When creating a webhook, you can subscribe to specific events or receive all standard events. See [Webhook Events](/events) for full payload details.
 
 **Message events:**
 
 * **`message.received`** — New email received and processed in one of your inboxes
 * **`message.received.spam`** — A message was received and classified as spam (requires `label_spam_read` permission)
 * **`message.received.blocked`** — A message was received and matched a block list entry (requires `label_blocked_read` permission)
+* **`message.received.unauthenticated`** — A message was received without authentication headers, so AgentMail could not verify whether it was authenticated
 * **`message.sent`** — Message successfully sent from your inbox
 * **`message.delivered`** — Delivery confirmed by the recipient's mail server
 * **`message.bounced`** — Message failed to deliver and bounced back
@@ -6453,7 +6454,7 @@ AgentMail supports nine webhook event types. When creating a webhook, you can su
 * **`domain.verified`** — Custom domain successfully verified
 
 <Callout intent="info">
-  Spam and blocked events are excluded by default. To receive them, explicitly include `message.received.spam` or `message.received.blocked` in the `event_types` list when creating a webhook. Messages with these labels are no longer sent as `message.received`.
+  Spam, blocked, and unauthenticated events are excluded by default. To receive them, explicitly include `message.received.spam`, `message.received.blocked`, or `message.received.unauthenticated` in the `event_types` list when creating a webhook. These messages are no longer sent as `message.received`.
 </Callout>
 
 ## The Webhook Workflow
@@ -6492,7 +6493,7 @@ The process is straightforward:
       ```
     </CodeBlocks>
 
-    Specify which events to receive; omit `event_types` to subscribe to all standard event types. Spam and blocked events must always be explicitly included.
+    Specify which events to receive; omit `event_types` to subscribe to all standard event types. Spam, blocked, and unauthenticated events must always be explicitly included.
   </Step>
 
   <Step title="3. AgentMail Sends Events">
@@ -6613,9 +6614,9 @@ Copy one of the blocks below into Cursor or Claude for complete Webhooks API kno
   - webhooks.update(webhook_id, add_inbox_ids?, remove_inbox_ids?, add_pod_ids?, remove_pod_ids?)
   - webhooks.delete(webhook_id)
 
-  Events: message.received, message.received.spam, message.received.blocked, message.sent, message.delivered, message.bounced, message.complained, message.rejected, domain.verified
+  Events: message.received, message.received.spam, message.received.blocked, message.received.unauthenticated, message.sent, message.delivered, message.bounced, message.complained, message.rejected, domain.verified
   Payload: event_type, event_id, plus message/send/delivery/bounce/complaint/reject/domain. Verify with Svix (webhook.secret).
-  Note: message.received.spam and message.received.blocked are excluded by default. To receive them, explicitly include them in event_types and ensure the API key has label_spam_read / label_blocked_read permissions.
+  Note: message.received.spam, message.received.blocked, and message.received.unauthenticated are excluded by default. To receive them, explicitly include them in event_types and ensure the API key has label_spam_read / label_blocked_read permissions for spam and blocked events.
   """
   import os
   from dotenv import load_dotenv
@@ -6642,8 +6643,8 @@ Copy one of the blocks below into Cursor or Claude for complete Webhooks API kno
    * - webhooks.update(webhookId, { addInboxIds?, removeInboxIds?, addPodIds?, removePodIds? })
    * - webhooks.delete(webhookId)
    *
-   * Events: message.received, message.received.spam, message.received.blocked, message.sent, message.delivered, message.bounced, message.complained, message.rejected, domain.verified
-   * Note: message.received.spam and message.received.blocked are excluded by default. To receive them, explicitly include them in eventTypes and ensure the API key has label_spam_read / label_blocked_read permissions.
+   * Events: message.received, message.received.spam, message.received.blocked, message.received.unauthenticated, message.sent, message.delivered, message.bounced, message.complained, message.rejected, domain.verified
+   * Note: message.received.spam, message.received.blocked, and message.received.unauthenticated are excluded by default. To receive them, explicitly include them in eventTypes and ensure the API key has label_spam_read / label_blocked_read permissions for spam and blocked events.
    * Verify with Svix using webhook.secret. Use express.raw() for body—signature needs raw payload.
    */
   import { AgentMailClient } from "agentmail";
@@ -6704,7 +6705,7 @@ All webhook payloads follow the same basic structure:
 
 ## Parsing events with SDKs
 
-The AgentMail SDKs export typed classes for each webhook event, so you can parse raw payloads into fully typed objects.
+The AgentMail SDKs export typed classes for each webhook payload shape, so you can parse raw payloads into fully typed objects.
 
 <CodeBlocks>
   ```typescript title="TypeScript"
@@ -6712,8 +6713,14 @@ The AgentMail SDKs export typed classes for each webhook event, so you can parse
 
   async function handleWebhook(payload: Record<string, unknown>) {
     const eventType = payload.event_type;
-
-    if (eventType === "message.received") {
+    const receivedEventTypes = [
+      "message.received",
+      "message.received.spam",
+      "message.received.blocked",
+      "message.received.unauthenticated",
+    ];
+
+    if (receivedEventTypes.includes(String(eventType))) {
       const event = await serialization.events.MessageReceivedEvent.parse(payload);
       // access typed fields
       console.log(event.message.subject);
@@ -6733,12 +6740,6 @@ The AgentMail SDKs export typed classes for each webhook event, so you can parse
     } else if (eventType === "message.rejected") {
       const event = await serialization.events.MessageRejectedEvent.parse(payload);
       console.log(event.reject.reason);
-    } else if (eventType === "message.received.spam") {
-      const event = await serialization.events.MessageReceivedSpamEvent.parse(payload);
-      console.log(event.message.subject);
-    } else if (eventType === "message.received.blocked") {
-      const event = await serialization.events.MessageReceivedBlockedEvent.parse(payload);
-      console.log(event.message.subject);
     } else if (eventType === "domain.verified") {
       const event = await serialization.events.DomainVerifiedEvent.parse(payload);
       console.log(event.domain.status);
@@ -6749,8 +6750,6 @@ The AgentMail SDKs export typed classes for each webhook event, so you can parse
   ```python title="Python"
   from agentmail import (
       MessageReceivedEvent,
-      MessageReceivedSpamEvent,
-      MessageReceivedBlockedEvent,
       MessageSentEvent,
       MessageBouncedEvent,
       MessageDeliveredEvent,
@@ -6761,8 +6760,14 @@ The AgentMail SDKs export typed classes for each webhook event, so you can parse
 
   def handle_webhook(payload: dict):
       event_type = payload.get("event_type")
+      received_event_types = {
+          "message.received",
+          "message.received.spam",
+          "message.received.blocked",
+          "message.received.unauthenticated",
+      }
 
-      if event_type == "message.received":
+      if event_type in received_event_types:
           event = MessageReceivedEvent(**payload)
           # access typed fields
           print(event.message.subject)
@@ -6782,12 +6787,6 @@ The AgentMail SDKs export typed classes for each webhook event, so you can parse
       elif event_type == "message.rejected":
           event = MessageRejectedEvent(**payload)
           print(event.reject.reason)
-      elif event_type == "message.received.spam":
-          event = MessageReceivedSpamEvent(**payload)
-          print(event.message.subject)
-      elif event_type == "message.received.blocked":
-          event = MessageReceivedBlockedEvent(**payload)
-          print(event.message.subject)
       elif event_type == "domain.verified":
           event = DomainVerifiedEvent(**payload)
           print(event.domain.status)
@@ -6803,28 +6802,27 @@ Copy one of the blocks below into Cursor or Claude for webhook event parsing in
   """
   AgentMail Webhook Events — copy into Cursor/Claude.
 
-  Parse typed events: MessageReceivedEvent (message.received), MessageReceivedSpamEvent (message.received.spam), MessageReceivedBlockedEvent (message.received.blocked),
+  Parse typed events: MessageReceivedEvent (message.received, message.received.spam, message.received.blocked, message.received.unauthenticated),
   MessageSentEvent (send), MessageBouncedEvent (bounce), MessageDeliveredEvent (delivery), MessageComplainedEvent (complaint),
   MessageRejectedEvent (reject), DomainVerifiedEvent (domain).
   Only message.received* includes full message+thread; others have send/delivery/bounce/complaint/reject/domain.
   Note: message.received.spam and message.received.blocked require label_spam_read / label_blocked_read permissions.
+  message.received.unauthenticated must be explicitly included in event_types.
   """
   from agentmail import (
-    MessageReceivedEvent, MessageReceivedSpamEvent, MessageReceivedBlockedEvent,
+    MessageReceivedEvent,
     MessageSentEvent, MessageBouncedEvent,
     MessageDeliveredEvent, MessageComplainedEvent, MessageRejectedEvent, DomainVerifiedEvent,
   )
 
   def handle(payload: dict):
     t = payload.get("event_type")
-    if t == "message.received": e = MessageReceivedEvent(**payload); print(e.message.subject, e.thread.message_count)
+    if t in {"message.received", "message.received.spam", "message.received.blocked", "message.received.unauthenticated"}: e = MessageReceivedEvent(**payload); print(e.message.subject, e.thread.message_count)
     elif t == "message.sent": e = MessageSentEvent(**payload); print(e.send.recipients)
     elif t == "message.bounced": e = MessageBouncedEvent(**payload); print(e.bounce.type)
     elif t == "message.delivered": e = MessageDeliveredEvent(**payload)
     elif t == "message.complained": e = MessageComplainedEvent(**payload)
     elif t == "message.rejected": e = MessageRejectedEvent(**payload); print(e.reject.reason)
-    elif t == "message.received.spam": e = MessageReceivedSpamEvent(**payload); print(e.message.subject)
-    elif t == "message.received.blocked": e = MessageReceivedBlockedEvent(**payload); print(e.message.subject)
     elif t == "domain.verified": e = DomainVerifiedEvent(**payload); print(e.domain.status)
   ```
 
@@ -6833,15 +6831,22 @@ Copy one of the blocks below into Cursor or Claude for webhook event parsing in
    * AgentMail Webhook Events — copy into Cursor/Claude.
    *
    * Parse with serialization.events.<EventType>.parse(payload).
-   * message.received → MessageReceivedEvent, message.received.spam → MessageReceivedSpamEvent, message.received.blocked → MessageReceivedBlockedEvent.
+   * message.received, message.received.spam, message.received.blocked, message.received.unauthenticated → MessageReceivedEvent.
    * Only message.received* has message+thread; others have send/delivery/bounce/complaint/reject/domain.
    * message.received.spam and message.received.blocked require label_spam_read / label_blocked_read permissions.
+   * message.received.unauthenticated must be explicitly included in eventTypes.
    */
   import { serialization } from "agentmail";
 
   async function handle(payload: Record<string, unknown>) {
     const t = payload.event_type;
-    if (t === "message.received") {
+    const receivedEventTypes = [
+      "message.received",
+      "message.received.spam",
+      "message.received.blocked",
+      "message.received.unauthenticated",
+    ];
+    if (receivedEventTypes.includes(String(t))) {
       const e = await serialization.events.MessageReceivedEvent.parse(payload);
       console.log(e.message.subject, e.thread.messageCount);
     } else if (t === "message.sent") {
@@ -6859,12 +6864,6 @@ Copy one of the blocks below into Cursor or Claude for webhook event parsing in
     } else if (t === "message.rejected") {
       const e = await serialization.events.MessageRejectedEvent.parse(payload);
       console.log(e.reject);
-    } else if (t === "message.received.spam") {
-      const e = await serialization.events.MessageReceivedSpamEvent.parse(payload);
-      console.log(e.message.subject);
-    } else if (t === "message.received.blocked") {
-      const e = await serialization.events.MessageReceivedBlockedEvent.parse(payload);
-      console.log(e.message.subject);
     } else if (t === "domain.verified") {
       const e = await serialization.events.DomainVerifiedEvent.parse(payload);
       console.log(e.domain);
@@ -6881,9 +6880,10 @@ Copy one of the blocks below into Cursor or Claude for webhook event parsing in
 * **Example use-case:** Kick off a internal workflow when a customer complaint email hits the support inbox
 
 <Callout>
-  Something here to notice is message.received is the only webhook event that
-  includes both the metadata on the `Thread` and the `Message` in the payload.
-  Other event types send only metadata on the event. Let us know if you need
+  Something here to notice is `message.received` and its filtered variants are
+  the only webhook events that include both the metadata on the `Thread` and the
+  `Message` in the payload. Other event types send only metadata on the event.
+  Let us know if you need
   metadata on other event types by emailing `support@agentmail.cc`
 </Callout>
 
@@ -7035,6 +7035,52 @@ Copy one of the blocks below into Cursor or Claude for webhook event parsing in
   ```
 </CodeGroup>
 
+### `message.received.unauthenticated`
+
+* **Description:** Triggered when a new email is received without authentication headers, so AgentMail cannot verify whether it is authenticated. These messages are processed and labeled `unauthenticated` because legitimate senders may omit the headers; messages with authentication headers that explicitly fail are dropped.
+* **Example use-case:** Monitor senders whose messages are missing authentication headers so you can decide whether to trust them or ask them to improve their email setup.
+
+<CodeGroup>
+  ```json
+  {
+    "type": "event",
+    "event_type": "message.received.unauthenticated",
+    "event_id": "evt_unauth789",
+    "message": {
+      "inbox_id": "inbox_456def",
+      "thread_id": "thd_789ghi",
+      "message_id": "<unauth789@example.com>",
+      "labels": ["unauthenticated"],
+      "timestamp": "2023-10-27T10:00:00Z",
+      "from": "sender@example.com",
+      "to": ["agent@agentmail.to"],
+      "subject": "Unauthenticated message",
+      "preview": "This message is missing authentication headers...",
+      "text": "Full unauthenticated message body.",
+      "html": "<html>...</html>",
+      "size": 512,
+      "updated_at": "2023-10-27T10:00:00Z",
+      "created_at": "2023-10-27T10:00:00Z"
+    },
+    "thread": {
+      "inbox_id": "inbox_456def",
+      "thread_id": "thd_789ghi",
+      "labels": ["unauthenticated"],
+      "timestamp": "2023-10-27T10:00:00Z",
+      "senders": ["sender@example.com"],
+      "recipients": ["agent@agentmail.to"],
+      "subject": "Unauthenticated message",
+      "preview": "This message is missing authentication headers...",
+      "last_message_id": "<unauth789@example.com>",
+      "message_count": 1,
+      "size": 512,
+      "updated_at": "2023-10-27T10:00:00Z",
+      "created_at": "2023-10-27T10:00:00Z"
+    }
+  }
+  ```
+</CodeGroup>
+
 ### `message.sent`
 
 * **Description:** Triggered when a message is successfully sent from one of your `Inboxes`.
@@ -7223,7 +7269,7 @@ When creating a webhook, you can specify which events to subscribe to. This allo
 For example, if you only need to trigger workflows on incoming messages, you can subscribe to just `message.received`. If you're building a delivery tracking system, you might subscribe to `message.sent`, `message.delivered`, and `message.bounced`.
 
 <Callout intent="info">
-  By default, spam and blocked events are **not** delivered. To receive them, you must explicitly include `message.received.spam` or `message.received.blocked` in the `event_types` list when creating your webhook. The API key must also have the corresponding `label_spam_read` or `label_blocked_read` permission.
+  By default, spam, blocked, and unauthenticated events are **not** delivered. To receive them, you must explicitly include `message.received.spam`, `message.received.blocked`, or `message.received.unauthenticated` in the `event_types` list when creating your webhook. The API key must also have the corresponding `label_spam_read` or `label_blocked_read` permission for spam and blocked events.
 </Callout>
 
 If you have any specific webhook notifications you would like, please ping us in the `#feature-requests` channel in the [Discord](https://discord.gg/hTYatWYWBc)
@@ -8214,10 +8260,15 @@ Subscribe(
     event_types=["message.received", "message.sent"]
 )
 
-# Subscribe to spam and blocked events (requires label_spam_read / label_blocked_read permissions)
+# Subscribe to filtered inbound events
 Subscribe(
     inbox_ids=["agent@agentmail.to"],
-    event_types=["message.received", "message.received.spam", "message.received.blocked"]
+    event_types=[
+        "message.received",
+        "message.received.spam",
+        "message.received.blocked",
+        "message.received.unauthenticated",
+    ]
 )
 ```
 
@@ -8243,16 +8294,21 @@ socket.sendSubscribe({
   eventTypes: ["message.received", "message.sent"],
 });
 
-// Subscribe to spam and blocked events (requires label_spam_read / label_blocked_read permissions)
+// Subscribe to filtered inbound events
 socket.sendSubscribe({
   type: "subscribe",
   inboxIds: ["agent@agentmail.to"],
-  eventTypes: ["message.received", "message.received.spam", "message.received.blocked"],
+  eventTypes: [
+    "message.received",
+    "message.received.spam",
+    "message.received.blocked",
+    "message.received.unauthenticated",
+  ],
 });
 ```
 
 <Callout intent="info">
-  By default (when no `event_types` are specified), spam and blocked events are excluded from the subscription. To receive spam events, explicitly include `message.received.spam` in `event_types` and ensure the API key has the `label_spam_read` permission. The same applies to `message.received.blocked` with the `label_blocked_read` permission.
+  By default (when no `event_types` are specified), spam, blocked, and unauthenticated events are excluded from the subscription. To receive them, explicitly include `message.received.spam`, `message.received.blocked`, or `message.received.unauthenticated` in `event_types`. Spam and blocked events also require the `label_spam_read` or `label_blocked_read` permission.
 </Callout>
 
 ***
@@ -8267,16 +8323,14 @@ socket.sendSubscribe({
 
 ### Message Events
 
-| Event                      | Python                        | TypeScript                              | Description                                |
-| -------------------------- | ----------------------------- | --------------------------------------- | ------------------------------------------ |
-| `message_received`         | `MessageReceivedEvent`        | `AgentMail.MessageReceivedEvent`        | New email received                         |
-| `message_received_spam`    | `MessageReceivedSpamEvent`    | `AgentMail.MessageReceivedSpamEvent`    | Email received, classified as spam         |
-| `message_received_blocked` | `MessageReceivedBlockedEvent` | `AgentMail.MessageReceivedBlockedEvent` | Email received, matched a block list entry |
-| `message_sent`             | `MessageSentEvent`            | `AgentMail.MessageSentEvent`            | Email was sent                             |
-| `message_delivered`        | `MessageDeliveredEvent`       | `AgentMail.MessageDeliveredEvent`       | Email was delivered                        |
-| `message_bounced`          | `MessageBouncedEvent`         | `AgentMail.MessageBouncedEvent`         | Email bounced                              |
-| `message_complained`       | `MessageComplainedEvent`      | `AgentMail.MessageComplainedEvent`      | Email marked as spam                       |
-| `message_rejected`         | `MessageRejectedEvent`        | `AgentMail.MessageRejectedEvent`        | Email was rejected                         |
+| Event                | Python                   | TypeScript                         | Description                                                                                                                                           |
+| -------------------- | ------------------------ | ---------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------- |
+| `message_received`   | `MessageReceivedEvent`   | `AgentMail.MessageReceivedEvent`   | Email received. Check `event_type` for `message.received`, `message.received.spam`, `message.received.blocked`, or `message.received.unauthenticated` |
+| `message_sent`       | `MessageSentEvent`       | `AgentMail.MessageSentEvent`       | Email was sent                                                                                                                                        |
+| `message_delivered`  | `MessageDeliveredEvent`  | `AgentMail.MessageDeliveredEvent`  | Email was delivered                                                                                                                                   |
+| `message_bounced`    | `MessageBouncedEvent`    | `AgentMail.MessageBouncedEvent`    | Email bounced                                                                                                                                         |
+| `message_complained` | `MessageComplainedEvent` | `AgentMail.MessageComplainedEvent` | Email marked as spam                                                                                                                                  |
+| `message_rejected`   | `MessageRejectedEvent`   | `AgentMail.MessageRejectedEvent`   | Email was rejected                                                                                                                                    |
 
 ### Domain Events
 
@@ -8388,8 +8442,8 @@ Copy one of the blocks below into Cursor or Claude for WebSockets in one shot.
   Sync: with client.websockets.connect() as socket: socket.send_subscribe(Subscribe(inbox_ids=[...])); for event in socket: ...
   Async: async with client.websockets.connect() as socket: await socket.send_subscribe(...); async for event in socket: ...
   Subscribe(inbox_ids=[...], pod_ids=[...], event_types=[...])
-  Event types: Subscribed, MessageReceivedEvent, MessageReceivedSpamEvent, MessageReceivedBlockedEvent, MessageSentEvent, MessageDeliveredEvent, MessageBouncedEvent, MessageComplainedEvent, MessageRejectedEvent, DomainVerifiedEvent
-  Spam/blocked events require explicit opt-in via event_types and label_spam_read / label_blocked_read permissions.
+  Event types: Subscribed, MessageReceivedEvent, MessageSentEvent, MessageDeliveredEvent, MessageBouncedEvent, MessageComplainedEvent, MessageRejectedEvent, DomainVerifiedEvent
+  Spam, blocked, and unauthenticated events require explicit opt-in via event_types. Spam and blocked events require label_spam_read / label_blocked_read permissions.
   """
   from agentmail import AgentMail, Subscribe, Subscribed, MessageReceivedEvent
 
@@ -24164,9 +24218,15 @@ components:
     type_inbox-events:InboxEventType:
       type: string
       enum:
-        - label_added
-        - label_removed
-      description: Type of inbox event.
+        - label.added
+        - label.removed
+      description: |-
+        Type of inbox event. Wire format is dot.case to match the
+        convention used by webhook events (`message.received`,
+        `domain.verified`, etc. in events.yml). Pre-2026-04 these were
+        `label_added`/`label_removed` (snake_case). The Fern enum's `name`
+        field stays uppercase-snake (Fern convention); only the wire
+        `value` changed.
       title: InboxEventType
     type_inbox-events:InboxEvent:
       type: object
@@ -28571,6 +28631,7 @@ components:
         - message.received
         - message.received.spam
         - message.received.blocked
+        - message.received.unauthenticated
         - message.sent
         - message.delivered
         - message.bounced
@@ -28865,6 +28926,7 @@ components:
         - message.received
         - message.received.spam
         - message.received.blocked
+        - message.received.unauthenticated
         - message.sent
         - message.delivered
         - message.bounced
@@ -29163,6 +29225,7 @@ components:
         - message.received
         - message.received.spam
         - message.received.blocked
+        - message.received.unauthenticated
         - message.sent
         - message.delivered
         - message.bounced
@@ -29559,6 +29622,7 @@ components:
         - message.received
         - message.received.spam
         - message.received.blocked
+        - message.received.unauthenticated
         - message.sent
         - message.delivered
         - message.bounced
@@ -30073,6 +30137,14 @@ components:
       format: date-time
       description: Timestamp of webhook message.
       title: SvixTimestamp
+    type_events:MessageReceivedEventType:
+      type: string
+      enum:
+        - message.received
+        - message.received.spam
+        - message.received.blocked
+        - message.received.unauthenticated
+      title: MessageReceivedEventType
     type_events:EventId:
       type: string
       description: ID of event.
@@ -30425,9 +30497,7 @@ components:
           enum:
             - event
         event_type:
-          type: string
-          enum:
-            - message.received
+          $ref: '#/components/schemas/type_events:MessageReceivedEventType'
         event_id:
           $ref: '#/components/schemas/type_events:EventId'
         message:
@@ -30440,6 +30510,10 @@ components:
         - event_id
         - message
         - thread
+      description: >-
+        A message was received. Spam, blocked, and unauthenticated
+        received-message events use the same payload shape with different
+        `event_type` values.
       title: MessageReceivedEvent
 
 ```
@@ -31328,23 +31402,19 @@ channels:
           - $ref: >-
               #/components/messages/subpackage_websockets.websockets-server-1-message_received
           - $ref: >-
-              #/components/messages/subpackage_websockets.websockets-server-2-message_received_spam
+              #/components/messages/subpackage_websockets.websockets-server-2-message_sent
           - $ref: >-
-              #/components/messages/subpackage_websockets.websockets-server-3-message_received_blocked
+              #/components/messages/subpackage_websockets.websockets-server-3-message_delivered
           - $ref: >-
-              #/components/messages/subpackage_websockets.websockets-server-4-message_sent
+              #/components/messages/subpackage_websockets.websockets-server-4-message_bounced
           - $ref: >-
-              #/components/messages/subpackage_websockets.websockets-server-5-message_delivered
+              #/components/messages/subpackage_websockets.websockets-server-5-message_complained
           - $ref: >-
-              #/components/messages/subpackage_websockets.websockets-server-6-message_bounced
+              #/components/messages/subpackage_websockets.websockets-server-6-message_rejected
           - $ref: >-
-              #/components/messages/subpackage_websockets.websockets-server-7-message_complained
+              #/components/messages/subpackage_websockets.websockets-server-7-domain_verified
           - $ref: >-
-              #/components/messages/subpackage_websockets.websockets-server-8-message_rejected
-          - $ref: >-
-              #/components/messages/subpackage_websockets.websockets-server-9-domain_verified
-          - $ref: >-
-              #/components/messages/subpackage_websockets.websockets-server-10-error
+              #/components/messages/subpackage_websockets.websockets-server-8-error
     subscribe:
       operationId: websockets-subscribe
       summary: Client message
@@ -31376,39 +31446,31 @@ components:
       name: message_received
       payload:
         $ref: '#/components/schemas/type_events:MessageReceivedEvent'
-    subpackage_websockets.websockets-server-2-message_received_spam:
-      name: message_received_spam
-      payload:
-        $ref: '#/components/schemas/type_events:MessageReceivedSpamEvent'
-    subpackage_websockets.websockets-server-3-message_received_blocked:
-      name: message_received_blocked
-      payload:
-        $ref: '#/components/schemas/type_events:MessageReceivedBlockedEvent'
-    subpackage_websockets.websockets-server-4-message_sent:
+    subpackage_websockets.websockets-server-2-message_sent:
       name: message_sent
       payload:
         $ref: '#/components/schemas/type_events:MessageSentEvent'
-    subpackage_websockets.websockets-server-5-message_delivered:
+    subpackage_websockets.websockets-server-3-message_delivered:
       name: message_delivered
       payload:
         $ref: '#/components/schemas/type_events:MessageDeliveredEvent'
-    subpackage_websockets.websockets-server-6-message_bounced:
+    subpackage_websockets.websockets-server-4-message_bounced:
       name: message_bounced
       payload:
         $ref: '#/components/schemas/type_events:MessageBouncedEvent'
-    subpackage_websockets.websockets-server-7-message_complained:
+    subpackage_websockets.websockets-server-5-message_complained:
       name: message_complained
       payload:
         $ref: '#/components/schemas/type_events:MessageComplainedEvent'
-    subpackage_websockets.websockets-server-8-message_rejected:
+    subpackage_websockets.websockets-server-6-message_rejected:
       name: message_rejected
       payload:
         $ref: '#/components/schemas/type_events:MessageRejectedEvent'
-    subpackage_websockets.websockets-server-9-domain_verified:
+    subpackage_websockets.websockets-server-7-domain_verified:
       name: domain_verified
       payload:
         $ref: '#/components/schemas/type_events:DomainVerifiedEvent'
-    subpackage_websockets.websockets-server-10-error:
+    subpackage_websockets.websockets-server-8-error:
       name: error
       payload:
         $ref: '#/components/schemas/type_websockets:Error'
@@ -31419,6 +31481,7 @@ components:
         - message.received
         - message.received.spam
         - message.received.blocked
+        - message.received.unauthenticated
         - message.sent
         - message.delivered
         - message.bounced
@@ -31460,6 +31523,14 @@ components:
       required:
         - type
       title: Subscribed
+    type_events:MessageReceivedEventType:
+      type: string
+      enum:
+        - message.received
+        - message.received.spam
+        - message.received.blocked
+        - message.received.unauthenticated
+      title: MessageReceivedEventType
     type_events:EventId:
       type: string
       description: ID of event.
@@ -31812,60 +31883,7 @@ components:
           enum:
             - event
         event_type:
-          type: string
-          enum:
-            - message.received
-        event_id:
-          $ref: '#/components/schemas/type_events:EventId'
-        message:
-          $ref: '#/components/schemas/type_messages:Message'
-        thread:
-          $ref: '#/components/schemas/type_threads:ThreadItem'
-      required:
-        - type
-        - event_type
-        - event_id
-        - message
-        - thread
-      title: MessageReceivedEvent
-    type_events:MessageReceivedSpamEvent:
-      type: object
-      properties:
-        type:
-          type: string
-          enum:
-            - event
-        event_type:
-          type: string
-          enum:
-            - message.received.spam
-        event_id:
-          $ref: '#/components/schemas/type_events:EventId'
-        message:
-          $ref: '#/components/schemas/type_messages:Message'
-        thread:
-          $ref: '#/components/schemas/type_threads:ThreadItem'
-      required:
-        - type
-        - event_type
-        - event_id
-        - message
-        - thread
-      description: >-
-        A message was received and classified as spam. Requires
-        `label_spam_read` permission.
-      title: MessageReceivedSpamEvent
-    type_events:MessageReceivedBlockedEvent:
-      type: object
-      properties:
-        type:
-          type: string
-          enum:
-            - event
-        event_type:
-          type: string
-          enum:
-            - message.received.blocked
+          $ref: '#/components/schemas/type_events:MessageReceivedEventType'
         event_id:
           $ref: '#/components/schemas/type_events:EventId'
         message:
@@ -31879,9 +31897,10 @@ components:
         - message
         - thread
       description: >-
-        A message was received and matched a block list entry. Requires
-        `label_blocked_read` permission.
-      title: MessageReceivedBlockedEvent
+        A message was received. Spam, blocked, and unauthenticated
+        received-message events use the same payload shape with different
+        `event_type` values.
+      title: MessageReceivedEvent
     type_events:Timestamp:
       type: string
       format: date-time
@@ -49073,40 +49092,39 @@ For more on maintaining healthy sending metrics, see the [Email Deliverability](
 # Why are my emails not showing up?
 
 <Warning>
-  **The sender's domain must have SPF or DKIM configured.** To reduce spoofing and phishing, AgentMail now drops inbound emails when the sender's domain has neither SPF nor DKIM set up. If a sender reports that their email never arrived, this is the most likely cause — once they configure SPF/DKIM on their domain, their emails will start landing in your inbox again.
+  **Inbound emails are checked for SPF, DKIM, and DMARC authentication.** AgentMail drops emails when authentication headers are present and explicitly fail. If authentication headers are missing, AgentMail still processes the email and labels it `unauthenticated`.
 </Warning>
 
-AgentMail verifies every inbound email using SPF, DKIM, and DMARC authentication before delivering it to your inbox. Emails that fail any of these checks are dropped to prevent spoofing, phishing, and spam from reaching your agents.
+AgentMail verifies inbound email using SPF, DKIM, and DMARC authentication before delivering it to your inbox. Emails with authentication headers that explicitly fail are dropped to prevent spoofing, phishing, and spam from reaching your agents.
 
 This is the same standard enforced by Gmail, Outlook, Yahoo, and other major email providers.
 
 ## How inbound authentication works
 
-When an email arrives, AgentMail inspects the SPF, DKIM, and DMARC verdicts provided by the receiving mail server. To be delivered, an email must meet **all** of the following conditions:
+When an email arrives, AgentMail inspects the SPF, DKIM, and DMARC verdicts provided by the receiving mail server. To be delivered as authenticated, an email must meet **all** of the following conditions:
 
 * Neither SPF nor DKIM returns a `FAIL` verdict
-* At least one of SPF or DKIM is configured (not both `GRAY`)
 * DMARC does not return `FAIL` (unless the sender's DMARC policy is `none`)
 * The message passes virus scanning
 
-If any check fails, the email is dropped.
+If authentication headers are present and any check fails, the email is dropped. If authentication headers are missing, the email is delivered with the `unauthenticated` label because some legitimate senders do not include those headers.
 
-| Scenario                       | SPF  | DKIM | Result    |
-| ------------------------------ | ---- | ---- | --------- |
-| Both pass                      | PASS | PASS | Delivered |
-| One passes, other unconfigured | PASS | GRAY | Delivered |
-| One passes, other unconfigured | GRAY | PASS | Delivered |
-| Neither configured             | GRAY | GRAY | Dropped   |
-| Either explicitly fails        | FAIL | any  | Dropped   |
-| Either explicitly fails        | any  | FAIL | Dropped   |
+| Scenario                       | SPF  | DKIM | Result                         |
+| ------------------------------ | ---- | ---- | ------------------------------ |
+| Both pass                      | PASS | PASS | Delivered                      |
+| One passes, other unconfigured | PASS | GRAY | Delivered                      |
+| One passes, other unconfigured | GRAY | PASS | Delivered                      |
+| Authentication headers missing | GRAY | GRAY | Delivered as `unauthenticated` |
+| Either explicitly fails        | FAIL | any  | Dropped                        |
+| Either explicitly fails        | any  | FAIL | Dropped                        |
 
 <Warning>
-  Emails dropped due to failed authentication are **silently rejected**. The sender's mail server may still report successful delivery because AgentMail's servers did receive the message, but it was rejected during authentication verification. The sender gets no bounce-back or error notification.
+  Emails dropped due to failed authentication are rejected without a bounce-back to the sender. The sender's mail server may still report successful delivery because AgentMail's servers did receive the message, but it was rejected during authentication verification. To monitor emails with missing authentication headers, subscribe to the `message.received.unauthenticated` webhook or WebSocket event.
 </Warning>
 
 ## Why this matters
 
-Without these checks, anyone could send emails claiming to be from any domain. SPF and DKIM authentication proves that the sending server is authorized to send on behalf of the domain in the `From` address, while DMARC ties those results to the domain's published policy. Dropping unauthenticated emails protects your agents from:
+Without these checks, anyone could send emails claiming to be from any domain. SPF and DKIM authentication proves that the sending server is authorized to send on behalf of the domain in the `From` address, while DMARC ties those results to the domain's published policy. Dropping emails that explicitly fail authentication protects your agents from:
 
 * **Spoofing:** forged sender addresses impersonating trusted contacts
 * **Phishing:** malicious emails designed to trick your agent into taking harmful actions
@@ -49114,7 +49132,7 @@ Without these checks, anyone could send emails claiming to be from any domain. S
 
 ## Diagnosing missing emails
 
-If a sender reports that their email never arrived, check whether their domain has SPF and DKIM records configured:
+If a sender reports that their email never arrived, check whether their domain's authentication records are configured correctly:
 
 ```bash
 # check for SPF record
@@ -49126,11 +49144,11 @@ For DKIM, use [MXToolbox DKIM Lookup](https://mxtoolbox.com/dkim.aspx) or a simi
 
 You can also use [MXToolbox SPF Lookup](https://mxtoolbox.com/spf.aspx) to verify SPF records online.
 
-If the domain has neither an SPF record nor a DKIM record, that is the cause. Emails from that domain will be dropped by AgentMail and likely by other providers as well.
+If the sender's authentication headers are missing, AgentMail will still process the email and mark it `unauthenticated`. If those headers are present but fail, the email is dropped by AgentMail and may be rejected by other providers as well.
 
 ## What to tell the sender
 
-The sender needs to configure SPF and/or DKIM on their domain's DNS. This is not something you can fix on the AgentMail side, as the records must be set up by the domain owner.
+The sender should configure SPF and/or DKIM on their domain's DNS and make sure their mail provider includes authentication headers. This is not something you can fix on the AgentMail side, as the records and headers must be set up by the domain owner or their email provider.
 
 * Add an SPF record to authorize their mail server (e.g., `v=spf1 include:_spf.google.com ~all` for Google Workspace)
 * Enable DKIM signing through their email provider's admin console