OpenClaw Email Setup Guide

Step-by-step setup for Gmail, Outlook, iCloud, ProtonMail, custom IMAP/SMTP, and managed AgentMail.

What does email integration with OpenClaw actually mean?

OpenClaw is an AI agent that can read, draft, send, and act on email once it is connected to a real inbox. Which connection method you use depends on two things:

Which email provider you use — Gmail, Outlook, iCloud, ProtonMail, or something else
Where OpenClaw is running — managed hosting or self-hosted

Most guides cover one provider in isolation. This one covers all of them so you can pick the path that matches your stack. For provider-specific deep-dives, the Gmail-specific deep-dive and the Outlook setup walkthrough go further.

What are the four ways OpenClaw connects to email?

Every email integration falls into one of four buckets. The right choice depends on your provider, your privacy needs, and how much setup you want to handle yourself.

Method	Best for	Setup time	Provider support
AgentMail (managed inbox)	Fastest start, no email account needed	60 seconds	Ampere-hosted only
OAuth	Gmail, Outlook, Microsoft 365 users	3–5 minutes	Gmail, Outlook, Workspace
IMAP/SMTP	iCloud, ProtonMail, FastMail, custom domains	5–10 minutes	Universal
Skill-based MCP	Advanced multi-mailbox workflows	15+ minutes	Any provider

Each method exposes the same agent capabilities — read, summarize, draft, send, archive, label. The differences are in three areas: how authentication works, how much access you grant, and how quickly you can be operational.

Method 1: AgentMail — Managed inbox via Ampere

AgentMail is a dedicated inbox that ships with your agent on Ampere. You do not need an existing Gmail, Outlook, or any other account. Your agent gets its own email address. Any incoming message is delivered straight to its context.

When this fits:

You want to give your agent a public-facing email like support@yourdomain.com without setting up a separate mail server
You do not want OAuth, app passwords, or IMAP credentials in your config
You want every inbound message to trigger the agent automatically

Setup steps:

Sign up at ampere.sh and deploy an agent
Open the agent dashboard and click Email
Pick your inbox address — <yourname>@agentmail.ampere.sh or a custom domain
Done. Send a test email to your new address and the agent replies

Behind the scenes Ampere maps the AgentMail inbox to your agent's runtime. The conversation surface includes email alongside chat, Telegram, or Slack. The inbox is permanent for the life of the agent and survives restarts.

Get Your Inbox

Method 2: Gmail via OAuth

Gmail integration uses Google OAuth to grant your OpenClaw agent scoped access to a real Gmail or Google Workspace account.

Required permissions OpenClaw requests:

gmail.readonly — read messages
gmail.compose — draft messages
gmail.send — send messages (optional, default off)
gmail.modify — apply labels, mark as read

You approve each scope during the OAuth flow. The agent never sees your password.

High-level setup:

Open your OpenClaw dashboard and pick Add integration → Gmail
Sign into the Google account you want the agent to use
Review and approve only the scopes you need (start with read-only)
The agent shows the connected address in your dashboard

For the full Google permissions walkthrough including OAuth consent screens, scopes, and revoking access, see the Google Workspace permissions guide.

Method 3: Outlook / Microsoft 365 via OAuth

Outlook uses Microsoft Graph OAuth and works for both personal outlook.com accounts and Microsoft 365 business accounts.

Setup steps:

In your OpenClaw dashboard, pick Add integration → Outlook
Sign in with your Microsoft account
Approve the requested mailbox scopes
Test by asking the agent for your unread count

Microsoft 365 admins must approve the OpenClaw app at the tenant level first. Only then can users complete the consent flow. Personal Outlook accounts skip that step.

Method 4: iCloud Mail via IMAP/SMTP

iCloud Mail does not offer OAuth for third-party agents. The supported path is IMAP for reading and SMTP for sending, authenticated with an Apple app-specific password.

Setup steps:

Sign into appleid.apple.com → Sign-In and Security → App-Specific Passwords
Generate a new password labeled "OpenClaw"
In your OpenClaw config (or dashboard for managed hosting) add:

email:
  provider: imap
  imap:
    host: imap.mail.me.com
    port: 993
    user: yourname@icloud.com
    password: <app-specific-password>
    tls: true
  smtp:
    host: smtp.mail.me.com
    port: 587
    user: yourname@icloud.com
    password: <app-specific-password>
    starttls: true

Restart the gateway: openclaw gateway restart
Send yourself a test email and ask the agent to summarize it

Notes:

iCloud requires two-factor authentication on your Apple ID before app-specific passwords are available
Apple sometimes revokes app-specific passwords automatically on suspicious activity — regenerate if reads fail
Use the agent's local skill or a container-isolated deployment to keep credentials off the host filesystem

Method 5: ProtonMail via Bridge + IMAP

ProtonMail's end-to-end encryption means standard IMAP cannot reach the inbox directly. Proton's Bridge app runs locally and exposes a decrypted IMAP/SMTP endpoint on 127.0.0.1.

Setup steps:

Install Proton Mail Bridge on the machine running OpenClaw
Sign in with your ProtonMail account and let Bridge generate its IMAP credentials
Copy the IMAP host, port, username, and password from the Bridge UI
Add to OpenClaw config:

email:
  provider: imap
  imap:
    host: 127.0.0.1
    port: 1143
    user: <bridge-username>
    password: <bridge-password>
    tls: false
  smtp:
    host: 127.0.0.1
    port: 1025
    user: <bridge-username>
    password: <bridge-password>
    starttls: true

Restart the gateway and test

Bridge must run on the same machine as OpenClaw. If you self-host on a VPS, install Bridge there and keep it running as a service.

Method 6: Custom IMAP/SMTP

The universal fallback. Works for FastMail, Zoho Mail, Yandex, custom domain providers, and any mail host that exposes IMAP and SMTP.

Setup steps:

Find your provider's IMAP and SMTP server settings (usually under "Mail Client Setup" in their dashboard)
If your provider supports app passwords, generate one for OpenClaw rather than using your account password
Add the config:

email:
  provider: imap
  imap:
    host: imap.yourprovider.com
    port: 993
    user: you@yourdomain.com
    password: <app-password>
    tls: true
  smtp:
    host: smtp.yourprovider.com
    port: 587
    user: you@yourdomain.com
    password: <app-password>
    starttls: true

Restart the gateway: openclaw gateway restart

Most providers accept this exact shape. The only fields that vary are the host names and ports.

Choosing the right method

If you…	Use
Want to start in under a minute	AgentMail
Use Gmail or Google Workspace	OAuth (Method 2)
Use Outlook or Microsoft 365	OAuth (Method 3)
Use iCloud Mail	IMAP/SMTP with app password (Method 4)
Use ProtonMail	Proton Bridge + IMAP (Method 5)
Use any other provider	Custom IMAP/SMTP (Method 6)
Run multiple mailboxes on one agent	Skill-based MCP (advanced)

If you are deciding between self-hosting and managed hosting, the self-hosted alternative covers the trade-offs. For agents that need to run continuously to catch incoming mail, see keep the agent running around the clock.

Skip Setup — Use Managed

What are the most common email setup problems and how do you fix them?

OAuth flow completes but the agent shows no mail

The most common cause is that OpenClaw was not running when the OAuth callback fired. Restart the gateway and re-run the connection flow. If the issue persists, revoke the app in your Google or Microsoft account and start fresh. A clean reinstall of the integration usually fixes stuck states.

"App password not accepted" on iCloud or Gmail

App passwords require 2FA to be enabled on the upstream account. Confirm 2FA is on, then generate a fresh app-specific password. Old passwords get auto-revoked after long periods of inactivity.

ProtonMail Bridge connection refused

Bridge listens only on localhost. If OpenClaw runs in a container or on a different machine, the connection will fail. Either run Bridge on the same host or use Proton's SMTP relay for outbound only.

Mail arrives but the agent does not respond

Check the agent has the email tool enabled in its tools list. Run openclaw plugins inspect <plugin-id> --runtime --json to confirm the email plugin is live. Cold config can show "enabled" even when the runtime never imported the plugin properly.

IMAP polling delay feels slow

Default IMAP polling is 60 seconds. For lower-latency triggers, switch to IMAP IDLE (push-style) by adding idle: true to your email config. Not every provider supports IDLE reliably.

Security best practices

Prefer OAuth over passwords when available. OAuth scopes are revocable, time-limited, and visible in your account dashboard. Passwords sit in config files and survive rotations.

Use app-specific passwords, not account passwords. Every provider that does not offer OAuth still offers app passwords. Generate one per agent and label it clearly. This way you can revoke a single credential without affecting others.

Start with read-only scopes. Grant send and delete access only after the agent's draft-only behavior has been tested for a few days. The default for sales follow-up flows and similar high-volume use cases is draft-only with human approval in the loop.

Keep credentials off shared filesystems. Use a secrets manager or environment variables rather than committing the config file. Container deployments make this enforceable by default.

Audit which agent has which mailbox. A single agent with access to multiple inboxes is easier to misconfigure than separate agents per inbox. For multi-inbox workflows like remote work routines, an agent-per-mailbox setup stays cleaner over time.

Set up calendar workflows on the same account. If the agent will send meeting invites in reply to email, calendar access usually shares the OAuth consent flow. Approve both at once to avoid re-authentication later.

FAQs About OpenClaw Email Setup

Which email providers work with OpenClaw?

Any provider that supports OAuth (Gmail, Outlook, Microsoft 365) or IMAP/SMTP (iCloud, ProtonMail via Bridge, FastMail, Zoho, Yandex, custom domain hosts). Ampere also offers AgentMail, a managed inbox that does not require an existing provider account.

Do I need a Google Workspace or paid account to connect email?

No. A free personal Gmail or `outlook.com` account works for OAuth setup. Workspace and Microsoft 365 accounts add tenant-level admin controls but use the same flow.

Can OpenClaw work with ProtonMail or iCloud?

Yes. ProtonMail uses Proton Bridge to expose IMAP/SMTP locally. iCloud uses IMAP/SMTP directly with an Apple app-specific password. Both require the agent to run on a machine that can reach the mail endpoints.

Is IMAP/SMTP safe to use with OpenClaw?

Yes when paired with TLS, an app-specific password, and read-only access until you trust the workflow. The credentials sit in your OpenClaw config, so treat that file like a password manager entry — never commit it to a public repo.

What's the difference between AgentMail and Gmail integration?

AgentMail gives your agent its own brand-new inbox managed by Ampere. Gmail integration connects your existing Gmail account so the agent works on the mail you already receive. Pick AgentMail for new public-facing addresses, Gmail integration for personal or business mail you already use.

Can OpenClaw read and send from the same email address?

Yes. Grant both the read and send scopes during OAuth, or enable both IMAP and SMTP in IMAP-based setups. Most users start with read-only and enable send after a few days of testing.

How do I fix "App password not accepted" errors?

Confirm two-factor authentication is enabled on the upstream account, then generate a fresh app password. Old app passwords are sometimes auto-revoked after suspicious activity or long inactivity.

Can I connect multiple email accounts to one OpenClaw agent?

Yes, but the cleaner pattern is one agent per inbox. Multiple inboxes on one agent need a skill-based MCP setup so the agent knows which mailbox to act on for each request.

Also Read

Integration

How to Connect OpenClaw to Gmail

Integration

Openclaw On Outlook

Integration

Openclaw On Google Workspace

Written by

Sarah Mitchell

Integration Specialist Writer

Sarah is an API integration specialist with deep expertise in connecting AI agents with messaging platforms and productivity tools. She has architected integrations for Discord, Telegram, WhatsApp, Slack, and Notion, serving over 100,000 users. Passionate about creating seamless automation workflows and developer-friendly APIs.

Deploy OpenClaw with Email Ready to Go

Skip the IMAP, OAuth, and app-password setup. Ampere ships an OpenClaw agent with an inbox already attached.

Deploy OpenClaw with Email