Gmail MCP Server: Google's Official Preview, Community Options, and the Safe Setup
Yes, Google ships an official Gmail MCP server, in preview and draft-only. What it does, what community servers risk, and the governed path for teams.
- Google ships an official Gmail MCP server as a Developer Preview: ten tools covering search, reading, labels, and drafts, with least-privilege scopes and deliberately no send capability.
- Most community servers request the gmail.modify scope, which bundles reading and autonomous sending into one grant, and the long-time default repo was archived by its maintainer in early 2026.
- A send-capable server on a personal inbox completes the lethal trifecta: private data, attacker-writable content, and an exfiltration channel in one place.
- For a team, the governed path is a shared inbox with an official MCP server: scoped tools, per-user authentication, drafts where actions have consequences, and an audit trail.
Table of contents
Yes, there is now an official Gmail MCP server from Google, and the way Google built it tells you most of what you need to know about connecting AI to a mailbox safely. It shipped quietly as a Developer Preview in 2026, it can read mail and prepare drafts, and it deliberately cannot send. The community servers that dominate this search are the opposite: most request broad modify access and happily send email autonomously, which is exactly the combination security researchers warn about. This guide covers what Google's server actually does, what the community options do differently, why the send permission is the whole ballgame, and what a team should use instead of wiring an agent to a personal inbox.
Your options at a glance
| Option | What it can do | Can it send? | Best for |
|---|---|---|---|
| Search, read, draft, label management (10 tools) | No, drafts only | Individuals in the preview program | |
| Read plus autonomous send and settings on most | Yes, immediately | Experimenters who checked the scopes | |
| A team's shared Gmail inbox: read, draft, reply, assign, move, label (47 tools) | Yes, governed and auditable | Teams running sales@ or support@ |
Google's server is the safe personal default, the community field is where the risk lives, and the team path is its own product category. The rest of this page is the detail.
Google's official Gmail MCP server: what it is and isn't
Google's server runs at a Google-hosted endpoint and is currently a Developer Preview rather than generally available, arriving through the Workspace preview channel. Two design choices define it. First, least-privilege scopes: it asks for read access and compose access, not full mailbox control. Second, no send tool: it can search your mail, read threads, and prepare drafts, but a human presses send. That restraint is not a missing feature; it is the security model. Google's own documentation warns against letting automated systems act on unverified inbound mail, and a draft-only server is what that warning looks like implemented.
The specifics, verified against Google's documentation in July 2026: the server lives at a hosted endpoint (gmailmcp.googleapis.com) and ships through the Google Workspace Developer Preview Program, with no general availability date announced. Google's configuration guide and tool reference list ten tools in total: searching threads, reading a thread, listing drafts, creating a draft, and six label operations for creating, listing, applying, and removing labels at thread and message level. Authentication is OAuth 2.0 against exactly two scopes, gmail.readonly and gmail.compose. There is no send tool anywhere in the list, no delete tool, and no settings access. Trying it today means enrolling in the preview program, pointing your MCP client at the endpoint, and authenticating with the Google account whose mail it should read.
The community Gmail MCP servers, honestly assessed
Community servers filled this gap long before Google moved, and they remain what most of this search's results point at. The pattern to check before installing any of them is the scope grant: most request broad modify access, which bundles reading, labeling, deleting, and sending into one permission. The field also churns: the long-time default recommendation was archived by its maintainer in early 2026, with an actively maintained fork taking its place, so a tutorial from last year likely points at a dead repo. Community servers are genuinely useful for personal experimentation by people who understand what they granted. They are not what you connect to a mailbox that receives mail from strangers, for the reason the next section spells out.
Names and numbers, checked against GitHub in July 2026. The long-time default was GongRzhe/Gmail-MCP-Server, which grew to roughly 1,200 stars before its maintainer archived it; the code still installs, but nobody is patching it. Its send tool sends immediately, and its source requests the gmail.modify and gmail.settings.basic scopes. The actively maintained successor is the ArtyMcLabin fork of that same codebase, which carries the toolset forward with commits as recent as this month. And shinzo-labs/gmail-mcp wraps more than 50 Gmail endpoints, including sending messages, sending drafts, and editing send-as settings, which is more surface, not less.
| Server | Status, July 2026 | Send capability | Access requested |
|---|---|---|---|
| Google's official server | Developer Preview, Google-maintained | None, drafts only | gmail.readonly and gmail.compose |
| GongRzhe/Gmail-MCP-Server | Archived by its maintainer | Sends immediately | gmail.modify plus settings |
| ArtyMcLabin fork | Actively maintained | Sends immediately | Same codebase as the original |
| shinzo-labs/gmail-mcp | Maintained | Sends messages and drafts | 50+ endpoints, including settings |
If you do install one, three checks take five minutes and remove most of the risk. First, read the OAuth consent screen and reject anything requesting gmail.modify or full mail.google.com access unless you genuinely want autonomous sending. Second, check the repo's last commit and its issue tracker before trusting it with credentials; an archived or dormant server will not be patched when the Gmail API shifts under it. Third, prefer configurations that draft rather than send, because a draft is a decision you still get to make. None of this is exotic security advice. It is the same discipline Google applied when it built its own server, applied at install time instead.
Here is the shape of the difference in practice, first against a mailbox through Drag's server:
tool_call: get_thread({ id: "thr_2941" })
tool_call: create_draft({ thread: "thr_2941" })
→ billing dispute (Acme), SSO outage (Datron)
→ 2 drafts created, awaiting human send
AI Platform
The inbox your team and your AI work in together
Shared inbox, live chat, and AI in Gmail, with an MCP server your AI tools can drive.
The send permission is the whole ballgame
Security researchers call it the lethal trifecta: an AI with access to private data, exposure to content an attacker can write, and a channel to send information out can be manipulated into exfiltrating data with no software vulnerability at all, just persuasive text. A personal Gmail account with a send-capable MCP server is the cleanest example of all three at once. Your inbox is attacker-writable by design, anyone can email you. Your mailbox holds password resets, invoices, and one-time codes. And a send tool is the exfiltration channel, gift-wrapped. A prompt-injected agent that can read your mail and send email is an account-takeover kit waiting for a sufficiently crafted message. This is why Google shipped draft-only, why scope-checking community servers matters, and why the calculus changes completely when the inbox is a governed team surface rather than your personal account.
Google's own scope reference makes the point in taxonomy form. The gmail.modify scope most community servers request grants "Read, compose, and send emails from your Gmail account", one permission covering the entire loop, and the full mail.google.com scope adds permanent deletion on top. Both sit in Google's Restricted tier, the one it gates hardest, which tells you how Google weighs them. A few community servers skip OAuth entirely and run on IMAP app passwords, a static full-mailbox credential with no per-scope limits at all. So the first question to ask of any Gmail MCP server is not what it can do for you; it is what its token could do without you.
For teams: the governed path
The safe shape for AI-connected email is the one where access is scoped, actions are auditable, and the mailbox is a shared work surface rather than someone's personal identity anchor. That is what Drag's MCP server provides for Gmail-based teams: the shared inbox, sales@ or support@, becomes the surface, with per-user authentication, scoped read and write tools, drafts and confirmations where actions have consequences, and an audit trail of what the AI did. The distinction from a personal-mailbox server is structural: a team inbox contains work, not your password resets, and governance is built in rather than bolted on. Setup takes about five minutes, and our connection guide walks through it for Claude and ChatGPT. The server itself is public: it ships on npm as @dragapp/mcp-server with the source on GitHub, and it is listed on the public MCP registries.

Getting connected, briefly
Google's official server requires the Workspace Developer Preview program: enrolment, then configuration through Google's MCP setup guide, and it connects to Claude and other MCP clients as a remote server. Community servers install locally, and the only advice that matters is reading the OAuth consent screen before clicking: if it asks to read, compose, send and manage settings, that is what you are granting. Drag's server takes about five minutes against a team inbox, and our connection guide covers Claude and ChatGPT step by step.
WhatsApp has the same question with a sharper answer; our WhatsApp MCP server guide covers it.
Frequently asked questions
Is there an official Gmail MCP server?
Yes. Google ships one as a Developer Preview: it can search and read mail and prepare drafts, using least-privilege scopes, and it deliberately has no send capability. General availability has not been announced.
Are community Gmail MCP servers safe?
They can be for personal experimentation if you check the scopes before granting. Most request broad modify access including autonomous sending, which combined with a personal inbox creates the exact prompt-injection exfiltration pattern researchers warn about. Prefer read-only or draft-only configurations, and treat any send-capable server on a personal account as a real risk.
Can I connect my team's Gmail to Claude or ChatGPT?
Yes, and a governed route exists: a shared inbox tool with an official MCP server, like Drag, connects the team's Gmail-based inbox to AI clients with per-user auth, scoped tools, and audit logs, which is the appropriate model for mail that belongs to a business rather than a person.
What can Google's Gmail MCP server actually do?
In the current preview: search the mailbox, read messages and threads, manage labels, and create drafts. It cannot send or delete anything, and it requires the preview program. The capability set may widen at general availability.
Co-founder
Building Drag for nearly ten years: shared inboxes, boards, and now the AI and agent layer, all on Gmail, plus HeyHelp for the personal inbox. Writes the honest versions of the comparisons.