Gmail MCP Server: Google's Official Preview, Community Options, and the Safe Setup

Nick Timms
Nick Timms, Co-founder
July 17, 2026·7 min read·verifiedReviewed by Duda Bardavid

Yes, Google ships an official Gmail MCP server, in preview and draft-only. What it does, what community servers risk, and the governed path for teams.

  • Google ships an official Gmail MCP server as a Developer Preview: ten tools covering search, reading, labels, and drafts, with least-privilege scopes and deliberately no send capability.
  • Most community servers request the gmail.modify scope, which bundles reading and autonomous sending into one grant, and the long-time default repo was archived by its maintainer in early 2026.
  • A send-capable server on a personal inbox completes the lethal trifecta: private data, attacker-writable content, and an exfiltration channel in one place.
  • For a team, the governed path is a shared inbox with an official MCP server: scoped tools, per-user authentication, drafts where actions have consequences, and an audit trail.
Table of contents

Yes, there is now an official Gmail MCP server from Google, and the way Google built it tells you most of what you need to know about connecting AI to a mailbox safely. It shipped quietly as a Developer Preview in 2026, it can read mail and prepare drafts, and it deliberately cannot send. The community servers that dominate this search are the opposite: most request broad modify access and happily send email autonomously, which is exactly the combination security researchers warn about. This guide covers what Google's server actually does, what the community options do differently, why the send permission is the whole ballgame, and what a team should use instead of wiring an agent to a personal inbox.

Your options at a glance

OptionWhat it can doCan it send?Best for
Google's official server (preview)Search, read, draft, label management (10 tools)No, drafts onlyIndividuals in the preview program
Community servers (GongRzhe-lineage, shinzo-labs)Read plus autonomous send and settings on mostYes, immediatelyExperimenters who checked the scopes
Drag's official serverA team's shared Gmail inbox: read, draft, reply, assign, move, label (47 tools)Yes, governed and auditableTeams running sales@ or support@

Google's server is the safe personal default, the community field is where the risk lives, and the team path is its own product category. The rest of this page is the detail.

Google's official Gmail MCP server: what it is and isn't

Google's server runs at a Google-hosted endpoint and is currently a Developer Preview rather than generally available, arriving through the Workspace preview channel. Two design choices define it. First, least-privilege scopes: it asks for read access and compose access, not full mailbox control. Second, no send tool: it can search your mail, read threads, and prepare drafts, but a human presses send. That restraint is not a missing feature; it is the security model. Google's own documentation warns against letting automated systems act on unverified inbound mail, and a draft-only server is what that warning looks like implemented.

The specifics, verified against Google's documentation in July 2026: the server lives at a hosted endpoint (gmailmcp.googleapis.com) and ships through the Google Workspace Developer Preview Program, with no general availability date announced. Google's configuration guide and tool reference list ten tools in total: searching threads, reading a thread, listing drafts, creating a draft, and six label operations for creating, listing, applying, and removing labels at thread and message level. Authentication is OAuth 2.0 against exactly two scopes, gmail.readonly and gmail.compose. There is no send tool anywhere in the list, no delete tool, and no settings access. Trying it today means enrolling in the preview program, pointing your MCP client at the endpoint, and authenticating with the Google account whose mail it should read.

The community Gmail MCP servers, honestly assessed

Community servers filled this gap long before Google moved, and they remain what most of this search's results point at. The pattern to check before installing any of them is the scope grant: most request broad modify access, which bundles reading, labeling, deleting, and sending into one permission. The field also churns: the long-time default recommendation was archived by its maintainer in early 2026, with an actively maintained fork taking its place, so a tutorial from last year likely points at a dead repo. Community servers are genuinely useful for personal experimentation by people who understand what they granted. They are not what you connect to a mailbox that receives mail from strangers, for the reason the next section spells out.

Names and numbers, checked against GitHub in July 2026. The long-time default was GongRzhe/Gmail-MCP-Server, which grew to roughly 1,200 stars before its maintainer archived it; the code still installs, but nobody is patching it. Its send tool sends immediately, and its source requests the gmail.modify and gmail.settings.basic scopes. The actively maintained successor is the ArtyMcLabin fork of that same codebase, which carries the toolset forward with commits as recent as this month. And shinzo-labs/gmail-mcp wraps more than 50 Gmail endpoints, including sending messages, sending drafts, and editing send-as settings, which is more surface, not less.

ServerStatus, July 2026Send capabilityAccess requested
Google's official serverDeveloper Preview, Google-maintainedNone, drafts onlygmail.readonly and gmail.compose
GongRzhe/Gmail-MCP-ServerArchived by its maintainerSends immediatelygmail.modify plus settings
ArtyMcLabin forkActively maintainedSends immediatelySame codebase as the original
shinzo-labs/gmail-mcpMaintainedSends messages and drafts50+ endpoints, including settings

If you do install one, three checks take five minutes and remove most of the risk. First, read the OAuth consent screen and reject anything requesting gmail.modify or full mail.google.com access unless you genuinely want autonomous sending. Second, check the repo's last commit and its issue tracker before trusting it with credentials; an archived or dormant server will not be patched when the Gmail API shifts under it. Third, prefer configurations that draft rather than send, because a draft is a decision you still get to make. None of this is exotic security advice. It is the same discipline Google applied when it built its own server, applied at install time instead.

Here is the shape of the difference in practice, first against a mailbox through Drag's server:

Prompt · "Anything urgent in support@ this morning? Draft replies for the top two."
tool_call: list_threads({ board: "Support", status: "open" })
tool_call: get_thread({ id: "thr_2941" })
tool_call: create_draft({ thread: "thr_2941" })
→ 7 open, 2 flagged urgent
→ billing dispute (Acme), SSO outage (Datron)
→ 2 drafts created, awaiting human send

AI Platform

The inbox your team and your AI work in together

Shared inbox, live chat, and AI in Gmail, with an MCP server your AI tools can drive.

Start free trial
ChromeWebDesktopMobileAPIMCP

The send permission is the whole ballgame

Security researchers call it the lethal trifecta: an AI with access to private data, exposure to content an attacker can write, and a channel to send information out can be manipulated into exfiltrating data with no software vulnerability at all, just persuasive text. A personal Gmail account with a send-capable MCP server is the cleanest example of all three at once. Your inbox is attacker-writable by design, anyone can email you. Your mailbox holds password resets, invoices, and one-time codes. And a send tool is the exfiltration channel, gift-wrapped. A prompt-injected agent that can read your mail and send email is an account-takeover kit waiting for a sufficiently crafted message. This is why Google shipped draft-only, why scope-checking community servers matters, and why the calculus changes completely when the inbox is a governed team surface rather than your personal account.

Google's own scope reference makes the point in taxonomy form. The gmail.modify scope most community servers request grants "Read, compose, and send emails from your Gmail account", one permission covering the entire loop, and the full mail.google.com scope adds permanent deletion on top. Both sit in Google's Restricted tier, the one it gates hardest, which tells you how Google weighs them. A few community servers skip OAuth entirely and run on IMAP app passwords, a static full-mailbox credential with no per-scope limits at all. So the first question to ask of any Gmail MCP server is not what it can do for you; it is what its token could do without you.

For teams: the governed path

The safe shape for AI-connected email is the one where access is scoped, actions are auditable, and the mailbox is a shared work surface rather than someone's personal identity anchor. That is what Drag's MCP server provides for Gmail-based teams: the shared inbox, sales@ or support@, becomes the surface, with per-user authentication, scoped read and write tools, drafts and confirmations where actions have consequences, and an audit trail of what the AI did. The distinction from a personal-mailbox server is structural: a team inbox contains work, not your password resets, and governance is built in rather than bolted on. Setup takes about five minutes, and our connection guide walks through it for Claude and ChatGPT. The server itself is public: it ships on npm as @dragapp/mcp-server with the source on GitHub, and it is listed on the public MCP registries.

Drag shared drafts: a reply drafted in the shared inbox, visible to the whole team for review before anyone presses send

Getting connected, briefly

Google's official server requires the Workspace Developer Preview program: enrolment, then configuration through Google's MCP setup guide, and it connects to Claude and other MCP clients as a remote server. Community servers install locally, and the only advice that matters is reading the OAuth consent screen before clicking: if it asks to read, compose, send and manage settings, that is what you are granting. Drag's server takes about five minutes against a team inbox, and our connection guide covers Claude and ChatGPT step by step.

WhatsApp has the same question with a sharper answer; our WhatsApp MCP server guide covers it.

Frequently asked questions

Is there an official Gmail MCP server?

Yes. Google ships one as a Developer Preview: it can search and read mail and prepare drafts, using least-privilege scopes, and it deliberately has no send capability. General availability has not been announced.

Are community Gmail MCP servers safe?

They can be for personal experimentation if you check the scopes before granting. Most request broad modify access including autonomous sending, which combined with a personal inbox creates the exact prompt-injection exfiltration pattern researchers warn about. Prefer read-only or draft-only configurations, and treat any send-capable server on a personal account as a real risk.

Can I connect my team's Gmail to Claude or ChatGPT?

Yes, and a governed route exists: a shared inbox tool with an official MCP server, like Drag, connects the team's Gmail-based inbox to AI clients with per-user auth, scoped tools, and audit logs, which is the appropriate model for mail that belongs to a business rather than a person.

What can Google's Gmail MCP server actually do?

In the current preview: search the mailbox, read messages and threads, manage labels, and create drafts. It cannot send or delete anything, and it requires the preview program. The capability set may widen at general availability.

Nick Timms

Nick Timms

Co-founder

Building Drag for nearly ten years: shared inboxes, boards, and now the AI and agent layer, all on Gmail, plus HeyHelp for the personal inbox. Writes the honest versions of the comparisons.

AI Platform

The inbox your team and your AI work in together

Shared inbox, boards, live chat, and WhatsApp with AI included, in Gmail and beyond, plus an MCP server your AI tools can drive.

7-day trial, no card required4.7 · 1,200+ reviews
Gmail extension
Web app
Desktop
iOS + Android
API
MCP server: works with Claude, ChatGPT, Copilot, Cursor