Guide
Build an Out-of-Office Coverage Agent
An AI agent covers a mailbox while someone is away: it auto-replies, flags what's urgent, escalates time-sensitive mail to a backup, and logs the rest.
Written by Caleb Geene, Director, Site Reliability Engineering
What is an out-of-office coverage agent?
An out-of-office coverage agent watches a person's mailbox while they're away, sends a polite auto-reply, decides what can't wait, and routes those few items to a backup. It does what a good colleague does covering your desk: most mail can wait, a little can't, and the sender deserves a heads-up either way. The auto-reply follows the conventions in RFC 3834, the standard for automated email responses.
The agent triages and notifies; it never acts on the person's behalf beyond an auto-reply and an escalation. It won't approve, pay, or promise anything. That boundary is what makes coverage safe to run unattended for a week — the worst it can do is send one auto-reply too many, not commit the person to something while they're on a plane.
Why does coverage need delegated mailbox access?
Coverage is a delegated-access job, not an agent-account one. The agent has to read the away person's real inbox and reply from their real address, so it runs against a connected grant for that mailbox, not a fresh inbox of its own. A separate agent inbox can't see the mail that's actually arriving for the person, which is the whole point.
Connect the mailbox once with nylas auth login — the OAuth 2.0 authorization flow defined in RFC 6749 — then point the agent at that grant. Scope the coverage window to the away dates so the agent runs only while the person is out — typically a 7 to 14 day trip — and stops the moment they're back. See the agent-account-vs-delegated-OAuth guide for when each access model fits.
How does the agent triage incoming mail?
The agent reads new mail and a model sorts each message into urgent, routine, or noise. Urgent means time-sensitive and addressed to the person specifically — a customer escalation, a contract deadline. Routine can wait for the return; noise is newsletters and automated mail. Classification takes 1 to 2 seconds per message.
# Read the away person's new mail to triage it
nylas email list --unread --json
Knowing the away window lets the agent avoid over-covering. You set that window when you enable the agent — the start and end dates of the trip — so it runs only while the person is out and hands the inbox straight back on return. The coverage schedule lives in your config and the cron that runs the agent, not the agent's reasoning, so it can't talk itself into covering a day early or late.
How does it auto-reply and escalate?
For routine mail the agent sends one out-of-office reply per sender; for urgent mail it also alerts the backup. The nylas email send command delivers both — the auto-reply from the person's address, and a separate heads-up to the named backup with the sender, subject, and why it looked urgent. The backup decides what to do; the agent just surfaces it.
# Alert the backup about a time-sensitive message
nylas email send \
--to backup@example.com \
--subject "Urgent while Dana is out: contract deadline" \
--body "From legal@bigco.com — signature needed by Friday. Original in Dana's inbox."
How do you keep coverage safe and avoid reply loops?
The classic auto-reply failure is a loop: two auto-responders bouncing the same message forever. RFC 3834 prevents it — never auto-reply to bulk mail, mailing lists, or messages that are themselves auto-submitted, and send at most one reply per sender. Enforce those rules in code, not in the prompt, so a crafted header can't flip them.
Incoming mail is untrusted content, so a message can carry text that tries to steer the model — the prompt-injection risk (OWASP LLM01) that tops the LLM threat list. Treat the classification as data, give the agent no tool beyond auto-reply and escalate, and the worst a malicious sender achieves is one wrongly-escalated email.
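The two rules above, as an added Python example (not Nylas code and not part of the original guide): the RFC 3834 checks run on headers in code, and the model's label is accepted only when it is one of three fixed values. The function names, the fallback to routine for an unexpected label, and the sample messages are assumptions constructed for illustration.

```python
from email import message_from_string
from email.utils import parseaddr

ALLOWED_LABELS = {"urgent", "routine", "noise"}   # the only values accepted from the model
LIST_HEADERS = ("List-Id", "List-Unsubscribe", "List-Post", "List-Help")

# Constructed sample messages (not real mail)
HUMAN = "From: Pat <pat@example.com>\nSubject: Contract\n\nPlease sign by Friday.\n"
ROBOT = "From: ooo@example.net\nAuto-Submitted: auto-replied\nSubject: Re: hi\n\nI am away.\n"
DIGEST = "From: news@example.org\nList-Id: <news.example.org>\nPrecedence: bulk\n\nWeekly digest\n"


def may_auto_reply(msg, already_replied):
    """RFC 3834 gate decided from headers only; the model is never consulted."""
    auto = (msg.get("Auto-Submitted") or "no").split(";")[0].strip().lower()
    if auto != "no":                                  # auto-generated or auto-replied mail
        return False
    if any(msg.get(h) for h in LIST_HEADERS):         # mailing-list traffic
        return False
    if (msg.get("Precedence") or "").strip().lower() in {"bulk", "list", "junk"}:
        return False
    if (msg.get("Return-Path") or "").strip() == "<>":  # null reverse-path (bounces)
        return False
    sender = parseaddr(msg.get("From", ""))[1].lower()
    return bool(sender) and sender not in already_replied  # one reply per sender


def plan_actions(raw, model_label, already_replied):
    """Return the actions for one message; only 'auto_reply' and 'escalate' exist."""
    msg = message_from_string(raw)
    label = model_label.strip().lower()
    if label not in ALLOWED_LABELS:   # assumption: unexpected model output becomes routine
        label = "routine"
    actions = []
    if label != "noise" and may_auto_reply(msg, already_replied):
        actions.append("auto_reply")
        already_replied.add(parseaddr(msg.get("From", ""))[1].lower())
    if label == "urgent":
        actions.append("escalate")
    return actions
```

Persist `already_replied` for the length of the coverage window so the one-reply-per-sender rule survives between cron runs.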
Next steps
- Build an AI Email Auto-Responder — the standalone auto-reply pattern this builds on
- Agent Account vs Delegated OAuth — why coverage uses a delegated grant, not the agent's own inbox
- Build an AI Email Triage Agent — the classify-and-route loop at the heart of coverage
- Stop Your AI Agent From Going Rogue — the containment that keeps coverage to auto-reply and escalate only
- Full command reference — every nylas email and nylas auth subcommand