Guide

Build a Referral-Program Email Agent

An AI agent on a dedicated inbox sends referral invites, tracks who converts, flags self-referral fraud, and routes reward approvals to a human reviewer.

Written by Pouya Sanooei, Software Engineer

Verified: CLI 3.1.20 · Nylas managed · last tested June 14, 2026

What is a referral-program agent?

A referral-program agent is a self-running referrals desk that automates four bookkeeping steps: it sends invites, attributes each new signup to the referrer who sent it, screens for fraud, and routes reward payouts to a human for approval. It runs the two-sided bookkeeping — who referred whom, who actually converted, who's gaming the system — that makes referral programs tedious to run by hand.

Referral flow: send the invite, track the signup by referral code, run a self-referral fraud check, then route the reward approval to a human. [Figure: Invite (email send) → Track signup (by code) → Fraud check (self-referral) → Approve reward (human)]

The agent attributes and flags; it never moves money. The reward payout happens in your billing or rewards system after a human approves it. Keeping payouts outside the agent's tool set means a crafted reply can't trick it into issuing a reward — that action simply does not exist for the agent.

Why run a referral program on an agent account?

Referral mail should land in its own inbox so invites, acceptances, and questions stay in one place. On an agent account, referrals@yourapp.nylas.email is the agent's own address, every thread carries a clean audit trail, and outbound rules cap how many invites go out per hour to keep the program off spam lists. The free tier covers up to 5 such inboxes.

Isolation also limits abuse. The inbox holds nothing but invites and acceptances, so a malicious reply can't pivot to other mail, and the agent's reach ends at the referral program. A shared marketing mailbox would give an autonomous sender far more reach than a referral program needs.

How does the agent send and track invites?

Each invite carries a referral code so the signup it produces can be attributed back. The nylas email send --metadata flag tags the message with a key-value pair like the referrer's code, which your webhook reads when the invite converts. One tagged send links a referrer to every signup that follows from it.

# Send a referral invite tagged with the referrer's code
nylas email send \
  --to friend@example.com \
  --subject "Dana invited you to try Acme" \
  --body "Use this link to get 20% off your first month." \
  --metadata referral_code=DANA-7Q2

Store the code-to-referrer mapping in your own system, not the agent's memory. When a tagged invite leads to a paid signup, your billing webhook records the conversion against that code, and the agent moves the referral to the fraud-check step.

How does it catch self-referral fraud?

The most common abuse is self-referral: one person referring themselves with a second email to farm rewards. The agent flags a conversion when the referrer and referee share a signal — same payment method, same device fingerprint, or a referee address that's a plus-alias of the referrer. Flagged referrals go to a human, never to automatic payout.

Keep the fraud rules in code and the decision with a person. The agent surfaces “these two accounts look like the same buyer” and the reviewer decides — about 1 in 10 conversions in a public referral program is worth a second look. Treat every reply as untrusted content too — the prompt-injection risk (OWASP LLM01) means an agent that could approve its own fraud calls would be the exact hole an abuser probes.

How do you approve and pay rewards safely?

Clean conversions still route to a human for the reward approval; the agent only assembles the case. It hands the reviewer the referrer, the referee, the conversion record, and its fraud verdict, and the reviewer approves the payout in your rewards system. The agent has no payout tool, so it cannot be prompted into one.
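The three bookkeeping steps above (attributing a tagged conversion to its referrer, running the self-referral rules, and assembling a case for the reviewer) fit in one small module. The following is an added example written for this guide, not Nylas code: the conversion-event shape (`metadata.referral_code`, `customer.email`, `customer.payment_fingerprint`, `customer.device_fingerprint`, `conversion_id`) and the sample accounts are constructed for the example, not a Nylas or billing-system schema. Note what is absent: the class has no payout method at all, which is the property the guide relies on.

```python
"""Added example: referral bookkeeping with the decision left to a human.

Assumed webhook payload shape (not a real Nylas/billing schema):
  {"conversion_id": "...", "metadata": {"referral_code": "..."},
   "customer": {"email": "...", "payment_fingerprint": "...", "device_fingerprint": "..."}}
"""
from dataclasses import dataclass, field
from typing import Optional
import re

# Matches local+tag@domain so the +tag can be stripped.
PLUS_ALIAS = re.compile(r"^([^+@]+)\+[^@]*@(.+)$")


def canonical_address(addr: str) -> str:
    """Lower-case and drop a +tag: dana+x@example.com -> dana@example.com."""
    addr = addr.strip().lower()
    m = PLUS_ALIAS.match(addr)
    return f"{m.group(1)}@{m.group(2)}" if m else addr


@dataclass
class Account:
    email: str
    payment_fingerprint: Optional[str] = None  # constructed: an opaque hash of the payment instrument
    device_fingerprint: Optional[str] = None


@dataclass
class ReviewCase:
    referral_code: str
    referrer: Account
    referee: Account
    conversion_id: str
    verdict: str                     # "clean" or "flagged"
    reasons: list = field(default_factory=list)
    status: str = "awaiting_human_review"  # payout state lives in the rewards system, not here


class ReferralDesk:
    """Holds the code-to-referrer map and the review queue. No payout tool exists on this object."""

    def __init__(self) -> None:
        self._codes: dict = {}   # referral_code -> referrer Account (kept in your system, not agent memory)
        self._cases: list = []

    def register_code(self, code: str, referrer: Account) -> None:
        self._codes[code] = referrer

    @staticmethod
    def self_referral_signals(referrer: Account, referee: Account) -> list:
        """Fraud rules in code: return every shared signal between the two accounts."""
        reasons = []
        if canonical_address(referrer.email) == canonical_address(referee.email):
            reasons.append("referee address is the referrer or a plus-alias of it")
        if referrer.payment_fingerprint and referrer.payment_fingerprint == referee.payment_fingerprint:
            reasons.append("same payment method")
        if referrer.device_fingerprint and referrer.device_fingerprint == referee.device_fingerprint:
            reasons.append("same device fingerprint")
        return reasons

    def handle_conversion(self, event: dict) -> Optional[ReviewCase]:
        """Attribute a paid signup to its referrer, screen it, and queue a case for a human."""
        code = event.get("metadata", {}).get("referral_code")
        referrer = self._codes.get(code)
        if referrer is None:
            return None  # untagged invite or unknown code: nothing to attribute
        cust = event["customer"]
        referee = Account(cust["email"], cust.get("payment_fingerprint"), cust.get("device_fingerprint"))
        reasons = self.self_referral_signals(referrer, referee)
        case = ReviewCase(code, referrer, referee, event["conversion_id"],
                          "flagged" if reasons else "clean", reasons)
        self._cases.append(case)  # both clean and flagged cases wait for the reviewer
        return case

    def review_queue(self) -> list:
        return list(self._cases)


def run_demo() -> list:
    """Constructed sample: one referrer, three conversion events, one unknown code."""
    desk = ReferralDesk()
    dana = Account("dana@example.com", payment_fingerprint="pm_aaa", device_fingerprint="dev_1")
    desk.register_code("DANA-7Q2", dana)
    events = [
        {"conversion_id": "c1", "metadata": {"referral_code": "DANA-7Q2"},
         "customer": {"email": "friend@example.com", "payment_fingerprint": "pm_bbb", "device_fingerprint": "dev_2"}},
        {"conversion_id": "c2", "metadata": {"referral_code": "DANA-7Q2"},
         "customer": {"email": "Dana+bonus@Example.com", "payment_fingerprint": "pm_ccc", "device_fingerprint": "dev_3"}},
        {"conversion_id": "c3", "metadata": {"referral_code": "DANA-7Q2"},
         "customer": {"email": "other@example.com", "payment_fingerprint": "pm_aaa", "device_fingerprint": "dev_4"}},
        {"conversion_id": "c4", "metadata": {"referral_code": "NOPE-000"},
         "customer": {"email": "stranger@example.com"}},
    ]
    return [desk.handle_conversion(e) for e in events]


if __name__ == "__main__":
    for case in run_demo():
        if case:
            print(case.conversion_id, case.verdict, case.reasons, case.status)
```

Every case, clean or flagged, ends in `awaiting_human_review`; the reviewer reads the referrer, referee, conversion record and verdict and approves the reward in the rewards system, where the money actually moves.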

Referral invites are commercial email, so they fall under anti-spam law. The CAN-SPAM Rule (16 CFR Part 316) requires honoring an opt-out within 10 business days, and the GDPR (Article 6) requires a lawful basis for emailing a referred person. Suppress anyone who opts out before the next invite goes out.

Next steps