Connecting AI assistants to your data (MCP)

trustyourinbox publishes an MCP server, so you can connect an AI assistant like Claude or Cursor straight to your workspace and ask questions in plain language. Create a read-only token, paste it into your client, and ask things like 'how much spoof mail did my domain get last week'. Here's the setup, what it can do, and how the access stays safe.

What is MCP, and what does this give me?

MCP (the Model Context Protocol) is an open standard that lets an AI assistant talk to an outside service in a structured way. trustyourinbox runs an MCP server, so any MCP-capable client can read your DMARC data and answer questions about it without you exporting anything or writing a query.

Once connected, you can ask in plain language and get an answer built from your real reports. For example:

  • "How much spoof mail did acme.com get last week?"
  • "Which of my domains are failing compliance right now?"
  • "What should I fix next?"
  • "Show me the top sending sources for acme.com over the last 30 days."
  • "List my domains."

The answers come back as clean tables and summaries, computed by the same logic that powers your dashboard. So the numbers your assistant shows you always match what you see in the product.

Step 1: Create a token

Access is authenticated with a personal access token that you create in the app. In the dashboard, go to Settings, then Integrations, then MCP, give the token a name you'll recognize (for example "Claude on my laptop"), and click Create token.

You'll see the token once. It looks like tyi_mcp_.... Copy it now and store it like a password. If you lose it, just revoke it on that same page and create a new one. You can keep several tokens (one per client or device) and revoke any of them at any time.

The server URL you'll need is https://mcp.trustyourinbox.com.

Step 2: Add the server to your client

Every MCP client needs the same two things: the server URL above, and your token sent as a Bearer credential. The menus differ from client to client, and they change often, but the two ingredients don't. Here are the common ones.

Cursor

Cursor reads MCP servers from a JSON file (a project-level .cursor/mcp.json, or your global ~/.cursor/mcp.json). Add an entry with the URL and an Authorization header:

{
  "mcpServers": {
    "trustyourinbox": {
      "url": "https://mcp.trustyourinbox.com",
      "headers": {
        "Authorization": "Bearer tyi_mcp_your_token_here"
      }
    }
  }
}

Save the file, then open Cursor's MCP settings and confirm the trustyourinbox server shows its tools as connected. Ask it "list my domains" to check it works.

Claude (desktop app)

The Claude desktop app reads MCP servers from its claude_desktop_config.json (Settings, then Developer, then Edit Config). Because the desktop app launches servers as local commands, the simplest way to connect a remote server with a token is the small open-source bridge mcp-remote, which forwards to our URL and attaches your token:

{
  "mcpServers": {
    "trustyourinbox": {
      "command": "npx",
      "args": [
        "-y",
        "mcp-remote",
        "https://mcp.trustyourinbox.com",
        "--header",
        "Authorization: Bearer tyi_mcp_your_token_here"
      ]
    }
  }
}

Save the file and restart Claude. You'll see the trustyourinbox tools appear in the tools menu. (npx comes with Node.js; if you don't have Node installed, install it first.)

Any other client

Any client that supports a remote (Streamable HTTP) MCP server with a custom header works the same way: set the URL to https://mcp.trustyourinbox.com and add the header Authorization: Bearer tyi_mcp_your_token_here. For a client that only speaks the local (stdio) transport, use the same mcp-remote bridge shown above. To sanity-check a connection outside any client, the official MCP Inspector can point at the URL with the same bearer header.

What it can and can't do

The connection is read-only. The assistant can look at your data and summarize it. It cannot change your DNS, your settings, your plan, or anything else. There is no tool that writes.

It's also scoped to one workspace: the workspace the token was created in. A token can never see another customer's data, and a domain name that isn't in your workspace simply comes back as "not found". The assistant runs as the person who created the token, so if that person's access is removed, the token stops working.

The tools available today answer questions about:

  • your domains and their status,
  • spoofing blocked for a domain over a time range,
  • overall workspace health and alignment,
  • compliance status against the Google, Microsoft, BIMI, and TLS mandates,
  • your open action items,
  • who is sending as a domain (known senders vs unknown sources),
  • your most recent reports,
  • and a workspace-wide threat overview.

Keeping the token safe

Treat the token like a password. We store only a one-way hash of it, so nobody (including us) can read it back. That's also why you only see it once at creation. If a laptop is lost or a token is shared by mistake, open Settings, then Integrations, then MCP, and click Revoke next to it. It stops working immediately, and any client still using it gets locked out on the next request.

Anyone with workspace data access can create their own tokens. Each token is tied to its creator, and every create and revoke is recorded in your audit log.
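A sketch of the token lifecycle described above (shown once, stored as a one-way hash, revocable, tied to its creator and workspace). This is an added example, not trustyourinbox's implementation: the SHA-256 choice, the in-memory store, and every name except the tyi_mcp_ prefix are assumptions.

```python
import hashlib
import secrets

PREFIX = "tyi_mcp_"  # prefix shown on the page; everything else here is assumed


class TokenStore:
    """Keeps SHA-256 digests only, so reading the store never yields a usable token."""

    def __init__(self):
        self._rows = {}       # digest -> name, creator, workspace, revoked
        self.members = set()  # (creator, workspace) pairs that still have access
        self.audit = []       # create and revoke events

    @staticmethod
    def _digest(token):
        # A fast hash is enough here because the token is 256 random bits,
        # not a human-chosen password that could be guessed offline.
        return hashlib.sha256(token.encode()).hexdigest()

    def create(self, name, creator, workspace):
        token = PREFIX + secrets.token_urlsafe(32)
        self._rows[self._digest(token)] = {
            "name": name, "creator": creator,
            "workspace": workspace, "revoked": False,
        }
        self.audit.append(("create", creator, name))
        return token  # the plaintext is returned once and never stored

    def revoke(self, name, creator):
        for row in self._rows.values():
            if row["name"] == name and row["creator"] == creator and not row["revoked"]:
                row["revoked"] = True
                self.audit.append(("revoke", creator, name))
                return True
        return False

    def authenticate(self, authorization_header):
        """Return the workspace the request is scoped to, or None to reject it."""
        scheme, _, token = authorization_header.partition(" ")
        if scheme != "Bearer" or not token.startswith(PREFIX):
            return None
        row = self._rows.get(self._digest(token))
        if row is None or row["revoked"]:
            return None
        if (row["creator"], row["workspace"]) not in self.members:
            return None  # creator lost access, so the token stops working
        return row["workspace"]
```

Because every request is checked against the stored row, a revoke or a membership removal takes effect on the very next call.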

Troubleshooting

The client says "unauthorized" or the connection is refused. The token is wrong, mistyped, or was revoked. Make sure the header is exactly Authorization: Bearer tyi_mcp_... with a single space, and that you copied the whole token. If in doubt, create a fresh one.

It can't find my domain. Use the exact domain name as it appears under "list my domains". A domain that isn't monitored in this workspace (or that belongs to a different workspace) returns "not found" by design.

The tools don't show up at all. Double-check the URL is https://mcp.trustyourinbox.com, restart the client after editing its config, and confirm the JSON is valid (a stray comma is the usual culprit).
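The checks above can be automated. The following added example (not part of trustyourinbox's tooling) lints either config shape shown in Step 2 for invalid JSON, a wrong URL, a malformed or placeholder Authorization header, and, since the file holds the token in plaintext, group- or world-readable permissions. The token character set and POSIX file modes are assumptions.

```python
import json
import os
import re
import stat

SERVER_URL = "https://mcp.trustyourinbox.com"
# Assumption: the token body is URL-safe characters; the page shows only the prefix.
AUTH_RE = re.compile(r"^Bearer tyi_mcp_[A-Za-z0-9_-]+$")

def lint_config(text, mode=0o600):
    """Return a list of findings for one client config; never echoes the token."""
    try:
        cfg = json.loads(text)
    except json.JSONDecodeError as e:
        return [f"invalid JSON at line {e.lineno}: {e.msg}"]
    servers = cfg.get("mcpServers") if isinstance(cfg, dict) else None
    entry = servers.get("trustyourinbox") if isinstance(servers, dict) else None
    if not isinstance(entry, dict):
        return ["no mcpServers.trustyourinbox entry"]
    if "url" in entry:  # Cursor shape: url + headers object
        url, auth = entry["url"], entry.get("headers", {}).get("Authorization", "")
    else:  # Claude desktop shape: npx mcp-remote <url> --header "<name>: <value>"
        args = [a for a in entry.get("args", []) if isinstance(a, str)]
        url = next((a for a in args if a.startswith("http")), "")
        raw = args[args.index("--header") + 1] if "--header" in args[:-1] else ""
        name, _, auth = raw.partition(": ")
        auth = auth if name == "Authorization" else ""
    findings = []
    if url != SERVER_URL:
        findings.append(f"server URL should be {SERVER_URL}")
    if "your_token_here" in auth:
        findings.append("placeholder token was never replaced")
    elif not AUTH_RE.match(auth):
        findings.append("header must be 'Authorization: Bearer tyi_mcp_...' with one space")
    if mode & (stat.S_IRGRP | stat.S_IROTH):
        findings.append("file is readable by group/other and holds the token in plaintext")
    return findings

def lint_file(path):
    """Lint a config on disk, e.g. ~/.cursor/mcp.json, including its permissions."""
    with open(os.path.expanduser(path), encoding="utf-8") as f:
        return lint_config(f.read(), stat.S_IMODE(os.stat(f.fileno()).st_mode))

# Constructed sample (not a real token): Cursor shape with a double space after Bearer.
SAMPLE = '''{"mcpServers": {"trustyourinbox": {
  "url": "https://mcp.trustyourinbox.com",
  "headers": {"Authorization": "Bearer  tyi_mcp_CONSTRUCTED123"}}}}'''

print(lint_config(SAMPLE, mode=0o644))
```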

Still stuck? Open the help bubble in the dashboard and send us a note. We read every one.
