Why we only request gmail.send (and why it costs us)
The smallest Gmail OAuth scope means we can't read your inbox, which means a few features are harder to build. We think the tradeoff is worth it. Here's the math.
Most email tools you've used asked for permission to read every message you own. Maildriply does not. We ask for gmail.send and that's it.
This post explains why, what we give up, and what we believe the trade is worth.
What gmail.send lets us do
It lets us send messages on your behalf. Gmail automatically files those messages in your Sent folder. That's the entire feature surface.
It does not let us:
- List your inbox
- Read any existing message
- See message metadata (subject, recipients, dates)
- Watch your mail flow
We could not read your mail tomorrow if we wanted to. The Google OAuth grant you sign is the contract.
Why the smallest scope is the right scope
When users complain about "creepy" tracking tools, the complaint isn't usually about the tracking itself — it's about the capability gradient. The product needed to send a tracked email. The product asked for the keys to your inbox. That's the part that feels wrong.
We don't want that gradient in our product. So we declined to build features that require read access.
What we give up
A few features become harder or impossible:
- Reply detection inside threads. Other tools poll your inbox to notice replies. We can't. When we ship sequences, we'll use Gmail's Push notifications API with a topic filter scoped to messages we sent — not a read scope.
- Conversation context. We can't show you the prior thread when you're composing a reply, because we can't read the prior thread. This is a real UX cost.
- Auto-import contacts from your inbox. Some tools build a contact graph from past correspondence. We rely on you to paste or upload recipient lists.
These costs are real. We pay them on purpose.
What we gain
- Faster Google verification. Restricted scopes (the ones that read user data) require a manual security review, sometimes weeks long, and ongoing annual audits. gmail.send is a sensitive scope, but the verification path is shorter.
- A clean answer when prospects ask. "We can't read your inbox" is not marketing copy. It's a property of the grant.
- A simpler threat model. A leaked Maildriply database does not leak anyone's email history.
The general principle
Ask for the least power that makes the product work. If you need more power later, ask then. Every additional capability you carry is something the next breach is going to leak.
Visit myaccount.google.com/permissions, find Maildriply, and check what we asked for. The list should be short. If it isn't, we owe you an apology — please email us.
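If the grant is the contract, a service can also refuse any token that carries more than the contract allows. The sketch below is an added example, not Maildriply's code: the function name `audit_grant`, the tolerated identity scopes and the sample token responses are assumptions constructed for illustration, and the restricted list should be checked against Google's current scope documentation.

```python
# Added example: enforce a send-only Gmail grant when the OAuth token comes back.
PREFIX = "https://www.googleapis.com/auth/"
GMAIL_SEND = PREFIX + "gmail.send"

# Gmail scopes Google classifies as restricted (mailbox read/modify access).
RESTRICTED_GMAIL = {"https://mail.google.com/"} | {
    PREFIX + name for name in (
        "gmail.readonly", "gmail.modify", "gmail.compose", "gmail.insert",
        "gmail.metadata", "gmail.settings.basic", "gmail.settings.sharing",
    )
}

# Assumption: sign-in scopes are acceptable alongside send.
IDENTITY = {"openid", "email", "profile",
            PREFIX + "userinfo.email", PREFIX + "userinfo.profile"}


def audit_grant(token_response: dict) -> dict:
    """Classify the space-delimited 'scope' field of an OAuth 2.0 token response."""
    granted = set(token_response.get("scope", "").split())
    restricted = sorted(granted & RESTRICTED_GMAIL)
    unexpected = sorted(granted - RESTRICTED_GMAIL - IDENTITY - {GMAIL_SEND})
    can_send = GMAIL_SEND in granted  # the user may have declined this scope
    return {
        "can_send": can_send,
        "restricted": restricted,
        "unexpected": unexpected,
        # Accept only send (plus identity); anything broader is rejected,
        # so an over-scoped token is never stored.
        "accept": can_send and not restricted and not unexpected,
    }


# Constructed token responses (not real tokens).
SEND_ONLY = {"access_token": "constructed-token",
             "scope": f"openid {PREFIX}userinfo.email {GMAIL_SEND}"}
OVERBROAD = {"access_token": "constructed-token",
             "scope": f"{GMAIL_SEND} {PREFIX}gmail.readonly"}
NO_SEND = {"access_token": "constructed-token", "scope": "openid email"}

if __name__ == "__main__":
    for name, resp in (("send-only", SEND_ONLY), ("overbroad", OVERBROAD),
                       ("no-send", NO_SEND)):
        print(name, audit_grant(resp))
```

Rejecting the over-broad grant before the refresh token is written to storage is what keeps the "leaked database" property true in practice.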