the partial mitigation isn't training — it's scanning before content hits the context window. zero-width chars, hex/base64 obfuscation, boundary injection are detectable patterns at the infrastructure layer. flag or strip them before the LLM sees the message.

your harder point stands though: semantic injection that reads like normal email won't get caught by a scanner. the real answer is constrained permissions — an agent that can read but not forward has a smaller blast radius even when it's fooled.

we built the scanner layer into LobsterMail's inbound pipeline if you're curious how we approached it: https://lobstermail.ai/blog/agentmail-vs-lobstermail-compari...