circuit breaker pattern for agent email services: keeping your pipeline alive
How the circuit breaker pattern prevents cascading failures when your AI agent sends email. States, thresholds, fallbacks, and real implementation advice.
Your agent sends a password reset email. The email service times out. Your agent retries. Times out again. Retries harder. Now your agent is stuck in a loop, burning through rate limits, backing up its task queue, and ignoring everything else it should be doing.
This is exactly the kind of failure the circuit breaker pattern was designed to prevent. Borrowed from electrical engineering (where a tripped breaker stops current from frying your wiring), the software version does the same thing for service calls. When a downstream dependency starts failing, the circuit breaker cuts it off before the failures cascade through your entire system.
For agents that depend on email (sending verification codes, dispatching notifications, handling outbound workflows), circuit breaker implementation isn't optional. It's the difference between a momentary hiccup and a full pipeline meltdown.
How the circuit breaker pattern works for agent email services#
The pattern operates through three states:
- Closed (normal operation): Your agent sends emails as usual. The circuit breaker counts failures silently. Everything works.
- Open (service cut off): Failures cross a threshold. The breaker trips. All email requests are immediately rejected without contacting the email service, and your agent falls back to an alternative behavior.
- Half-open (testing recovery): After a cooldown period, the breaker allows one test request through. If it succeeds, the breaker resets to Closed. If it fails, the breaker returns to Open and the timer restarts.
This three-state cycle means your agent never hammers a dead service. It fails fast, preserves resources, and automatically recovers when the email provider comes back online.
Why agents need this more than traditional services#
A human-operated application can show an error message. "Email failed, try again later." The user grumbles, waits, clicks retry. Problem contained.
An autonomous agent doesn't grumble. It retries. And retries. And retries. Without a circuit breaker, an agent encountering email delivery failures will typically:
- Exhaust its retry budget in seconds
- Queue hundreds of duplicate send attempts
- Consume API rate limits that affect other agents sharing the same account
- Block its own execution loop waiting for timeouts to resolve
- Miss time-sensitive tasks because it's stuck on a failed email call
I've seen agents burn through an entire day's send quota in under a minute because a provider had a 30-second outage. The provider recovered. The agent's reputation didn't.
The circuit breaker pattern solves this by making failure a discrete, handled state rather than something the agent fights against.
Setting failure thresholds for email services#
Generic circuit breaker tutorials tell you to trip after "5 failures in 60 seconds." That's fine for HTTP APIs. Email services are different.
Email failures come in two flavors. Transient failures (timeouts, 429 rate limits, 503 service unavailable) are candidates for circuit breaker protection. Permanent failures (550 rejections, invalid addresses, authentication errors) are not. A 550 will never succeed on retry, so counting it toward your circuit breaker threshold creates false trips.
Here's what I'd recommend for an agent email pipeline:
- Count only transient failures (timeouts, 5xx responses, connection errors)
- Threshold: 3 consecutive transient failures, or 5 within a 30-second window
- Open duration: 30 seconds for initial trip, doubling on each consecutive trip (30s, 60s, 120s), capped at 5 minutes
- Half-open probe: Send a single low-priority test email, not a queued production message
The doubling backoff matters. If a provider is having a real outage (not just a blip), you don't want your circuit breaker testing recovery every 30 seconds for an hour. Let the intervals grow.
For agents using LobsterMail, the SDK already handles basic retry logic with exponential backoff on transient errors. A circuit breaker sits one layer above that. If the SDK's own retries are exhausted and the call still fails, that's when your circuit breaker should count a failure.
Fallback strategies when the circuit is open#
The breaker tripped. Your agent can't send email right now. What should it do?
This depends on what the email is for:
Time-sensitive transactional emails (OTP codes, verification links, password resets): Queue to a dead-letter queue with a TTL. If the circuit closes within the TTL, send immediately. If not, log the failure and notify the orchestrating agent or a monitoring channel. Don't silently drop these.
Non-urgent notifications (welcome emails, status updates, summaries): Queue locally and retry when the circuit closes. These can wait minutes or even hours without consequence.
Outbound sequences (drip campaigns, follow-ups): Pause the sequence entirely. Sending half a sequence is worse than delaying the whole thing.
The key insight: your agent should know which category each email falls into before it tries to send. Tag your emails with a priority level at composition time, and let the fallback logic route accordingly.
If you're running webhooks to receive inbound email while your outbound circuit is open, inbound delivery is unaffected. The circuit breaker only gates outbound calls. We covered the tradeoffs of different inbound approaches in webhooks vs polling: how your agent should receive emails.
Circuit breaker vs. retry: they're not the same thing#
A common confusion. Retries and circuit breakers solve different problems.
Retries handle individual request failures. "This one call failed, try it again." Good for transient blips. Retries are optimistic: they assume the next attempt will probably work.
Circuit breakers handle systemic failures. "This service is down, stop trying." Good for outages. Circuit breakers are pessimistic: they assume the next attempt will probably fail too, so don't waste the resources.
You need both. Retries handle the 0.1% of requests that fail randomly. The circuit breaker catches the scenario where retries themselves are failing repeatedly, and stops the bleeding.
In practice, the stack looks like this: your agent calls the email SDK, the SDK retries transient failures 2-3 times with backoff, and if it still fails, your circuit breaker implementation records the failure. Three of those recorded failures trip the breaker.
Multi-agent coordination#
What happens when five agents share the same email service, and they each have their own circuit breaker? Agent A's breaker trips. Agents B through E keep hammering the failing service until their breakers trip too. That's four agents' worth of unnecessary failed requests.
The better approach: share circuit breaker state across agents. This doesn't require anything fancy. A shared Redis key, a small SQLite table, or even a file on disk works fine. When one agent detects the service is down, all agents stop calling it immediately.
The tradeoff is coordination overhead. If your agents run on separate machines, sharing state adds a network dependency. For self-hosted setups, a local shared store (SQLite or an in-memory cache) keeps it simple. For distributed deployments, Redis is the standard choice.
Watch out for the thundering herd problem on recovery. When the circuit closes, don't let all five agents send their queued emails simultaneously. Stagger the drain: each agent should add a small random delay before flushing its queue.
Monitoring circuit breaker state#
A circuit breaker that trips silently is worse than no circuit breaker at all. You need to know when it trips, how often, and how long it stays open.
Track these metrics:
- Trip count per hour/day. A breaker that trips once a week is protecting you from rare outages. A breaker tripping five times a day means your email provider has a reliability problem.
- Time spent in open state. This is your email downtime. If you're in open state for 15 minutes a day, that's 15 minutes of queued or dropped emails.
- Half-open success rate. If your probe requests are failing frequently during half-open, your cooldown period is too short. Increase it.
- Queue depth during open state. If your dead-letter queue or local queue grows faster than you can drain it on recovery, you have a capacity problem.
Log every state transition (Closed → Open, Open → Half-Open, Half-Open → Closed or Open) with a timestamp, the failure count that triggered it, and the last error message. When something goes wrong at 3 AM, these logs are what you'll actually read.
A practical implementation sketch#
If you're building this in Node.js with LobsterMail's SDK, the structure looks roughly like this:
import { LobsterMail } from '@lobsterkit/lobstermail';
const breaker = {
state: 'closed' as 'closed' | 'open' | 'half-open',
failures: 0,
threshold: 3,
cooldown: 30_000,
lastFailure: 0,
};
async function sendWithBreaker(inbox: any, to: string, subject: string, body: string) {
if (breaker.state === 'open') {
if (Date.now() - breaker.lastFailure > breaker.cooldown) {
breaker.state = 'half-open';
} else {
throw new Error('Circuit open: email service unavailable');
}
}
try {
const result = await inbox.send({ to, subject, body });
breaker.state = 'closed';
breaker.failures = 0;
return result;
} catch (err: any) {
if (isTransient(err)) {
breaker.failures++;
breaker.lastFailure = Date.now();
if (breaker.failures >= breaker.threshold) {
breaker.state = 'open';
console.log(`Circuit breaker tripped at ${new Date().toISOString()}`);
}
}
throw err;
}
}
function isTransient(err: any): boolean {
const code = err?.statusCode || err?.code;
return code === 429 || code === 503 || code === 'ETIMEDOUT' || code === 'ECONNREFUSED';
}
This is intentionally minimal. Production implementations should add the doubling backoff, shared state, queue management, and monitoring hooks. Libraries like opossum (Node.js) or pybreaker (Python) give you all of that out of the box.
Where to start#
If your agent sends fewer than 50 emails a day, you probably don't need a circuit breaker yet. A simple retry with exponential backoff covers most failure scenarios at that scale.
Once you're past that, or if your agent handles time-sensitive transactional email, add a breaker. Start with the basic three-state implementation, set conservative thresholds (3 failures, 30-second cooldown), and tune from there based on your monitoring data.
The goal isn't zero email failures. That's impossible. The goal is making sure a failing email service doesn't take down everything else your agent is doing.
Frequently asked questions
What is the circuit breaker pattern and why does it matter for email delivery agents?
The circuit breaker pattern stops your agent from repeatedly calling a failing email service. It detects sustained failures, cuts off requests, and automatically resumes when the service recovers. Without it, agents can burn through rate limits and stall their entire task queue during a provider outage.
What are the three states of a circuit breaker and how do they apply to an email service?
Closed (normal sending), Open (all sends blocked, agent uses fallback), and Half-Open (one test email is sent to check recovery). The breaker transitions between these states based on failure counts and cooldown timers.
How do I set the right failure threshold for a circuit breaker protecting an email service?
Count only transient failures (timeouts, 5xx errors, connection refused). Ignore permanent rejections like 550 bounces. A threshold of 3 consecutive transient failures or 5 within 30 seconds works well for most agent email pipelines. Tune based on your provider's typical error rate.
What fallback should an AI agent use when the email circuit breaker is open?
Queue time-sensitive emails (OTPs, verification codes) to a dead-letter queue with a TTL. Buffer non-urgent emails locally for retry when the circuit closes. Pause outbound sequences entirely rather than sending partial drip campaigns.
How does the circuit breaker pattern differ from simply retrying failed email sends?
Retries are optimistic: they assume the next attempt will work. Circuit breakers are pessimistic: they recognize the service is down and stop wasting resources. Use retries for individual transient failures and circuit breakers for sustained outages. You need both working together.
Can multiple AI agents share a single circuit breaker instance for the same email provider?
Yes, and they should. Shared state (via Redis, SQLite, or a shared file) lets all agents stop calling a failing service as soon as one agent detects the problem. Without shared state, each agent independently hammers the dead service until its own breaker trips.
How do I prevent email queues from overflowing when a circuit breaker is in the open state?
Set a maximum queue depth and a TTL on queued messages. When the queue is full, drop the lowest-priority emails and log the discard. On recovery, stagger the queue drain across agents to avoid a thundering herd hitting the email provider all at once.
What observability metrics should I track to detect circuit breaker trips in an email pipeline?
Track trip count per day, time spent in open state, half-open probe success rate, and queue depth during outages. Log every state transition with a timestamp and the error that triggered it. These metrics reveal whether your thresholds need tuning.
How does half-open state work when testing email service recovery after an outage?
After the cooldown timer expires, the breaker sends a single test email. If it succeeds, the breaker resets to Closed and normal sending resumes. If it fails, the breaker returns to Open and the cooldown period doubles to avoid pestering a still-recovering service.
Should I use a circuit breaker per email provider or a single global breaker across all providers?
One breaker per provider. If you use multiple email services, a global breaker would cut off healthy providers when only one is failing. Per-provider breakers let your agent route around the specific service that's down.
How do I handle time-sensitive transactional emails when the circuit is open?
Queue them to a dead-letter queue with a short TTL (e.g., 5 minutes for OTP codes). If the circuit closes within the TTL, send immediately. If not, log the failure and alert your monitoring system. Don't silently drop transactional emails.
What tools or libraries support circuit breaker patterns in Node.js and Python?
How does the circuit breaker pattern interact with email rate limiting and ISP throttling?
Rate limiting (429 responses) should count as transient failures toward your circuit breaker threshold. ISP throttling is different: it usually manifests as deferred delivery (4xx), not rejected delivery. Your breaker should distinguish between "the service is down" and "the service is slowing you down."
What is a dead-letter queue and how does it complement the circuit breaker pattern?
A dead-letter queue stores emails that couldn't be sent while the circuit was open. When the circuit closes, the queue drains automatically. It ensures no emails are silently lost during outages while preventing your agent from retrying in real-time against a broken service.
Does LobsterMail have built-in circuit breaker support?
The LobsterMail SDK handles retry logic with exponential backoff for transient errors automatically. For circuit breaker behavior on top of that, you'd implement it in your agent's orchestration layer using a library like opossum or a simple custom implementation like the one shown in this article.
