California's Consumer Privacy Act requires transparency when AI agents contact consumers. MultiMail's disclosure infrastructure embeds required notices automatically in every outbound email.
CCPA and its 2020 amendment CPRA require businesses to disclose when automated systems make decisions that affect consumers, and to provide opt-out mechanisms for automated decision-making (ADM). When an AI agent sends promotional emails, account notices, or personalized outreach to California residents, that communication falls under ADM disclosure obligations. Most email APIs have no concept of AI authorship — they treat every message identically regardless of whether a human or an agent composed it. That leaves your legal team manually auditing outbound campaigns, inserting disclosures by hand, and hoping nothing slips through. At scale, that process breaks down: agents can send thousands of emails before a compliance review catches a missing disclosure.
MultiMail enforces AI authorship disclosure at the gateway. Every agent-originated message automatically carries the X-AI-Generated: true header, a signed X-MultiMail-Identity claim (ECDSA P-256, covering the operator and mailbox identity, oversight mode, capabilities, and the AI-generated flag), and a human-readable disclosure footer. The ai_disclosure setting is locked on per mailbox and cannot be disabled, so disclosure can never be silently dropped from an AI-sent message. For California-resident outreach you add the CCPA-specific language and your own opt-out link to the message body before sending; MultiMail guarantees the AI-authorship disclosure is always present. The gated_send oversight mode gives your compliance team a review queue for AI-drafted messages before they reach consumers. Every send is recorded in the audit log, and recipients you have opted out are managed via the suppression list — together giving you an auditable trail for CCPA data subject requests and regulatory inquiries.
Query your CRM or data warehouse for contacts with California billing addresses or California-resident flags. For those recipients, compose the message body with the CCPA-compliant disclosure language and your opt-out link required under Cal. Civ. Code § 1798.120. California residency and the choice of disclosure copy stay in your system; MultiMail's role is to guarantee the AI-authorship disclosure is always attached.
You do not toggle disclosure per send — it is gateway-enforced. MultiMail appends the X-AI-Generated: true header and a signed X-MultiMail-Identity claim (base64url payload plus an ECDSA P-256 signature over the operator and mailbox identity, oversight mode, capabilities, and AI-generated flag), verifiable against the public key at /.well-known/multimail-signing-key. A plain-text disclosure notice is also injected into the message footer.
With the gated_send oversight mode enabled, AI-drafted messages enter a human-approval queue before delivery. Your compliance team sees the full message — body, headers, recipient metadata, and disclosure status — in the approval UI. They can approve, edit, or reject. Approval decisions are logged with timestamps and reviewer identity.
Once approved (or immediately if you use monitored mode for lower-risk sends), MultiMail delivers the message with the signed identity header and footer disclosure intact. The opt-out link in your footer points to your own preference page; when a consumer exercises their CCPA opt-out right, your handler adds them to the MultiMail suppression list so they are excluded from future sends.
Every send and oversight decision is recorded in the MultiMail audit log, retrievable via GET /v1/audit-log: the message, the mailbox it was sent from, the oversight mode, and any approval or rejection event. Combined with your own record of which recipients you identified as California consumers and which disclosure copy you sent, this gives you the trail to respond to CCPA data subject requests or to demonstrate compliance to regulators.
Pick your platform, copy the prompt, and paste it to your AI agent — it sets up MultiMail and builds the whole flow. Nothing to fill in.
The X-MultiMail-Identity header is an ECDSA P-256 signed claim carrying structured AI-authorship data, verifiable against the public key at /.well-known/multimail-signing-key. This means downstream systems — mail clients, compliance tools, regulators — can verify disclosure authenticity without relying on body text alone.
You host the CPRA opt-out flow required under Cal. Civ. Code § 1798.120 and record opt-outs in your own list. MultiMail enforces its suppression list at send time — bounced and unsubscribed addresses are rejected — so once an opted-out address is on it, future sends to that recipient are blocked at the gateway.
Every send and oversight decision is recorded in the MultiMail audit log (GET /v1/audit-log): the message, the sending mailbox, the oversight mode, and any approval or rejection. Combined with your own record of California-consumer targeting, this gives you the trail for CCPA data subject access requests.
The gated_send oversight mode gives your legal or compliance team a structured review queue. Reviewers see the full message including embedded disclosures before anything reaches a consumer — catching edge cases that automated checks miss.
The AI-authorship disclosure — the X-AI-Generated header, the signed X-MultiMail-Identity claim, and the footer notice — is gateway-enforced on every agent-sent message, so no individual agent can forget it or turn it off. You manage the CCPA-specific opt-out copy in your message body; MultiMail guarantees the underlying AI-authorship signal is always present.
Email infrastructure built for AI agents. Verifiable identity, graduated oversight, and a hosted MCP server. Formally verified in Lean 4.