EU AI Act Article 50 Compliance for AI-Generated Email

Automatically attach cryptographically signed provenance certificates to every AI-generated email. Machine-readable disclosure, verifiable by anyone, backed by formal proofs.

The problem

Why this matters

EU AI Act Article 50 becomes enforceable on August 2, 2026, requiring providers of AI systems that generate text to mark that content in a machine-readable format. Penalties reach up to €15M or 3% of global annual turnover. For AI agents that send email, no email-specific RFC exists yet, and only 8 of 27 EU member states have published enforcement contacts. Most teams have no mechanism to mark outbound AI-generated email as such — let alone in a format that is cryptographically verifiable and tamper-evident. Waiting for a standard to emerge means scrambling to retrofit compliance after enforcement begins.

The solution

How MultiMail solves this

MultiMail attaches an X-MultiMail-Identity header to every AI-generated email — an ECDSA P-256 signed provenance certificate that satisfies the EU Code of Practice recommendation for digitally signed manifests. The header contains a machine-readable payload including the ai_generated boolean, operator identity, oversight mode, and agent capabilities. Recipients verify signatures against the public key published at /.well-known/multimail-signing-key. Tamper evidence is formally proven in Lean 4. Early adoption gives your organization a compliance advantage while enforcement infrastructure is still forming.

1

Enable AI Disclosure on Your Mailbox

Configure the ai_disclosure setting on your mailbox. This tells MultiMail to attach a signed provenance certificate to every outbound message from this mailbox.

2

Send Email via API or MCP

Your AI agent sends email through the MultiMail API or MCP tools as usual. No changes to your sending code are required — disclosure headers are attached automatically.

3

Provenance Certificate Attached

MultiMail signs the identity payload (ai_generated, operator, oversight mode, capabilities) with ECDSA P-256 and attaches it as the X-MultiMail-Identity header. The signature covers the payload to prevent modification in transit.

4

Recipient Verification

Any recipient or regulator can verify the provenance certificate by fetching the public key from /.well-known/multimail-signing-key and checking the signature. A verification page at multimail.dev/verify provides a human-friendly interface.

5

Audit Trail for Regulators

MultiMail's audit log records every disclosure header attached, creating evidence of systematic Article 50 compliance that you can present during regulatory examinations.

Code examples

Implementation

Configure AI Disclosure on a Mailbox
python
import requests

API = "https://api.multimail.dev/v1"
HEADERS = {"Authorization": "Bearer mm_live_xxx"}

"cm"># Enable AI disclosure for a mailbox
response = requests.patch(
    f"{API}/mailboxes/mb_abc123",
    headers=HEADERS,
    json={
        "ai_disclosure": {
            "enabled": True,
            "operator": "YourCompany GmbH",
            "capabilities": ["compose", "reply", "summarize"]
        }
    }
)

print(response.json())
"cm"># {
"cm">#   "id": "mb_abc123",
"cm">#   "ai_disclosure": {
"cm">#     "enabled": true,
"cm">#     "operator": "YourCompany GmbH",
"cm">#     "capabilities": ["compose", "reply", "summarize"]
"cm">#   }
"cm"># }

Enable Article 50 disclosure headers for a mailbox. Once enabled, all outbound emails include the signed provenance certificate.

Send an AI-Generated Email with Disclosure
python
import requests

API = "https://api.multimail.dev/v1"
HEADERS = {"Authorization": "Bearer mm_live_xxx"}

response = requests.post(
    f"{API}/send",
    headers=HEADERS,
    json={
        "from": "[email protected]",
        "to": "[email protected]",
        "subject": "Q3 Report Summary",
        "text_body": "Please find the Q3 summary attached..."
    }
)

result = response.json()
print(f"Message ID: {result[&"cm">#039;message_id']}")
print(f"Disclosure attached: {result.get(&"cm">#039;ai_disclosure_attached', False)}")
"cm"># Message ID: msg_xyz789
"cm"># Disclosure attached: True

Send email normally — the provenance certificate is attached automatically when ai_disclosure is enabled on the mailbox.

Verify the AI Disclosure Header
bash
"cm"># Extract the X-MultiMail-Identity header from a received email
IDENTITY_HEADER=$(grep -i &"cm">#039;X-MultiMail-Identity:' email.eml | cut -d' ' -f2-)

"cm"># Decode the base64 payload (before the signature delimiter)
PAYLOAD=$(echo "$IDENTITY_HEADER" | cut -d&"cm">#039;.' -f1 | base64 -d)

echo "$PAYLOAD" | jq .
"cm"># {
"cm">#   "ai_generated": true,
"cm">#   "operator": "YourCompany GmbH",
"cm">#   "oversight_mode": "gated_send",
"cm">#   "capabilities": ["compose", "reply", "summarize"],
"cm">#   "timestamp": "2026-08-02T10:30:00Z"
"cm"># }

"cm"># Fetch the public key and verify the signature
curl -s https://api.multimail.dev/.well-known/multimail-signing-key \
  -o /tmp/multimail-pub.pem

"cm"># Verify ECDSA P-256 signature
echo -n "$(echo "$IDENTITY_HEADER" | cut -d&"cm">#039;.' -f1)" \
  | openssl dgst -sha256 -verify /tmp/multimail-pub.pem \
    -signature <(echo "$IDENTITY_HEADER" | cut -d&"cm">#039;.' -f2 | base64 -d)
"cm"># Verified OK

Decode and verify the X-MultiMail-Identity header to confirm AI-generated content is properly disclosed.

Check Mailbox Disclosure Status via MCP
typescript
"cm">// Check disclosure status across all mailboxes

async function auditDisclosureCompliance() {
  const mailboxes = await mcp.list_mailboxes({});

  const results = mailboxes.map((mb: any) => ({
    address: mb.address,
    disclosure_enabled: mb.ai_disclosure?.enabled ?? false,
    operator: mb.ai_disclosure?.operator ?? "NOT SET",
    oversight_mode: mb.oversight_mode
  }));

  const noncompliant = results.filter(
    (r: any) => !r.disclosure_enabled
  );

  if (noncompliant.length > 0) {
    console.log(
      `WARNING: ${noncompliant.length} mailbox(es) lack ` +
      `AI disclosure headers — non-compliant with Art. 50`
    );
    for (const mb of noncompliant) {
      console.log(`  - ${mb.address}`);
    }
  } else {
    console.log("All mailboxes have AI disclosure enabled.");
  }

  return results;
}

Use MultiMail MCP tools to audit which mailboxes have AI disclosure enabled — useful for compliance dashboards.

Bulk Enable Disclosure Across All Mailboxes
python
import requests

API = "https://api.multimail.dev/v1"
HEADERS = {"Authorization": "Bearer mm_live_xxx"}

"cm"># List all mailboxes
mailboxes = requests.get(
    f"{API}/mailboxes", headers=HEADERS
).json()["mailboxes"]

"cm"># Enable disclosure on any mailbox that lacks it
for mb in mailboxes:
    if not mb.get("ai_disclosure", {}).get("enabled"):
        requests.patch(
            f"{API}/mailboxes/{mb[&"cm">#039;id']}",
            headers=HEADERS,
            json={
                "ai_disclosure": {
                    "enabled": True,
                    "operator": "YourCompany GmbH",
                    "capabilities": ["compose", "reply"]
                }
            }
        )
        print(f"Enabled disclosure: {mb[&"cm">#039;address']}")

print(f"Audit complete: {len(mailboxes)} mailboxes checked.")

Ensure every mailbox in your account has Article 50 disclosure enabled before the enforcement date.

Benefits

What you get

Article 50 Compliance Out of the Box

Every AI-generated email includes a machine-readable provenance certificate with the ai_generated flag, operator identity, and oversight mode — satisfying the Article 50 requirement to mark AI-generated content in a machine-readable format.

Cryptographic Tamper Evidence

The X-MultiMail-Identity header is signed with ECDSA P-256. Any modification to the disclosure payload invalidates the signature. Tamper evidence properties are formally proven in Lean 4, not just tested.

Early Compliance Advantage

Only 8 of 27 EU member states have published enforcement contacts. Organizations that implement disclosure now establish compliance history before regulators begin auditing — demonstrating good faith that matters in enforcement discretion.

No Code Changes Required

Enable ai_disclosure on your mailbox configuration and every outbound email is automatically tagged. Your AI agent's sending code stays the same — no header manipulation, no payload construction, no key management.

Publicly Verifiable

Anyone can verify the provenance certificate using the public key at /.well-known/multimail-signing-key or the human-friendly verification page at multimail.dev/verify. This transparency builds trust with recipients and regulators.

Oversight

Recommended oversight mode

Recommended
gated_send
AI-generated emails that carry regulatory disclosure headers should be reviewed before delivery. An incorrect disclosure (wrong operator, missing capabilities) could itself be a compliance violation. Gated send ensures a human verifies that both the email content and the disclosure metadata are accurate before the message leaves your organization.
FAQ

Common questions

When does EU AI Act Article 50 take effect?
Article 50 transparency obligations become enforceable on August 2, 2026. This applies to providers of AI systems that generate synthetic text, audio, image, or video content. Penalties for non-compliance reach up to €15 million or 3% of global annual turnover, whichever is higher.
What exactly does Article 50 require for AI-generated email?
Article 50 requires that AI-generated content be marked in a machine-readable format so that it can be detected as artificially generated. For email, no specific RFC exists yet. The EU Code of Practice recommends provenance certificates — digitally signed manifests — as the mechanism for text content. MultiMail's X-MultiMail-Identity header implements this recommendation.
What is a provenance certificate?
A provenance certificate is a digitally signed manifest that attests to the origin of content. The EU Code of Practice recommends this approach for AI-generated text. MultiMail's implementation signs a JSON payload containing the ai_generated flag, operator identity, oversight mode, and capabilities with ECDSA P-256. The signature can be verified against the public key at /.well-known/multimail-signing-key.
Does this apply to emails sent outside the EU?
The EU AI Act applies to providers placing AI systems on the EU market and deployers in the EU, regardless of where the provider is established. If your AI agent sends email to EU recipients or you operate within the EU, Article 50 obligations apply. Enabling disclosure on all mailboxes avoids the complexity of per-recipient compliance logic.
What happens if my email is forwarded or modified in transit?
If the email content or disclosure header is modified, the ECDSA signature will fail verification — this is by design. The tamper evidence property is formally proven in Lean 4. Recipients who verify a forwarded email will see that the signature is invalid, which correctly signals the content may have been altered.
How do formal proofs strengthen my compliance position?
MultiMail's Lean 4 proofs mathematically verify that the signing scheme provides tamper evidence — not through testing, but through formal verification. In a regulatory examination, this demonstrates that the disclosure mechanism is provably correct, not just empirically tested. This is a stronger compliance argument than test suites alone.
Can I enable disclosure only for some mailboxes?
Yes. AI disclosure is configured per mailbox. You can enable it on mailboxes used by AI agents while leaving human-only mailboxes unchanged. However, if any mailbox is used by an AI system that generates content, Article 50 requires disclosure on that mailbox.
Is MultiMail the only way to comply with Article 50 for email?
No. Article 50 is technology-neutral — any machine-readable marking mechanism can satisfy the requirement. However, there is no email-specific RFC or industry standard yet. MultiMail's signed header approach aligns with the EU Code of Practice recommendation for provenance certificates and is verifiable today, rather than waiting for a standard that may take years to finalize.
Related

Explore more use cases

Compliance Notifications

legal

View guide →

Regulatory Update Notifications

legal

View guide →

AI Disclosure Headers

legal

View guide →

State AI Disclosure Law Compliance

legal

View guide →
Get started

The only agent email with a verifiable sender

Email infrastructure built for AI agents. Verifiable identity, graduated oversight, and a 38-tool MCP server. Formally verified in Lean 4.

Read the Docs See Pricing