EU AI Act Article 50 Compliance for AI-Generated Email

Automatically attach cryptographically signed provenance certificates to every AI-generated email. Machine-readable disclosure, verifiable by anyone, backed by formal proofs.


Why this matters

EU AI Act Article 50 becomes enforceable on August 2, 2026, requiring providers of AI systems that generate text to mark that content in a machine-readable format. Penalties reach up to €15M or 3% of global annual turnover. For AI agents that send email, no email-specific RFC exists yet, and only 8 of 27 EU member states have published enforcement contacts. Most teams have no mechanism to mark outbound AI-generated email as such — let alone in a format that is cryptographically verifiable and tamper-evident. Waiting for a standard to emerge means scrambling to retrofit compliance after enforcement begins.


How MultiMail solves this

MultiMail attaches an X-MultiMail-Identity header to every AI-generated email — an ECDSA P-256 signed provenance certificate that satisfies the EU Code of Practice recommendation for digitally signed manifests. The header contains a machine-readable payload including the ai_generated boolean, operator identity, oversight mode, and agent capabilities. Recipients verify signatures against the public key published at /.well-known/multimail-signing-key. Tamper evidence is formally proven in Lean 4. Early adoption gives your organization a compliance advantage while enforcement infrastructure is still forming.

1

Enable AI Disclosure on Your Mailbox

Configure the ai_disclosure setting on your mailbox. This tells MultiMail to attach a signed provenance certificate to every outbound message from this mailbox.

2

Send Email via API or MCP

Your AI agent sends email through the MultiMail API or MCP tools as usual. No changes to your sending code are required — disclosure headers are attached automatically.

3

Provenance Certificate Attached

MultiMail signs the identity payload (ai_generated, operator, oversight mode, capabilities) with ECDSA P-256 and attaches it as the X-MultiMail-Identity header. The signature covers the payload to prevent modification in transit.

4

Recipient Verification

Any recipient or regulator can verify the provenance certificate by fetching the public key from /.well-known/multimail-signing-key and checking the signature. A verification page at multimail.dev/verify provides a human-friendly interface.

5

Audit Trail for Regulators

MultiMail's audit log records every disclosure header attached, creating evidence of systematic Article 50 compliance that you can present during regulatory examinations.


Try it with your agent

Pick your platform, copy the prompt, and paste it to your AI agent — it sets up MultiMail and builds the whole flow. Nothing to fill in.

1. Read https://multimail.dev/llms.txt, connect the MultiMail MCP server, create a free inbox, and set up a verified sender for the domain your AI-generated emails will use. 2. In the OpenAI API workflow that drafts outbound email, add a tool/function call that runs whenever the model produces a message intended for an external recipient, before any email is sent. 3. Have the agent classify the message as AI-generated, capture the operator identity, intended recipient, business purpose, and any human-provided context, then compose the final email through MultiMail so the outbound message carries machine-readable AI provenance. 4. Run every first send and any changed compliance template in MultiMail gated_send mode; only send after the designated reviewer approves the recipient, subject, body, and provenance details. 5. To go live, ask me only for the OpenAI project credentials, the sending-domain DNS access or owner, the approved operator identity, and the brand voice to use in customer-facing emails.

What you get

Article 50 Compliance Out of the Box

Every AI-generated email includes a machine-readable provenance certificate with the ai_generated flag, operator identity, and oversight mode — satisfying the Article 50 requirement to mark AI-generated content in a machine-readable format.

Cryptographic Tamper Evidence

The X-MultiMail-Identity header is signed with ECDSA P-256. Any modification to the disclosure payload invalidates the signature. Tamper evidence properties are formally proven in Lean 4, not just tested.

Early Compliance Advantage

Only 8 of 27 EU member states have published enforcement contacts. Organizations that implement disclosure now establish compliance history before regulators begin auditing — demonstrating good faith that matters in enforcement discretion.

No Code Changes Required

Enable ai_disclosure on your mailbox configuration and every outbound email is automatically tagged. Your AI agent's sending code stays the same — no header manipulation, no payload construction, no key management.

Publicly Verifiable

Anyone can verify the provenance certificate using the public key at /.well-known/multimail-signing-key or the human-friendly verification page at multimail.dev/verify. This transparency builds trust with recipients and regulators.


Recommended oversight mode

Recommended
gated_send
AI-generated emails that carry regulatory disclosure headers should be reviewed before delivery. An incorrect disclosure (wrong operator, missing capabilities) could itself be a compliance violation. Gated send ensures a human verifies that both the email content and the disclosure metadata are accurate before the message leaves your organization.

Common questions

When does EU AI Act Article 50 take effect?
Article 50 transparency obligations become enforceable on August 2, 2026. This applies to providers of AI systems that generate synthetic text, audio, image, or video content. Penalties for non-compliance reach up to €15 million or 3% of global annual turnover, whichever is higher.
What exactly does Article 50 require for AI-generated email?
Article 50 requires that AI-generated content be marked in a machine-readable format so that it can be detected as artificially generated. For email, no specific RFC exists yet. The EU Code of Practice recommends provenance certificates — digitally signed manifests — as the mechanism for text content. MultiMail's X-MultiMail-Identity header implements this recommendation.
What is a provenance certificate?
A provenance certificate is a digitally signed manifest that attests to the origin of content. The EU Code of Practice recommends this approach for AI-generated text. MultiMail's implementation signs a JSON payload containing the ai_generated flag, operator identity, oversight mode, and capabilities with ECDSA P-256. The signature can be verified against the public key at /.well-known/multimail-signing-key.
Does this apply to emails sent outside the EU?
The EU AI Act applies to providers placing AI systems on the EU market and deployers in the EU, regardless of where the provider is established. If your AI agent sends email to EU recipients or you operate within the EU, Article 50 obligations apply. Enabling disclosure on all mailboxes avoids the complexity of per-recipient compliance logic.
What happens if my email is forwarded or modified in transit?
If the email content or disclosure header is modified, the ECDSA signature will fail verification — this is by design. The tamper evidence property is formally proven in Lean 4. Recipients who verify a forwarded email will see that the signature is invalid, which correctly signals the content may have been altered.
How do formal proofs strengthen my compliance position?
MultiMail's Lean 4 proofs mathematically verify that the signing scheme provides tamper evidence — not through testing, but through formal verification. In a regulatory examination, this demonstrates that the disclosure mechanism is provably correct, not just empirically tested. This is a stronger compliance argument than test suites alone.
Can I enable disclosure only for some mailboxes?
Yes. AI disclosure is configured per mailbox. You can enable it on mailboxes used by AI agents while leaving human-only mailboxes unchanged. However, if any mailbox is used by an AI system that generates content, Article 50 requires disclosure on that mailbox.
Is MultiMail the only way to comply with Article 50 for email?
No. Article 50 is technology-neutral — any machine-readable marking mechanism can satisfy the requirement. However, there is no email-specific RFC or industry standard yet. MultiMail's signed header approach aligns with the EU Code of Practice recommendation for provenance certificates and is verifiable today, rather than waiting for a standard that may take years to finalize.

Explore more use cases

The only agent email with a verifiable sender

Email infrastructure built for AI agents. Verifiable identity, graduated oversight, and a hosted MCP server. Formally verified in Lean 4.