State AI Disclosure Laws Are Here. Your AI Emails Need to Comply.

Six states now require AI chatbot disclosure. When your AI agent emails consumers, those laws apply. MultiMail adds signed disclosure headers and body text automatically.


Why this matters

US states are passing AI chatbot disclosure laws faster than Congress can act. Maine LD 1727 (effective September 24, 2025) requires disclosure when AI chatbots communicate with consumers. New York S-3008C (effective November 5, 2025) mandates disclosure at first contact and every three hours. California SB 243 (effective January 1, 2026) adds minor protections on top of disclosure. Illinois and Colorado have their own requirements for AI in employment and consequential decisions. No state law explicitly mentions email, but the language is broad: Maine covers any 'AI chatbot used to communicate with consumers.' When your AI agent sends email to a consumer in Maine, that is an AI chatbot communicating with a consumer. Compliance teams face a patchwork of effective dates, disclosure intervals, and scope definitions that change by state and update frequently.


How MultiMail solves this

MultiMail provides three layers of AI disclosure for every outbound email: a cryptographically signed ai_generated field in the identity header (tamper-proof), an X-AI-Generated convenience header (machine-readable), and configurable body disclosure text (human-readable). You configure disclosure settings per mailbox to match the requirements of each state your recipients reside in. The audit log records that disclosure was present on every message, giving compliance teams evidence for regulatory inquiries.

1. Configure Disclosure Per Mailbox

Set up mailboxes with state-appropriate disclosure text. A mailbox serving Maine recipients gets the LD 1727 required disclosure. A mailbox for New York recipients includes the S-3008C initial disclosure and re-disclosure interval configuration.

2. AI Agent Composes Email

Your AI agent drafts outbound emails as usual. MultiMail automatically attaches the signed ai_generated identity header and X-AI-Generated convenience header to every message sent through an AI-configured mailbox.

3. Body Disclosure Injected

MultiMail prepends or appends the configured disclosure text to the email body. For New York compliance, the system tracks conversation timing and re-injects disclosure every three hours of active communication.

4. Human Reviews Under Gated Send

Under gated_send oversight, a compliance officer or legal reviewer approves each email before delivery, verifying that the correct state-specific disclosure is present and the content meets regulatory requirements.

5. Audit Trail for Regulators

Every sent email is logged with its disclosure status, headers, and body text. When a state regulator asks for evidence of compliance, you export the audit log filtered by date range and recipient state.
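A pre-approval check that a gated_send reviewer could run on each draft, combining the header, body-text and three-hour re-disclosure steps above. This is an added example, not MultiMail's own code. The function names, the sample message, the header value `true`, and the reading that the body notice is required only when the three-hour timer says it is due are all assumptions.

```python
from datetime import datetime, timedelta, timezone
from email import message_from_string, policy

REDISCLOSE_AFTER = timedelta(hours=3)  # New York interval described on this page
NOTICE = "This message was composed by an AI assistant."
SAMPLE = (  # constructed message; the header value "true" is an assumption
    "From: support@example.com\n"
    "To: customer@example.net\n"
    "Subject: Your order\n"
    "X-AI-Generated: true\n"
    'Content-Type: text/plain; charset="utf-8"\n'
    "\n"
    "Hello,\n\nThis message was composed\nby an AI assistant.\n"
)

def disclosure_due(last_disclosed, now):
    """True at first contact, or once three hours have passed since the last notice."""
    return last_disclosed is None or now - last_disclosed >= REDISCLOSE_AFTER

def review_outbound(raw, notice, last_disclosed, now):
    """Return the problems a reviewer should see before approving delivery."""
    msg = message_from_string(raw, policy=policy.default)
    problems = []
    if msg["X-AI-Generated"] is None:
        problems.append("missing X-AI-Generated header")
    part = msg.get_body(preferencelist=("plain",))
    body = part.get_content() if part is not None else ""
    # Compare on collapsed whitespace so line wrapping cannot hide the notice.
    has_notice = " ".join(notice.split()) in " ".join(body.split())
    if disclosure_due(last_disclosed, now) and not has_notice:
        problems.append("body disclosure due but absent")
    return problems

if __name__ == "__main__":
    now = datetime(2026, 1, 15, 12, 0, tzinfo=timezone.utc)
    print(review_outbound(SAMPLE, NOTICE, None, now))  # compliant first contact
    late = SAMPLE.replace("This message was composed\nby an AI assistant.\n", "Thanks.\n")
    print(review_outbound(late, NOTICE, now - timedelta(hours=3), now))
```

The check does not verify the signed identity header, because this page does not describe its format.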


Implementation

Configure State-Specific Disclosure Per Mailbox
python
import requests

API = "https://api.multimail.dev/v1"
HEADERS = {"Authorization": "Bearer mm_live_xxx"}

# State disclosure configurations
STATE_DISCLOSURES = {
    "ME": {
        "text": "This message was composed by an AI assistant. "
                "You are communicating with an artificial intelligence "
                "chatbot, not a human.",
        "law": "Maine LD 1727 (eff. 2025-09-24)"
    },
    "NY": {
        "text": "DISCLOSURE: This email was generated by an AI "
                "companion model. This disclosure is provided pursuant "
                "to New York S-3008C.",
        "law": "New York S-3008C (eff. 2025-11-05)"
    },
    "CA": {
        "text": "This communication was generated by an artificial "
                "intelligence system. California SB 243.",
        "law": "California SB 243 (eff. 2026-01-01)"
    }
}

def configure_mailbox_disclosure(mailbox_id: str, state: str):
    disclosure = STATE_DISCLOSURES[state]
    resp = requests.put(
        f"{API}/mailboxes/{mailbox_id}",
        headers=HEADERS,
        json={
            "ai_disclosure_text": disclosure["text"],
            "ai_generated": True,
            "display_name": f"Support ({state} compliant)"
        }
    )
    resp.raise_for_status()
    print(f"Mailbox {mailbox_id} configured for {disclosure['law']}")

# Configure a mailbox for each state you serve
configure_mailbox_disclosure("mbx_maine_01", "ME")
configure_mailbox_disclosure("mbx_newyork_01", "NY")
configure_mailbox_disclosure("mbx_california_01", "CA")

Set up mailboxes with disclosure text matching each state's requirements.

Check and Update Disclosure Settings via MCP
typescript
// Audit all mailboxes for AI disclosure compliance

interface MailboxDisclosureStatus {
  mailbox_id: string;
  address: string;
  ai_generated: boolean;
  has_disclosure_text: boolean;
  state_target: string | null;
}

async function auditDisclosureSettings(): Promise<MailboxDisclosureStatus[]> {
  const mailboxes = await mcp.list_mailboxes({});
  const results: MailboxDisclosureStatus[] = [];

  for (const mbx of mailboxes) {
    results.push({
      mailbox_id: mbx.id,
      address: mbx.address,
      ai_generated: mbx.ai_generated ?? false,
      has_disclosure_text: !!mbx.ai_disclosure_text,
      state_target: mbx.display_name?.match(/\(([A-Z]{2}) compliant\)/)?.[1] ?? null
    });
  }

  const noncompliant = results.filter(r => !r.ai_generated || !r.has_disclosure_text);
  if (noncompliant.length > 0) {
    console.log(`WARNING: ${noncompliant.length} mailbox(es) missing disclosure:`);
    for (const mbx of noncompliant) {
      console.log(`  - ${mbx.address} (${mbx.mailbox_id})`);
    }
  }

  return results;
}

async function enableDisclosure(mailboxId: string, disclosureText: string) {
  await mcp.update_mailbox({
    mailbox_id: mailboxId,
    ai_generated: true,
    ai_disclosure_text: disclosureText
  });
  console.log(`Disclosure enabled for ${mailboxId}`);
}

// Run audit
const status = await auditDisclosureSettings();

Use MultiMail MCP tools to audit and update mailbox disclosure configurations.

Generate State Compliance Report
python
import requests
from datetime import datetime

API = "https://api.multimail.dev/v1"
HEADERS = {"Authorization": "Bearer mm_live_xxx"}

STATE_LAWS = {
    "ME": {"law": "LD 1727", "effective": "2025-09-24"},
    "NY": {"law": "S-3008C", "effective": "2025-11-05"},
    "CA": {"law": "SB 243", "effective": "2026-01-01"},
    "IL": {"law": "AI Employment Act", "effective": "2026-01-01"},
    "CO": {"law": "SB 24-205", "effective": "2026-06-30"},
    "UT": {"law": "HB 452", "effective": "enacted"}
}

def generate_compliance_report():
    resp = requests.get(f"{API}/mailboxes", headers=HEADERS)
    resp.raise_for_status()
    mailboxes = resp.json()["mailboxes"]

    report = {
        "generated_at": datetime.utcnow().isoformat(),
        "total_mailboxes": len(mailboxes),
        "disclosure_enabled": 0,
        "disclosure_missing": 0,
        "state_coverage": {},
        "mailbox_details": []
    }

    for mbx in mailboxes:
        has_disclosure = mbx.get("ai_generated", False)
        has_text = bool(mbx.get("ai_disclosure_text"))
        compliant = has_disclosure and has_text

        if compliant:
            report["disclosure_enabled"] += 1
        else:
            report["disclosure_missing"] += 1

        # Detect state from the "(XX compliant)" display_name convention;
        # a bare substring test would also match names such as "ACME".
        name = mbx.get("display_name") or ""
        state = None
        for code in STATE_LAWS:
            if f"({code} compliant)" in name:
                state = code
                report["state_coverage"][code] = \
                    report["state_coverage"].get(code, 0) + 1

        report["mailbox_details"].append({
            "address": mbx["address"],
            "ai_generated_header": has_disclosure,
            "disclosure_text_set": has_text,
            "compliant": compliant,
            "target_state": state
        })

    # Check for states with no mailbox coverage
    today = datetime.utcnow().date().isoformat()
    for code, info in STATE_LAWS.items():
        if code not in report["state_coverage"]:
            effective = info["effective"]
            if effective <= today or effective == "enacted":
                print(f"ALERT: No mailbox configured for {code} "
                      f"({info['law']}, effective {effective})")

    print(f"Compliance Report - {report['generated_at']}")
    print(f"  Mailboxes with disclosure: {report['disclosure_enabled']}")
    print(f"  Mailboxes missing disclosure: {report['disclosure_missing']}")
    print(f"  States covered: {list(report['state_coverage'].keys())}")
    return report

report = generate_compliance_report()

Produce a compliance report showing disclosure status across all mailboxes and states.


What you get

Signed Proof of Disclosure

The cryptographically signed ai_generated field in the identity header provides tamper-proof evidence that disclosure was present. Unlike a plain-text disclaimer, this signature cannot be stripped or altered after sending.

State-by-State Configuration

Configure different disclosure text per mailbox to match each state's specific language requirements. Maine, New York, and California each have different statutory language expectations — one size does not fit all.

Audit Log for Regulatory Inquiries

Every outbound email is logged with its disclosure status, headers, and delivery timestamp. When a state attorney general or regulatory body requests evidence of compliance, the audit log provides it.

Human Oversight Before Delivery

Gated send ensures a compliance officer reviews each email before it reaches a consumer. This catches edge cases where AI-generated content might trigger additional state-specific requirements.

Future-Proof for New State Laws

As additional states pass AI disclosure laws, you add a new mailbox configuration or update existing disclosure text. The signed header and audit infrastructure already support any disclosure requirement.


Recommended oversight mode

Recommended: gated_send
State AI disclosure laws carry enforcement risk from state attorneys general. Gated send ensures a compliance officer verifies that the correct state-specific disclosure text is present and that email content does not trigger additional requirements (such as California's minor protections under SB 243) before delivery.

Common questions

Do state AI disclosure laws actually apply to email?
No state law explicitly mentions email, but the statutory language is broad. Maine LD 1727 covers 'AI chatbots used to communicate with consumers.' When an AI agent sends email to a consumer, that is an AI system communicating with a consumer. Legal consensus is trending toward broad application. The safer compliance position is to disclose.
Which states have AI disclosure laws in effect now?
As of early 2026: Maine LD 1727 (effective September 24, 2025), New York S-3008C (effective November 5, 2025), California SB 243 (effective January 1, 2026), and Illinois AI Employment Act (effective January 1, 2026). Utah HB 452 is enacted with immediate disclosure requirements. Colorado SB 24-205 has been delayed to June 30, 2026.
How does New York's three-hour re-disclosure requirement work for email?
New York S-3008C requires disclosure at the start of interaction and every three hours during continued communication. For email threads, this means if your AI agent sends multiple emails in an ongoing conversation, disclosure must be re-included after any three-hour gap. MultiMail tracks conversation timing and re-injects disclosure text when needed.
What is the difference between the signed header and the body disclosure?
The signed ai_generated field in the identity header is a cryptographic proof that the email was AI-generated — it cannot be stripped or forged. The X-AI-Generated convenience header is machine-readable for downstream systems. The body disclosure text is the human-readable notice that satisfies the consumer-facing requirement of state laws. All three serve different purposes.
Do I need separate mailboxes for each state?
Not necessarily. If your disclosure text satisfies all applicable state laws, a single mailbox works. However, states have different statutory language expectations. Some compliance teams prefer state-specific mailboxes to ensure exact match with each law's requirements and to simplify audit log filtering.
How does this relate to the EU AI Act?
The EU AI Act also requires AI-generated content disclosure, but with different scope and enforcement mechanisms. US state laws are enforced by state attorneys general, while the EU AI Act is enforced by national authorities. MultiMail's disclosure infrastructure supports both regimes — the signed header and configurable body text work regardless of jurisdiction.
Will federal AI legislation preempt state laws?
Federal AI legislation is progressing slowly compared to state action. The pattern mirrors data breach notification laws: California passed the first in 2003, and 49 more states followed before any federal framework emerged. Compliance teams should plan for state-level requirements being the reality for the foreseeable future.
What happens if I send AI-generated email to a state without a disclosure law?
Including disclosure in states without a requirement carries no legal risk — you are simply being transparent. Omitting disclosure in a state that requires it carries enforcement risk. The prudent approach is to disclose on all AI-generated emails and configure state-specific text where statutes demand particular language.
