The open standard for email trust
SecureStamp defines a protocol for senders to publish cryptographically verifiable stamps, and for any system to validate them independently, without data centralization. Three integration points: DNS TXT record, email header, API query.
- DNS TXT record: Publish once, verifiable forever
- Email header: X-SecureStamp on every message
- REST API: GET /v1/trust/:domain
What is the stamp
The stamp is art. The status is plugin-verified.
The stamp is a visual certification.
It's an artistic, collectible element that proves a domain is registered with SecureStamp. It does not by itself indicate whether an email is safe.
The status indicator is a different thing.
What tells the user whether an email is safe is the plugin's status indicator: a color (green / amber / red) or a new column in the email client. That indicator is verified in real time — the plugin queries the backend with the cryptographic token.
A copied image has no validity.
If someone copies the stamp image and pastes it into a fake email, it's just pixels. Without the cryptographic token that the plugin verifies against the backend, the stamp has zero validity.
Protocol — integration points
Three ways to declare trust
DNS TXT record
Publish a TXT record under _securestamp.<domain>. No infrastructure change required on the mail server. Verifiers resolve the subdomain and validate the stamp against the ledger.
- v=1 — protocol version, required
- id=<stamp_id> — UUID v4 from the ledger
- url=<verify_url> — canonical verification URL
_securestamp.example.com. 3600 IN TXT
"securestamp=v=1;
id=f47ac10b-58cc-4372-a567-0e02b2c3d479;
url=https://securestamp.org/verify/eyJhbG..."
Email header
Inject X-SecureStamp in outbound messages. The token is a JWT signed with ES256 by the issuing node. Verifiers check the signature against the node's published public key.
- Signed with ES256 (ECDSA P-256)
- Claims: stampId, domain, orgId, score, exp
- Public key at /v1/keys/<node_id>
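A verifier-side pre-check for the X-SecureStamp header and the DNS TXT record described above, as an added example that is not SecureStamp's own code. The function names, the ';' field splitting, the binding of the domain claim to the sender's domain and the stampId-to-DNS-id comparison are assumptions; a True result only means the token is worth passing to ES256 signature verification against the node's published key, which this sketch does not perform.

```python
import base64, json, time

REQUIRED_CLAIMS = ("stampId", "domain", "orgId", "score", "exp")

def parse_fields(value):
    """Parse 'k=v; k=v', splitting each pair on its first '=' only."""
    pairs = (part.strip().partition("=") for part in value.split(";"))
    return {key: val for key, sep, val in pairs if sep}

def b64url_json(segment):
    """Decode one unpadded base64url JWT segment into a JSON value."""
    return json.loads(base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4)))

def precheck(header_value, sender_domain, dns_txt=None, now=None):
    """Return (ok, reason); ok=True means 'now verify the ES256 signature'."""
    now = time.time() if now is None else now
    fields = parse_fields(header_value)
    if fields.get("v") != "1":
        return False, "unsupported version"
    parts = fields.get("token", "").split(".")
    if len(parts) != 3 or not all(parts):
        return False, "malformed token"
    try:
        jose, claims = b64url_json(parts[0]), b64url_json(parts[1])
    except ValueError:  # bad base64, bad UTF-8 and bad JSON all derive from it
        return False, "malformed token"
    if not (isinstance(jose, dict) and isinstance(claims, dict)):
        return False, "malformed token"
    if jose.get("alg") != "ES256":  # pin the algorithm, never trust "none" or HS256
        return False, "unexpected alg"
    if any(name not in claims for name in REQUIRED_CLAIMS):
        return False, "missing claim"
    if not isinstance(claims["exp"], (int, float)) or claims["exp"] <= now:
        return False, "expired"
    if str(claims["domain"]).lower().rstrip(".") != sender_domain.lower().rstrip("."):
        return False, "domain mismatch"  # token lifted from another sender
    if dns_txt is not None:  # assumed rule: header stampId must equal the DNS id=
        record = parse_fields(dns_txt.partition("securestamp=")[2])
        if record.get("v") != "1" or record.get("id") != claims["stampId"]:
            return False, "DNS mismatch"
    return True, "signature check pending"

def make_sample(claims, alg="ES256"):  # constructed input with a dummy signature segment
    segs = [base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
            for o in ({"alg": alg}, claims)]
    return "v=1; token=" + ".".join(segs + ["c2ln"])

if __name__ == "__main__":  # constructed claims, not a real stamp
    demo = dict(stampId="stamp-1", domain="example.com", orgId="org-1", score=92, exp=2_000_000_000)
    print(precheck(make_sample(demo), "example.com"))
```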
X-SecureStamp: v=1;
token=eyJhbGciOiJFUzI1NiJ9.eyJzdGFtcElkIjoiZjQ3YWMxM...;
verify=https://securestamp.org/verify/eyJhbG...
API query
Query any domain without DNS access or message inspection. Returns the active stamp, trust score, SPF/DKIM/DMARC signals, and a reference to the ledger transaction. Rate-limited; authenticated requests get higher quotas.
- 1000 req/hour unauthenticated
- Bearer <api_key> for higher limits
- stamp=null if domain not registered
- status=revoked if stamp was revoked
GET https://securestamp.org/v1/trust/example.com
{
  "domain": "example.com",
  "stamp": {
    "stampId": "f47ac10b-...",
    "score": 92,
    "status": "active",
    "signals": { "spf": "pass", "dkim": "pass", "dmarc": "pass" }
  },
  "ledgerRef": "https://securestamp.org/v1/ledger/tx/abc123"
}
Federated network
Becoming an approved node
Only nodes approved by the SecureStamp Foundation can write to the shared Hyperledger Fabric ledger. Approval is not automatic — it requires review of technical capacity and alignment with the foundation's governance principles.
Submit application
Provide organization name, ASN, region, uptime SLA, and declared use of the node. Applications are reviewed by the foundation technical committee.
Foundation review
The committee evaluates technical capacity, geographic coverage, and absence of conflicts of interest. Review period: 30 business days.
CA certificate issued
On approval, the foundation CA issues an X.509 certificate identifying the node in the Fabric channel. Valid 1 year, renewable.
Join the channel
Run peer channel join -b securestamp-main.block with your certificate. Your node receives the full ledger history from the genesis block.
Node obligations
Public registry
Verify any stamp publicly
Every stamp issued to the ledger is verifiable by anyone without authentication. Pass the token from a DNS record or email header to the public verifier.
securestamp.org/verify/<token>
Specification
Protocol documentation
The full protocol specification covers DNS format, JWT structure, chaincode asset definitions, federated network rules, correlation database schema, and the real-time alert system.