ZI2 Certified is a server-level cryptographic email attestation protocol. It proves which specific server sent an email — something SPF, DKIM, and DMARC cannot do.
Email spoofing costs $12.5 billion per year (FBI IC3). The current authentication stack — SPF, DKIM, and DMARC — operates at the domain level. They answer: "Did this domain authorize the sending?"
None of them answer the critical question: "Did THIS specific server actually send THIS email?"
On multi-tenant servers (500,000+ worldwide), any domain can send email as any other domain on the same server. SPF passes. DKIM passes. DMARC passes. Every check says the email is legitimate. It isn't.
ZI2 Certified adds server-level cryptographic attestation using Ed25519 digital signatures. Every mail server generates a unique key pair. Every outbound email is signed. Receiving servers verify the signature against the sender's published public key.
Verification is mathematical — the signature is either valid or it isn't. No confidence scores. No heuristics. No AI guessing. If a signature is missing from a domain expected to sign, the email is 100% spoofed.
Server generates an Ed25519 key pair on first install. Public key published via DNS TXT record at _zi2cert.domain.
Every outbound email signed with sender + recipient + timestamp + message ID + server ID + body hash + nonce.
Receiving server retrieves public key from DNS, reconstructs payload, verifies Ed25519 signature.
Level 3 (Absolute): same server. Level 2 (Verified): direct key exchange. Level 1 (DNS): public key lookup. Level 0: no certification.
| Attack | SPF/DKIM/DMARC | ZI2 Certified |
|---|---|---|
| Intra-server spoofing | All pass | Detected |
| Lookalike domain | All pass | Detected |
| Body tampering | Partial | Full SHA-256 |
| Replay attack | Vulnerable | Nonce + timestamp |
| Recipient forgery | Not checked | Signed in payload |
| Missing cert from local domain | Ambiguous | 100% spoofed |
Live on production since April 19, 2026. Full penetration test: 18 out of 18 attack vectors detected with zero false positives and zero false negatives. Automated quarterly key rotation. DNS-based cross-server verification.
Patent Pending: ZI2-PAT-2026-002 — "System and Method for Server-Level Cryptographic Email Origin Attestation with Multi-Tenant Spoofing Detection and AI-Integrated Trust Verification." 16 claims (4 independent, 12 dependent). No blocking prior art identified.
IETF Internet-Draft: draft-kadjo-zi2cert-00 — submitted to the IETF for consideration as an internet standard alongside SPF, DKIM, and DMARC.
ZI2 Certified is designed as the fourth pillar of email authentication:
SPF (2006) + DKIM (2011) + DMARC (2015) + ZI2 Certified (2026)
Zenith Intelligence Technologies builds modular AI, cryptographic security, and enterprise software. The ZI2 ecosystem includes 16 modules spanning AI, encryption, identity, communications, and operations — deployed across multiple live platforms.
ZI2 Certified is the company's contribution to internet infrastructure: a cryptographic layer that fills the structural gap in email authentication that has persisted since the standardization of SPF, DKIM, and DMARC.
See if your domain has ZI2 Certified server-level attestation, SPF, DKIM, and DMARC.