
Server attestation that can't be spoofed

ZI2 Certified is a lightweight cryptographic protocol that proves which server actually sent every email. SPF, DKIM, and DMARC verify the domain — ZI2 Certified verifies the server. Together they close the gap that lets attackers send convincing display-name spoofs from rented infrastructure.

The Problem

Modern phishing rarely fails SPF, DKIM, or DMARC, because the attacker controls the sending domain. They register a lookalike domain, host it on a clean IP, publish valid authentication records for it, and send. The email passes every check and then asks the user to wire money to the "CEO."

The missing signal is server identity. SPF says "this IP is authorized to send for this domain." DKIM says "this message was signed with a key published under this domain and has not been altered since." Neither says "this specific server is the one this domain always sends from, and you have seen its key before." That is the layer ZI2 Certified adds.

How It Works

1. Generate an Ed25519 keypair
   Single command on the sending server. The private key stays on the box; the public key gets a short identifier (the kid).

2. Publish the public key in DNS
   A single TXT record at _zi2cert.<kid>.<domain> holds the base64 public key. Same DNS plane as DKIM, so no new infrastructure.

3. Sign every outbound message
   A milter signs From, To, Subject, Date, Message-ID and a hash of the body, then injects an X-ZI2-Certified header carrying the signature, the kid and the server hostname.

4. Receivers verify in milliseconds
   The receiving server fetches the public key from DNS, verifies the Ed25519 signature and records the result. After a handful of certified messages the sending server earns a trust level, and any later message claiming that domain without a valid signature is flagged as a spoof.

How It's Different

Layer          Verifies                  Stops display-name spoof   Per-server identity
SPF            Sender IP allowed         no                         no
DKIM           Body integrity            no                         no
DMARC          SPF/DKIM alignment        partial                    no
BIMI           Brand logo                no                         no
ZI2 Certified  Sending server identity   yes                        yes

ZI2 Certified complements SPF/DKIM/DMARC — it doesn't replace them. The header is added alongside DKIM signatures and verified after the existing chain runs.

Trust Levels

Verifiers track sender history. A new sending server starts at UNVERIFIED and earns trust as it accumulates valid signatures. This history, not the signature alone, is what separates a lookalike domain from the real one: an attacker can publish a _zi2cert key under a domain they own, but to a verifier that has never seen their server they remain UNVERIFIED however well the signature checks out, while a message claiming the real domain without the real server's signature is flagged once that server has reached PROVISIONAL. The history is local to each verifier, so a freshly deployed verifier starts every sender at UNVERIFIED.

UNVERIFIED · 0 valid signatures
First contact from a server. Email is delivered but flagged as unattested in headers; downstream filters can quarantine.
PROVISIONAL · 1–4 valid signatures
Server has demonstrated key control. Treated as a known sender; mismatched future emails (same domain, missing or invalid signature) get marked as spoofs.
TRUSTED · 5+ valid signatures over time
Verifier treats the server identity as established. Mail Guard and similar engines can route certified messages around heavyweight checks for sub-100ms triage.

Install — Under a Minute

For a Postfix MTA running the ZI2 Mail Guard milter (or any pymilter-compatible host):

# 1. Generate keypair (run as the milter service user)
zi2-cert keygen --domain example.com --kid zi2-cert-2026-04

# Output:
#   Private key written to /etc/zi2-mail-guard/zi2-cert.key (mode 0600)
#   Public key written to /etc/zi2-mail-guard/zi2-cert.pub
#   DNS record to publish:
#     _zi2cert.zi2-cert-2026-04.example.com  TXT  "v=ZI2CERT1; k=ed25519; p=<base64>"

# 2. Publish the TXT record at your DNS provider (Cloudflare, Route53, etc.)

# 3. Restart the milter — it reads the key on startup
systemctl restart zi2-milter

# 4. Verify
zi2-cert verify --domain example.com
# → kid=zi2-cert-2026-04 OK (Ed25519, 32 bytes)

Every outbound email from that point forward carries an X-ZI2-Certified header. Other ZI2-aware MTAs verify it; non-aware MTAs ignore it harmlessly (it's just an extra header). No SPF, DKIM, DMARC, or BIMI changes required.

The Header Format

One header, shown folded here for readability. The signature (b), the key identifier (kid) and the sending server hostname (s) are the three tags the milter is described as injecting above; the example also carries d (signing domain, combined with kid to locate the _zi2cert record), t (Unix timestamp), h (the list of signed header fields) and bh (the body hash):

X-ZI2-Certified: v=1; d=example.com; s=mail.example.com;
                 kid=zi2-cert-2026-04; t=1777319101;
                 h=from:to:subject:date:message-id;
                 bh=<sha256-body-hash>;
                 b=<ed25519-signature-base64>
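The sign-and-verify round trip behind steps 1 to 4 of How It Works and this header, as an added example in Go (chosen because Ed25519 is in its standard library); it is not ZI2's milter or verifier code. It formats the _zi2cert TXT record, builds the header over the five listed fields plus a body hash, and verifies it on the receiving side against an in-memory zone standing in for DNS. The canonicalisation (CRLF-joined header values in h= order, followed by the header with b= empty), SHA-256 for bh and the sample message are this example's assumptions, not the spec's.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"fmt"
	"strings"
)

// Added example, not ZI2 code. Canonicalisation, SHA-256 for bh and the
// sample message are assumptions; the protocol spec is authoritative.

var signedHeaders = []string{"from", "to", "subject", "date", "message-id"}

// TXTRecord formats the DNS value the keygen step prints.
func TXTRecord(pub ed25519.PublicKey) string {
	return "v=ZI2CERT1; k=ed25519; p=" + base64.StdEncoding.EncodeToString(pub)
}

// parseTags splits "k=v; k=v" lists; folded continuation lines are trimmed away.
func parseTags(s string) map[string]string {
	tags := map[string]string{}
	for _, part := range strings.Split(s, ";") {
		if k, v, ok := strings.Cut(strings.TrimSpace(part), "="); ok {
			tags[strings.ToLower(strings.TrimSpace(k))] = strings.TrimSpace(v)
		}
	}
	return tags
}

// PubKeyFromTXT is the receiver's parsed, sanity-checked DNS answer.
func PubKeyFromTXT(txt string) (ed25519.PublicKey, error) {
	t := parseTags(txt)
	if t["v"] != "ZI2CERT1" || t["k"] != "ed25519" {
		return nil, errors.New("unsupported _zi2cert record")
	}
	raw, err := base64.StdEncoding.DecodeString(t["p"])
	if err != nil || len(raw) != ed25519.PublicKeySize {
		return nil, errors.New("public key is not 32 raw Ed25519 bytes")
	}
	return ed25519.PublicKey(raw), nil
}

// headerPrefix rebuilds the header with b= empty from its tags, so sender and
// receiver sign and verify byte-identical input regardless of line folding.
func headerPrefix(t map[string]string) string {
	return fmt.Sprintf("v=%s; d=%s; s=%s; kid=%s; t=%s; h=%s; bh=%s; b=",
		t["v"], t["d"], t["s"], t["kid"], t["t"], t["h"], t["bh"])
}

// signingInput: the listed header values in h= order, then the header prefix.
func signingInput(hdrs, t map[string]string) []byte {
	var b strings.Builder
	for _, name := range strings.Split(t["h"], ":") {
		b.WriteString(name + ":" + hdrs[name] + "\r\n")
	}
	b.WriteString(headerPrefix(t))
	return []byte(b.String())
}

func bodyHash(body string) string {
	sum := sha256.Sum256([]byte(body))
	return base64.StdEncoding.EncodeToString(sum[:])
}

// Sign is the milter side: it returns the X-ZI2-Certified header value.
func Sign(priv ed25519.PrivateKey, domain, host, kid string, ts int64, hdrs map[string]string, body string) string {
	t := map[string]string{"v": "1", "d": domain, "s": host, "kid": kid,
		"t": fmt.Sprint(ts), "h": strings.Join(signedHeaders, ":"), "bh": bodyHash(body)}
	sig := ed25519.Sign(priv, signingInput(hdrs, t))
	return headerPrefix(t) + base64.StdEncoding.EncodeToString(sig)
}

// Verify is the receiver side. resolve stands in for a DNS TXT lookup so the
// example runs offline; hdrs holds the message's header values keyed lowercase.
func Verify(header string, hdrs map[string]string, body string, resolve func(string) (string, bool)) error {
	t := parseTags(header)
	txt, ok := resolve("_zi2cert." + t["kid"] + "." + t["d"])
	if !ok {
		return errors.New("no _zi2cert record for kid/domain")
	}
	pub, err := PubKeyFromTXT(txt)
	if err != nil {
		return err
	}
	if t["bh"] != bodyHash(body) {
		return errors.New("body hash mismatch")
	}
	sig, err := base64.StdEncoding.DecodeString(t["b"])
	if err != nil || !ed25519.Verify(pub, signingInput(hdrs, t), sig) {
		return errors.New("signature invalid")
	}
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	zone := map[string]string{"_zi2cert.zi2-cert-2026-04.example.com": TXTRecord(pub)} // stands in for DNS
	resolve := func(name string) (string, bool) { v, ok := zone[name]; return v, ok }
	// Constructed sample message (not real traffic).
	hdrs := map[string]string{"from": "CEO <ceo@example.com>", "to": "cfo@example.com", "subject": "Invoice",
		"date": "Mon, 27 Apr 2026 10:00:00 +0000", "message-id": "<1@example.com>"}
	body := "Please pay the attached invoice.\r\n"
	h := Sign(priv, "example.com", "mail.example.com", "zi2-cert-2026-04", 1777319101, hdrs, body)
	fmt.Println("genuine:", Verify(h, hdrs, body, resolve))
	hdrs["subject"] = "URGENT wire transfer"
	fmt.Println("tampered:", Verify(h, hdrs, body, resolve))
}
```

Run stand-alone it reports no error for the genuine message and "signature invalid" once the Subject is altered. Because the signed prefix is rebuilt from the parsed tags rather than taken from the wire, a header folded across lines as in the example above verifies the same as the single-line form, and a public key that does not decode to exactly 32 bytes is rejected before any signature check, which is the condition the "OK (Ed25519, 32 bytes)" line of the install output is reporting on.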

Where It's Already Live

ZI2 Certified is in production on every functional ZI2 ecosystem domain — currently 32+ domains across mail.kohp.cloud and partner MTAs. Live triage results show ~95% of inbound mail to ZI2-protected mailboxes either carries a valid signature (trusted-source bypass) or fails verification cleanly (correctly flagged as a spoof attempt).

See the live adopter list and check any domain at zi2.app/certified.

Ready to deploy?

Read the protocol spec or get help wiring it into your MTA.
