Skip to main content
securestamp.org
ESGitHub
Open protocol — draft v0.1

メール信頼の
オープン標準

SecureStamp は、送信者が検証可能な暗号署名付き stamps を公開し、任意のシステムがデータを集中管理せず独立して検証できる protocol を定義します。3 つの integration points: DNS TXT record, Email header, API query.

仕様を読むノードを運用 →

DNS TXT record

一度公開すれば継続的に検証可能

Email header

各メッセージの X-SecureStamp

REST API

GET /v1/trust/:domain

What is the stamp

The stamp is art. The status is plugin-verified.

The stamp is a visual certification.

It's an artistic, collectible element that proves a domain is registered with SecureStamp. It does not by itself indicate whether an email is safe.

The status indicator is a different thing.

What tells the user whether an email is safe is the plugin's status indicator: a color (green / amber / red) or a new column in the email client. That indicator is verified in real-time — the plugin queries the backend with the cryptographic token.

A copied image has no validity.

If someone copies the stamp image and pastes it into a fake email, it's just pixels. Without the cryptographic token that the plugin verifies against the backend, the stamp has zero validity.

Protocol — integration points

Three ways to declare trust

DNS TXT record

Publish a TXT record under _securestamp.<domain>. No infrastructure change required on the mail server. Verifiers resolve the subdomain and validate the stamp against the ledger.

  • v=1 — protocol version, required
  • id=<stamp_id> — UUID v4 from the ledger
  • url=<verify_url> — canonical verification URL
DNS zone
_securestamp.example.com.  3600  IN  TXT
  "securestamp=v=1;
   id=f47ac10b-58cc-4372-a567-0e02b2c3d479;
   url=https://securestamp.org/verify/eyJhbG..."

Email header

Inject X-SecureStamp in outbound messages. The token is a JWT signed with ES256 by the issuing node. Verifiers check the signature against the node's published public key.

  • Signed with ES256 (ECDSA P-256)
  • Claims: stampId, domain, orgId, score, exp
  • Public key at /v1/keys/<node_id>
SMTP header
X-SecureStamp: v=1;
  token=eyJhbGciOiJFUzI1NiJ9.eyJzdGFtcElkIjoiZjQ3YWMxM...;
  verify=https://securestamp.org/verify/eyJhbG...

API query

Query any domain without DNS access or message inspection. Returns the active stamp, trust score, SPF/DKIM/DMARC signals, and a reference to the ledger transaction. Rate-limited; authenticated requests get higher quotas.

  • 1000 req/hour unauthenticated
  • Bearer <api_key> for higher limits
  • stamp=null if domain not registered
  • status=revoked if stamp was revoked
request
GET https://securestamp.org/v1/trust/example.com
response
{
  "domain": "example.com",
  "stamp": {
    "stampId": "f47ac10b-...",
    "score": 92,
    "status": "active",
    "signals": { "spf": "pass", "dkim": "pass", "dmarc": "pass" }
  },
  "ledgerRef": "https://securestamp.org/v1/ledger/tx/abc123"
}

Federated network

Becoming an approved node

Only nodes approved by the SecureStamp Foundation can write to the shared Hyperledger Fabric ledger. Approval is not automatic — it requires review of technical capacity and alignment with the foundation's governance principles.

01

Submit application

Provide organization name, ASN, region, uptime SLA, and declared use of the node. Applications are reviewed by the foundation technical committee.

02

Foundation review

The committee evaluates technical capacity, geographic coverage, and absence of conflicts of interest. Review period: 30 business days.

03

CA certificate issued

On approval, the foundation CA issues an X.509 certificate identifying the node in the Fabric channel. Valid 1 year, renewable.

04

Join the channel

Run peer channel join -b securestamp-main.block with your certificate. Your node receives the full ledger history from genesis block.

Node obligations

Uptime ≥ 99% in 30-day windows
Run chaincode within [current−1, current]
Publish /v1/health endpoint
Report correlation anomalies to foundation
Modify endorsement policies without approval
Expose internal Fabric world state directly
Apply to operate a nodeSend your application to nodes@securestamp.org

Public registry

Verify any stamp publicly

Every stamp issued to the ledger is verifiable by anyone without authentication. Pass the token from a DNS record or email header to the public verifier.

Open public verifier
securestamp.org/verify/<token>

Specification

Protocol documentation

The full protocol specification covers DNS format, JWT structure, chaincode asset definitions, federated network rules, correlation database schema, and the real-time alert system.

Protocol v0.1

Full specification

ADR-004

Hyperledger Fabric decision

API reference

REST endpoints

Questions about the specification or protocol design? protocol@securestamp.org

Contact

Get in touch

Each address routes directly to the right team. No ticketing system — real people.

info@securestamp.org

General information

Questions about SecureStamp, the foundation, or how to get started.

nodes@securestamp.org

Node applications

Apply to operate an approved node in the federated network.

protocol@securestamp.org

Protocol & technical

Specification questions, implementation details, proposed changes.

security@securestamp.org

Security disclosures

Responsible disclosure of vulnerabilities in the protocol or infrastructure.

abuse@securestamp.org

Abuse & revocation

Report misuse, compromised stamps, or request emergency revocation.

foundation@securestamp.org

Foundation & governance

Partnership, governance proposals, institutional collaboration.

SecureStamp Foundation — Open Email Trust Protocol