Trust & Provenance - AI-readiness signals
All 16 signals in the Trust & Provenance category, with what each tests and why it matters for visibility in AI.
- Does your site offer the modern TLS 1.3 encryption that AI crawlers expect?
  Confirms your HTTPS connection uses the current encryption standard rather than an older, deprecated version.
- Is your TLS certificate publicly logged so AI agents can verify it is genuine?
  Checks that your HTTPS certificate is registered in public Certificate Transparency logs that prove it is not forged.
- Have you told the world which certificate authorities are allowed to issue certs for your domain?
  Confirms a small public DNS record exists that restricts who can issue HTTPS certificates for your domain.
- Do you publish a standard contact file telling researchers how to report security issues?
  Checks that you publish the small, well-known file describing how to reach you about security vulnerabilities.
- Does your domain publish an SPF record that says which servers are allowed to send your email?
  Checks for the DNS record that prevents others from sending email pretending to be from your domain.
- Does your domain publish a DKIM public key so receiving servers can verify your emails?
  Checks that you publish the cryptographic key that lets mail servers confirm your emails really came from you.
- Is your DMARC policy strict enough to actually block spoofed email from your domain?
  Checks that your DMARC DNS policy is set to quarantine or reject, not merely monitoring.
- Does your brand logo show in inboxes via a verified BIMI record with a trademark-validated certificate?
  Checks that your domain publishes a BIMI record with a verified mark certificate proving you own your logo.
- Does your domain enforce TLS encryption for inbound email via MTA-STS?
  Checks that you publish a policy requiring senders to encrypt mail to your servers, not just sign it.
- Do your articles and images publish a machine-readable license stating how AI may use them?
  Checks for a license URL on each piece of content so AI systems know what they are allowed to do with it.
- Do your articles cite their primary sources in a way AI systems can follow?
  Checks for machine-readable citation links so AI tools can verify the sources behind your claims.
- If you publish fact-checks, do they use the standard ClaimReview structured data?
  Checks that fact-check content is marked up in the format AI grounding systems and search fact panels recognise.
- Do your images carry C2PA Content Credentials proving where they came from?
  Checks whether your images embed a cryptographic provenance manifest that distinguishes them from AI-generated fakes.
- Do your third-party scripts carry integrity hashes so the browser can detect tampering?
  Checks that scripts and stylesheets loaded from outside your domain have hash attributes proving they have not been altered.
- Do you publish a Global Privacy Control file declaring you honor browser-sent privacy preferences?
  Checks for the small JSON file at /.well-known/gpc.json declaring your site respects the Sec-GPC signal.
- Do your API responses carry cryptographic signatures that AI agents can verify independently of TLS?
  Checks whether your API endpoints sign their responses using the RFC 9421 HTTP Message Signatures standard.