Web Key Directory: the technology that every email domain should adopt to ensure the authenticity and security of communications - TL;DR

Why Encryption Is the Foundation of Digital Privacy

Encryption is the technology that transforms readable information into incomprehensible code for anyone without the decryption key. It’s what protects banking transactions, government communications, and healthcare data. In the context of the European GDPR, strong encryption also enables the transfer of personal data outside the EU: when data is properly encrypted, individuals are no longer identifiable, simplifying regulatory compliance for international communications. Yet, paradoxically, the world’s most used communication technology – email – remains largely unencrypted, exposing billions of daily messages to potential interception. This article explores how the Web Key Directory (WKD) protocol finally solves this paradox, making email encryption simple and automatic: just as we now visit secure (HTTPS) websites without doing anything special, with WKD emails are encrypted automatically, without any user intervention.

The Fundamental Problem We All Face

Every day, billions of emails travel across the internet, carrying sensitive information, including contracts, medical reports, financial documents, and personal conversations. Yet most of these messages travel completely unencrypted, readable like a postcard by anyone who intercepts them. The technology to encrypt emails has existed since 1991, when Philip Zimmermann released the freeware PGP (Pretty Good Privacy). However, after three decades, encrypted emails remain the exception rather than the rule.

[Diagram: Traditional email flow (unencrypted). The sender transmits in plain text; in transit the email is exposed to ISPs, mail servers, hackers/interceptors, government agencies and data brokers, each of which can read, copy, save and analyze it; the recipient receives it in plain text. Warning: every step can read, save and analyze your message, and the data remains exposed indefinitely on multiple servers.]

Why? The answer lies in a deceptively simple problem: key distribution.

Imagine you want to send me an encrypted message. To do so, you need my public key—think of it as an open lock that only I can unlock. But how do you get this key? How can you be sure it’s really mine and not an impostor’s? This challenge has crippled the adoption of email encryption for decades, leaving our digital communications vulnerable.

[Diagram: the sender asks the recipient: “How do I get your key? How do I verify that it's yours? Where should I look for it?”]

Traditional solutions have all failed.

Manual key exchange works between individuals but does not scale.

Centralized keyservers have become polluted with fake keys, raising serious privacy concerns—anyone can see who you are preparing to communicate with securely. Social media profiles claiming to contain keys are trivially forgeable.

The result? Most people give up on email encryption altogether.

The Advent of the Web Key Directory

The Web Key Directory (WKD) represents a fundamental rethinking of how we distribute cryptographic keys.

Instead of relying on third-party keyservers or manual exchange, the WKD protocol leverages something we already have: the Domain Name System (DNS) and HTTPS infrastructure that powers the modern web.

I explored this technology in depth back in February 2023, publishing the article “Digital Identity: Web Key Directory as a Possible Solution” at a time when few were discussing the potential of WKD. That article laid the groundwork for understanding WKD not only as a technical protocol but as a fundamental change in how we approach digital identity and secure communication.

I continued to develop these themes in my latest book, “Artificial Intelligence, Privacy, and Neural Networks: The Balance Between Innovation, Knowledge, and Ethics in the Digital Age,” where I explore how cryptographic identity verification becomes even more critical in an AI-dominated future where distinguishing human communications from machine communications is essential.

The strength of WKD lies in its functional elegance, based on simplicity. When you control a domain—let’s say example.com—you already demonstrate this control through your ability to configure DNS records and serve content via HTTPS. WKD builds on this existing trust relationship. If you trust example.com enough to send emails to its accounts, you can trust the cryptographic keys published on its infrastructure.

Here’s how it works in practice: when you compose an email to alice@example.com, your email client automatically queries a specific URL on the example.com server. If Alice has published her key there, the sender’s client downloads it, verifies it, and enables encryption—all without lifting a finger. No manual searching, no verifying the key fingerprint via phone calls, no centralized authority.

Encryption happens.

[Sequence diagram: automatic key lookup via WKD]

  1. The user composes an email to alice@example.com;
  2. The email client calculates the WKD URL: SHA1("alice") → z-base32;
  3. The client sends an HTTPS request to openpgpkey.example.com/.well-known/...;
  4. The WKD server returns Alice's public key;
  5. The client verifies the key and the email is encrypted automatically.

Total time: about one second, with zero user interaction.

Why This Is More Important Than Ever: The Global Battle for Encryption

As a member of the Global Encryption Coalition, I have witnessed firsthand how encryption has become the primary line of defense for human rights in the digital age.

The Coalition, representing over 400 organizations and individuals in more than 100 countries, understands a fundamental truth: encryption is not just a technical tool—it is a cornerstone of democracy, privacy, and human dignity.

We live in an era of unprecedented digital surveillance and data breaches.

Every unencrypted email you send creates permanent records that could be exposed, sold, or subpoenaed years from now.

Consider the implications:

[Diagram: who can access an unencrypted email sent by Bob to Alice]

  • Infrastructure: Bob's ISP and Alice's ISP, both mail servers, backups and archives, spam/antivirus filters, cloud providers;
  • Surveillance: government programs, intelligence services, data brokers;
  • Criminals: hackers, rogue employees.

Final result: the “private” email is copied by 10+ different entities, saved indefinitely on their servers, continuously analyzed for various purposes, and archived for years or forever.

Your medical discussions with doctors, legal conversations with lawyers, business negotiations, and personal relationships—all preserved indefinitely in plain text on multiple servers.

The WKD protocol fundamentally changes this dynamic.

When implemented correctly, it makes encrypted emails as easy as unencrypted ones.

Your email client handles everything automatically, transforming email from an insecure medium to a private communication channel.

That isn’t just about protecting secrets; it’s about preserving the fundamental human right to private correspondence in the digital age.

Furthermore, the WKD protocol addresses the identity verification crisis we face online.

Email spoofing—where attackers send messages that appear to come from trusted sources—costs businesses billions every year and enables countless scams.

When WKD is combined with digital signatures, recipients can cryptographically verify that messages genuinely come from the claimed sender.

No more CEO fraud, no more phishing attacks impersonating your bank, no more uncertainty about whether that urgent message from IT is legitimate.

The strategic advantages of implementation

For organizations, the WKD protocol offers compelling benefits beyond simple encryption.

In fact, it demonstrates technical competence and commitment to security, factors that are increasingly important in business relationships. When customers see that your organization has successfully implemented the WKD protocol, they understand that you take data protection seriously.

That can be a decisive factor in business.

❌ Traditional keyserver vs ✅ Web Key Directory (WKD)

  • Unauthenticated upload vs owner control: on a traditional keyserver anyone can upload keys in your name (risk: impersonation); with WKD only the domain controller can publish, which guarantees authenticity.
  • No verification vs HTTPS verification: keyservers perform zero checks on email ownership (risk: identity theft); with WKD the server's SSL/TLS certificate confirms authenticity, providing cryptographic verification.
  • Compromised privacy vs preserved privacy: on keyservers your social graph is publicly visible and metadata is exposed; WKD has no public database or tracking, so privacy is complete.
  • Immutable data vs full management: keys uploaded to a keyserver cannot be removed, so compromised keys remain there forever; WKD gives control over updates and revocations, a manageable lifecycle.
  • Centralized vs decentralized: central keyservers are a single point of failure (risk: global outages); with WKD each domain is independent, for maximum resilience.

📊 Conclusion: WKD solves the critical security, privacy, and control problems of traditional keyservers, offering a modern and reliable alternative for PGP key distribution.

The privacy implications are equally significant.

Unlike traditional keyservers, WKD reveals nothing about your communication patterns.

There is no central database tracking who is looking for whose keys, nor is there a public record of your preparations for secure communications.

You control your keys on your own infrastructure, maintaining complete sovereignty over your cryptographic identity.

Consider the regulatory landscape as well.

With GDPR in Europe, CCPA in California, and similar regulations spreading globally, organizations face increasing liability for data breaches. Encrypted communications significantly reduce this risk.

If encrypted emails are compromised, attackers get unreadable ciphertext rather than usable information.

The WKD protocol enables this protection to be achieved at scale.

The Italian context and digital identity certainty

In the Italian context, where digital identity is already regulated through SPID and CIE, WKD offers a complementary but fundamental level of verification. While SPID and CIE provide a government-verified identity for public services, WKD extends this certainty to everyday email communications.

Consider the implications for Italian professionals. A lawyer communicating with clients on sensitive matters, an accountant sending tax documents, a notary coordinating real estate transactions—all of these professionals handle information that requires not only confidentiality but also certainty of identity. WKD provides both, without relying on government infrastructure or commercial services.

GDPR compliance also becomes easier. When you implement WKD, you demonstrate that you have put in place appropriate technical and organizational measures to protect personal data—a fundamental requirement of the GDPR (Article 32). It is not just a matter of avoiding penalties; it is a matter of demonstrating respect for the data that has been entrusted to the data controller.

Understanding the technical architecture

The technical beauty of WKD lies in its ability to reuse existing web infrastructure for key distribution.

Rather than creating new protocols or systems, it leverages existing standards: DNS, HTTPS, and static file serving.

WKD Directory Structure (Advanced Method)

openpgpkey.example.com/
│
└── .well-known/
    └── openpgpkey/
        └── example.com/              ← Email domain
            │
            ├── policy                ← File indicating WKD support
            │
            └── hu/                   ← "Hashed User" directory
                │
                ├── kwtfi7pgr93wergze6aymr9j8x1mp1wm
                │   └── [Alice's public key]
                │       ↑
                │       SHA1("alice") → z-base32 encoding
                │
                ├── 9hb6x5cnwqok7zn5pnx41jym5jq8wi4s
                │   └── [Bob's public key]
                │       ↑
                │       SHA1("bob") → z-base32 encoding
                │
                └── [other hash files for other users...]

Note: Each file contains the user's binary OpenPGP key
      Filenames are hashed to protect privacy

WKD defines two methods for key discovery, as specified in the June 2025 updated Internet Draft (draft-koch-openpgp-webkey-service).

The Direct method serves keys from the email domain itself (for example, https://example.com/.well-known/openpgpkey/hu/), requiring nothing more than the existing web server and a simple directory structure.

The Advanced method, which I prefer, allows multiple domains to be served from a single subdomain by including the domain in the path structure. This flexibility proves invaluable for organizations that manage multiple domains or email domains that differ from their prominent web presence.

The actual location of the key uses a clever hashing system.

Instead of exposing email addresses directly in URLs (which would allow enumeration attacks), WKD hashes the local part of email addresses using SHA-1 and encodes them with z-base32. That means that alice@example.com becomes an opaque string, such as kwtfi7pgr93wergze6aymr9j8x1mp1wm, revealing nothing about the actual email address while allowing for precise key retrieval.
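As an added example (not code from the article or from GnuPG), the following Python derives both lookup locations for an address and resolves a key the way a WKD client does, trying the Advanced method first and falling back to Direct; it also applies the lowercase mapping of the local part and the ?l= query parameter that the Internet Draft specifies. The function names, the sample site and the key bytes are constructed for this demonstration.

```python
"""Derive WKD lookup locations and resolve a key with Advanced -> Direct fallback.

Added example: not code from the article or from GnuPG. The sample "site"
and key bytes below are constructed for the demonstration.
"""
import base64
import hashlib
from typing import Callable, Dict, Optional, Tuple
from urllib.parse import quote

# WKD file names use z-base32. base64.b32encode produces RFC 4648 base32,
# which has the same bit order but a different alphabet, so we translate.
_RFC4648_ALPHABET = "abcdefghijklmnopqrstuvwxyz234567"
ZBASE32_ALPHABET = "ybndrfg8ejkmcpqxot1uwisza345h769"
_TO_ZBASE32 = str.maketrans(_RFC4648_ALPHABET, ZBASE32_ALPHABET)


def zbase32(data: bytes) -> str:
    """z-base32 encoding of data (no padding characters)."""
    std = base64.b32encode(data).decode("ascii").lower().rstrip("=")
    return std.translate(_TO_ZBASE32)


def wkd_hash(local_part: str) -> str:
    """File name under hu/: z-base32(SHA-1(local part mapped to lowercase)).

    The specification hashes the lowercased local part, so Alice@ and alice@
    resolve to the same 32-character name.
    """
    digest = hashlib.sha1(local_part.lower().encode("utf-8")).digest()
    return zbase32(digest)


def wkd_urls(email: str) -> Dict[str, str]:
    """Advanced-method and Direct-method URLs for an address.

    The ?l= query carries the unmodified local part so a server that keeps
    case-sensitive mailboxes can still tell them apart.
    """
    local_part, domain = email.rsplit("@", 1)
    domain = domain.lower()
    name = wkd_hash(local_part)
    query = "?l=" + quote(local_part, safe="")
    advanced_base = f"https://openpgpkey.{domain}/.well-known/openpgpkey/{domain}"
    direct_base = f"https://{domain}/.well-known/openpgpkey"
    return {
        "advanced": f"{advanced_base}/hu/{name}{query}",
        "advanced_policy": f"{advanced_base}/policy",
        "direct": f"{direct_base}/hu/{name}{query}",
        "direct_policy": f"{direct_base}/policy",
    }


def is_openpgp_public_key(data: bytes) -> bool:
    """Sanity check on a downloaded key: a binary export starts with a
    Public-Key packet (tag 6). ASCII-armored files start with '-' and fail."""
    if not data or not data[0] & 0x80:
        return False
    first = data[0]
    tag = first & 0x3F if first & 0x40 else (first >> 2) & 0x0F
    return tag == 6


# Fetcher: HTTPS GET stand-in returning the body on HTTP 200, else None.
Fetcher = Callable[[str], Optional[bytes]]


def lookup_key(email: str, fetch: Fetcher) -> Optional[Tuple[str, bytes]]:
    """Resolve a key the way a WKD client does: Advanced first, then Direct."""
    urls = wkd_urls(email)
    for method in ("advanced", "direct"):
        body = fetch(urls[method])
        if body is not None and is_openpgp_public_key(body):
            return method, body
    return None


# Constructed sample: a domain that deployed only the Direct method. The key
# is a stand-in beginning with an old-format Public-Key packet header (0x99).
SAMPLE_KEY = b"\x99\x01\x0d\x04" + b"\x00" * 8
SAMPLE_SITE = {
    wkd_urls("alice@example.com")["direct"].split("?")[0]: SAMPLE_KEY,
}


def sample_fetch(url: str) -> Optional[bytes]:
    """Serve the constructed site; the query string does not select the file."""
    return SAMPLE_SITE.get(url.split("?")[0])


if __name__ == "__main__":
    for method, url in wkd_urls("Alice@Example.com").items():
        print(f"{method:16} {url}")
    print("lookup:", lookup_key("Alice@Example.com", sample_fetch))
```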

Real-world implementation considerations

Implementing WKD requires careful planning, but surprisingly modest resources are needed. You need a web server capable of serving static files over HTTPS—something virtually every organization already has (or should have). Storage requirements are minimal; public keys typically measure only a few kilobytes. There is no database to maintain, no complex application logic to debug, no API versioning to manage.

Security considerations, however, deserve careful attention. Rate limiting becomes essential to prevent enumeration attacks, where adversaries attempt to discover valid email addresses by checking thousands of potential hashes. One must configure Cross-Origin Resource Sharing (CORS) headers to enable web tools to verify your WKD implementation. These are not complex requirements, but they are easy to overlook.

Your key management strategy also matters. While WKD handles distribution, you still need processes for key generation, rotation, and revocation.

How will you handle employee departures? What about shared mailboxes?

These operational questions need answers before deployment, not after.

The Keyoxide Revolution: Beyond Simple Encryption

WKD becomes even more powerful when used in conjunction with Keyoxide, an open source project that “can be used to verify the online identity of people to make sure one is interacting with whom they are supposed to be and not imposters. Unlike real life passports, Keyoxide works with online identities or ‘personas’, meaning these identities can be anonymous and one can have multiple separate personas to protect their privacy, both online and in real life.”

While WKD proves that you control a domain, Keyoxide extends this verification across platforms, creating a cryptographically provable digital identity that spans your entire online presence.

🔐 Digital identity verification stack

  1. Keyoxide (identity proofs): verifies decentralized online identities (e.g., GitHub, Mastodon, a website) and creates a public profile with verifiable proofs from multiple platforms;
  2. OpenPGP key (encryption): contains digitally signed cryptographic proofs; the proofs are embedded in the key and cannot be modified;
  3. WKD (automatic distribution): automatic key discovery via HTTPS, the IETF standard for secure key distribution;
  4. HTTPS + DNS (authentication): cryptographic proof of domain ownership; the SSL certificate and DNS control verify authenticity.

✅ Result: an unforgeable digital identity, where each layer reinforces the security of the previous one.

This combination addresses one of the fundamental problems of the internet: proving identity without relying on centralized authorities. When someone receives an email, they can not only verify that it is encrypted with keys from the sender’s domain, but also confirm that the same cryptographic identity controls, for example, specific accounts and websites (such as GitHub, Mastodon, or a website), as well as other online ownership. That creates a network of non-falsifiable identities, making impersonation virtually impossible.

The implications extend far beyond individual security.

For journalists, this means that sources can verify that they are indeed communicating with the person they intend to reach. For businesses, it means that contracts and negotiations can be conducted with absolute certainty about the identities of the participants. For activists and dissidents, it means secure communication channels that do not depend on trusting third parties.

For email service users: Gmail, ProtonMail, and Other Providers

The fundamental distinction

It is essential to clarify one crucial point immediately: WKD can only be implemented by those who control an email domain.

If you use a @gmail.com, @outlook.com, @protonmail.com, or similar address, you cannot implement WKD directly.

However, this does not mean that you cannot benefit from it.

Providers that support WKD

For domain name owners: a necessary clarification

Suppose you own a domain name (e.g., @company.com) with MX records pointing to ProtonMail, Posteo, Mailbox.org, or any other provider. In that case, it is helpful to know that email providers implement WKD only for their own domain names, not for those of their customers.

If you have access to a web server (even inexpensive hosting space is sufficient), it is advisable to implement WKD to maximize the benefits of automatic encryption.

There are two requirements for implementing WKD:

  • ownership of a domain name;
  • a web server where the keys can be published (with HTTPS support).

Concrete examples:

  • ProtonMail has WKD for @proton.me and @protonmail.com, but not for other domain names;
  • Posteo has WKD for @posteo.de, but not for other domain names;
  • Mailbox.org has WKD for @mailbox.org, but not for other domain names;
  • And so on for all providers.

Implementing your own WKD has significant advantages:

  • External users can automatically find the public key of the sender who owns the domain name;
  • You get all the benefits of automatic key discovery;
  • People no longer have to manually search for and verify the key of the sender who owns the domain name.

How to proceed: You can export the public key from your provider (every provider offers this feature in the settings) and publish it via WKD on your server by following the instructions in this article.

There is no conflict: the provider manages the email service, you operate the distribution of the public key—they work together perfectly.


Providers with WKD Support:

Providers that do NOT support WKD:

  • Gmail - No native OpenPGP or WKD support
  • Outlook/Microsoft - No WKD support
  • Tuta (formerly Tutanota) - Uses a proprietary encryption system, not OpenPGP, so no WKD support
  • Yahoo Mail - No WKD support
  • iCloud Mail - No WKD support

What you can do as a user

For those using a provider that supports WKD (such as ProtonMail):

  • Emails to domains with WKD enabled are automatically encrypted.
  • Your public key is automatically available to those using WKD.
  • You don’t need to do anything: everything works in the background.

For those using a provider without WKD support (such as Gmail):

  1. Option 1: Consider switching to a provider that supports WKD and OpenPGP;
  2. Option 2: Use browser extensions such as Mailvelope or FlowCrypt;
  3. Option 3: If privacy is critical, purchase your own domain and configure WKD.

Why it matters

Even if you cannot implement WKD directly, your choice of email provider has significant consequences:

  • With ProtonMail or other WKD-enabled providers, you contribute to the encrypted communications network;
  • The more people use providers with WKD support, the stronger the network becomes;
  • It’s a vote with your wallet: you support providers who invest in privacy and security.

For organizations: a clear message

If you run an organization that uses Google Workspace, Microsoft 365, or a similar service with a custom domain (@yourcompany.com), you can and should implement WKD. It doesn’t matter which email provider you use: if you control the domain name, you can configure WKD by following the instructions in this article. Employees will be able to receive encrypted emails from anyone using WKD-compatible clients, significantly increasing corporate security.

How to implement and use WKD in practice

For users: initial setup

Implementing WKD requires two parties:

  • those who publish the key (you or your organization) and
  • those who use it (your correspondents).

Here’s how to proceed step by step.

Step 1: Generate the OpenPGP key pair

# With GnuPG (available for Windows, Mac, Linux)
gpg --full-generate-key

# Choose:
# - RSA and RSA (default)
# - Key length: 4096 bits
# - Validity: 2-3 years (renewable)
# - Real name: Your name
# - Email: indirizzo-e-mail@example.com

Step 2: Export the public key

# Find the key ID
gpg --list-keys indirizzo-e-mail@example.com

# Export in binary format for WKD
gpg --export indirizzo-e-mail@example.com > public-key.key

Step 3: Calculate the WKD file name

# Calculate the hash of the local part of the email (mapped to lowercase
# first, as the WKD specification requires) and encode it with z-base32.
# Note: WKD uses the z-base32 alphabet, not RFC 4648 base32, so
# base64.b32encode on its own would produce the wrong file name.
echo -n "local-name" | tr 'A-Z' 'a-z' | sha1sum | cut -d' ' -f1 | python3 -c "
import sys
digest = int(sys.stdin.read().strip(), 16)          # 160-bit SHA-1 value
alphabet = 'ybndrfg8ejkmcpqxot1uwisza345h769'       # z-base32 alphabet
print(''.join(alphabet[(digest >> (155 - 5 * i)) & 31] for i in range(32)))"

For administrators: publishing the key

Web server configuration (e.g., nginx):

# In the http {} block: define the rate-limit zone (limit_req_zone is not
# valid inside server {})
limit_req_zone $binary_remote_addr zone=wkd:10m rate=10r/s;

server {
    listen 443 ssl;
    server_name openpgpkey.example.com;

    # HTTPS is required by WKD
    ssl_certificate /path/to/cert.pem;
    ssl_certificate_key /path/to/key.pem;

    # Directory created in the next step
    root /var/www/openpgpkey;

    # Rate limiting to slow down enumeration of the hu/ directory
    limit_req zone=wkd burst=20;

    # CORS so that web-based validators can fetch the policy file and keys
    location /.well-known/openpgpkey/ {
        add_header Access-Control-Allow-Origin "*";
        add_header Access-Control-Allow-Methods "GET";

        # Never expose the list of hashed file names
        autoindex off;

        # Keys are served as binary OpenPGP data
        location ~ /hu/ {
            default_type application/octet-stream;
        }
    }
}

Directory structure to be created:

# Create the structure
mkdir -p /var/www/openpgpkey/.well-known/openpgpkey/example.com/hu/

# Copy the key with the correct hash name
cp public-key.key /var/www/openpgpkey/.well-known/openpgpkey/example.com/hu/[calculated-hash]

# Create the policy file (even if empty)
touch /var/www/openpgpkey/.well-known/openpgpkey/example.com/policy

# Set permissions
chmod 644 /var/www/openpgpkey/.well-known/openpgpkey/example.com/hu/*
chmod 644 /var/www/openpgpkey/.well-known/openpgpkey/example.com/policy

How it works in everyday use

Scenario 1: Sending an encrypted email

When writing, for example, to bob@example.com with Thunderbird configured:

  1. Compose the email as usual;
  2. Thunderbird automatically searches for the key on https://openpgpkey.example.com;
  3. If it finds the key, a green padlock appears;
  4. Click “Send” and the email is sent encrypted;
  5. Result: Only Bob can read the content.

[Diagram: user experience, traditional vs WKD. Without WKD: “Do you have the PGP key?”, “Where do I find it?”, “Is it really yours?”, manual exchange via email/phone, voice fingerprint verification, time: 10-30 minutes. With WKD: write the email, automatic encryption, no action required, time: 0 additional seconds.]

Scenario 2: Digital signature verification

You receive an important email from providers@partner.com:

  1. The client automatically displays “✓ Valid Signature”
  2. You know with mathematical certainty that:
  • It really comes from partner.com
  • It has not been modified in transit
  • It can be used as legal evidence

In a WKD context, what has just been described is true.

However, to avoid misunderstandings, it is worth pointing out that if an email client displays a “✓ Valid Signature” icon for a digitally signed email, this does not always guarantee with mathematical certainty that:

  • The email actually comes from the partner.com domain
  • The content has not been modified in transit
  • The signature is automatically usable as legal evidence without further verification

For a digital signature to have full legal value and be used as evidence, the following conditions must be met:

  • The digital signature must be issued by an accredited and recognized certifier (e.g., AgID in Italy)
  • The certificate associated with the signature has not expired, been revoked, or suspended at the time of verification
  • A thorough verification of the certificate and the integrity of the message is carried out
  • The verification is based on the signer’s certificate recognized by the client and corresponding to the actual sender

In other words, the simple “✓ Valid Signature” icon in the client indicates that the signature is formally valid, but to have mathematical certainty and legal probative value, you must ensure that the digital certificate is valid, not suspended or revoked, and that the identity of the signatory is indeed as stated. Only then can the signature be considered solid legal evidence.

Scenario 3: Multi-device protection

Configure WKD once, and it works everywhere:

  • Desktop: Thunderbird, Outlook (with plugin)
  • Mobile: K-9 Mail, FairEmail (Android); Canary Mail (iOS)
  • Webmail: Mailvelope, FlowCrypt
  • Terminal: Mutt, NeoMutt with Autocrypt

Concrete advantages in everyday use

For professionals:

  • Lawyers: Client-lawyer communications automatically protected;
  • Doctors: Encrypted reports and consultations without additional effort;
  • Accountants: End-to-end protected tax documents;
  • Notaries: Deeds and documents with enhanced legal value.

For businesses:

  • Zero Training: Employees don’t have to learn anything new;
  • Automatic Compliance: GDPR compliance by design;
  • Audit Trail: Every communication is cryptographically verifiable;
  • Phishing Protection: Impossible to impersonate domains with WKD enabled.

For individuals:

  • Privacy by Default: Every email potentially encrypted;
  • No Cost: Uses existing infrastructure;
  • No Vendor Lock-in: Open standard, works with any provider;
  • Total Control: You manage your keys, no middlemen.

You can verify that WKD works as follows:

# Local test with GnuPG
gpg --locate-keys --auto-key-locate clear,wkd,nodefault indirizzo-e-mail@example.com

# If configured correctly, it should automatically download the key

You can use online validation tools:

  1. Web Key Directory Validator (https://www.webkeydirectory.com/)
  • The most comprehensive validator available
  • Checks both the Direct and Advanced methods
  • Checks all technical requirements: CORS headers, Content-Type, policy file
  • Checks that the key has not expired or been revoked
  • Tests that directory listing is disabled for security
  • Checks support for the HEAD method
  2. WKD Checker by dp42.dev (https://wkd.dp42.dev/)
  • Modern and clean interface
  • Quick WKD configuration test
  • Shows detailed information about the key found
  3. WKD Checker by Miarecki (https://miarecki.eu/tools/wkd-checker/)
  • Alternative tool for WKD verification
  • Useful for comparison and double-checking
  • Simple and effective interface

What these tools check:

  • ✓ Presence of the policy file
  • ✓ Correct HTTP headers (200 OK)
  • ✓ CORS configured correctly (Access-Control-Allow-Origin: *)
  • ✓ Appropriate Content-Type (application/octet-stream)
  • ✓ Valid and unexpired OpenPGP key
  • ✓ User ID matching the email
  • ✓ Key encryption capability
  • ✓ Directory listing disabled for security
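To run the same checklist offline, here is an added Python checker (not one of the validators listed above, nor code from the article) that evaluates constructed HTTP responses for a correct deployment and a misconfigured one; the Response class, the fetcher, the sample sites and the stub key bytes are assumptions made for this example.

```python
"""Offline checker for a WKD deployment, mirroring what the validators above test.

Added example: not one of the listed tools and not code from the article.
Responses are constructed in-line so the check runs without a network.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple


@dataclass
class Response:
    status: int
    headers: Dict[str, str] = field(default_factory=dict)  # names lowercased
    body: bytes = b""


Fetcher = Callable[[str], Response]
Result = Tuple[str, bool, str]  # (check name, passed, detail)


def check_wkd(base: str, hashed: str, fetch: Fetcher) -> List[Result]:
    """Run the checklist against one WKD base directory.

    base is the directory for the method in use, e.g.
    https://openpgpkey.example.com/.well-known/openpgpkey/example.com (Advanced)
    or https://example.com/.well-known/openpgpkey (Direct); hashed is the
    z-base32 file name of the address under test.
    """
    results: List[Result] = []
    policy = fetch(f"{base}/policy")
    results.append(("policy file present", policy.status == 200, f"HTTP {policy.status}"))

    key = fetch(f"{base}/hu/{hashed}")
    results.append(("key returns 200 OK", key.status == 200, f"HTTP {key.status}"))

    cors = key.headers.get("access-control-allow-origin")
    results.append(("CORS header", cors == "*", f"Access-Control-Allow-Origin: {cors}"))

    ctype = key.headers.get("content-type", "").split(";")[0].strip()
    results.append(("Content-Type", ctype == "application/octet-stream", ctype or "(missing)"))

    # A binary OpenPGP export starts with a packet header (high bit set);
    # an ASCII-armored .asc file uploaded by mistake starts with '-----BEGIN'.
    armored = key.body.startswith(b"-----BEGIN PGP")
    binary = bool(key.body) and bool(key.body[0] & 0x80)
    results.append(("binary OpenPGP key (not ASCII-armored)", binary and not armored,
                    "armored" if armored else ("binary" if binary else "empty/unknown")))

    listing = fetch(f"{base}/hu/")
    results.append(("directory listing disabled", listing.status != 200, f"HTTP {listing.status}"))
    return results


def failed_checks(results: List[Result]) -> List[str]:
    """Names of the checks that did not pass (an empty list means all good)."""
    return [name for name, ok, _ in results if not ok]


def make_fetch(site: Dict[str, Response], base: str) -> Fetcher:
    """Fetcher over a constructed site keyed by path relative to base."""
    def fetch(url: str) -> Response:
        return site.get(url[len(base):], Response(404))
    return fetch


BASE = "https://openpgpkey.example.com/.well-known/openpgpkey/example.com"
ALICE = "kwtfi7pgr93wergze6aymr9j8x1mp1wm"   # the article's file name for alice
KEY_HEADERS = {"content-type": "application/octet-stream",
               "access-control-allow-origin": "*"}
STUB_KEY = b"\x99\x01\x0d\x04" + b"\x00" * 8    # constructed packet header, not a real key

# Correct deployment: policy present, key served as binary with CORS, no listing.
GOOD_SITE = {
    "/policy": Response(200, KEY_HEADERS),
    f"/hu/{ALICE}": Response(200, KEY_HEADERS, STUB_KEY),
    "/hu/": Response(403, {"content-type": "text/html"}, b"<html>Forbidden</html>"),
}

# Typical mistakes: no policy file, .asc uploaded as text, autoindex left on.
BAD_SITE = {
    f"/hu/{ALICE}": Response(200, {"content-type": "text/plain"},
                             b"-----BEGIN PGP PUBLIC KEY BLOCK-----\n"),
    "/hu/": Response(200, {"content-type": "text/html"}, b"<html>Index of /hu/</html>"),
}


if __name__ == "__main__":
    for label, site in (("good", GOOD_SITE), ("bad", BAD_SITE)):
        for name, ok, detail in check_wkd(BASE, ALICE, make_fetch(site, BASE)):
            print(f"[{label}] {'PASS' if ok else 'FAIL'} {name}: {detail}")
```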

Monitoring and maintenance:

  • Check web server logs for WKD requests;
  • Renew keys before they expire;
  • Maintain secure backups of private keys;
  • Document the process for the IT team.

Integration with existing systems

WKD integrates seamlessly with:

  • Active Directory: PowerShell script to publish employee keys;
  • LDAP: Automatic key-user synchronization;
  • Mail Server: Postfix/Dovecot with automatic outgoing signature;
  • Webmail: Roundcube, Zimbra with OpenPGP plugin;
  • Mobile Device Management: Key distribution on corporate devices.

The beauty of WKD lies in its operational simplicity: once configured, it works silently in the background, making email encryption as transparent as HTTPS has made web browsing secure.

WKD in the age of artificial intelligence: an essential defense

The convergence of WKD and AI represents a critical turning point for digital identity and communications security.

As I clarified in my latest book “Artificial Intelligence, Privacy, and Neural Networks: The Balance Between Innovation, Knowledge, and Ethics in the Digital Age,” the rise of generative AI fundamentally changes the threat landscape for digital communications. WKD transforms from a valuable security tool to an essential component of human identity verification in a world saturated with AI.

WKD: Cryptographic Proof of Authenticity in the Age of AI

We have entered an era where AI can perfectly mimic writing styles, generate convincing business communications, and create emails indistinguishable from those written by humans. GPT models can analyze your previous emails and reproduce your tone, vocabulary, and even your typical typos. Speech synthesis can fake phone calls. Deepfake videos can simulate video conferences. In this landscape, cryptographic signatures via WKD could become the ultimate reliable proof that a communication genuinely comes from a specific human being.

Consider the implications: when you receive an urgent email from the CEO requesting a wire transfer, how do you know it’s really the CEO?

When a supplier sends revised project specifications, how can you verify that they weren’t generated by an AI trained on stolen emails?

WKD provides the answer through mathematical certainty. An AI could perfectly mimic writing style, but it cannot forge a cryptographic signature without the private key.

The pre-AI timestamp: documents of indisputable authenticity

Documents and communications cryptographically signed via WKD before the widespread adoption of generative AI will acquire a special status in the coming years. These “pre-AI authentic” documents cannot be created or modified retroactively by future technologies. They represent a permanent, unalterable record of human intent before the era of synthetic content.

That has profound legal implications. Contracts signed with WKD keys before the emergence of AI carry an inherent authenticity that post-AI documents may never attain. Courts may develop different evidentiary standards for cryptographically signed pre-AI documents than for post-AI communications. Organizations implementing WKD today are creating an unbroken chain of cryptographic trust that extends backward into the pre-AI era, providing crucial legal protection against future disputes involving AI-generated fakes.

WKD-Enabled AI Workflows: Accountability in Automated Systems

As organizations increasingly integrate AI into their communication workflows, WKD provides an essential accountability infrastructure. When an AI assistant drafts emails on behalf of an executive, WKD can cryptographically sign these communications with the key of the responsible human, creating transparent chains of accountability. That is not about preventing the use of AI, but about ensuring accountability when AI systems interact with the outside world.

[Diagram: AI-assisted communication flow with WKD. Step 1, AI generation: the AI assistant generates an email draft. Step 2, human review: a human reviews and approves the final content. Step 3, cryptographic signature: WKD automatically signs with the human's private key. Step 4, recipient verification: the recipient can verify human identity via WKD, human approval and legal accountability. Final result: AI efficiency plus human accountability, the best of both worlds.]

This model preserves the efficiency gains of AI while maintaining human responsibility.

The cryptographic signature via WKD becomes a statement: “I, the key holder, take responsibility for this content, regardless of how it was produced.”

Defense against AI-powered social engineering

AI is revolutionizing social engineering attacks.

Attackers can now:

  • analyze thousands of public communications to mimic writing styles perfectly;
  • generate highly personalized phishing emails at scale;
  • create synthetic voices for vishing attacks;
  • produce deepfake videos for sophisticated fraud.

Traditional defenses are crumbling. Employees can no longer rely on recognizing writing style, checking for grammatical errors, or even trusting phone calls.

WKD provides a binary defense: either the message carries a valid cryptographic signature from the declared sender’s key, or it does not. There is no middle ground for AI to exploit.

Organizations without WKD face an existential threat from AI-powered attacks. A single successful AI-generated CEO fraud can bankrupt a company. WKD converts this vulnerability into a straightforward check: no valid signature = no trust, regardless of how convincing the message appears.

Bridge between government identity and AI resistance

In the Italian context, and increasingly across Europe, WKD can bridge the gap between government digital identity systems (such as SPID, CIE, and eIDAS) and AI-resistant communication protocols. While SPID verifies who you are for the government, WKD extends this verification into everyday communications, creating a multi-layered identity system that is resilient to AI manipulation.

[Diagram: Layered identity architecture. Government layer (SPID/CIE): “this person is legally identified”. Bound to the WKD cryptographic layer: “this specific key belongs to this identity”. Signed into the communication layer: “this message cryptographically proves its origin”. Together these form an AI-resistant identity stack.]

This layered approach creates defense in depth against AI impersonation. An attacker would need to compromise multiple independent systems to impersonate someone, making large-scale, AI-powered fraud economically unviable.

The Urgency of Implementation

The window to implement WKD as a defense against AI is rapidly closing. Every day, AI systems become increasingly sophisticated, analyzing patterns in unstructured communications and building profiles for potential future attacks.

Organizations that implement WKD today gain:

  1. Retroactive protection: All communications signed from today forward are protected against future AI impersonations.
  2. Network effects: As more organizations adopt WKD, the entire email ecosystem becomes more resilient to AI attacks.
  3. Competitive advantage: Early adopters can guarantee the authenticity of their communications while competitors remain vulnerable.
  4. Legal clarity: Cryptographically signed communications provide clear evidentiary trails, which are essential as AI-generated content floods the legal system.

The question is not whether AI will render unsigned email obsolete, but whether your organization will have a cryptographic identity infrastructure in place when it does.

Implementation Challenges and Solutions

Despite its elegance, implementing WKD can present challenges. The most common problem is incorrect hash generation. Many implementations mistakenly use SHA-256 instead of SHA-1, or standard base32 encoding instead of z-base32. These subtle differences completely break key discovery, because the client computes a different path from the one the server publishes, leading to frustration and abandonment.

[Diagram: WKD implementation comparison. Common errors: SHA-256 instead of SHA-1; base32 instead of z-base32; path without domain; CORS not configured. Correct implementation: use SHA-1 for hashing; use z-base32 encoding; include the domain in the path; configure CORS headers.]

CORS headers present another common obstacle.

Without proper CORS configuration, web testing tools cannot check your WKD implementation, leading administrators to incorrectly believe that their setup has failed. The solution involves adding appropriate Access-Control headers, which requires an understanding of how modern browsers enforce same-origin policies.

Permission issues often hinder implementations. The web server must be able to read the key files, but you don’t want them to be writable by everyone. Finding the right balance between security and functionality requires understanding your web server’s user context and your system’s permissions model.
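As an added example (not code from the article or from any WKD project), the following computes the WKD lookup hash, the URLs for both lookup methods and the on-disk locations of the key and policy files, and shows what the two common mistakes above (SHA-256, RFC 4648 base32) produce instead. The address Joe.Doe@Example.ORG and its hash are the test vector from the WKD draft; the web root path is an assumption.

```python
import base64
import hashlib
import os
from urllib.parse import quote

# z-base32 alphabet required by the WKD draft (not the RFC 4648 base32 alphabet)
ZBASE32_ALPHABET = "ybndrfg8ejkmcpqxot1uwisza345h769"


def zbase32_encode(data: bytes) -> str:
    """Encode bytes as z-base32: MSB first, 5 bits per character, no padding."""
    nbits = len(data) * 8
    pad = (-nbits) % 5                       # pad to a multiple of 5 bits
    value = int.from_bytes(data, "big") << pad
    nchars = (nbits + pad) // 5
    return "".join(
        ZBASE32_ALPHABET[(value >> (5 * (nchars - 1 - i))) & 31]
        for i in range(nchars)
    )


def wkd_hash(email: str) -> str:
    """WKD key identifier: SHA-1 of the lower-cased local part, z-base32 encoded."""
    local, _, _domain = email.rpartition("@")
    digest = hashlib.sha1(local.lower().encode("utf-8")).digest()
    return zbase32_encode(digest)


def wkd_urls(email: str) -> dict:
    """Lookup URLs for both methods; ?l= carries the local part exactly as given."""
    local, _, domain = email.rpartition("@")
    domain = domain.lower()
    h = wkd_hash(email)
    l = quote(local)
    return {
        # advanced method: served from the openpgpkey subdomain, domain repeated in the path
        "advanced": f"https://openpgpkey.{domain}/.well-known/openpgpkey/{domain}/hu/{h}?l={l}",
        # direct method: served from the domain itself, no domain component in the path
        "direct": f"https://{domain}/.well-known/openpgpkey/hu/{h}?l={l}",
    }


def wkd_files(webroot: str, email: str) -> dict:
    """Direct-method layout: binary key under hu/, plus the (possibly empty) policy file."""
    base = os.path.join(webroot, ".well-known", "openpgpkey")
    return {
        "key": os.path.join(base, "hu", wkd_hash(email)),
        "policy": os.path.join(base, "policy"),
    }


def common_mistakes(email: str) -> dict:
    """Values produced by the two frequent errors, for comparison with wkd_hash()."""
    local = email.rpartition("@")[0].lower().encode("utf-8")
    return {
        "sha256_zbase32": zbase32_encode(hashlib.sha256(local).digest()),
        "sha1_rfc4648_base32":
            base64.b32encode(hashlib.sha1(local).digest()).decode().lower().rstrip("="),
    }


if __name__ == "__main__":
    addr = "Joe.Doe@Example.ORG"            # test vector from the WKD draft
    print(wkd_hash(addr))                    # iy9q119eutrkn8s1mk4r39qejnbu3n5q
    for name, url in wkd_urls(addr).items():
        print(f"{name:9s} {url}")
    for name, path in wkd_files("/var/www/html", addr).items():   # assumed web root
        print(f"{name:9s} {path}")
    for name, val in common_mistakes(addr).items():
        print(f"{name:20s} {val}  (wrong: a client will never request this path)")
```

The key file must be readable by the web server user and served as raw binary (not ASCII-armored); a mismatch between the client's computed hash and the published filename shows up as a plain HTTP 404.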

The biggest challenge, however, is organizational inertia. Implementing WKD requires coordination among email administrators, web administrators, and security teams—groups that often do not communicate effectively. Success requires not only technical implementation but also organizational alignment on the importance of encrypted communication.

The path forward

The trajectory is clear: encrypted email is evolving from a niche concern to a standard expectation. Major email clients now include WKD support by default. Governments are beginning to recommend or require the use of encrypted communications in sensitive sectors. Privacy regulations increasingly treat the transmission of unencrypted data as negligence.

Organizations implementing WKD today are positioning themselves ahead of this curve. They are not just adopting a technology; they are embracing a philosophy that respects user privacy, takes security seriously, and recognizes that trust must be earned through verifiable actions, not just policy statements.

For individuals, WKD represents the reclamation of control over digital identity and communication. In a world where tech giants monetize every aspect of our digital lives, WKD offers something revolutionary: privacy without asking permission, security without subscription fees, identity verification without surveillance.

Making the decision

The question is not whether to implement WKD, but how quickly it can be done. Every day without WKD is another day of unnecessary exposure, another day of messages that could be encrypted but are not, another day of uncertainty about digital identity.

The technical barriers have largely been resolved. Modern email clients support WKD natively. The configuration, although requiring attention to detail, is well-documented. The infrastructure requirements are minimal. What remains is the decision to act.

For organizations, this decision should be simple. The costs of WKD implementation are negligible compared to the costs of a single data breach. The reputational benefits of properly secured communications far outweigh the modest implementation effort. The operational benefits of automatic key distribution eliminate the ongoing support burden.

For individuals, especially those in sensitive professions—such as lawyers, doctors, journalists, and activists—WKD is becoming essential infrastructure. It’s the difference between hoping your communications remain private and knowing they are protected with mathematical certainty.

WKD and the Global Encryption Movement

Alongside the Global Encryption Coalition

As a proud member of the Global Encryption Coalition, I believe that implementing technologies such as WKD is not just a technical choice, but a statement of values. The Coalition, which brings together over 400 organizations, companies, and individuals from more than 100 countries, supports a simple but powerful message: strong encryption is essential to protecting human rights, press freedom, free expression, and privacy in our interconnected world.

The Coalition’s work becomes more critical every day as governments around the world propose legislation that would weaken encryption through backdoors, key escrow, or client-side scanning. These proposals, often made in the name of security, fundamentally misunderstand that there is no such thing as encryption that only works for the “good guys.” Any weakness introduced for law enforcement can and will be exploited by criminals, authoritarian regimes, and hostile actors.

WKD represents precisely the kind of decentralized, user-controlled encryption that the Global Encryption Coalition promotes. It embodies the principles we fight for:

  • No backdoors: WKD uses standard OpenPGP encryption without weakened algorithms or master keys;
  • User control: individuals and organizations retain complete control over their cryptographic keys;
  • Decentralization: no central authority can compromise or shut down the entire system;
  • Transparency: based on open standards that anyone can verify;
  • Accessibility: free to implement and use, ensuring that encryption is available to everyone, not just the privileged.

Why encryption is a human right

The United Nations and the international community have repeatedly recognized encryption as a fundamental aspect of human rights. The UN General Assembly resolution A/RES/79/175 of December 2024, entitled “The right to privacy in the digital age,” reinforces the importance of encryption in protecting fundamental rights in the digital age. In his 2015 report (A/HRC/29/32), Special Rapporteur David Kaye laid the groundwork by stating that “encryption and anonymity enable individuals to exercise their rights to freedom of opinion and expression in the digital age.”

The European Court of Human Rights issued a landmark ruling in 2024 in the case Podchasov v. Russia (no. 33502/19), which represents a turning point in the debate on encryption. The Court ruled that measures such as the indiscriminate storage of all communications, direct access to data by state security agencies, and the obligation to decrypt communications violate Article 8 of the European Convention on Human Rights and are not necessary in a democratic society. Particularly significant is the Court’s recognition that encryption is an essential tool for protecting privacy and other fundamental rights such as freedom of expression. The ruling highlights that creating backdoors to allow government access to encrypted communications would weaken security for all users and encourage indiscriminate mass surveillance, which is contrary to the Convention. The Court suggested adopting investigative alternatives that do not compromise encryption, such as lawful interception of seized devices or undercover operations.

The Digital Watch Observatory in its 2025 report highlights how “encryption is essential for human rights, security, and freedom of expression,” denouncing growing government pressure for backdoors that would undermine these fundamental rights. UN resolution A/HRC/RES/54/21 explicitly affirms “the right to privacy in the digital age,” associating it with the legitimate use of encryption to protect communications. These principles are reinforced by Article 17 of the International Covenant on Civil and Political Rights (ICCPR).

Consider who depends on encryption every day:

  • Journalists protecting sources in authoritarian regimes;
  • Human rights defenders coordinating safe houses and escape routes;
  • Survivors of domestic abuse seeking help without the abuser knowing;
  • Democracy activists organizing protests against oppressive governments;
  • Whistleblowers exposing corruption and wrongdoing;
  • Healthcare workers protecting patient privacy;
  • Lawyers who must maintain client confidentiality.

As Amnesty International pointed out in their report “Encryption: A Matter of Human Rights” (2016) and reiterated in 2025, for these individuals, encryption is not about having “something to hide”—it is about having something to protect: their lives, their freedom, their ability to fight for justice. A 2025 EUI report highlights that several governments have blocked end-to-end encryption technologies, demonstrating how crucial it is to defend this fundamental right.

The economic imperative of strong encryption

Beyond human rights, the Global Encryption Coalition emphasizes the critical role of encryption in the digital economy.

Every day, encryption protects:

  • $3 trillion in global e-commerce transactions;
  • 4 billion pieces of personal data online;
  • critical infrastructure from power grids to water systems;
  • financial systems that process millions of transactions per second;
  • medical records containing our most sensitive information;
  • intellectual property worth trillions in economic value.

WKD strengthens this economic security by making corporate email communications—where deals are negotiated, contracts are signed, and strategies are discussed—cryptographically secure by default.

WKD: Practical Encryption for Global Impact

What makes WKD particularly aligned with the Global Encryption Coalition’s mission is its practical and implementable nature. While we advocate for encryption rights at the policy level, WKD provides a concrete tool that organizations and individuals can implement today. It does not require waiting for legislation, is independent of the benevolence of tech giants, and does not necessitate massive investments in infrastructure.

Every domain name that implements WKD becomes part of a global, decentralized network of secure communication. This bottom-up approach to encryption adoption is exactly what it sounds like: encryption spreading not through mandates but through recognition of its fundamental necessity.

Global Encryption Coalition - Make the Switch

The Global Encryption Coalition’s Make the Switch campaign encourages everyone to adopt encrypted communications. Implementing WKD is a powerful way to respond to this call.

Those who do so:

  1. protect their communications from surveillance and tampering;
  2. contribute to network effects that make encryption more ubiquitous;
  3. send a message to policymakers that citizens demand strong encryption;
  4. support the global movement for digital rights and privacy.

As the Coalition often points out, encryption is under constant threat from well-intentioned but ill-conceived legislation. The proposed EU Chat Control Regulation, the UK’s Online Safety Bill, and similar measures worldwide aim to undermine end-to-end encryption. Our response must be swift and decisive: implement strong encryption everywhere, make it the default, and demonstrate through action that privacy is non-negotiable.

A personal commitment to encryption

My involvement with the Global Encryption Coalition stems from a deep belief that privacy is a fundamental human right, not a privilege. Through my blog, publications, book “Artificial Intelligence, Privacy, and Neural Networks: The Balance Between Innovation, Knowledge, and Ethics in the Digital Age,” and practical implementations such as WKD, I strive to make encryption accessible and understandable to everyone.

The Coalition provides resources, research, and advocacy that amplify individual efforts, such as mine. When we come together—technologists, activists, businesses, and citizens—we create an unstoppable force for privacy and security.

WKD is one piece of this larger puzzle, but it is a piece that every email domain owner can implement today.

The path forward with global solidarity

The Global Encryption Coalition reminds us that the fight for encryption is a global and ongoing effort. While some governments push for weakened encryption, others recognize its vital importance. The Coalition’s Global Encryption Day celebrates these victories while highlighting the challenges ahead.

Implementing WKD is a concrete action you can take to support this global movement. It is a technical implementation with political implications, a security measure with human rights ramifications, and a personal choice with collective impact.

Visit globalencryption.org to learn more about the Coalition’s work, access resources on encryption policy, and join thousands of others in defending the right to private communication. Together, we are not only implementing technology but also protecting democracy, enabling free expression, and ensuring that the digital future remains free and open.

Conclusions

WKD represents more than just a technical protocol; it embodies a vision of how digital communication should work. A vision where privacy is the default, not optional, identity verification does not require trust in corporations or governments, and the infrastructure of trust is distributed, resilient, and under user control.

I implemented WKD not only because I could, but because I believe this vision is worth building.

As I wrote in my February 2023 article on WKD — published in unsuspecting times, well before the current wave of interest in decentralized identity — this technology represents a fundamental solution to the digital identity challenges we have been facing for decades. That early exploration laid the philosophical and practical groundwork that still guides my implementation today. Every domain that implements WKD strengthens the network, makes encrypted email more ubiquitous, and brings us closer to a world where private communication is the norm rather than the exception.

The tools exist. The standards are mature. Client support is widespread. What we need now is adoption—organizations and individuals choosing to take control of their cryptographic identities and secure their communications.

The internet we want—private, secure, decentralized—will not build itself. It requires conscious choices by people who understand both what is at stake and what is possible. WKD is one such choice, available today, that helps us move toward a better internet.

Will you join this movement? Will you implement WKD to help normalize the use of encrypted email?

The technical steps are documented, and the benefits are clear.

Our digital future depends on the infrastructure decisions we make today.

Related hashtags

#WebKeyDirectory, #WKD, #OpenPGP, #emailencryption, #digitalidentity, #privacy, #security, #Keyoxide