
Technical Infrastructure

When an AI agent assesses a website’s credibility, the first thing it checks is not your products but your technical infrastructure. Just as a bank reviews your credit history before approving a loan, AI agents inspect your domain’s security posture first. This chapter covers every technical infrastructure element that affects AI trust evaluation, ordered by importance.

2.1 SSL/TLS Certificates

What is SSL: SSL (Secure Sockets Layer) and its successor TLS (Transport Layer Security) are protocols that encrypt website communications. The lock icon in your browser’s address bar indicates an active SSL/TLS connection.

Why AI agents care: A website without SSL is immediately flagged as “insecure.” This is the most basic threshold.

Configuration guidelines:
Item                  | Recommendation                        | Notes
Certificate type      | DV (Domain Validation) is sufficient  | OV/EV certificates earn additional trust points
Certificate authority | Let’s Encrypt (free) or commercial CA | Self-signed certificates are penalized
Protocol version      | TLS 1.2+                              | TLS 1.0/1.1 are not acceptable
Certificate chain     | Complete                              | Intermediate certificates must not be missing

Getting started for free: Most hosting providers (Cloudflare, Vercel, Netlify) automatically provide SSL. If yours does not, use Let’s Encrypt with Certbot to obtain a free certificate.

Verification: Visit https://yourdomain.com and confirm the browser shows a lock icon. For detailed analysis, use SSL Labs.
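A scripted version of the verification above, checking the three guideline rows that a browser lock icon does not show you: protocol version (TLS 1.2 or newer only), a complete chain that verifies against the system trust store, and certificate expiry. This is an added example, not code from the page; the hostname in the final line is a placeholder.

```python
"""Check an endpoint against this section's guidelines: TLS 1.2 or newer only,
a complete chain that verifies against the system trust store, and a
certificate that has not expired. Added example; 'yourdomain.com' is a placeholder."""
import socket
import ssl
from datetime import datetime, timezone
from typing import Optional


def policy_context() -> ssl.SSLContext:
    # create_default_context() verifies hostname and chain, so a missing
    # intermediate certificate fails the handshake instead of passing silently
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # refuse TLS 1.0/1.1
    return ctx


def days_until_expiry(not_after: str, now: Optional[datetime] = None) -> int:
    # getpeercert()['notAfter'] looks like 'Jun  1 12:00:00 2025 GMT'
    expires = ssl.cert_time_to_seconds(not_after)
    now_ts = (now or datetime.now(timezone.utc)).timestamp()
    return int((expires - now_ts) // 86400)


def assess(host: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Return negotiated protocol, days until expiry and any verification error."""
    result = {"host": host, "ok": False, "protocol": None, "days_left": None, "error": None}
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with policy_context().wrap_socket(sock, server_hostname=host) as tls:
                result["protocol"] = tls.version()  # e.g. 'TLSv1.3'
                result["days_left"] = days_until_expiry(tls.getpeercert()["notAfter"])
                result["ok"] = result["days_left"] > 0
    except ssl.SSLCertVerificationError as e:
        # incomplete chain, wrong name, self-signed or expired certificate
        result["error"] = f"verification failed: {e.reason}"
    except (ssl.SSLError, OSError) as e:
        # also covers servers that only offer TLS 1.0/1.1
        result["error"] = f"handshake failed: {e}"
    return result


if __name__ == "__main__":
    print(assess("yourdomain.com"))  # placeholder: put your own domain here
```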

2.2 DNSSEC

What is DNSSEC: DNS Security Extensions. It uses digital signatures to ensure DNS resolution results have not been tampered with.

Plain-language explanation: You write “deliver to 123 Main Street, New York” on a shipping label. DNSSEC ensures that address cannot be changed to “456 Oak Avenue, Chicago” during transit.

Why it matters: DNS hijacking is a real security threat. AI agents check whether your domain has DNSSEC enabled as an important security signal.

Configuration steps:
  1. Confirm your domain registrar supports DNSSEC (most do)
  2. Enable DNSSEC in your registrar’s dashboard:
    • Cloudflare: Dashboard → DNS → DNSSEC → Enable (one click)
    • Namecheap: Domain List → Select domain → Advanced DNS → DNSSEC → Enable
    • GoDaddy: My Products → DNS → DNSSEC → Add
    • Google Domains: DNS → DNSSEC → Enable
  3. Wait for propagation: Typically 24-48 hours
Verification:
# Verify using dig
dig +dnssec yourdomain.com

# Or use an online tool
# https://dnssec-debugger.verisignlabs.com/
DNSSEC is free, and most registrars require just one toggle. This is one of the highest-ROI security configurations you can make.
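The dig check above is easy to misread: RRSIG records in the answer only show that the zone is signed, while the ad (authenticated data) flag from a validating resolver shows that the chain of trust actually verified. This added example (not from the page) interprets dig +dnssec output accordingly; the captured output in SAMPLE is constructed, and the resolver address is an assumption you can change.

```python
"""Interpret `dig +dnssec` output: signed (RRSIG present) is not the same as
validated (resolver set the 'ad' flag). Added example; SAMPLE is constructed."""
import re
import subprocess
from typing import Dict


def parse_dig(output: str) -> Dict[str, object]:
    flags_m = re.search(r"^;; flags: ([^;]*);", output, re.M)
    flags = set(flags_m.group(1).split()) if flags_m else set()
    rrsigs = re.findall(r"^\S+\s+\d+\s+IN\s+RRSIG\s+(\S+)", output, re.M)
    status_m = re.search(r"status: (\w+)", output)
    return {
        "status": status_m.group(1) if status_m else None,
        "signed": bool(rrsigs),        # the zone publishes signatures
        "validated": "ad" in flags,    # the resolver verified the chain of trust
        "rrsig_types": sorted(set(rrsigs)),
    }


def verdict(parsed: Dict[str, object]) -> str:
    if parsed["status"] == "SERVFAIL":
        return "BOGUS: validating resolver refused the answer (broken DNSSEC)"
    if parsed["validated"]:
        return "OK: signed and validated"
    if parsed["signed"]:
        return "PARTIAL: signatures present but this resolver did not validate; query a validating resolver"
    return "UNSIGNED: no RRSIG records, DNSSEC is not enabled"


def check(domain: str, resolver: str = "1.1.1.1") -> str:
    # Live check; 1.1.1.1 is a public validating resolver (assumed default)
    cmd = ["dig", f"@{resolver}", "+dnssec", domain, "A"]
    out = subprocess.run(cmd, capture_output=True, text=True, check=False).stdout
    return verdict(parse_dig(out))


# Constructed dig output for a signed, validated answer (not a real capture)
SAMPLE = """; <<>> DiG 9.18.0 <<>> @1.1.1.1 +dnssec example.com A
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; ANSWER SECTION:
example.com.\t3600\tIN\tA\t192.0.2.10
example.com.\t3600\tIN\tRRSIG\tA 13 2 3600 20250101000000 20241201000000 12345 example.com. abc==
"""
```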

2.3 DMARC + SPF + DKIM

These three protocols work together to prevent your email domain from being spoofed. AI agents check all three.

SPF (Sender Policy Framework)

Purpose: Tells mail servers “only these IPs/servers are authorized to send email on behalf of my domain.”

Configuration: Add a TXT record to your DNS:
Name: @ (or your domain)
Type: TXT
Value: v=spf1 include:_spf.google.com include:sendgrid.net ~all
Replace the include: entries with your actual email service providers. Common ones:
  • Google Workspace: include:_spf.google.com
  • Microsoft 365: include:spf.protection.outlook.com
  • Zoho: include:zoho.com
  • Resend / Amazon SES: include:amazonses.com

DKIM (DomainKeys Identified Mail)

Purpose: Adds a digital signature to every email you send, allowing recipients to verify the email genuinely came from you.

Configuration: Typically provided by your email service. Obtain the DKIM key from your Google Workspace / Microsoft 365 admin panel, then add a TXT record to your DNS.

DMARC (Domain-based Message Authentication)

Purpose: Tells recipients “here is how to handle emails that fail SPF and DKIM verification.”

Configuration: Add a TXT record to your DNS:
Name: _dmarc
Type: TXT
Value: v=DMARC1; p=quarantine; rua=mailto:dmarc-reports@yourdomain.com
DMARC policy options:
  • p=none — Monitor only, take no action (use during initial rollout)
  • p=quarantine — Quarantine suspicious emails (recommended)
  • p=reject — Reject outright (strictest; use only after confirming SPF/DKIM work correctly)
Start with p=none and monitor for a few weeks. Once you confirm legitimate emails pass verification, upgrade to p=quarantine. Setting p=reject immediately may cause legitimate emails to be blocked.
Verification:
# Check SPF
dig TXT yourdomain.com

# Check DMARC
dig TXT _dmarc.yourdomain.com

# Online tool
# https://mxtoolbox.com/
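Once dig returns your TXT records, this added example (not from the page) lints them for the weak settings this section warns about: a +all or missing ~all/-all terminator in SPF, more than ten DNS-lookup mechanisms, and a DMARC record left at p=none or without a rua= report address. The sample records are the ones shown above, with yourdomain.com as the page's own placeholder.

```python
"""Lint SPF and DMARC TXT records for the weak settings this section warns
about. Added example; the records passed in are constructed samples."""
import re
from typing import Dict, List

# Mechanisms/modifiers that cost a DNS lookup; RFC 7208 allows at most 10
LOOKUP_MECHS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def _mech_name(term: str) -> str:
    # strip the qualifier (+ - ~ ?) and any argument after ':' '/' or '='
    return re.split(r"[:/=]", term.lstrip("+-~?").lower(), maxsplit=1)[0]


def lint_spf(record: str) -> List[str]:
    findings: List[str] = []
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["not an SPF record (must start with v=spf1)"]
    mechs = terms[1:]
    if not mechs or mechs[-1].lower() not in ("~all", "-all"):
        findings.append("missing ~all/-all terminator; unlisted senders are not rejected")
    if any(m.lower() in ("+all", "all") for m in mechs):
        findings.append("+all authorizes every sender and defeats SPF")
    lookups = sum(1 for m in mechs if _mech_name(m) in LOOKUP_MECHS)
    if lookups > 10:
        findings.append(f"{lookups} DNS-lookup mechanisms exceed the limit of 10 (permerror)")
    return findings


def lint_dmarc(record: str) -> List[str]:
    findings: List[str] = []
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        return ["not a DMARC record (must start with v=DMARC1)"]
    policy = tags.get("p")
    if policy is None:
        findings.append("missing p= tag; receivers ignore the record")
    elif policy == "none":
        findings.append("p=none only monitors; move to quarantine once reports look clean")
    if "rua" not in tags:
        findings.append("no rua= address; you will receive no aggregate reports")
    if tags.get("pct", "100") != "100":
        findings.append(f"pct={tags['pct']} applies the policy to only part of failing mail")
    return findings
```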

2.4 HSTS (HTTP Strict Transport Security)

What is HSTS: Tells browsers “this domain must always use HTTPS,” preventing downgrade attacks to HTTP.

Configuration: Add the following HTTP response header:
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Platform-specific setup:
  • Nginx: Add the following to your server block:
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
  • Cloudflare: SSL/TLS → Edge Certificates → Always Use HTTPS + HSTS → Enable
  • Apache: Add the following to .htaccess:
    Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
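To confirm the header actually reaches clients after any of the setups above, this added example (not from the page) parses a Strict-Transport-Security value and reports where it falls short of the recommended one-year, includeSubDomains, preload form; fetch_hsts() is a live helper that takes a URL of your own, and the header strings it is tested with are constructed.

```python
"""Evaluate a Strict-Transport-Security header against this section's
recommended value. Added example; header strings are constructed."""
import urllib.request
from typing import Dict, List, Optional

ONE_YEAR = 31536000  # the browser preload list requires at least this max-age


def parse_hsts(header: str) -> Dict[str, Optional[str]]:
    # directives are ';'-separated and case-insensitive; only max-age carries a value
    out: Dict[str, Optional[str]] = {}
    for part in header.split(";"):
        name, _, value = part.strip().partition("=")
        if name:
            out[name.strip().lower()] = value.strip().strip('"') or None
    return out


def evaluate_hsts(header: Optional[str]) -> List[str]:
    """Return a list of problems; an empty list means the header matches the guideline."""
    if not header:
        return ["no Strict-Transport-Security header: HTTPS can still be downgraded"]
    d = parse_hsts(header)
    try:
        max_age = int(d["max-age"])  # KeyError/TypeError if missing, ValueError if junk
    except (KeyError, TypeError, ValueError):
        return ["max-age missing or not an integer; browsers ignore the header"]
    problems: List[str] = []
    if max_age == 0:
        problems.append("max-age=0 tells browsers to forget the policy")
    elif max_age < ONE_YEAR:
        problems.append(f"max-age={max_age} is below the one-year preload minimum")
    if "includesubdomains" not in d:
        problems.append("includeSubDomains missing: subdomains stay downgradable")
    if "preload" not in d:
        problems.append("preload missing: cannot be submitted to the browser preload list")
    return problems


def fetch_hsts(url: str) -> Optional[str]:
    # Live check: browsers only honour the header on an HTTPS response
    with urllib.request.urlopen(url, timeout=5) as resp:
        return resp.headers.get("Strict-Transport-Security")
```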

2.5 CAA Records

What is CAA: Certificate Authority Authorization — specifies which CAs are permitted to issue certificates for your domain.

Why it matters: Prevents unauthorized CAs from issuing certificates for your domain. AI agents check this configuration.

Configuration: Add a CAA record to your DNS:
Name: @
Type: CAA
Value: 0 issue "letsencrypt.org"
If you use multiple CAs, add one record for each.

2.6 Configuration Priority

If your time is limited, configure in this order:
Priority | Item        | Time Required | Difficulty
1        | SSL/TLS     | 5 minutes     | Low (usually already present)
2        | SPF + DMARC | 15 minutes    | Low
3        | DNSSEC      | 5 minutes     | Low (one-click enable)
4        | DKIM        | 15 minutes    | Medium (requires email provider coordination)
5        | HSTS        | 5 minutes     | Low
6        | CAA         | 5 minutes     | Low
The entire setup takes approximately one hour. Once complete, your Security dimension (S dimension) score will see a significant improvement.