Sender Registry is an intelligence and decision-support platform, not a magic
guarantee that an email is safe. Here's exactly how it works, and what to do if
you think we've got something wrong.
Three separate questions, never one score.
Risk
How dangerous a message looks, from 0-100, based on the technical and semantic evidence found in it.
Confidence
How certain we are in that Risk figure. Thin evidence produces a low Confidence score even alongside a high Risk score, and vice versa.
Network Confirmation
How much of the network has independently corroborated this, from Unseen through to Verified. A sender nobody's seen before is Unseen, never "Safe."
Privacy & retention.
Raw forwarded email content is processed to extract evidence and is retained only
as long as genuinely needed, under a defined retention policy, not kept
indefinitely by default. Reports are private to the organisation that submitted
them; the network only ever shares aggregate, evidence-level intelligence (a
domain was seen, a campaign exists), never one organisation's private report
content with another.
Disputes & corrections.
Every registry record carries a real dispute process, not an afterthought. If
you're associated with a sender or domain in our registry and believe a record is
wrong, you can submit a dispute directly from that record's own page. We review
the evidence, and, if a correction is warranted, update the record and record
why. Historical assessment evidence is never silently deleted, whatever the
outcome.
Where is your business based?
You can change this at any time.
How Network Confirmation works
Every object in the registry (a sender, a domain, a campaign) moves through five
stages as independent evidence builds:
UNSEENNothing reported yet.
OBSERVEDOne report exists. A single data point, not yet corroborated.
CORROBORATEDA second, independent organisation has reported the same thing.
NETWORK CONFIRMEDFive or more independent organisations agree.
VERIFIEDTen or more independent organisations, the strongest confidence level.
This is deliberately separate from Risk and Confidence. How much of the network agrees
is a different question from how dangerous something looks, or how certain we are.
How Threat DNA works
Every campaign gets scored across 8 axes: infrastructure, domain patterns, message
templates, link behaviour, attachment patterns, target industries, target roles, and
campaign velocity. All plotted as a fingerprint.
Sender Registry compares every campaign's fingerprint against every other campaign's
using cosine similarity: the same technique used to compare documents by meaning, not
just matching words. A high match (we only ever suggest one above 55% similarity) means
two campaigns that look unrelated on the surface may share real infrastructure, even
under completely different domain names.
How the Intelligence Map works
Senders, domains, URLs, attachments, campaigns, brands and suppliers all become nodes
in a shared relationship graph, built from real evidence: a sender using a domain, a
domain appearing in the same report as another domain, a report belonging to a campaign.
On a phone, we deliberately don't force a giant graph onto a small screen. Instead you
get a focused view: the object you're looking at, and everything directly connected to
it, with a tap to move to any of those connections in turn.