Help Center › Sending safely

Sending safely

Watchword will never send a simulated phish to a domain you haven't proven you control. This page covers the domain-authorization gate, how to add and verify a sending domain with DNS-TXT, live send via the notification service, and exactly what's deferred.

Why this matters. A phishing simulator that will send to any address is a spam cannon and an inbox-injection backdoor waiting to be abused. Watchword replaces the old "static allowlist header" approach with a per-tenant, scoped, rotating authorization bound to a single proven domain. No proof, no send — ever.

1 · The domain-authorization gate (canSend)

canSend is the single gate every send must clear, evaluated per recipient. A recipient is only cleared when all of the following hold:

  1. The recipient's email is valid (has a domain).
  2. That domain is in the active tenant's list of authorized domains (i.e. it has been proven — see domain proof).
  3. A scoped allowlist token is present.
  4. The token is scoped to this tenant (a token from another tenant is rejected).
  5. The token is scoped to this exact domain (a token for a different domain is rejected).
  6. The token has not expired (tokens are short-lived — 24 hours).

If any check fails the recipient is refused, never sent, and the reason is reported (see the error reference). Recipients on unverified domains are simply skipped — one bad domain never blocks the rest of the audience.

Per-tenant scoped, rotating tokens

Instead of one global, never-rotated header, Watchword mints a fresh token per (tenant, domain) at send time. A token names the tenant and the one domain it's good for and expires in 24 hours. This means a leaked token can't be replayed against another tenant or another domain, and it can't sit around as a standing backdoor.

2 · Authorized send domains

Each tenant has its own list of authorized (verified) domains. A domain only earns its place on that list by passing a proof (below). You manage this list under Sign in / Cloud → Authorized send domains for the active tenant.

In the demo data, each client's authorized domains are pre-seeded from its roster's email domains so you can see the flow end-to-end. In a real deployment, a domain is added only after you complete the DNS-TXT proof.

3 · DNS-TXT domain proof — add & verify a sending domain

Proving a domain is a two-step challenge/response. You publish a unique TXT record we give you; Watchword looks it up and requires an exact match.

Step 1 — Get the DNS-TXT challenge

  1. Sign in (the panel lives in the Sign in / Cloud tab) and make sure the correct client is the active tenant.
  2. Under Authorized send domains, type the domain you want to authorize (e.g. acme.com) into the field.
  3. Click 1 · Get DNS-TXT challenge.
  4. Watchword shows you the record to create — a host and a value, for example:
_watchword-verify.acme.com   TXT   watchword-domain-verification=ten-acme-x7k29ab

Step 2 — Publish the TXT record at your DNS host

  1. Log in to wherever your domain's DNS is managed (Cloudflare, GoDaddy, Route 53, Namecheap, your registrar, etc.).
  2. Create a new TXT record:
    • Name / Host: _watchword-verify (most DNS UIs append the domain automatically; if yours wants the full host, use _watchword-verify.acme.com).
    • Type: TXT
    • Value / Content: the exact watchword-domain-verification=… string from the challenge — copy it verbatim, no extra spaces or quotes.
    • TTL: the default is fine.
  3. Save the record and wait for DNS to propagate (often a minute or two; can be up to an hour depending on your host and TTL).

Step 3 — Verify

  1. Back in Watchword, click 2 · Verify domain.
  2. Watchword performs a real DNS-over-HTTPS TXT lookup of the host and checks for an exact match of the challenge value.
  3. On success you'll see "Verified — [domain] added to authorized domains", and the domain now appears in the tenant's authorized list. canSend will clear recipients on it.
  4. On failure you'll see the reason (e.g. "TXT record not found or does not match"). Re-check the record and try again. See the domain-won't-verify troubleshooting.
Adding a domain is idempotent and safe. Verifying the same domain twice doesn't create duplicates. You can remove the TXT record after verification if you like — it's only needed at verify time.
M365 / Google OAuth domain proof is deferred. A second proof method — proving domain ownership via Microsoft 365 or Google Workspace OAuth — is planned (wave-next) and follows the same contract (prove ownership → the domain is authorized). Today, use DNS-TXT.

4 · Live send via the notification service

Once a campaign's domains are authorized, the Live send (active tenant) panel routes that campaign's audience through the shared notification service (POST /notify/send). This is gated as an MSP-tier capability and enforces canSend per recipient.

  1. Run a campaign in the Simulator so there's an audience to send.
  2. Go to Sign in / Cloud → Live send (active tenant). If your account has the MSP entitlement, you'll see Send latest campaign live; otherwise an upgrade note appears.
  3. Click Send latest campaign live. Watchword mints one scoped rotating token per authorized domain in the audience, runs each recipient through canSend, and hands cleared recipients to the notify transport.
  4. You'll get a summary toast: "Live send: N queued, M refused (domain gate)". Refused recipients are on unverified domains (or otherwise failed the gate) and were never sent.
What actually goes over the wire is PII-free. The payload carries the simulated lure subject and a campaign reference — never passwords, never captured data, never secrets. The send is idempotent per (campaign, recipient).
If you're signed out or offline, there's no live notify transport, so every recipient is refused with "no notify transport (offline)". Live send needs you signed in with the MSP entitlement.

5 · What's deferred (and what isn't)

PieceStatusDetail
The domain-auth gate (canSend)NowFully implemented and enforced per recipient.
Per-tenant scoped, rotating tokensNowMinted per (tenant, domain), 24-hour expiry.
DNS-TXT domain proofNowReal DNS-over-HTTPS lookup with exact-match verification.
Live send wiring (notify contract)NowRoutes a cleared audience through POST /notify/send.
The dedicated send runner (watchword-send)DeferredThe mail-transport service (SES/Postmark on a free tier) that persists an outbox and delivery log.
SPF / DKIM / DMARC setup wizard + deliverabilityDeferredEmail-authentication guidance and inbox-placement tuning.
Open / click webhooksDeferredReal engagement tracking. Today the behavioral model fills results.
Live SMS / voice / chat deliveryDeferredA2P 10DLC SMS, voice, and Slack/Teams nudges ride the deferred runner.
M365 / Google OAuth domain proofDeferredAlternative to DNS-TXT.

In short: the safety machinery for sending is built and active. The mail transport behind it is the deferred part — until it ships, campaigns are modeled locally, which is exactly why no email currently leaves your machine without your explicit live-send action.

← MSP multi-tenancy Next: Cloud / Pro →