{
  "$schema": "https://schemas.nightboxllc.com/email-security-policy/v1.json",
  "domain": "nightboxllc.com",
  "version": "1.0.0",
  "updated": "2026-05-08",
  "maintainer": {
    "organization": "Nightbox LLC",
    "uei": "UHCAB6UXXKF2",
    "contact": "artem@nightboxllc.com"
  },
  "scope": "Self-attested email-security posture for nightboxllc.com and all subdomains. Aligned to NIST SP 800-177 Rev. 2, NIST SP 800-53 Rev. 5, CISA BOD 18-01, and CISA Cybersecurity Performance Goals (CPG) 2.M.5/2.M.6. No third-party audit has been performed; this manifest is verifiable in real time via DNS and HTTPS lookups.",
  "controls": {
    "spf": {
      "enabled": true,
      "policy": "v=spf1 include:_spf.google.com ~all",
      "alignment": "strict (aspf=s; this is a DMARC tag, set in the _dmarc record, not in the SPF TXT record)",
      "nist_800_177r2": "Section 4.2"
    },
    "dkim": {
      "enabled": true,
      "selector": "google",
      "key_algorithm": "RSA",
      "key_length_bits": 2048,
      "alignment": "strict (adkim=s; this is a DMARC tag, set in the _dmarc record, not in the DKIM key record)",
      "rotation_policy": "/.well-known/dkim-rotation-policy.json",
      "nist_800_177r2": "Section 4.5"
    },
    "dmarc": {
      "enabled": true,
      "policy": "p=reject",
      "subdomain_policy": "sp=reject",
      "percent": 100,
      "forensic_options": "fo=1",
      "aggregate_reporting": "rua=mailto:artem@nightboxllc.com",
      "failure_reporting": "ruf=mailto:artem@nightboxllc.com",
      "nist_800_177r2": "Section 4.6",
      "cisa_bod": "18-01 (BOD 18-01 binds federal civilian executive-branch agencies, not contractors; p=reject is adopted here voluntarily to match that directive's DMARC requirement)"
    },
    "mta_sts": {
      "enabled": true,
      "mode": "enforce",
      "policy_url": "https://mta-sts.nightboxllc.com/.well-known/mta-sts.txt",
      "rfc": "RFC 8461",
      "max_age_seconds": 86400,
      "mx_pinned": ["smtp.google.com", "*.google.com"],
      "cisa_cpg": "2.M.6"
    },
    "tls_rpt": {
      "enabled": true,
      "policy": "v=TLSRPTv1; rua=mailto:artem@nightboxllc.com",
      "rfc": "RFC 8460"
    },
    "dnssec": {
      "enabled": true,
      "algorithm": "RSASHA256 (algorithm 8)",
      "ds_at_parent": true,
      "key_tag": 34561,
      "digest_type": 2,
      "nist_sp": "800-81 Rev. 2"
    },
    "caa": {
      "enabled": true,
      "issuers_allowed": ["letsencrypt.org", "pki.goog"],
      "wildcard_issuance": "denied (issuewild ;)",
      "iodef": "mailto:artem@nightboxllc.com",
      "rfc": "RFC 8659"
    },
    "bimi": {
      "enabled": true,
      "selector": "default",
      "logo_url": "https://nightboxllc.com/bimi/logo.svg",
      "svg_profile": "Tiny 1.2 P/S",
      "vmc_status": "not-issued (cost-deferred; logo display without a VMC is provider-dependent — Yahoo/AOL and Fastmail honor BIMI without one, while Gmail and Apple Mail require a VMC — so the logo will not render at those providers until one is obtained)"
    },
    "https_record": {
      "enabled": true,
      "rfc": "RFC 9460",
      "alpn": ["h3", "h2"]
    }
  },
  "tls": {
    "minimum_version": "TLS 1.2",
    "preferred_version": "TLS 1.3",
    "https_only": true,
    "hsts_max_age_seconds": 63072000,
    "hsts_includesubdomains": true,
    "hsts_preload": true,
    "nist_sp": "800-52 Rev. 2"
  },
  "outbound_path": {
    "smtp_provider": "Google Workspace",
    "outbound_smtp": "smtp.google.com",
    "submission_port": 587,
    "starttls_required": true
  },
  "compliance_alignment": {
    "nist_sp_800_177r2": "self-attested-aligned",
    "nist_sp_800_53r5_controls": ["SC-8", "SC-12", "SC-13", "SC-23", "SI-3", "SI-8"],
    "cisa_bod_18_01": "self-attested-compliant",
    "cisa_cpg_v2_m_5": "self-attested-compliant",
    "cisa_cpg_v2_m_6": "self-attested-compliant",
    "fedramp_rev5_email_subset": "self-attested-aligned",
    "omb_m_22_09_zero_trust": "/.well-known/zero-trust.json"
  },
  "verification": {
    "real_time_check_recipe": [
      "dig +short TXT nightboxllc.com",
      "dig +short TXT _dmarc.nightboxllc.com",
      "dig +short TXT google._domainkey.nightboxllc.com",
      "dig +short TXT _mta-sts.nightboxllc.com",
      "dig +short TXT _smtp._tls.nightboxllc.com",
      "dig +short TXT default._bimi.nightboxllc.com",
      "dig +short TYPE257 nightboxllc.com",
      "dig +short DS nightboxllc.com",
      "curl -sI https://mta-sts.nightboxllc.com/.well-known/mta-sts.txt"
    ],
    "third_party_validators": [
      "https://www.hardenize.com/report/nightboxllc.com",
      "https://internet.nl/mail/nightboxllc.com/",
      "https://dmarcian.com/dmarc-inspector/?domain=nightboxllc.com",
      "https://easydmarc.com/tools/domain-scanner?domain=nightboxllc.com"
    ]
  },
  "review_cadence": {
    "policy_review": "quarterly",
    "next_review": "2026-08-08",
    "incident_review": "within 24 hours of any anomaly in DMARC aggregate (rua) reports, e.g. an unexpected sending source failing alignment or a spike in rejected volume"
  },
  "disclaimer": "This manifest is a self-attestation. Federal contracting officers and security reviewers are encouraged to independently verify each claim against live DNS and HTTPS endpoints before relying on it for compliance decisions."
}
