The secret directory
Most people think of a website as pages for humans.
But modern websites also need to communicate clearly with machines: browsers, email providers, mobile operating systems, and security scanners. That’s where .well-known comes in.
You’ll almost never see it in a navigation menu. You won’t find it linked in a footer. But .well-known is one of the important trust and interoperability layers of the modern web.
TL;DR
.well-known is a standardized folder at the root of your website that allows machines and AI agents to find official domain information in a predictable place. For most organizations, the most valuable file to publish is:
/.well-known/security.txt
Part 2 will get into how .well-known can be used to build trust for your email systems.
What is .well-known?
.well-known is a standardized directory at the root of a domain used to publish official, machine-readable files that other systems expect to find in a predictable location.
Example: https://example.com/.well-known/
The standard is defined by the Internet Engineering Task Force in RFC 8615, which formalized the idea that certain files should live in a known, trusted place instead of being scattered across random URLs.
Think of it as a public bulletin board for automated systems.
Why .well-known exists
Before .well-known, services had to:
- Guess where files lived
- Scrape pages
- Follow redirects
- Or rely on undocumented conventions
That caused:
- Fragile integrations
- Security risks
- Inconsistent behavior across platforms
.well-known solves this by saying:
“If you want to make an official statement about your domain, put it here.”
Why .well-known matters today
Modern platforms actively look for .well-known files to:
- Verify domain ownership
- Improve security
- Enhance user experience
- Display brand trust signals
If those files are missing, platforms often fall back to guessing. This is how things like favicons end up representing your brand in email inboxes.
Common .well-known files, and what they do
Here are the most useful ones for most organizations:
1. security.txt (strongly recommended)
Purpose: Provides a standard way for security researchers to report vulnerabilities responsibly.
/.well-known/security.txt
This file is defined by RFC 9116 and is increasingly expected by enterprises, auditors, and security tooling.
2. bimi-logo.svg (increasingly important)
Purpose: Increases brand recognition, improves inbox trust, reduces phishing confusion, and makes your emails look intentional and professional.
There are other important ones too, such as the files used for SSL/TLS certificate validation (often handled automatically by the server), app ownership validation, or password resets. These can be added as your organization finds a need for them.
How to set up .well-known
- Create a .well-known directory at your site root
- Ensure it is publicly accessible over HTTPS
- Bypass CMS rewrite rules (WordPress especially)
- Host only standards-based files
Once in place, many services will start using it automatically.
.well-known may feel like a small technical detail today, but it’s quickly becoming part of the internet’s trust layer as the place where browsers, inboxes, apps, and AI systems look first when they need to verify that a domain is real, secure, and professionally operated.
Coming Next: Verified Email Logos with BIMI
In Part 2, we’ll cover:
- Why email clients show your favicon as your sender icon
- What BIMI is and how it works
- How to design a BIMI-compliant SVG logo
- How .well-known ties it all together