Every major fax provider calls its delivery confirmation “certified.” Every one of them controls the evidence themselves. This white paper explains why that fails under real audit scrutiny — and how open-standard cryptographic attestation, already proven in software supply-chain security, closes the gap.
When a healthcare organization, law firm, or government agency sends a critical fax, it receives a “delivery confirmation” — a PDF or portal entry that says the fax was delivered. This confirmation is described by every major fax provider as “certified,” “verified,” or “audit-ready.”
Under scrutiny, this claim does not hold.
The fax industry inherited its trust model from physical fax machines — where “proof of delivery” meant a confirmation page from the sending machine. That model has not evolved in thirty years, despite the move to cloud services where the stakes — HIPAA violations, legal disputes, regulatory enforcement — are substantially higher.
The question a compliance auditor, opposing counsel, or OCR investigator will ask is not “does this PDF say it was delivered?” The question is:
No major fax provider can answer yes to that question today. FaxSeal can.
The diagram below shows the proof chain for a traditional “certified fax” versus FaxSeal's cryptographic attestation. In the traditional model, every node in the chain is controlled by the same vendor. In the FaxSeal model, proof exits vendor control at step 3 — permanently, and before any dispute can arise.
The critical difference is not technical sophistication — it is independence. Sigstore Rekor, maintained by the Linux Foundation, is an append-only transparency log. Once an entry is submitted, it cannot be altered or deleted by anyone, including FaxSeal. The entry is public, permanent, and independently fetchable by any party with the entry ID.
This is the same model that Certificate Transparency logs brought to TLS certificates in 2013, and that Sigstore brought to software supply-chain security in 2021. FaxSeal is the first to apply it to fax delivery.
FaxSeal's Fax Attestation feature builds a two-event signed audit chain for every fax sent by an Enterprise organization or Partner API integration.
Both events are idempotent — if a webhook fires twice or a reconciler retries, the existing Rekor entry is preserved and no duplicate is created. The signing key never leaves FaxSeal's servers. Recipients and auditors verify using the public key, which is embedded in every bundle.
The following sequence shows exactly what happens from the moment a user clicks “Send” to the moment an auditor can independently verify delivery.
1. User uploads PDF, FaxSeal hands off to carrier.
2. ECDSA signature over jobId, recipient hash, page count, timestamp.
3. Hash + signature submitted to Sigstore Rekor. Entry is permanent and public.
4. Carrier callback received. FaxSeal generates SHA-256 hash of delivered document.
5. Second signed entry: document hash + delivery timestamp + send Rekor ID. Two-event chain sealed.
6. Download bundle once. Run openssl. No FaxSeal server, no login, no trust required.
The following demo shows the complete offline verification flow. The only network call is the initial bundle download. After that, the signature check runs entirely locally with no FaxSeal server, no Rekor connection, and no trust assumption beyond the public key.
The key insight: the math either checks out or it doesn't. There is no way to produce “Verified OK” from a forged or altered bundle without access to FaxSeal's private key.
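The two-event chain and the offline verification step, as an added illustration that is not FaxSeal's code: the signer hashes the recipient number before it enters the signed payload, the delivery event links back to the send entry, and an auditor checks both with nothing but the public key and the bundle. The JSON field names, the P-256 curve and the placeholder Rekor entry ID are assumptions; the page names the signed fields but no wire format.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
)

// Event is one link of the two-event chain. Field names are assumed; identifiers are hashed first.
type Event struct {
	JobID         string `json:"jobId"`
	RecipientHash string `json:"recipientHash,omitempty"` // SHA-256 of the fax number, never the number
	PageCount     int    `json:"pageCount,omitempty"`
	DocumentHash  string `json:"documentHash,omitempty"` // delivery event only
	SendRekorID   string `json:"sendRekorId,omitempty"`  // ties the delivery event to the send entry
	Timestamp     string `json:"timestamp"`
}
// Signed is one bundle entry: the exact bytes that were signed plus the signature.
type Signed struct{ Payload, Sig []byte }
func HashHex(b []byte) string { s := sha256.Sum256(b); return hex.EncodeToString(s[:]) }
// NewKey stands in for the signing key (P-256 assumed; the page only says ECDSA).
func NewKey() (*ecdsa.PrivateKey, error) { return ecdsa.GenerateKey(elliptic.P256(), rand.Reader) }

// Sign (sender side) serialises the event and signs the SHA-256 digest of those bytes.
func Sign(priv *ecdsa.PrivateKey, e Event) (Signed, error) {
	payload, _ := json.Marshal(e) // cannot fail: the struct holds only strings and an int
	d := sha256.Sum256(payload)
	sig, err := ecdsa.SignASN1(rand.Reader, priv, d[:])
	return Signed{payload, sig}, err
}
// Verify (auditor side) needs only the public key and the bundle: no server, no login.
func Verify(pub *ecdsa.PublicKey, s Signed) bool {
	d := sha256.Sum256(s.Payload)
	return ecdsa.VerifyASN1(pub, d[:], s.Sig)
}

// BuildChain signs a constructed send event, then a delivery event that links back to it.
func BuildChain(priv *ecdsa.PrivateKey) (send, delivery Signed, err error) {
	if send, err = Sign(priv, Event{JobID: "job-0001", PageCount: 3,
		RecipientHash: HashHex([]byte("+15555550123")), Timestamp: "2024-01-15T10:00:00Z"}); err != nil {
		return
	}
	doc := []byte("%PDF-1.4 constructed stand-in for the delivered document")
	delivery, err = Sign(priv, Event{JobID: "job-0001", DocumentHash: HashHex(doc),
		SendRekorID: "REKOR-ENTRY-ID-PLACEHOLDER", Timestamp: "2024-01-15T10:02:30Z"})
	return
}
```

Flipping a single bit anywhere in a payload, swapping the signature of one event onto the other, or verifying with a different public key all make Verify return false, which is the property the offline check relies on.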
Sigstore Rekor is a public log. Every entry is readable by anyone with the entry ID. This raises an obvious concern for healthcare use: does logging fax metadata to a public log create a HIPAA violation?
FaxSeal addresses this by hashing all identifiers before they enter the public log:
| Field | In public Rekor entry | Reasoning |
|---|---|---|
| Recipient fax number | SHA-256 hash only | Fax numbers are HIPAA identifiers when linked to PHI |
| Sender email | SHA-256 hash only | Email addresses are HIPAA identifiers |
| Job ID | Plain text | Internal identifier — no PHI linkage without FaxSeal access |
| Page count | Plain text | Non-identifying operational metadata |
| Timestamp | Plain text | Required for audit trail integrity |
| Document content | SHA-256 hash only (delivery event) | Proves content integrity without exposing content |
Organizations should consult their compliance counsel regarding their specific BAA obligations. FaxSeal's standard BAA covers the attestation feature. The Rekor entries themselves contain no PHI under the hashing scheme described above.
When OCR requests proof that a patient record was faxed to the correct facility on a specific date, a vendor-generated PDF is a claim, not evidence. A Rekor entry logged before any dispute arose is evidence.
Court filings, discovery documents, and settlement agreements require a provable chain of custody. The two-event attestation chain — signed at send and again at delivery — satisfies the same standard as certified mail with return receipt.
Federal agencies receiving FOIA responses or regulatory filings need to demonstrate receipt without relying on a private vendor's records. The Rekor entry is public, permanent, and subpoenable.
DEA Schedule II prescriptions faxed to pharmacies require documentation that the exact document was transmitted and received. The document hash in the delivery attestation proves content integrity end-to-end.
The following table compares the attestation capabilities of major fax providers against FaxSeal's implementation.
| Provider | Proof method | Independent? | Offline verify? | Open standard? | PHI in public log? |
|---|---|---|---|---|---|
| eFax | Carrier callback + PDF receipt | ✗ | ✗ | ✗ | — |
| RingCentral Fax | Delivery status in portal | ✗ | ✗ | ✗ | — |
| Sfax | HIPAA audit log (vendor-held) | ✗ | ✗ | ✗ | — |
| Consensus | Certified PDF receipt | ✗ | ✗ | ✗ | — |
| FaxSeal | ECDSA signature + Rekor log | ✓ | ✓ | ✓ | SHA-256 hashed |
The fax industry has operated on a thirty-year-old trust model: the vendor confirms delivery, the vendor generates the receipt, the vendor holds the audit log. For most use cases this has been acceptable. For healthcare, legal, and government use cases — where the question is not “did it send?” but “can you prove it in court or to a regulator?” — it is not.
Cryptographic transparency logs, proven in the software supply-chain security community, provide the missing piece: proof that exits vendor control at the moment of creation, is permanently logged to an independent append-only ledger, and is verifiable by any party with standard tools and no vendor relationship.
FaxSeal Fax Attestation is the first implementation of this model in the fax industry. It is available today on the Enterprise plan and via the Partner API.
Watch the interactive demo, read the technical overview, or contact us to activate for your organization.