What does RFC 9421 actually verify cryptographically?

RFC 9421 (HTTP Message Signatures) is the IETF standard that lets a client cryptographically sign specific components of an HTTP request — method, path, host, selected headers, body digest — using a key whose public half the recipient can verify. In the AI-crawler context, OpenAI, Anthropic, and Google use it to prove that a request claiming to come from GPTBot, ClaudeBot, or one of their search bots actually came from their infrastructure, not from a spoofer setting the user-agent string. Loamly's open-source detection layer verifies those signatures server-side and tags the request as a confirmed AI-engine fetch. The verification is not 'looks like an OpenAI IP' — it is 'the signature on this request validates against OpenAI's published public key.' That is what GA4's referrer-based logic cannot do.

How is Loamly different from Plausible, Fathom, or Simple Analytics?

Plausible, Fathom, and Simple Analytics now identify ChatGPT, Perplexity, and Claude as distinct referrers in their feeds — that is detection only. None do source-chain forensics, none do revenue attribution, and none verify the bot via RFC 9421 cryptographic signatures. They answer 'a referral arrived from a domain that resolves to ChatGPT.' Loamly answers 'this request was cryptographically signed by OpenAI's GPTBot infrastructure, the buyer who arrived from that conversation completed a $4,200 deal, and here is the source chain — which page the AI cited, which prompt produced the citation, which competitor it was compared against.' Different category.

Should I install Loamly or build my own AI-referral tracker?

Install Loamly. The 2026 GEO Plan ConnectEra ships explicitly calls for integration rather than rebuild — and that is the correct call. Loamly's stack combines RFC 9421 signature verification (which requires maintaining a registry of OpenAI, Anthropic, and Google's rotating public keys), behavioral fingerprinting for stripped-referrer cases, and native Stripe + CRM integration for revenue attribution. Each layer is non-trivial; the combined layer is unreplicable cheaply. Building your own buys you a worse version of detection-only, with none of the attribution. Use the $29-per-month monitoring tier plus a Slack or email digest layer that surfaces what Loamly captured to the people on your team who close the deals.

What does Loamly cost at SMB scale?

Monitoring starts at $29 per month, with a 30-day free trial and a free AI visibility check available without signup. Intelligence Reports — the source-chain forensics layer that explains WHY the AI recommended you, including the specific prompts, citations, and competitor comparisons — start at $990 for the Category Snapshot. For most ConnectEra clients (financial advisors, med-spas, B2B SaaS at $1M-$50M ARR), the $29 tier covers detection and revenue tagging through Stripe and the CRM integration. The $990 reports are commissioned quarterly when a positioning question matters enough to need the WHY answered, not just the WHO.

Loamly and RFC 9421: how cryptographic AI attribution beats GA4 in 2026

Loamly is the open-source AI referral analytics platform built on RFC 9421 — the same cryptographic-signature standard OpenAI, Anthropic, and Google use to verify their bots. Behavioral analysis covers stripped-referrer cases. Native Stripe and CRM integration delivers revenue attribution. Loamly's source-chain forensics answer WHY the AI recommended you, not just WHO came through. ConnectEra integrates Loamly rather than rebuilding the layer.

The 60 to 70 percent of ChatGPT-referred traffic that hides in GA4’s Direct bucket is not a configuration problem. It is a structural one. ChatGPT strips the referrer header before the request reaches your property; GA4 has no second mechanism to recover the source. The session lands as Direct, the conversion gets attributed to nothing, and the ROI of every piece of cited content disappears into the same blind spot.

Loamly is the open-source layer that closes the gap. It does it by verifying RFC 9421 — HTTP Message Signatures — the same cryptographic standard OpenAI, Anthropic, and Google now use to sign their crawler and user-fetch traffic.

What is Loamly and why does RFC 9421 matter?

Loamly is an open-source AI referral analytics platform built on RFC 9421, the IETF HTTP Message Signatures standard. OpenAI, Anthropic, and Google sign their bot traffic with it. Loamly verifies those signatures server-side, identifies the AI engine even when the referrer is stripped, and ties the visit to revenue through Stripe and CRM integrations.

The wedge is small to describe and load-bearing in practice. GA4 reads what the browser sends. AI engines do not always send the referrer, and ChatGPT in particular strips it on most clicks per MarTech and Aperitif Agency’s 2026 GA4 audits. Loamly reads what the request itself proves cryptographically — independent of what the browser headers say.

What RFC 9421 actually does

RFC 9421 is the IETF standard for HTTP Message Signatures. It lets a client sign a chosen subset of a request’s components — method, path, host, body digest, selected headers — with a key whose public half is published and rotatable. The receiving server validates the signature against that public key and decides whether the request is authentic.

In the 2026 AI-crawler landscape, three things make this material. First, OpenAI runs four distinct crawlers — GPTBot for training, OAI-SearchBot for the ChatGPT search index, ChatGPT-User for user-initiated fetches, and OAI-AdsBot for ad landing-page validation — per OpenAI’s 2026 crawler documentation. Second, Anthropic runs ClaudeBot, Claude-User, and Claude-SearchBot per ALM Corp’s February 2026 breakdown. Third, all of those bots are verifiable via signatures and reverse-DNS in 2026, and the published IP ranges (openai.com/gptbot.json, openai.com/searchbot.json, openai.com/chatgpt-user.json) propagate within roughly 24 hours.

Volume is no longer hypothetical. Per Vercel’s 2026 “Rise of the AI Crawler” analysis, GPTBot generated 569 million requests across Vercel’s network in a single month; Anthropic’s crawlers added 370 million; AI bots already account for 4.2% of all HTML page requests, and GPTBot traffic was up 305% year over year. RFC 9421 is what tells you which of those requests actually came from the engine that claimed to send them.

User-agent strings are spoofable. IP-range checks help but are operationally fragile when ranges rotate. The signature check is binary: it validates or it does not. That is the layer Loamly wraps for everyday operators.

How Loamly catches the 60-70% GA4 misses

Per MarTech’s 2026 analysis of how GA4 records traffic from Perplexity Comet and ChatGPT Atlas, GA4 logs perplexity.ai/referral and chat.openai.com/referral only when the referrer is sent. ChatGPT strips that header before reaching most properties. ChatGPT Atlas masks origin further. The result is the same one the GA4 AI-referral blind spot post breaks down in detail: roughly 60 to 70 percent of ChatGPT-referred traffic shows up in Direct.

Loamly’s detection runs in two passes. The first is RFC 9421 signature verification on every inbound request — if the signature validates against OpenAI, Anthropic, or Google’s published key, the visit is tagged with the engine and the bot identity (training crawler vs. search bot vs. user fetch). The second is behavioral fingerprinting for stripped-referrer human sessions: timing patterns, navigation depth, and entry-page signatures that statistically identify “this session arrived from an AI conversation” even when the request itself carries no signed identity.

The combination is what GA4 cannot do without rebuilding from scratch. GA4 has no signature-verification primitive and no behavioral-fingerprinting layer for AI sessions. Plausible, Fathom, and Simple Analytics now show ChatGPT, Perplexity, and Claude as distinct referrers in their feeds per LegalForge’s 2026 privacy-first analytics review — but they detect only when the referrer is sent. They share GA4’s blind spot for the stripped-referrer majority.

The 60-to-70 percent number is the one that matters operationally. It is also the number that changes the conversion premium ChatGPT-referred traffic produces from “interesting research finding” into “the dashboard your team works from.” A 31 percent conversion premium attributed to Direct is a 31 percent premium attributed to nothing.

Source-chain forensics: WHY the AI recommended you, not just WHO

Detection answers “an AI engine sent a buyer.” Source-chain forensics answer the harder question: which conversation, on which prompt, citing which of your pages, against which competitor, produced the click.

Loamly’s Intelligence Reports — starting at $990 for the Category Snapshot per the Loamly homepage — pair the per-visit attribution data with prompt-level monitoring. The output is a forensic chain: the prompt the user ran, the AI engine that handled it, the pages the engine cited (yours and competitors’), the comparison logic the engine surfaced, and the click that produced the session. For positioning decisions — pricing, messaging, the named competitor in the headline — that level of resolution is what unlocks decisions GA4 cannot inform.

This is the layer that maps to the AI buyer journey vs. Google organic comparison. The Google-organic buyer arrives with a query you can read in Search Console. The AI-referred buyer arrives with a conversation you cannot see — unless something on the path captured it. Loamly’s source-chain layer is that capture.

The free AI visibility check is the entry point. The $29-per-month monitoring tier covers continuous detection and the Stripe/CRM revenue tagging. Intelligence Reports are commissioned when a positioning question is worth the $990 to answer with primary data instead of guessing.

The Stripe + CRM revenue attribution

Detection without revenue tagging is half a system. Loamly’s native integration into Stripe and most major CRMs ties the AI-attributed session to the deal it produced — closed-won amount, sales cycle length, customer-LTV trajectory.

This is the input the AI-traffic ROI calculator methodology requires. The calculator takes monthly AI-referred sessions, the conversion-rate premium versus Google organic, the average deal size, and the gross margin to produce a dollar attribution for the GEO program. Two of those four numbers come from Loamly’s revenue tagging directly. One — the premium — is unmeasurable without Loamly’s detection layer because GA4 categorizes the AI-referred sessions as Direct and pools their conversion behavior with bookmark traffic and dark-social clicks.

For most ConnectEra clients, the operating loop looks like this: Loamly tags every inbound session with engine + bot identity + behavioral fingerprint. Stripe (or the CRM) ties the session to the eventual closed-won amount. A weekly Slack or email digest surfaces the top engines, the top cited pages, and the revenue produced. Quarterly, the $990 Intelligence Report runs to refresh source-chain forensics on the highest-value queries. The full stack — detection, attribution, forensics, digest — costs less per month than most agencies charge to run a single GA4 audit.

Why ConnectEra integrates Loamly rather than rebuilding it

The 2026 GEO Plan calls for integrating Loamly rather than building a parallel attribution layer. Three reasons make that the correct call.

First, RFC 9421 verification is non-trivial to maintain. The OpenAI, Anthropic, and Google public keys rotate. Their bot-IP JSON files (openai.com/gptbot.json, openai.com/searchbot.json, openai.com/chatgpt-user.json) update on roughly 24-hour propagation cycles. Loamly maintains the registry. Building from scratch means owning that ops burden permanently while delivering a worse detection rate during every key rotation.

Second, the behavioral-fingerprinting layer for stripped-referrer cases is statistical work that requires volume to calibrate. Loamly has it because Loamly sees aggregate AI-referred behavior across its customer base. A single ConnectEra client’s traffic is not enough to train a reliable fingerprinter. Integration buys the cross-client signal at $29 per month per property.

Third, the Stripe and CRM integrations are commodity engineering only when somebody has already done them. Loamly ships HubSpot, Salesforce, Pipedrive, Stripe, and several smaller-CRM connectors as native integrations. Replacing those with a custom Zapier-and-Postgres stack costs more in ops than the entire Loamly bill.

The wedge ConnectEra owns is the layer above Loamly: turning detection into decisions. The dashboard, the digest, the quarterly Intelligence Report read-out, the rebuild of the landing page when source-chain forensics show the AI is comparing you against the wrong competitor. Loamly is the instrument. The decisions are the work.

The same logic applies on the access side. The bots Loamly identifies in attribution are the same bots the Shopify robots.txt audit covers on the access side — GPTBot, ClaudeBot, PerplexityBot, OAI-SearchBot, Claude-SearchBot, and the rest. Allowing them in robots.txt is the prerequisite. Verifying their visits with RFC 9421 and tying them to revenue is what Loamly does after the access is granted. The two layers compose; neither replaces the other.

What’s in this hub

This article is the AI-attribution post in the Convert AI Traffic to Revenue pillar. The siblings cover the rest of the loop:

The GA4 AI-referral blind spot — why the dashboard is hiding the conversions, in mechanical detail.
The 31% conversion premium — what AI-referred traffic actually does once it lands, and what a 31% lift on attributed sessions is worth.
The AI buyer journey vs. Google organic — why the buyer Loamly is tagging behaves differently from the Google-organic buyer.
The AI-traffic ROI calculator methodology — the math that turns Loamly’s outputs into a dollar number for the GEO program.

The hub itself — Convert AI Traffic to Revenue — sequences all six posts in the cluster.

Run the audit

If 60 to 70 percent of your ChatGPT-referred traffic is currently hiding in GA4 Direct, the math on the GEO program looks worse than it is. Loamly closes the measurement gap; ConnectEra installs the integration, wires the Stripe and CRM tags, and stands up the digest layer that turns the data into a weekly decision input.

Run a ConnectEra GEO and attribution audit on your site — the audit verifies your robots.txt allow rules, schema graph, and AI-citation surface, then layers Loamly’s RFC 9421 detection and revenue attribution on top so the next 90 days of AI-referred traffic produces a measurable revenue line, not another quarter of Direct.

Frequently asked questions

What does RFC 9421 actually verify cryptographically?: RFC 9421 (HTTP Message Signatures) is the IETF standard that lets a client cryptographically sign specific components of an HTTP request — method, path, host, selected headers, body digest — using a key whose public half the recipient can verify. In the AI-crawler context, OpenAI, Anthropic, and Google use it to prove that a request claiming to come from GPTBot, ClaudeBot, or one of their search bots actually came from their infrastructure, not from a spoofer setting the user-agent string. Loamly's open-source detection layer verifies those signatures server-side and tags the request as a confirmed AI-engine fetch. The verification is not 'looks like an OpenAI IP' — it is 'the signature on this request validates against OpenAI's published public key.' That is what GA4's referrer-based logic cannot do.
How is Loamly different from Plausible, Fathom, or Simple Analytics?: Plausible, Fathom, and Simple Analytics now identify ChatGPT, Perplexity, and Claude as distinct referrers in their feeds — that is detection only. None do source-chain forensics, none do revenue attribution, and none verify the bot via RFC 9421 cryptographic signatures. They answer 'a referral arrived from a domain that resolves to ChatGPT.' Loamly answers 'this request was cryptographically signed by OpenAI's GPTBot infrastructure, the buyer who arrived from that conversation completed a $4,200 deal, and here is the source chain — which page the AI cited, which prompt produced the citation, which competitor it was compared against.' Different category.
Should I install Loamly or build my own AI-referral tracker?: Install Loamly. The 2026 GEO Plan ConnectEra ships explicitly calls for integration rather than rebuild — and that is the correct call. Loamly's stack combines RFC 9421 signature verification (which requires maintaining a registry of OpenAI, Anthropic, and Google's rotating public keys), behavioral fingerprinting for stripped-referrer cases, and native Stripe + CRM integration for revenue attribution. Each layer is non-trivial; the combined layer is unreplicable cheaply. Building your own buys you a worse version of detection-only, with none of the attribution. Use the $29-per-month monitoring tier plus a Slack or email digest layer that surfaces what Loamly captured to the people on your team who close the deals.
What does Loamly cost at SMB scale?: Monitoring starts at $29 per month, with a 30-day free trial and a free AI visibility check available without signup. Intelligence Reports — the source-chain forensics layer that explains WHY the AI recommended you, including the specific prompts, citations, and competitor comparisons — start at $990 for the Category Snapshot. For most ConnectEra clients (financial advisors, med-spas, B2B SaaS at $1M-$50M ARR), the $29 tier covers detection and revenue tagging through Stripe and the CRM integration. The $990 reports are commissioned quarterly when a positioning question matters enough to need the WHY answered, not just the WHO.

Written by

Billy Reiner Founder · ConnectEra

Billy builds AI-citable sites for practices, advisors, and B2B SaaS. Over 80 migrations in the last 18 months — every one with a live audit, a fixed price, and a 7-day rebuild.

Get my free growth plan

When you're ready

Ready to be the page ChatGPT cites?

Tell us where your site is at. You get back your free growth plan — your platform blocker, your industry's citation gap, and the next move. Yours to keep, whether you hire us or not.