Vouch by Reference
|This article relies on references to primary sources. (October 2012)|
Vouch by Reference (VBR) is a protocol used in Internet mail systems for implementing sender certification by third-party entities. Independent certification providers vouch for the reputation of senders by verifying the domain name that is associated with transmitted electronic mail. VBR information can be used by a message transfer agent, a mail delivery agent or by an email client.
A user of a VBR email certification service signs its messages using DomainKeys Identified Mail (DKIM) and includes a VBR-Info field in the signed header. The sender may also use the Sender Policy Framework to authenticate its domain name. The VBR-Info: header field contains the domain name that is being certified, typically the responsible domain in a DKIM signature (d= tag), the type of content in the message, and a list of one or more vouching services, that is the domain names of the services that vouch for the sender for that kind of content:
VBR-Info: md=domain.name.example; mc=type; mv=vouching.example:vouching2.example
An email receiver can authenticate the message's domain name using DKIM or SPF, thus finding the domains that are responsible for the message. It then obtains the name of a vouching service that it trusts, either from among the set supplied by the sender or from a locally configured set of preferred vouching services. Using the Domain Name System, the receiver can verify whether a vouching service actually vouches for a given domain. To do so, the receiver queries a
TXT resource record for the name composed:
The returned data, if any, is a space-delimited list of all the types that the service vouches, given as lowercase ASCII. They should match the self-asserted message content. The types defined are
all. Auditing the message may allow to establish whether its content corresponds. The result of the authentication can be saved in a new header field, according to RFC 6212, like so:
Authentication-Results: receiver.example; vbr=pass header.mv=vouching.example header.md=domain.name.example
Implementations and variations
OpenDKIM and MDaemon Messaging Server by Alt-N Technologies have been among the first software implementations of VBR. OpenDKIM provides a milter as well as a standalone library. Roaring Penguin Software's CanIt anti-spam filter supports VBR as of version 7.0.8 released on 2010-11-09.
Spamhaus has released The Spamhaus Whitelist that includes a domain based whitelist, the DWL, where a domain name can be queried as, e.g.,
dwltest.com._vouch.dwl.spamhaus.org. Although the standard only specifies
TXT resource records, following a long established DNSBL practice, Spamhaus has also assigned
A resource records with values 127.0.2.0/24 for whitelist return codes. The possibility to query an address may allow easier deployment of existing code. However, their techfaq  recommends checking the domain (the value of the
d= tag) of a valid
DKIM-Signature by querying the corresponding
TXT record, and their howto  gives details about inserting
VBR-Info header fields in messages signed by whitelisted domains.
- RFC 5518, "Vouch By Reference", P. Hoffman, J. Levine, A. Hathcock (April 2009)
- "MDaemon Messaging Server". Alt-N Technologies. Retrieved 2013-09-05.
- "CanIt 7.0.8 Release Announcement". Retrieved 2010-11-09.
- Quentin Jenkins (2010-09-26). "Spamhaus Releases The Spamhaus Whitelist". News. Retrieved 2010-09-27.
- "Whitelist Technical FAQ". Retrieved 2010-10-03.
- "How to Use". Retrieved 2010-11-09.