Vouch by Reference
Vouch by Reference (VBR) is a protocol used in Internet mail systems for implementing sender certification by third-party entities. Independent certification providers vouch for the reputation of senders by verifying the domain name that is associated with transmitted electronic mail. VBR information can be used by a message transfer agent, a mail delivery agent or by an email client.
The protocol is intended to become a standard for email sender certification, and is described in RFC 5518.[1]
Operation
Email sender
A user of a VBR email certification service signs its messages using DomainKeys Identified Mail (DKIM) and includes a VBR-Info field in the signed header. The sender may also use the Sender Policy Framework to authenticate its domain name. The VBR-Info: header field contains the domain name that is being certified, typically the responsible domain in a DKIM signature (d= tag), the type of content in the message, and a list of one or more vouching services, that is the domain names of the services that vouch for the sender for that kind of content:
VBR-Info: md=domain.name.example; mc=type; mv=vouching.example:vouching2.example
Email receiver
An email receiver can authenticate the message's domain name using DKIM or SPF, thus finding the domains that are responsible for the message. It then obtains the name of a vouching service that it trusts, either from among the set supplied by the sender or from a locally configured set of preferred vouching services. Using the Domain Name System, the receiver can verify whether a vouching service actually vouches for a given domain. To do so, the receiver queries a TXT
resource record for the name composed:
domain.name.example._vouch.vouching.example
The returned data, if any, is a space-delimited list of all the types that the service vouches, given as lowercase ASCII. They should match the self-asserted message content. The types defined are transaction
, list
, and all
. Auditing the message may allow to establish whether its content corresponds. The result of the authentication can be saved in a new header field, according to RFC 6212, like so:
Authentication-Results: receiver.example; vbr=pass header.mv=vouching.example header.md=domain.name.example
Implementations and variations
OpenDKIM and MDaemon Messaging Server by Alt-N Technologies[2] have been among the first software implementations of VBR. OpenDKIM provides a milter as well as a standalone library. Roaring Penguin Software's CanIt anti-spam filter supports VBR as of version 7.0.8 released on 2010-11-09.[3]
Spamhaus has released The Spamhaus Whitelist[4] that includes a domain based whitelist, the DWL, where a domain name can be queried as, e.g., dwltest.com._vouch.dwl.spamhaus.org
. Although the standard only specifies TXT
resource records, following a long established DNSBL practice, Spamhaus has also assigned A
resource records with values 127.0.2.0/24 for whitelist return codes. The possibility to query an address may allow easier deployment of existing code. However, their techfaq [5] recommends checking the domain (the value of the d=
tag) of a valid DKIM-Signature
by querying the corresponding TXT
record, and their howto [6] gives details about inserting VBR-Info
header fields in messages signed by whitelisted domains. By 2013, one of the protocol authors considered it a flop.[7]
References
- ^ RFC 5518, "Vouch By Reference", P. Hoffman, J. Levine, A. Hathcock (April 2009)
- ^ "Alt-N Technologies: Email Certification". Alt-N Technologies. Retrieved 2016-06-24.
- ^ "CanIt 7.0.8 Release Announcement". Retrieved 2010-11-09.
- ^ Quentin Jenkins (2010-09-26). "Spamhaus Releases The Spamhaus Whitelist". News. Retrieved 2010-09-27.
- ^ "Whitelist Technical FAQ". Retrieved 2010-10-03.
- ^ "How to Use". Retrieved 2010-11-09.
- ^ John Levine (20 April 2013). "no hints for receivers". dmarc-ietf (Mailing list). Retrieved 24 June 2016.
I don't know of any publisher of VBR other than the vestigial Spamhaus whitelist.