Vouch by Reference (VBR) is a protocol used in Internet mail systems for implementing sender certification by third-party entities. Independent certification providers vouch for the reputation of senders by verifying the domain name that is associated with transmitted electronic mail. VBR information can be used by a message transfer agent, a mail delivery agent or by an email client.
The protocol is intended to become a standard for email sender certification, and is described in RFC 5518.[1]
A user of a VBR email certification service signs its messages using DomainKeys Identified Mail (DKIM) and includes a VBR-Info field in the signed header. The sender may also use the Sender Policy Framework to authenticate its domain name. The VBR-Info: header field contains the domain name that is being certified, typically the responsible domain in a DKIM signature (d= tag), the type of content in the message, and a list of one or more vouching services, that is the domain names of the services that vouch for the sender for that kind of content:
VBR-Info: md=domain.name.example; mc=type; mv=vouching.example:vouching2.example
An email receiver can authenticate the message's domain name using DKIM or SPF, thus finding the domains that are responsible for the message. It then obtains the name of a vouching service that it trusts, either from among the set supplied by the sender or from a locally configured set of preferred vouching services. Using the Domain Name System, the receiver can verify whether a vouching service actually vouches for a given domain. To do so, the receiver queries a TXT resource record for the name composed as follows:
domain.name.example._vouch.vouching.example
The returned data, if any, is a space-delimited list of all the types that the service vouches for, given as lowercase ASCII. They should match the self-asserted message content. The types defined are transaction, list, and all. Auditing the message may make it possible to establish whether its content corresponds to the asserted type. The result of the authentication can be saved in a new header field, according to RFC 6212, like so:
Authentication-Results: receiver.example; vbr=pass header.mv=vouching.example header.md=domain.name.example
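The receiver-side check described above, as an added Python example (not code from the original page or from any VBR implementation). The DNS lookup is passed in as a callable and SAMPLE_ZONE is constructed data so the block runs offline; the function names, the "none" and "fail" result labels, and the choice to query only services that are both offered in mv and locally trusted are assumptions of this sketch.

```python
# Added example, not from the original page or from any VBR implementation.
# DNS is injected as a callable so the block runs offline; SAMPLE_ZONE is
# constructed data using the page's example names.

SAMPLE_ZONE = {  # constructed TXT data: query name -> record text
    "domain.name.example._vouch.vouching.example": "transaction list",
}

def parse_vbr_info(value):
    """Split a VBR-Info field value into lowercase tag -> value pairs."""
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            key, val = part.split("=", 1)
            tags[key.strip().lower()] = val.strip().lower()
    return tags

def vbr_check(vbr_info, authenticated_domain, trusted, lookup_txt):
    """Return (result, vouching_service) for one message.

    authenticated_domain: domain already verified via DKIM (d=) or SPF.
    trusted: locally configured set of vouching services.
    lookup_txt: callable(name) -> TXT string, or None if no record.
    """
    tags = parse_vbr_info(vbr_info)
    md, mc = tags.get("md"), tags.get("mc")
    # md is only a self-assertion until it matches an authenticated domain.
    if not md or not mc or md != authenticated_domain.lower():
        return ("none", None)
    # Policy choice in this sketch: query only services that are both
    # offered in mv and trusted locally, never a sender-chosen stranger.
    for mv in (v.strip() for v in tags.get("mv", "").split(":")):
        if mv not in trusted:
            continue
        txt = lookup_txt(f"{md}._vouch.{mv}")
        if txt is None:
            continue
        vouched = txt.lower().split()
        # "all" in the record covers every content type.
        if "all" in vouched or mc in vouched:
            return ("pass", mv)
    return ("fail", None)

def auth_results(receiver, result, mv, md):
    """Format the outcome in the Authentication-Results style shown above."""
    line = f"Authentication-Results: {receiver}; vbr={result}"
    if mv:
        line += f" header.mv={mv} header.md={md}"
    return line
```

In a deployment, lookup_txt would wrap a real resolver; a VBR-Info field whose md does not match an authenticated domain is never used to build a query.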
OpenDKIM and MDaemon Messaging Server by Alt-N Technologies[2] have been among the first software implementations of VBR. OpenDKIM provides a milter as well as a standalone library. Roaring Penguin Software's CanIt anti-spam filter supports VBR as of version 7.0.8 released on 2010-11-09.[3]
Spamhaus has released The Spamhaus Whitelist[4] that includes a domain-based whitelist, the DWL, where a domain name can be queried as, e.g., dwltest.com._vouch.dwl.spamhaus.org. Although the standard only specifies TXT resource records, following a long-established DNSBL practice, Spamhaus has also assigned A resource records with values in 127.0.2.0/24 for whitelist return codes. The possibility to query an address may allow easier deployment of existing code. However, their techfaq[5] recommends checking the domain (the value of the d= tag) of a valid DKIM-Signature by querying the corresponding TXT record, and their howto[6] gives details about inserting VBR-Info header fields in messages signed by whitelisted domains. By 2013, one of the protocol authors considered it a flop.[7]
I don't know of any publisher of VBR other than the vestigial Spamhaus whitelist.
Original source: https://en.wikipedia.org/wiki/Vouch by Reference.