Vouch by Reference
Vouch by Reference is a protocol used in Internet mail systems for implementing sender certification by third-party entities. Independent certification providers vouch for the reputation of senders by verifying the domain name that is associated with transmitted electronic mail. VBR information can be used by a message transfer agent, a mail delivery agent or by an email client.

The protocol is intended to become a standard for email sender certification, and is described in RFC 5518.

Email sender

A user of a VBR email certification service signs its messages using DomainKeys Identified Mail (DKIM), including a VBR-Info field among the signed header fields. The sender may also use the Sender Policy Framework, but only the receiving MTA can reliably verify a domain name with this technique. The VBR-Info: header field contains the domain name that is certified (typically the responsible domain in a DKIM signature), the type of content in the message, and a list of domain names of services that the sender expects to vouch for it for that kind of content.

Email receiver

Using DKIM, an email receiver can verify that the message is properly signed, thus verifying the domain that is responsible for the message. It can verify, using the Domain Name System, that the vouching service actually vouches for that type of content for that domain. To do so, the receiver queries a TXT resource record for the name composed:

._vouch.

The returned data, if any, is a space-delimited list of all the types that the service certifies, given as lowercase ASCII. The types defined are transaction, list, and all.
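
The receiver-side check described above, as an added example that is not taken from this article, from RFC 5518's text, or from any implementation named here. The `md=`/`mc=`/`mv=` tag names come from RFC 5518 rather than this page, the query name follows the `dwltest.com._vouch.dwl.spamhaus.org` pattern shown further down, and the `trusted` set, the injected `txt_lookup` callable, the domains and the TXT record are assumptions constructed for the example.

```python
VOUCH_TYPES = {"transaction", "list", "all"}  # content types named on this page

def parse_vbr_info(value):
    """Parse a VBR-Info field value into (md, mc, [mv, ...]).
    Tag names md/mc/mv are from RFC 5518, not from the page text."""
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip().lower()
    md, mc = tags.get("md", ""), tags.get("mc", "")
    mv = [d.strip() for d in tags.get("mv", "").split(":") if d.strip()]
    if not md or mc not in VOUCH_TYPES or not mv:
        raise ValueError("incomplete or invalid VBR-Info")
    return md, mc, mv

def vbr_check(vbr_info, dkim_domain, trusted, txt_lookup):
    """Return the first trusted service that vouches, else None.
    dkim_domain: d= value of a DKIM signature that already verified.
    trusted: vouching services this receiver has chosen to trust (assumed policy).
    txt_lookup: callable(name) -> TXT string or None, injected so this runs offline."""
    try:
        md, mc, mv = parse_vbr_info(vbr_info)
    except ValueError:
        return None
    # The header is sender-supplied: honour it only for the authenticated domain.
    if md != dkim_domain.lower().rstrip("."):
        return None
    for service in mv:
        if service not in trusted:  # never rely on a service only the sender chose
            continue
        txt = txt_lookup(f"{md}._vouch.{service}")
        if not txt:
            continue
        types = set(txt.lower().split())  # space-delimited, lowercase ASCII
        if "all" in types or mc in types:
            return service
    return None

# Constructed sample data (example domains, not real records).
SAMPLE_TXT = {"sender.example._vouch.certifier.example": "transaction list"}
HEADER = "md=sender.example; mc=list; mv=unknown.example:certifier.example"

if __name__ == "__main__":
    print(vbr_check(HEADER, "sender.example", {"certifier.example"}, SAMPLE_TXT.get))
```

In a deployment, `txt_lookup` would wrap the resolver the mail filter already uses, and the check would run only after DKIM verification has succeeded.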

Implementations and variations

OpenDKIM and MDaemon by Alt-N Technologies have been among the first software implementations of VBR. OpenDKIM provides a milter as well as a standalone library. Roaring Penguin Software's CanIt anti-spam filter supports VBR as of version 7.0.8 released on 2010-11-09.

Spamhaus has released The Spamhaus Whitelist that includes a domain-based whitelist, the DWL, where a domain name can be queried as, e.g., dwltest.com._vouch.dwl.spamhaus.org. Although the standard only specifies TXT resource records, following a long-established DNSBL practice, Spamhaus has also assigned A resource records with values 127.0.2.0/24 for whitelist return codes. The possibility to query an address may allow easier deployment of existing code. However, their techfaq recommends checking the domain (the value of the d= tag) of a valid DKIM-Signature by querying the corresponding TXT record, and their howto gives details about inserting VBR-Info header fields in messages signed by whitelisted domains.
The source of this article is Wikipedia, the free encyclopedia. The text of this article is licensed under the GFDL.
 