Vouch by Reference (VBR) is a protocol used in Internet mail systems for implementing sender certification by third-party entities. Independent certification providers vouch for the reputation of senders by verifying the domain name that is associated with transmitted electronic mail. VBR information can be used by a message transfer agent, a mail delivery agent or by an email client.
The protocol is intended to become a standard for email sender certification, and is described in RFC 5518.
A user of a VBR email certification service signs its messages using DomainKeys Identified Mail (DKIM) and includes a VBR-Info field in the signed header. The sender may also use the Sender Policy Framework to authenticate its domain name. The VBR-Info: header field contains the domain name that is being certified (typically the responsible domain in a DKIM signature, the d= tag), the type of content in the message, and a list of one or more vouching services, that is, the domain names of the services that vouch for the sender for that kind of content:
VBR-Info: md=domain.name.example; mc=type; mv=vouching.example:vouching2.example
An email receiver can authenticate the message's domain name using DKIM or SPF, thus finding the domains that are responsible for the message. It then obtains the name of a vouching service that it trusts, either from among the set supplied by the sender or from a locally configured set of preferred vouching services. Using the Domain Name System, the receiver can verify whether a vouching service actually vouches for a given domain. To do so, the receiver queries a <code>TXT</code> resource record for a name composed as follows:
domain.name.example._vouch.vouching.example
The returned data, if any, is a space-delimited list of all the types that the service vouches for, given as lowercase ASCII. They should match the self-asserted message content. The types defined are <code>transaction</code>, <code>list</code>, and <code>all</code>. Auditing the message may make it possible to establish whether its content corresponds. The result of the authentication can be saved in a new header field, according to RFC 6212, like so:
Authentication-Results: receiver.example; vbr=pass header.mv=vouching.example header.md=domain.name.example
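The receiver-side steps described above can be put together as follows. This is an added example, not code from RFC 5518 or from any implementation named on this page; the function names, <code>TRUSTED</code> and the <code>ZONE</code> dictionary (constructed data standing in for DNS) are hypothetical. It assumes the receiver only consults vouchers that are both listed by the sender and trusted locally, and the <code>none</code> and <code>fail</code> result values come from RFC 6212 rather than from this page.

```python
# Added example: receiver-side VBR decision. Function names, TRUSTED and
# ZONE are hypothetical; ZONE is constructed data standing in for DNS.

def parse_vbr_info(value):
    """Split a VBR-Info value into md, mc and the list of mv vouchers."""
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            key, val = part.split("=", 1)
            tags[key.strip().lower()] = val.strip().lower()
    if not all(tags.get(k) for k in ("md", "mc", "mv")):
        raise ValueError("VBR-Info needs md, mc and mv")
    tags["mv"] = [v.strip() for v in tags["mv"].split(":") if v.strip()]
    return tags

def check_vbr(vbr_info, authenticated, trusted, txt_lookup, receiver):
    """Return the Authentication-Results value for one message."""
    info = parse_vbr_info(vbr_info)
    # md is only meaningful if DKIM or SPF already authenticated it;
    # otherwise VBR-Info is an unauthenticated self-assertion.
    if info["md"] not in authenticated:
        return f"{receiver}; vbr=none"
    # Ask only vouchers that are both listed by the sender and trusted
    # locally, so a sender cannot nominate its own vouching service.
    for voucher in info["mv"]:
        if voucher not in trusted:
            continue
        txt = txt_lookup(f"{info['md']}._vouch.{voucher}")
        if txt is None:          # no record: this service does not vouch
            continue
        vouched = txt.lower().split()
        if "all" in vouched or info["mc"] in vouched:
            return (f"{receiver}; vbr=pass header.mv={voucher} "
                    f"header.md={info['md']}")
    return f"{receiver}; vbr=fail header.md={info['md']}"

# Constructed sample data (not real DNS content).
ZONE = {"domain.name.example._vouch.vouching2.example": "transaction list"}
TRUSTED = {"vouching2.example"}
HEADER = "md=domain.name.example; mc=list; mv=vouching.example:vouching2.example"

if __name__ == "__main__":
    print(check_vbr(HEADER, {"domain.name.example"}, TRUSTED,
                    ZONE.get, "receiver.example"))
```

In a deployment, <code>txt_lookup</code> would be a DNS resolver call returning the <code>TXT</code> data or nothing, and <code>authenticated</code> would hold the domains that passed DKIM or SPF for the message.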
OpenDKIM and MDaemon Messaging Server by Alt-N Technologies have been among the first software implementations of VBR. OpenDKIM provides a milter as well as a standalone library. Roaring Penguin Software's CanIt anti-spam filter supports VBR as of version 7.0.8 released on 2010-11-09.
Spamhaus has released The Spamhaus Whitelist, which includes a domain-based whitelist, the DWL, where a domain name can be queried as, e.g., <code>dwltest.com._vouch.dwl.spamhaus.org</code>. Although the standard only specifies <code>TXT</code> resource records, Spamhaus, following a long-established DNSBL practice, has also assigned <code>A</code> resource records with values in 127.0.2.0/24 for whitelist return codes. Being able to query an address may allow easier deployment of existing code. However, their techfaq recommends checking the domain (the value of the <code>d=</code> tag) of a valid <code>DKIM-Signature</code> by querying the corresponding <code>TXT</code> record, and their howto gives details about inserting <code>VBR-Info</code> header fields in messages signed by whitelisted domains. By 2013, one of the protocol authors considered it a flop.