Vouch by Reference

Vouch by Reference (VBR) is a protocol used in Internet mail systems for implementing sender certification by third-party entities. Independent certification providers vouch for the reputation of senders by verifying the domain name that is associated with transmitted electronic mail. VBR information can be used by a message transfer agent, a mail delivery agent or by an email client. The protocol is intended to become a standard for email sender certification, and is described in RFC 5518.


Operation


Email sender

A user of a VBR email certification service signs its messages using DomainKeys Identified Mail (DKIM) and includes a VBR-Info field in the signed header. The sender may also use the Sender Policy Framework (SPF) to authenticate its domain name. The VBR-Info: header field contains the domain name that is being certified (typically the responsible domain in a DKIM signature, the d= tag), the type of content in the message, and a list of one or more vouching services, that is, the domain names of the services that vouch for the sender for that kind of content:

VBR-Info: md=domain.name.example; mc=type; mv=vouching.example:vouching2.example


Email receiver

An email receiver can authenticate the message's domain name using DKIM or SPF, thus finding the domains that are responsible for the message. It then obtains the name of a vouching service that it trusts, either from among the set supplied by the sender or from a locally configured set of preferred vouching services. Using the Domain Name System (DNS), the receiver can verify whether a vouching service actually vouches for a given domain. To do so, the receiver queries a TXT resource record for the name composed as:

domain.name.example._vouch.vouching.example

The returned data, if any, is a space-delimited list of all the types that the service vouches for, given as lowercase ASCII. They should match the self-asserted message content type. The types defined are transaction, list, and all. Auditing the message may allow the receiver to establish whether its content actually corresponds to the asserted type. The result of the authentication can be saved in a new header field, according to RFC 6212, like so:

Authentication-Results: receiver.example; vbr=pass header.mv=vouching.example header.md=domain.name.example


Implementations and variations

OpenDKIM and MDaemon Messaging Server by Alt-N Technologies were among the first software implementations of VBR. OpenDKIM provides a milter as well as a standalone library. Roaring Penguin Software's CanIt anti-spam filter supports VBR as of version 7.0.8, released on 2010-11-09. Spamhaus has released The Spamhaus Whitelist, which includes a domain-based whitelist, the DWL, where a domain name can be queried as, e.g., dwltest.com._vouch.dwl.spamhaus.org. Although the standard only specifies TXT resource records, following a long-established DNSBL practice, Spamhaus has also assigned A resource records with values in 127.0.2.0/24 for whitelist return codes. Being able to query for an address may make it easier to reuse existing DNSBL code. However, their techfaq recommends checking the domain (the value of the d= tag) of a valid DKIM-Signature by querying the corresponding TXT record, and their howto gives details about inserting VBR-Info header fields in messages signed by whitelisted domains. By 2013, one of the protocol authors considered it a flop.

