D A C
Vouch By Reference Guide for Receivers

The Vouch By Reference (VBR) protocol allows senders to list certification providers to serve as sources of certification information for senders' outgoing mail. A receiver might directly trust the sender and not need to ask a certification provider for additional vouching; however, it is commonly expected that receivers won't trust all the senders they receive mail from, and will want to ask trusted certification providers to vouch for some of their incoming mail.

The steps to get vouching information for a piece of mail are fairly straightforward:

  1. Obtain a useful domain name

  2. Verify that each VBR header domain matches one such domain, and lists at least one certification provider that you trust for the type of mail

  3. Validate that at least one of the trusted certification providers actually vouches for that sender sending that type of mail

Validating That the Message Is Vouched For

The recipient queries each of the trusted certification providers to see whether or not they vouch for the type of mail listed in the VBR-Info header. The method for doing this is described in the VBR specification. It is important to query only certification providers trusted by the recipient, which may be a subset of the certification providers listed in the VBR-Info header.

If none of the recipient's trusted certification providers are listed in a VBR-Info header, the message is not vouched for. If more than one trusted certification provider is listed, a receiver has the option of not querying the rest of them if one query provides a successful validation.
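The receiver procedure above, sketched as an added example that is not part of the original guide. The `md`/`mc`/`mv` header fields and the `<md>._vouch.<provider>` TXT query follow RFC 5518; the function names, the injected `lookup_txt` resolver, the log format and the `.example` domains are assumptions made for illustration.

```python
# Added example (not from the guide). Header syntax and the
# "<md>._vouch.<provider>" TXT query follow RFC 5518; all names are hypothetical.

def parse_vbr_info(value):
    """Parse 'md=...; mc=...; mv=a:b' into lowercase fields, or None."""
    fields = {}
    for part in value.split(";"):
        key, sep, val = part.partition("=")
        if sep:
            fields[key.strip().lower()] = val.strip().lower()
    if not {"md", "mc", "mv"} <= fields.keys():  # this example requires all three
        return None
    fields["mv"] = [p.strip() for p in fields["mv"].split(":") if p.strip()]
    return fields

def check_vouched(header, verified_domains, trusted, lookup_txt, log):
    """Return the provider that vouches for the message, else None.

    verified_domains: domains already validated for this message (e.g. DKIM)
    trusted: {provider: set of mail types the receiver trusts it for}
    lookup_txt: callable(name) -> list of TXT strings; raises LookupError
    """
    info = parse_vbr_info(header)
    if info is None:
        log.append("vbr: malformed header")
        return None
    if info["md"] not in verified_domains:
        log.append(f"vbr: md={info['md']} is not a validated domain")
        return None
    # Query only providers the receiver trusts for this mail type.
    for provider in info["mv"]:
        if info["mc"] not in trusted.get(provider, ()):
            continue
        name = f"{info['md']}._vouch.{provider}"
        try:
            vouched = set(" ".join(lookup_txt(name)).lower().split())
        except LookupError:
            log.append(f"vbr: lookup failed for {name}")
            continue
        if "all" in vouched or info["mc"] in vouched:
            log.append(f"vbr: {name} vouches for {info['mc']}")
            return provider  # one success is enough; skip the rest
        log.append(f"vbr: {name} does not vouch for {info['mc']}")
    return None

# Constructed sample data standing in for DNS. KeyError is a LookupError,
# so SAMPLE_DNS.__getitem__ can be passed as lookup_txt.
SAMPLE_DNS = {"sender.example._vouch.certs.example": ["transaction list"]}
```

In production, `lookup_txt` would wrap a real DNS resolver, and the `log` entries cover the provider-lookup successes and failures that the Best Practices section asks receivers to record.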

Best Practices

Recipients' logs should include information about success and failure of domain validation (such as for DKIM or Sender-ID) and certification provider lookups, in order to help diagnose errors.

If applicable, in messages delivered to users, recipients should provide an indication that a vouched DKIM signature was verified, to aid mail sorting in user mail applications.
