Vouch By Reference (VBR) protocol
allows senders to list
certification providers to serve as sources of certification
information for senders' outgoing mail.
A receiver might directly trust the sender and not need to ask
a certification provider for additional vouching; however, it is
commonly expected that receivers won't trust all the senders
they receive mail from, and will want to ask trusted certification
providers to vouch for some of their incoming mail.
The steps to get vouching information for a piece of mail are
Obtain a useful domain name
Verify that each VBR header domain matches one such domain, and
lists at least one certification provider that
you trust for the type of mail
Validate that at least one of the trusted certification providers
actually vouches for that sender sending that type of mail
Validating That the Message Is Vouched For
The recipient queries each of the trusted certification providers
to see whether or not they vouch for the type of mail listed in the
header. The method for doing this is described in the
It is important to query
certification providers trusted by the recipient, which may be a
subset of the certification providers listed in the
If none of the recipient's trusted certification providers are listed in
a VBR-Info header, the message is not vouched for.
If more than one trusted certification provider is listed, a receiver has
the option of
not querying the rest of them if one query provides a successful validation.
Recipients' logs should include information about success and failure of
domain validation (such as for DKIM or Sender-ID)
and certification provider lookups, in order to help diagnose
If applicable, in messages delivered to users, recipients should
provide an indication that a vouched DKIM signature was verified, to aid
mail sorting in user mail applications.