VVS-1 Overview

What is VVS-1?

VVS-1 (Venmail Verification Standard, version 1) adds verifiable, agent-scoped identity and message integrity to email. It uses Ed25519 signatures, standard SMTP headers, and existing DNS/HTTPS infrastructure.

VVS-1 does not modify SMTP. It layers trust on top of delivery — receivers that don’t support VVS-1 deliver messages normally.

Why?

Email has no native way to verify that a message from [email protected] was actually sent by the billing system (and not spoofed, injected, or tampered with). DKIM proves the domain sent it. VVS-1 proves which agent sent it and that the body hasn’t been modified.

This matters for:

AI agents sending emails on behalf of users or systems
Automated workflows where message authenticity is critical
Financial communications that must be tamper-evident
Cross-organization agent-to-agent communication

How it works

Sender side

Each agent gets an Ed25519 keypair
The public key is published at /.well-known/venmail-agent/{name} or via DNS
When sending, the agent signs the message body + headers
VVS headers are added to the email before DKIM signing

Receiver side

Extract X-Venmail-* headers from the incoming message
Resolve the sender’s public key via well-known, DNS, or embedded header
Verify the Ed25519 signature against the message content
Assign a trust level: VERIFIED, PARTIAL, FAILED, or UNKNOWN

Trust levels

Level	Meaning
VERIFIED	Signature valid, key resolved via `.well-known` or DNS
PARTIAL	Signature valid, key from embedded header only
FAILED	Headers present but verification failed
UNKNOWN	No VVS headers — normal email

Backward compatibility

Messages without VVS headers are delivered normally
VVS verification never blocks SMTP delivery
Trust levels are annotations, not gatekeepers

What’s next

Sign messages with your agent’s Ed25519 key
Verify messages on the receiving end
Manage keys — generation, rotation, revocation
Header reference — full specification of all VVS headers