
Verified Authenticated Messaging Protocol

Identity First Mail

Spam exists today because of weaknesses in legacy email. Email was never designed as an adversarial system, but we live in an adversarial world.
Sending millions of emails for spam / phishing / marketing is essentially free, and fighting it costs hundreds of millions of dollars.
VAMP aims to invert that equation through identity, cryptographic chain of custody, and marginal cost applied to the sender instead of the receiver, making bulk spam economically unviable.

Do your users know who to trust?

Can your email do this?

VAMP turns provenance into something recipients can actually read: who sent the message, how it arrived, and whether the trust state is normal, new, degraded, or dangerous.

Direct Trust

9:14 AM

Verified Sender

Trusted Device

Subject: Notes from Tuesday’s sender policy review

I pulled the action items into one place and marked the device enrollment changes we should ship first.

Device Change

9:18 AM

Verified Sender

New Device

Subject: Updated rollout notes for Thursday

I am sending from my travel laptop this morning, but the plan and approvals are unchanged from the draft I shared yesterday.

Custody

10:02 AM

Redistributed by team-updates@example.org

Subject: Updated schedule for the operator briefing

This message was authored by Alice and redistributed through the team updates list with the custody path preserved.

Consent

10:11 AM

Subscription Consent Verified

Subject: The VAMP developer preview launches today

We opened the first wave of access this morning, published the launch notes, and included the rollout milestones for early adopters below.

First Contact Indicators

10:02 AM

Verified Sender

First Contact

Subject: Covering for Alice

Hi, this is Alice’s coworker Sam. I’m reaching out about the project so I can cover for Alice while she’s out next week.

Phishing Attempt

10:49 AM

Unverified Domain

First Contact

Subject: Quick favor before the finance review?

I need you to send over a few prepaid cards before the meeting starts. Keep this between us and reply as soon as you can.

Why Change Email

Modern email is still organized around weak identity and after-the-fact defense.

The current system asks receivers to infer trust from headers, heuristics, and reputation after a message is already in motion. By that point, the protocol has already handed the receiver the cost and the risk.

  • Email addresses are weak identity claims, not cryptographic principals tied to a real actor.
  • Message handling is opaque; recipients rarely get a trustworthy chain of custody from origin to inbox.
  • Attackers can send unsolicited bulk mail at near-zero marginal cost.
  • Operators spend billions each year filtering abuse at industrial scale just to keep inboxes usable.
  • Users are still expected to inspect headers, wording, and context manually to spot fraud.

VAMP starts from a different premise: identity should be verifiable before or during delivery, provenance should be explicit, and unauthorized scale should impose cost on the sender instead of being dumped on the receiver.

Weak sender identity

Legacy email makes sender identity easy to spoof. Display names, headers, and even whole message paths can be manipulated to make malicious mail look legitimate.

No chain of custody

Recipients rarely get a trustworthy record of who originated a message, which systems handled it, what changed in transit, or whether it was redistributed by an authorized service.

Abuse is cheap

Spam, phishing, and mass solicitation are cheap to send at scale. The protocol gives attackers near-zero marginal cost while letting them externalize the damage.

Filtering is expensive

Receivers pay the bill for a broken trust model: filtering, storage, machine learning, user training, incident response, and fraud recovery all happen after the message is sent.

Consent is weak and sender-controlled

Opt-in, subscription state, and unsubscribe handling are usually maintained by the sender. Receivers can verify that a sender supports these workflows, but not that the recipient actually consented.

Trust is evaluated too late

Legacy email usually discovers security, capability, and recipient validity after the message is already in motion. By then, the receiver is left to sort out what should have been rejected earlier.

Identity-First Mail

VAMP changes the default story of a message.

This is not just a better spam filter. VAMP is a different substrate for email-shaped messaging: domain-authoritative identity, explicit custody, secure native transport, and sender accountability built into the protocol instead of layered on top of SMTP.

01

Domain-authoritative identity

The namespace owner is the identity authority. Trust begins at a domain trust anchor, not at a string in a From field.

02

Encrypt to the user, sign with the device

Messages target the user for asynchronous, multi-device mail, while device signatures make origin-specific trust visible.

03

Make custody explicit

A message is not just payload plus signature. It is a cryptographically verifiable record of who originated it and which meaningful actors handled it.

04

Attach policy to the real edge

Native delivery runs from sender-edge to receiver-edge, giving the protocol a clean place to attach identity, policy, downgrade rules, and sender-side cost.

05

Make unauthorized scale expensive

Unauthorized bulk delivery should impose sender-side marginal cost instead of dumping the burden on receivers, filters, and incident response teams.

06

Prove consent for redistribution

Mailing lists, newsletters, and notifications should carry verifiable membership or subscription proof instead of relying on sender-maintained opt-in claims.

Trust Model

Trust flows from device to user to organization to domain.

VAMP is fundamentally domain-authoritative. Devices hold the signing keys, users remain the stable messaging principals, organizations manage enrollment and revocation, and domains act as the trust anchors for the namespace. Humans never touch the crypto.

Encryption: target the user identity, not each device.

Signing: device-level origin remains visible and policy-relevant.

Transport: sender-edge adds organizational attestation for external delivery.

Device

Cryptographic origin

Hardware-bound signing keys establish where user actions actually came from.

User

Stable messaging principal

The identity recipients reason about and the identity to which messages are encrypted.

Organization

Administrative authority

Enrolls devices, authorizes outbound transport, and revokes compromised state.

Domain

Trust anchor for the namespace

Defines which authority is actually responsible for identities under that domain.

Chain Of Custody

Every message already has a provenance story.

In VAMP, chain of custody is not a special mechanism reserved for mailing lists or forwarding. It is the normal shape of a message. That lets recipients distinguish authorship, redistribution, service-generated delivery, and explicit handling without relying on loose header conventions.

Human Message

Direct authorship

device → user → organization

List Redistribution

Explicit rebroadcast

device → user → list service → organization

Service Message

Application origin

service identity → organization
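
The three custody shapes above, sketched as a receiver-side check. This is an added example, not VAMP's wire format or the project's code: the hop fields, the KEYS registry, and the helper names are assumptions, and HMAC stands in for the device and edge signatures so the sketch runs on the standard library alone.

```python
import hashlib
import hmac

# Custody shapes listed on the page, keyed by the expanded role path.
SHAPES = {
    ("device", "user", "organization"): "direct authorship",
    ("device", "user", "list service", "organization"): "list redistribution",
    ("service identity", "organization"): "service message",
}

# Constructed demo keys, looked up by (role, id) so a key cannot claim another role.
KEYS = {
    ("device", "alice-laptop"): b"k-device",
    ("list service", "team-updates@example.org"): b"k-list",
    ("service identity", "notifier"): b"k-service",
    ("organization", "example.org"): b"k-org",
}

def _tag(key, payload, hop, prev):
    """HMAC stand-in for a signature over payload digest, hop fields, previous tag."""
    fields = "\0".join((hop["role"], hop["id"], hop["principal"])).encode()
    return hmac.new(key, hashlib.sha256(payload).digest() + fields + prev,
                    hashlib.sha256).digest()

def append_hop(chain, payload, role, ident, principal=""):
    """Return a new chain with one more hop, bound to the hop before it."""
    hop = {"role": role, "id": ident, "principal": principal}
    prev = chain[-1]["tag"] if chain else b""
    hop["tag"] = _tag(KEYS[(role, ident)], payload, hop, prev)
    return chain + [hop]

def classify(chain, payload):
    """Verify every hop in order, then map the role path to a custody shape."""
    prev, path = b"", []
    for hop in chain:
        key = KEYS.get((hop["role"], hop["id"]))
        if key is None or not hmac.compare_digest(_tag(key, payload, hop, prev), hop["tag"]):
            return "rejected: hop %s failed verification" % hop["id"]
        path.append(hop["role"])
        if hop["role"] == "device":
            if not hop["principal"]:
                return "rejected: device hop names no user"
            path.append("user")  # the device signs on behalf of this user
        prev = hop["tag"]
    return SHAPES.get(tuple(path), "rejected: unrecognized custody path")
```

Because each tag covers the previous hop's tag, dropping the list-service hop to make a redistributed message look directly authored breaks verification at the organization hop.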

Published Now

Start with the pieces that define the model.

The current docs are research-heavy, but together they sketch the architecture: why the protocol exists, how native transport works, how sender accountability is enforced, and how identity-backed consent and redistribution should behave.