When dealing with modern email authentication, particularly in scenarios involving email forwarding or mailing lists, understanding Authenticated Received Chain (ARC, RFC 8617) is crucial. SPF, DKIM and DMARC results do not survive forwarding well: SPF is evaluated against the IP address of the last server that connected, and mailing lists routinely rewrite the Subject or append footers, which invalidates the original DKIM signature. ARC lets each intermediary record the authentication results it observed and cryptographically seal that record, so the final recipient can still see what the results looked like at each hop from the origin onward.
A common question that comes up when dissecting email headers is which specific ARC header contains the list of signed message fields. The short answer is the ARC-Message-Signature header. Like a DKIM-Signature, it carries an h= tag that lists the header fields covered by its signature (and a bh= tag holding the hash of the message body); the ARC-Seal has no h= tag at all, because what it signs is fixed by the specification rather than chosen by the signer.
To fully grasp how ARC works, it's important to understand the three distinct headers that make up a single "hop" in the chain: ARC-Authentication-Results (AAR), which copies the authentication results the intermediary itself computed; ARC-Message-Signature (AMS), a DKIM-style signature over selected headers and the body as the intermediary saw them; and ARC-Seal (AS), which signs the AAR, the AMS and every earlier hop's ARC headers. Each intermediary server that handles the message adds a new set of these three headers, all tagged with the same instance number i= (1 for the first sealer, 2 for the next, and so on), so a receiver can tell which headers belong together.
The h= tag within the ARC-Message-Signature is a colon-separated list of header field names, matched case-insensitively. This tells the receiving mail server exactly which header fields, and in which order, were fed into the hash that the signature covers. The selection rules are inherited from DKIM (RFC 6376): for each name in the list, the verifier takes the last not-yet-used header of that name counting from the bottom of the header block, and a name listed more times than it appears in the message contributes nothing for the extra entry.
For example, an h= tag might look like this: h=from:to:subject:date:message-id. This indicates that the ARC-Message-Signature has cryptographically signed the `From`, `To`, `Subject`, `Date`, and `Message-ID` headers (`From` must always be included, as in DKIM). If any of these headers is changed after the signature is applied, the signature will fail validation at the receiver. Two practical consequences follow. A header that is not listed in h= can be added or altered freely without disturbing the signature, so anything not listed is simply unprotected. And because selection runs from the bottom of the header block, an attacker who prepends a second `Subject` at the top, which is the one most clients display, does not break a signature that lists subject once; signers defend against this by listing such headers one extra time ("oversigning"), which pins the absence of a further copy. Note also that in ARC only the most recent hop's ARC-Message-Signature is required to validate; earlier ones are expected to break when a later intermediary modifies the message.
When an email is forwarded through multiple servers (like a mailing list), each server adds its own set of ARC headers. This creates a sequence, or chain, of headers. The final mail server validates the chain as follows: it checks that the instance numbers run contiguously from 1 with every set complete, verifies the ARC-Message-Signature of the most recent instance, and then verifies every ARC-Seal, starting from the most recent and working its way backward to i=1. Each ARC-Seal also carries a cv= tag recording the chain status that sealer saw: cv=none on the first instance, cv=pass on every later one, and cv=fail on any seal is enough to fail the whole chain. If the entire chain is valid, the server can consult the authentication results preserved in the very first ARC-Authentication-Results header (the first sealer's view of the original message) and use them, under its local policy, to override a DMARC failure caused by forwarding breaking SPF and DKIM alignment along the way. One caveat a practitioner must not skip: a valid chain only proves that the listed sealers made those claims. Anyone can build a self-consistent chain with keys they control, so a receiver should act on ARC results only when every sealer domain (the d= tag of each ARC-Seal) is one it has decided to trust.
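The two mechanisms described above, the h= selection rules of the ARC-Message-Signature and the structural checks a receiver makes on the ARC-Seal chain, can be exercised on a constructed header set. The following Python is an example added by the editor, not code from the original page or from any ARC implementation. The message in SAMPLE, its domains (sender.example, list.example, forwarder.example), selectors and the b=/bh= blobs are all made up; the code hashes the selected headers in relaxed canonical form to show what a change does to the signed input, but it does not verify any signature, since that needs the sealers' public keys.

```python
import hashlib
import re

# Example added by the editor, not code from the page.  SAMPLE is a constructed
# two-hop message: list.example sealed first (i=1), then forwarder.example (i=2);
# newer ARC sets sit above older ones.  Domains, selectors and the b=/bh= blobs
# are placeholders, and no signature is verified anywhere below.
ARC_FIELDS = ("arc-authentication-results", "arc-message-signature", "arc-seal")
SAMPLE = """\
ARC-Seal: i=2; a=rsa-sha256; cv=pass; d=forwarder.example; s=s2; t=1700000200; b=SEAL2
ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=forwarder.example;
 s=s2; h=from:to:subject:date:subject; bh=BODYHASH2; b=SIG2
ARC-Authentication-Results: i=2; forwarder.example; arc=pass; spf=pass smtp.mailfrom=list.example; dkim=fail header.d=sender.example
ARC-Seal: i=1; a=rsa-sha256; cv=none; d=list.example; s=s1; t=1700000100; b=SEAL1
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=list.example; s=s1; h=from:to:subject:date; bh=BODYHASH1; b=SIG1
ARC-Authentication-Results: i=1; list.example; spf=pass smtp.mailfrom=sender.example; dkim=pass header.d=sender.example
From: Alice <alice@sender.example>
To: list@list.example
Subject: [list] hello
Date: Tue, 14 Nov 2023 12:00:00 +0000

body text
"""


def parse_headers(raw):
    """Header block -> ordered (name, value) list, continuation lines unfolded."""
    head = re.sub(r"\n[ \t]+", " ", raw.split("\n\n", 1)[0])
    return [tuple(line.split(":", 1)) for line in head.split("\n")]


def parse_tags(value):
    """DKIM/ARC tag=value list -> dict (whitespace around tags is insignificant)."""
    return dict((k.strip(), v.strip()) for k, v in
                (p.split("=", 1) for p in value.split(";") if "=" in p))


def arc_sets(fields):
    """Group the three ARC header fields by their i= instance number."""
    sets = {}
    for name, value in fields:
        if name.lower() in ARC_FIELDS:
            tags = parse_tags(value)
            sets.setdefault(int(tags["i"]), {})[name.lower()] = tags
    return sets


def signed_fields(raw, instance):
    """The h= list of the ARC-Message-Signature carrying i=<instance>."""
    ams = arc_sets(parse_headers(raw))[instance]["arc-message-signature"]
    return [n.lower() for n in re.sub(r"\s+", "", ams["h"]).split(":") if n]


def select_signed(fields, h_list):
    """DKIM header selection, inherited by AMS: each h= entry takes the last
    unused header of that name (bottom of the block first); an entry with
    nothing left selects nothing, which is how 'oversigning' pins a header."""
    remaining, picked = list(fields), []
    for want in h_list:
        for idx in range(len(remaining) - 1, -1, -1):
            if remaining[idx][0].lower() == want:
                picked.append(remaining.pop(idx))
                break
    return picked


def header_hash(fields, h_list):
    """SHA-256 over the selected headers in relaxed canonical form (RFC 6376
    3.4.2): lowercase name, whitespace runs collapsed, no surrounding space.
    A real verifier also appends the AMS itself with b= emptied and checks b=
    against the key published under d=/s=; that step is omitted here."""
    h = hashlib.sha256()
    for name, value in select_signed(fields, h_list):
        canon = re.sub(r"[ \t]+", " ", value).strip()
        h.update((name.lower() + ":" + canon + "\r\n").encode())
    return h.hexdigest()


def hash_changes(raw, instance, edit):
    """True if `edit` (a function on the header list) alters the signed input."""
    fields, h_list = parse_headers(raw), signed_fields(raw, instance)
    return header_hash(fields, h_list) != header_hash(edit(fields), h_list)


# Post-sealing edits: rewrite Subject; add a header absent from h=; prepend a
# second Subject (the one most clients display).  Only an AMS that listed
# subject twice in h= (instance 2 above) catches the third one.
def rewrite_subject(f): return [(n, " phishing" if n.lower() == "subject" else v) for n, v in f]
def add_unsigned(f): return f + [("X-Trace", " hop")]
def prepend_subject(f): return [("Subject", " Urgent: reset your password")] + f


def chain_check(raw, trusted_sealers):
    """Structural checks of RFC 8617 5.2 on the ARC-Seal chain (instances
    contiguous from 1 and at most 50, every set complete, cv=none on i=1 and
    cv=pass on every later seal), then local policy: every sealer d= must be
    trusted.  Returns (chain status, i=1 ARC-Authentication-Results tags or
    None).  Verifying the AS and newest AMS signatures is left out."""
    sets = arc_sets(parse_headers(raw))
    if not sets:
        return "none", None
    n = max(sets)
    if n > 50 or sorted(sets) != list(range(1, n + 1)):
        return "fail", None
    for i, s in sets.items():
        if set(s) != set(ARC_FIELDS) or s["arc-seal"].get("cv") != ("none" if i == 1 else "pass"):
            return "fail", None
    if any(s["arc-seal"]["d"] not in trusted_sealers for s in sets.values()):
        return "pass", None   # chain intact but sealed by strangers: nothing to act on
    return "pass", sets[1]["arc-authentication-results"]
```

Running `hash_changes(SAMPLE, 2, prepend_subject)` against `hash_changes(SAMPLE, 1, prepend_subject)` shows the value of oversigning: the i=2 signer listed subject twice and detects the prepended header, the i=1 signer did not and is silently bypassed. `chain_check(SAMPLE, {"forwarder.example"})` returns a passing chain but no results to act on, because list.example is not a trusted sealer; add it to the set and the i=1 ARC-Authentication-Results (spf=pass, dkim=pass as the list saw them) come back.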
In summary, while all three ARC headers are vital for the system to work, the ARC-Message-Signature is the specific header that contains the list of signed header fields via its h= tag. Together with the matching i= instance number, this provides a verifiable record of the message's key headers at a particular point in its journey, and the h= list is also the first thing to read when working out why a later modification did or did not break that signature.