Suped

What ARC header contains the list of signed header fields?

When dealing with modern email authentication, particularly in scenarios involving email forwarding or mailing lists, understanding Authenticated Received Chain (ARC) is crucial. ARC helps preserve email authentication results (like SPF, DKIM, and DMARC) as an email travels from its origin to the final recipient, passing through various intermediary servers along the way.

Proton says:
Authenticated Received Chain (ARC) allows email providers to verify that emails are genuine when forwarded or sent from a mailing list.

A common question that comes up when dissecting email headers is about which specific ARC header contains the list of signed message fields. The short answer is the ARC-Message-Signature header. This header includes a tag, h=, which explicitly lists the header fields included in its cryptographic signature.


Understanding the ARC header set

To fully grasp how ARC works, it's important to understand the three distinct headers that make up a single "hop" in the chain. Each intermediary server that handles the message adds a new set of these three headers.

  • ARC-Authentication-Results (AAR): This header is central to ARC's function. As described by Bento, it contains the authentication results from when the message was first received by the ARC-signing server. It essentially takes a snapshot of the SPF, DKIM, and DMARC validation status at that point in time, preserving it for the next server in the chain to inspect.
  • ARC-Message-Signature (AMS): This is the header that directly answers our question. The AMS is a DKIM-like signature that covers the message body and selected headers, and its syntax closely follows a standard DKIM-Signature. It contains an h= tag that lists which message headers (such as From, To, Subject) have been signed, so any change to those headers after the signature was applied will cause it to fail validation.
  • ARC-Seal (AS): This header "seals" the ARC headers from the current hop. It's a signature that covers the AAR and AMS headers generated by the same server. Its purpose is to ensure the integrity of the ARC information itself, proving that the recorded authentication results and message signature have not been altered.

The h= tag in the ARC-Message-Signature

The h= tag within the AMS is a colon-separated list of header field names. This tells the receiving mail server exactly which parts of the email header were used to create the signature.

Email on Acid says:
The list of signed header fields includes from:to:subject:date. This is the list of fields that have been “signed” to verify that they have not been changed.

For example, an h= tag might look like this: h=from:to:subject:date:message-id. This indicates that the ARC-Message-Signature has cryptographically signed the `From`, `To`, `Subject`, `Date`, and `Message-ID` headers. If any of these headers are changed after the signature is applied, the signature will fail validation, alerting the final recipient's mail server to a potential issue.

The chain of trust

When an email is forwarded through multiple servers (like a mailing list), each server adds its own set of ARC headers, creating a sequence, or chain, of headers. The final mail server validates this chain starting from the most recent ARC-Seal and working backward. If the entire chain is valid, the server can rely on the original authentication results preserved in the very first ARC-Authentication-Results header, even if forwarding broke SPF and DKIM alignment along the way. A valid chain only proves that the recorded results were not tampered with; whether to act on them remains a policy decision that depends on the receiver trusting the domains that sealed each hop.
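As an added illustration (not code from Suped or from any of the sources quoted above), the following Python extracts the list of signed header fields from the h= tag of an ARC-Message-Signature and checks that a captured ARC header set has a complete AAR/AMS/AS triple for every instance number, which is the structural precondition for the chain validation just described. The header values are constructed samples with placeholder hash and signature values; the real cryptographic verification is out of scope here.

```python
import re
from typing import Dict, List, Sequence, Set, Tuple

# Constructed sample of one ARC hop (i=1); bh=/b= values are placeholders, not real signatures.
SAMPLE_HEADERS: List[Tuple[str, str]] = [
    ("ARC-Seal", "i=1; a=rsa-sha256; t=1700000000; cv=none; d=forwarder.example;"
                 " s=arc; b=PLACEHOLDER"),
    ("ARC-Message-Signature", "i=1; a=rsa-sha256; c=relaxed/relaxed;"
                              " d=forwarder.example; s=arc;\r\n\th=from:to:subject:date:message-id;"
                              " bh=PLACEHOLDER; b=PLACEHOLDER"),
    ("ARC-Authentication-Results", "i=1; forwarder.example; spf=pass"
                                   " smtp.mailfrom=origin.example; dkim=pass header.d=origin.example"),
]

REQUIRED_SET = {"arc-seal", "arc-message-signature", "arc-authentication-results"}

def parse_tags(value: str) -> Dict[str, str]:
    """Split a DKIM/ARC-style tag=value list into a dict, unfolding header line breaks first."""
    value = re.sub(r"\r?\n[ \t]+", " ", value)
    tags: Dict[str, str] = {}
    for part in value.split(";"):
        if "=" in part:
            name, val = part.split("=", 1)
            tags[name.strip()] = val.strip()
    return tags

def signed_header_fields(ams_value: str) -> List[str]:
    """Return the header names from the h= tag of an AMS; From must be covered (DKIM rule)."""
    tags = parse_tags(ams_value)
    if "h" not in tags:
        raise ValueError("ARC-Message-Signature has no h= tag")
    fields = [f.strip().lower() for f in tags["h"].split(":") if f.strip()]
    if "from" not in fields:
        raise ValueError("h= tag does not cover the From header")
    return fields

def arc_instances(headers: Sequence[Tuple[str, str]]) -> Dict[int, Set[str]]:
    """Group the ARC headers of a message by their i= instance number."""
    instances: Dict[int, Set[str]] = {}
    for name, value in headers:
        if name.lower() in REQUIRED_SET:
            instances.setdefault(int(parse_tags(value)["i"]), set()).add(name.lower())
    return instances

def chain_is_complete(headers: Sequence[Tuple[str, str]]) -> bool:
    """True when instances run 1..n without gaps and every hop has AAR, AMS and AS."""
    inst = arc_instances(headers)
    return bool(inst) and sorted(inst) == list(range(1, len(inst) + 1)) \
        and all(names == REQUIRED_SET for names in inst.values())
```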

In summary, while all three ARC headers are vital for the system to work, the ARC-Message-Signature is the specific header that contains the list of signed header fields via its h= tag. This provides a verifiable record of the message's key headers at a particular point in its journey.
