When dealing with modern email authentication, particularly in scenarios involving email forwarding or mailing lists, understanding Authenticated Received Chain (ARC) is crucial. ARC helps preserve email authentication results (like SPF, DKIM, and DMARC) as an email travels from its origin to the final recipient, passing through various intermediary servers along the way.
A common question that comes up when dissecting email headers is about which specific ARC header contains the list of signed message fields. The short answer is the ARC-Message-Signature header. This header includes a tag, h=, which explicitly lists the header fields included in its cryptographic signature.
Understanding the ARC header set
To fully grasp how ARC works, it's important to understand the three distinct headers that make up a single "hop" in the chain. Each intermediary server that handles the message adds a new set of these three headers.
- ARC-Authentication-Results (AAR): This header is central to ARC's function. As described by Bento, it contains the authentication results from when the message was first received by the ARC-signing server. It essentially takes a snapshot of the SPF, DKIM, and DMARC validation status at that point in time, preserving it for the next server in the chain to inspect.
- ARC-Message-Signature (AMS): This is the header that directly answers our question. The AMS is a DKIM-like signature that covers the message's content and select headers. The syntax is very similar to a standard DKIM-Signature. It contains a h= tag that lists which message headers (like From, To, Subject, etc.) have been signed. This ensures that these crucial headers have not been tampered with since this signature was applied.
- ARC-Seal (AS): This header "seals" the ARC headers from the current hop. It's a signature that covers the AAR and AMS headers generated by the same server. Its purpose is to ensure the integrity of the ARC information itself, proving that the recorded authentication results and message signature have not been altered.
The h= tag in the ARC-Message-Signature
The h= tag within the AMS is a colon-separated list of header field names. This tells the receiving mail server exactly which parts of the email header were used to create the signature.
For example, an h= tag might look like this: h=from:to:subject:date:message-id. This indicates that the ARC-Message-Signature has cryptographically signed the `From`, `To`, `Subject`, `Date`, and `Message-ID` headers. If any of these headers are changed after the signature is applied, the signature will fail validation, alerting the final recipient's mail server to a potential issue.
The chain of trust
When an email is forwarded through multiple servers (like a mailing list), each server adds its own set of ARC headers. This creates a sequence, or chain, of headers. The final mail server can then validate this chain, starting from the most recent ARC-Seal and working its way backward. If the entire chain is valid, the server can trust the original authentication results preserved in the very first ARC-Authentication-Results header, even if the forwarding process broke SPF and DKIM alignment along the way.
In summary, while all three ARC headers are vital for the system to work, the ARC-Message-Signature is the specific header that contains the list of signed header fields via its h= tag. This provides a verifiable record of the message's key headers at a particular point in its journey.
What is the purpose of the ARC-Seal header?
What ARC header field indicates the chain validation status?
What is the ARC-Authentication-Results header used for?
What ARC header contains a cryptographically signed copy of the message's state?
What ARC header indicates the chain of authentication results?
What are the three main ARC header fields?
