The ARC-Message-Signature header is one of three key components of the Authenticated Received Chain (ARC) protocol. In essence, ARC is an email authentication standard designed to solve a very common problem: authentication failures when an email is forwarded.
When an email travels from the sender to the recipient, it might pass through several intermediary servers, like mailing lists or forwarding services. These intermediaries can sometimes make small changes to the email, like altering the subject line or adding a footer. As Fastmail explains, when an intermediary alters a message, it can break the original DKIM signature, causing authentication to fail.
This creates a major headache for DMARC, which relies on SPF and DKIM alignment. If DKIM fails because of a forwarder, a legitimate email might be rejected or sent to spam. ARC was developed to fix this by preserving the original authentication results as the message is relayed.
The official ARC specification (RFC 8617) describes the protocol as providing an authenticated "chain of custody" for a message. It allows each server that handles the email to see the authentication results from the previous "hop". This is accomplished by adding a set of three headers to the email at each step of the journey.
The ARC-Message-Signature is the part of the process that validates the message contents at a specific point in the chain. Think of it as a snapshot. When a mailing list server receives an email, it first adds the ARC-Authentication-Results header to say, "Here's what I saw for SPF and DKIM."
Next, it creates the ARC-Message-Signature. This signature effectively says, "I, the mailing list server, cryptographically swear that the authentication results I just recorded are accurate, and that the message content was like this when I processed it." It works much like a DKIM signature, using a public/private key pair to create a verifiable signature.
When the final recipient's mail server gets the email, the original DKIM signature might be broken. But it can now look at the chain of ARC headers. It can verify each ARC-Seal and ARC-Message-Signature to trust the journey the email took. If it trusts the intermediaries (for example, it knows that Google Groups is a legitimate forwarder), it can use the preserved authentication results from the ARC-Authentication-Results header to help pass DMARC.
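The body-integrity part of that verification, as an added example that is not from the original article: it computes the bh= body hash an ARC-Message-Signature records, using the body canonicalization that ARC inherits from DKIM (RFC 6376), and checks whether a later copy of the body still matches it. The d=, s= and message values are constructed; the b= signature itself is not verified here because that needs the signer's public key from DNS.

```python
import base64
import hashlib
import re


def canonicalize_body(body: str, canon: str = "relaxed") -> bytes:
    """DKIM body canonicalization (RFC 6376 section 3.4), reused by ARC."""
    lines = body.replace("\r\n", "\n").split("\n")
    if canon == "relaxed":
        # relaxed: strip trailing WSP per line, collapse WSP runs to one SP
        lines = [re.sub(r"[ \t]+", " ", ln.rstrip(" \t")) for ln in lines]
    while lines and lines[-1] == "":
        lines.pop()  # both modes drop trailing empty lines
    text = "".join(ln + "\r\n" for ln in lines) or "\r\n"  # empty body hashes as CRLF
    return text.encode()


def body_hash(body: str, canon: str = "relaxed") -> str:
    """Base64 SHA-256 of the canonicalized body, i.e. the bh= tag value."""
    digest = hashlib.sha256(canonicalize_body(body, canon)).digest()
    return base64.b64encode(digest).decode()


def parse_tags(header_value: str) -> dict:
    """Parse a tag=value list such as 'i=1; a=rsa-sha256; bh=...'."""
    tags = {}
    for part in header_value.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = re.sub(r"\s+", "", value)  # unfold whitespace
    return tags


def build_ams(instance: int, body: str, canon: str = "relaxed/relaxed") -> str:
    """Unsigned ARC-Message-Signature value for a constructed hop (b= left empty)."""
    return (f"i={instance}; a=rsa-sha256; c={canon}; d=lists.example.org; s=arc1; "
            f"h=from:to:subject:date; bh={body_hash(body, canon.split('/')[1])}; b=")


def body_matches_ams(ams_value: str, body: str) -> bool:
    """True if the body still matches the bh= snapshot taken at this hop."""
    tags = parse_tags(ams_value)
    c = tags.get("c", "simple/simple")  # a bare 'relaxed' means simple body canon
    body_canon = c.split("/")[1] if "/" in c else "simple"
    return tags.get("bh") == body_hash(body, body_canon)


# Constructed message: a list post, then the same post with a list footer appended.
ORIGINAL_BODY = "Hello list,\r\n\r\nPlease review the attached  draft.\r\n"
AMS = build_ams(1, ORIGINAL_BODY)

if __name__ == "__main__":
    print("unchanged body:", body_matches_ams(AMS, ORIGINAL_BODY))
    print("footer added  :", body_matches_ams(AMS, ORIGINAL_BODY + "--\r\nSent via the list\r\n"))
```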
In short, the ARC-Message-Signature is a critical piece of the ARC protocol that ensures the integrity of the authentication results recorded by each intermediary, ultimately helping improve deliverability for forwarded emails and mailing list messages.