When you look at the source of an email, you might come across a long string of technical headers. One of these, the ARC-Message-Signature, is part of a system called Authenticated Received Chain (ARC). ARC helps preserve email authentication results like SPF and DKIM, especially when an email is forwarded through intermediaries like mailing lists.
The bh= tag within this signature is a critical component. It stands for "body hash". Put simply, it's a cryptographic hash (a unique fingerprint) of the email's body content. Its purpose is to verify that the body of the message hasn't been tampered with or altered since the signature was applied. This tag functions almost identically to the bh= tag found in a standard DKIM signature, which ARC is built upon.
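To make the body hash concrete, here is an added example (not code from the original article) that computes a bh= value the way RFC 6376 describes for DKIM, which ARC reuses: canonicalize the body with the body half of the c= tag, hash it with the algorithm named in a=, and base64-encode the digest. It then recomputes bh= from a message body and compares it with the value recorded in an ARC-Message-Signature, which is the check a verifier performs to detect a modified body. The sample body, domain, selector and the placeholder b= value are constructed for this example; only bh= is checked here, not the b= signature over the headers.

```python
import base64
import hashlib
import hmac
import re
from typing import Dict, Optional, Tuple

# Added example: compute and verify the bh= tag of an ARC-Message-Signature.
# bh= is computed exactly as in DKIM (RFC 6376): canonicalize the body,
# hash it with the algorithm from a=, then base64-encode the digest.


def simple_body_canon(body: str) -> bytes:
    """RFC 6376 'simple' body canonicalization: drop trailing empty lines and
    make sure the body ends with exactly one CRLF (an empty body becomes CRLF)."""
    lines = body.replace("\r\n", "\n").split("\n")
    while lines and lines[-1] == "":
        lines.pop()
    return ("\r\n".join(lines) + "\r\n").encode("utf-8")


def relaxed_body_canon(body: str) -> bytes:
    """RFC 6376 'relaxed' body canonicalization: collapse runs of SP/TAB to one
    SP, strip trailing whitespace on each line, drop trailing empty lines;
    an empty body canonicalizes to the empty string."""
    lines = [re.sub(r"[ \t]+", " ", ln).rstrip(" ")
             for ln in body.replace("\r\n", "\n").split("\n")]
    while lines and lines[-1] == "":
        lines.pop()
    if not lines:
        return b""
    return ("\r\n".join(lines) + "\r\n").encode("utf-8")


def body_hash(body: str, canon: str = "relaxed", algo: str = "sha256",
              length: Optional[int] = None) -> str:
    """Return the bh= value: base64(hash(canonicalized body, truncated to l=))."""
    data = relaxed_body_canon(body) if canon == "relaxed" else simple_body_canon(body)
    if length is not None:          # l= tag: only the first l octets are hashed
        data = data[:length]
    return base64.b64encode(hashlib.new(algo, data).digest()).decode("ascii")


def parse_tags(header_value: str) -> Dict[str, str]:
    """Split a 'tag=value; tag=value' header into a dict. Folding whitespace is
    allowed inside base64 values, so all whitespace is removed from values."""
    tags: Dict[str, str] = {}
    for part in header_value.split(";"):
        if "=" in part:
            name, value = part.split("=", 1)
            tags[name.strip()] = re.sub(r"\s+", "", value)
    return tags


def verify_body_hash(ams_value: str, body: str) -> Tuple[bool, str, str]:
    """Recompute bh= from the body using the a=, c= and l= tags of the
    ARC-Message-Signature and compare it with the bh= the signer recorded.
    Returns (matches, computed_bh, recorded_bh). Only the body hash is checked;
    verifying b= (the signature over the selected headers) is a separate step."""
    tags = parse_tags(ams_value)
    algo = tags.get("a", "rsa-sha256").split("-", 1)[1]        # e.g. "sha256"
    c = tags.get("c", "simple/simple")                          # header/body
    body_canon = c.split("/", 1)[1] if "/" in c else "simple"   # "c=relaxed" alone means simple body
    length = int(tags["l"]) if "l" in tags else None
    computed = body_hash(body, body_canon, algo, length)
    recorded = tags.get("bh", "")
    matches = hmac.compare_digest(computed.encode("ascii"), recorded.encode("ascii", "replace"))
    return matches, computed, recorded


# Constructed sample body and ARC-Message-Signature (hypothetical domain,
# selector and signature value). bh= is filled in with body_hash so the header
# is self-consistent; b= is a placeholder because only bh= is checked here.
SAMPLE_BODY = "Hi.\r\n\r\nWe lost the game. Are you hungry yet?\r\n\r\nJoe.\r\n"
SAMPLE_AMS = (
    "i=1; a=rsa-sha256; c=relaxed/relaxed; d=example.org; s=arc-sel;"
    " h=from:to:subject:date:message-id;"
    " bh=" + body_hash(SAMPLE_BODY, "relaxed") + ";"
    " b=PLACEHOLDER_SIGNATURE_VALUE"
)

if __name__ == "__main__":
    ok, computed, recorded = verify_body_hash(SAMPLE_AMS, SAMPLE_BODY)
    print("original body:", "bh matches" if ok else "bh MISMATCH", computed)
    tampered = SAMPLE_BODY.replace("lost", "won")
    ok, computed, recorded = verify_body_hash(SAMPLE_AMS, tampered)
    print("tampered body:", "bh matches" if ok else "bh MISMATCH", computed, "!=", recorded)
```

Two details are worth noticing when reading the output. First, relaxed canonicalization makes the hash tolerant of whitespace changes that relays commonly introduce (trailing spaces, tab/space differences), while simple canonicalization does not; that is why most signers choose c=relaxed/relaxed. Second, any change to the body text, such as a mailing list appending a footer, produces a different bh=, so the original DKIM body hash no longer matches; this is exactly the situation ARC addresses, since the mediator records the authentication results it observed and adds its own ARC-Message-Signature over the body as it forwards it.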
ARC is designed to create a chain of custody for an email as it moves from the sender to the final recipient, passing through various systems (known as mediators) along the way. Each mediator in the chain adds its own set of ARC headers to vouch for the authentication results it observed.
The ARC-Message-Signature, which includes the bh= tag, is central to this process. Here is how it works:
It's important not to confuse the ARC-Message-Signature with another header called the ARC-Seal. They have very different jobs. The ARC-Message-Signature signs the message headers and body, which is why it needs the bh= tag.
In contrast, the ARC-Seal signs the previous ARC headers themselves (the ARC-Message-Signature and ARC-Authentication-Results headers for a given instance). Its job is to prevent those headers from being tampered with. Since it doesn't cover the body of the message, it does not contain a bh= tag.
Besides the body hash, the ARC-Message-Signature contains several other important tags, many of which will look familiar if you've ever inspected a DKIM signature.
In summary, the bh= tag is a non-negotiable part of the ARC-Message-Signature. It acts as a cryptographic seal on the email body, providing a way for each handler in a forwarding chain to attest to the state of the content as they saw it. Without it, the entire purpose of signing the message would be undermined, as there would be no guarantee that the content you're reading is the same content that was originally authenticated. It's a key piece of the puzzle that helps build trust in a world of complex email routing.