When you're digging into email headers, you might come across a set of headers prefixed with ARC. ARC stands for Authenticated Received Chain, an email authentication standard designed to preserve DMARC, SPF, and DKIM validation results when an email passes through an intermediary, like a mailing list or a forwarding service.
These intermediaries often modify email headers or content, which can break the original SPF and DKIM signatures, causing legitimate emails to fail DMARC checks. ARC addresses this by creating a secure, ordered chain of custody. The ARC-Seal header is a key part of this system, and within it, the i= tag plays a very specific and crucial role.
The i= tag in an ARC-Seal header stands for "instance". It's a simple, mandatory counter that indicates the position of the system that added the seal in the forwarding chain.
Think of it as a seal number. Its purpose is to create an ordered sequence, allowing the final recipient's mail server to correctly validate the chain of ARC signatures. The process works like this:
By following this numbered chain, the final mail server can confirm that the email's journey is authentic and that no unauthorized entity has tampered with it along the way. If the entire chain of seals is valid, the server can then trust the original authentication results reported in the ARC-Authentication-Results header (where i=1). This allows the server to potentially override a local DMARC fail, since it has proof from a trusted chain that the email was legitimate when it was first sent.
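The numbering check a receiver makes before trusting a chain can be sketched as follows. This is an added example, not code from the original page or from any mail server. It checks only the structure of the i= sequence and performs no signature verification. The cv= expectations (none at i=1, pass afterwards) and the limit of 50 instances come from RFC 8617; the sample message and the helper names `tag` and `check_instances` are constructed for illustration.

```python
import re
from collections import defaultdict
from email import message_from_string

FIELDS = ("ARC-Seal", "ARC-Message-Signature", "ARC-Authentication-Results")
MAX_INSTANCE = 50  # RFC 8617 caps i= at 50

# Constructed sample: two hops; b=/bh= values are placeholders, not real signatures.
SAMPLE = """\
ARC-Seal: i=2; a=rsa-sha256; cv=pass; d=list.example; s=s2; b=PLACEHOLDER
ARC-Message-Signature: i=2; a=rsa-sha256; d=list.example; s=s2; h=from; bh=PLACEHOLDER; b=PLACEHOLDER
ARC-Authentication-Results: i=2; list.example; arc=pass
ARC-Seal: i=1; a=rsa-sha256; cv=none; d=fwd.example; s=s1; b=PLACEHOLDER
ARC-Message-Signature: i=1; a=rsa-sha256; d=fwd.example; s=s1; h=from; bh=PLACEHOLDER; b=PLACEHOLDER
ARC-Authentication-Results: i=1; fwd.example; spf=pass; dkim=pass; dmarc=pass
From: alice@sender.example
Subject: constructed test

body
"""

def tag(value, name):
    """Return the value of one tag=value pair from a header value, or None."""
    m = re.search(r"(?:^|;)\s*" + re.escape(name) + r"\s*=\s*([^;\s]+)", value)
    return m.group(1) if m else None

def check_instances(raw):
    """Return (ok, reason, chain_length) for the i= numbering of the ARC sets."""
    msg = message_from_string(raw)
    sets = defaultdict(lambda: defaultdict(list))
    for field in FIELDS:
        for value in msg.get_all(field, []):
            i = tag(value, "i") or ""
            if not re.fullmatch(r"[0-9]+", i):
                return False, f"{field} has no numeric i=", 0
            sets[int(i)][field].append(value)
    if not sets:
        return True, "no ARC headers", 0
    n = max(sets)
    if min(sets) < 1 or n > MAX_INSTANCE:
        return False, "i= outside 1..50", n
    for i in range(1, n + 1):  # every instance from 1 to N must be a full set
        for field in FIELDS:
            if len(sets[i][field]) != 1:
                return False, f"i={i}: expected exactly one {field}", n
        cv, want = tag(sets[i]["ARC-Seal"][0], "cv"), "none" if i == 1 else "pass"
        if cv != want:
            return False, f"i={i}: cv={cv}, expected {want}", n
    return True, "instances 1..N complete and in order", n
```

A chain that passes this check still needs each ARC-Seal and the latest ARC-Message-Signature verified cryptographically before the i=1 results are trusted.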