When you delve into the technical headers of an email, you'll find a lot of information about its journey and authentication status. One of the more recent and important additions is Authenticated Received Chain (ARC). It was designed to solve a very common problem: email authentication, specifically DMARC, often breaks when an email is forwarded or passes through a mailing list.
Before ARC, a server forwarding an email would often inadvertently invalidate SPF and DKIM signatures. Because DMARC relies on the results of SPF and DKIM, this meant many legitimate emails were being rejected or sent to spam. ARC creates a way to preserve those original authentication results.
By adding a new set of cryptographic signatures at each 'hop', ARC builds a chain of custody that a final receiving server can verify. The result of this verification is where the cv=pass tag comes into play.
The ARC headers and the chain of custody
To understand the chain validation result, you first need to know what makes up the chain. ARC introduces three new email headers:
- ARC-Authentication-Results (AAR): This header snapshots the original authentication results (SPF, DKIM, DMARC) before the intermediary server processed the email.
- ARC-Message-Signature (AMS): This is a DKIM-like signature that includes a snapshot of the message headers and body.
- ARC-Seal (AS): This is a signature of the previous ARC headers, essentially linking them together in a chain.
Each server that forwards the email, like a mailing list processor, adds its own set of these three headers. This creates a sequential chain that documents the email's path.
Understanding the chain validation (cv) result
When a destination mail server receives an email containing ARC headers, it validates the entire chain. It checks the signature of each link to ensure nothing has been broken or tampered with along the way. The result of this comprehensive check is reported in the cv (Chain Validation) tag.
This tag can have one of three states: pass, fail, or none. A fail result indicates the chain was invalid, while none means no ARC chain was present to begin with.
What does `cv=pass` mean?
A cv=pass result is the goal of the ARC protocol. It means the receiving server has successfully validated the entire chain of ARC signatures, right back to the first one. This confirms that all intermediaries that handled the message were ARC-compliant and that the chain of custody is trustworthy.
The purpose of this result is to give the receiving server enough confidence to potentially override a local DMARC failure. For instance, if a forwarded email fails DMARC due to changes made by a mailing list, the server can check the ARC chain. If it finds cv=pass and the original ARC-Authentication-Results header shows a dmarc=pass, it can choose to trust the original sender and deliver the message. In essence, cv=pass is a strong signal that helps legitimate, forwarded emails reach the inbox.
