Suped

What is the purpose of the ARC 'cv=pass' result?

When you delve into the technical headers of an email, you'll find a lot of information about its journey and authentication status. One of the more recent and important additions is Authenticated Received Chain (ARC). It was designed to solve a very common problem: email authentication, specifically DMARC, often breaks when an email is forwarded or passes through a mailing list.

Before ARC, a server forwarding an email would often inadvertently invalidate SPF and DKIM signatures. Because DMARC relies on the results of SPF and DKIM, this meant many legitimate emails were being rejected or sent to spam. ARC creates a way to preserve those original authentication results.

Proton says:
Authenticated Received Chain (ARC) allows email providers to verify that emails are genuine when forwarded or sent from a mailing list.

By adding a new set of cryptographic signatures at each 'hop', ARC builds a chain of custody that a final receiving server can verify. The result of this verification is where the cv=pass tag comes into play.

The ARC headers and the chain of custody

To understand the chain validation result, you first need to know what makes up the chain. ARC introduces three new email headers:

  • ARC-Authentication-Results (AAR): This header snapshots the original authentication results (SPF, DKIM, DMARC) before the intermediary server processed the email.
  • ARC-Message-Signature (AMS): This is a DKIM-like signature that includes a snapshot of the message headers and body.
  • ARC-Seal (AS): This is a signature of the previous ARC headers, essentially linking them together in a chain.

Each server that forwards the email, like a mailing list processor, adds its own set of these three headers. This creates a sequential chain that documents the email's path.

VAND3RLINDEN says:
ARC (Authenticated Received Chain) sealing is a way to help ensure the authenticity of email messages as they pass through various email servers.

Understanding the chain validation (cv) result

When a destination mail server receives an email containing ARC headers, it validates the entire chain. It checks the signature of each link to ensure nothing has been broken or tampered with along the way. The result of this comprehensive check is reported in the cv (Chain Validation) tag.

This tag can have one of three states: pass, fail, or none. A fail result indicates the chain was invalid, while none means no ARC chain was present to begin with.

What does `cv=pass` mean?

A cv=pass result is the goal of the ARC protocol. It means the receiving server has successfully validated the entire chain of ARC signatures, right back to the first one. This confirms that all intermediaries that handled the message were ARC-compliant and that the chain of custody is trustworthy.

ProPublica says:
While a validated DKIM signature guarantees that you have the same email that was sent, a validated ARC signature can guarantee that you have the same email that was sent through a chain of forwarders.

The purpose of this result is to give the receiving server enough confidence to potentially override a local DMARC failure. For instance, if a forwarded email fails DMARC due to changes made by a mailing list, the server can check the ARC chain. If it finds cv=pass and the original ARC-Authentication-Results header shows a dmarc=pass, it can choose to trust the original sender and deliver the message. In essence, cv=pass is a strong signal that helps legitimate, forwarded emails reach the inbox.
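To make the decision above concrete, here is an added Python example (not code from this article or from any mail provider) that groups the three ARC headers by instance number and reads the original DMARC result from the first hop. The domains and header values are constructed, the signature values are elided, and no cryptographic verification is performed; the rule that the first seal carries cv=none and every later seal carries cv=pass comes from RFC 8617, not from this page.

```python
import re
from email import message_from_string

# Constructed sample: a message forwarded by one mailing list (hypothetical domains,
# signature values elided as "..."; nothing here is cryptographically verified).
SAMPLE = """\
ARC-Seal: i=2; a=rsa-sha256; d=list.example; s=arc; cv=pass; b=...
ARC-Message-Signature: i=2; a=rsa-sha256; d=list.example; s=arc; h=from:subject; bh=...; b=...
ARC-Authentication-Results: i=2; list.example; spf=fail; dkim=fail; dmarc=fail
ARC-Seal: i=1; a=rsa-sha256; d=mx.example; s=arc; cv=none; b=...
ARC-Message-Signature: i=1; a=rsa-sha256; d=mx.example; s=arc; h=from:subject; bh=...; b=...
ARC-Authentication-Results: i=1; mx.example; spf=pass; dkim=pass; dmarc=pass
From: alice@sender.example
Subject: hello

body
"""

ARC_HEADERS = ("ARC-Seal", "ARC-Message-Signature", "ARC-Authentication-Results")

def tag(value, name):
    """Return the value of a `name=value` tag in a header, or None."""
    m = re.search(r"(?:^|[;\s])%s\s*=\s*([^;\s]+)" % re.escape(name), value)
    return m.group(1).lower() if m else None

def arc_sets(raw):
    """Group the three ARC headers by instance number i=."""
    msg, sets = message_from_string(raw), {}
    for name in ARC_HEADERS:
        for value in msg.get_all(name, []):
            i = tag(value, "i")
            if i is None or not i.isdigit() or name in sets.setdefault(int(i), {}):
                return None  # missing/duplicate instance: structurally broken
            sets[int(i)][name] = value
    return sets

def summarize(raw):
    """Structural check only: returns (chain_ok, original dmarc result from i=1)."""
    sets = arc_sets(raw)
    if not sets or sorted(sets) != list(range(1, len(sets) + 1)):
        return (False, None)
    for i, hdrs in sets.items():
        expected_cv = "none" if i == 1 else "pass"
        if len(hdrs) != 3 or tag(hdrs["ARC-Seal"], "cv") != expected_cv:
            return (False, None)
    return (True, tag(sets[1]["ARC-Authentication-Results"], "dmarc"))
```

A receiver would only act on the `dmarc=pass` recorded at i=1 after verifying every ARC-Message-Signature and ARC-Seal signature and deciding that it trusts the sealing domains, which this structural check does not do.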