To understand the 'cv' tag, we first need to briefly touch on what Authenticated Received Chain (ARC) is. ARC is an email authentication protocol designed to preserve email authentication results (like SPF and DKIM) when an email is forwarded. This is a common scenario with mailing lists or forwarding services, which often break the original authentication and cause DMARC failures. ARC adds a new set of headers to the email at each 'hop' in its journey, creating a chain of custody.
The protocol, defined in RFC 8617, adds three new headers: ARC-Authentication-Results, ARC-Message-Signature, and ARC-Seal. Our focus is on the ARC-Seal header.
The ARC-Seal header is like a tamper-evident seal for the ARC headers added at each step of the email's journey. It contains a cryptographic signature that covers the other ARC headers from that specific hop. Each ARC-Seal also includes a validation of the ARC-Seal from the *previous* hop. This creates the 'chain' in Authenticated Received Chain. A crucial part of this validation is the cv tag.
The cv tag in an ARC-Seal header stands for Chain Validation. Its job is to report the status of the ARC chain up to that point. When a server adds a new ARC set and seal, it first checks the validity of the previous ARC-Seal header. The result of that check is then recorded in the cv tag of the new seal.
The cv tag can have one of three values:
The cv tag is the final verdict on the integrity of the ARC chain. When a receiving mail server evaluates an incoming email, it looks at the entire chain of ARC headers. If the final ARC-Seal has cv=pass, the server can trust the authentication results reported in the earliest part of the chain, even if the email's final hop fails SPF or DKIM.
Conversely, a cv=fail indicates a broken chain. A receiving server will likely disregard the ARC results entirely and fall back to its standard evaluation of SPF, DKIM, and DMARC on the message as it was received. This could lead to the message being rejected or sent to spam, which is the very problem ARC was designed to solve.
In short, the cv tag provides a simple, at-a-glance summary of the ARC chain's health, allowing mail servers to decide whether to trust the preserved authentication results.
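The structural rules a validator applies to the cv tag before any signature is checked, as an added example (not from the original page or from any mail library): under RFC 8617 the first seal must carry cv=none, every later seal cv=pass, and the instance numbers (i=) must run from 1 without gaps. The function names and sample headers are constructed for illustration; the ARC-Authentication-Results and ARC-Message-Signature headers are not examined and no signature is verified.

```python
from email import message_from_string

CV_VALUES = {"none", "pass", "fail"}   # the cv values defined in RFC 8617
MAX_INSTANCE = 50                      # RFC 8617 upper bound on i=

def parse_tags(value):
    """Split a DKIM-style tag list ("i=1; cv=none; ...") into a dict."""
    tags = {}
    for part in value.split(";"):
        name, sep, val = part.partition("=")
        if sep:
            tags[name.strip()] = "".join(val.split())  # drop folding whitespace
    return tags

def arc_structure(raw_message):
    """Structural check of the ARC-Seal cv/i tags. Signatures are NOT verified,
    so "ok" means "consistent so far", never a cryptographic cv=pass."""
    seals = message_from_string(raw_message).get_all("ARC-Seal", [])
    if not seals:
        return "none", "no ARC-Seal headers present"
    chain = {}
    for value in seals:
        tags = parse_tags(value)
        if not tags.get("i", "").isdecimal() or tags.get("cv") not in CV_VALUES:
            return "fail", "malformed ARC-Seal"
        i = int(tags["i"])
        if i in chain:
            return "fail", f"duplicate instance i={i}"
        chain[i] = tags["cv"]
    n = len(chain)
    if n > MAX_INSTANCE or sorted(chain) != list(range(1, n + 1)):
        return "fail", "instances are not contiguous from i=1"
    for i in range(1, n + 1):
        expected = "none" if i == 1 else "pass"
        if chain[i] != expected:
            return "fail", f"i={i} has cv={chain[i]}, expected cv={expected}"
    return "ok", f"{n} seal(s) consistent; signatures still unverified"

# Constructed sample message; b= values are placeholders, not real signatures.
SAMPLE = (
    "ARC-Seal: i=2; a=rsa-sha256; t=1700000100; cv=pass;\n"
    " d=list.example.org; s=arc; b=PLACEHOLDER\n"
    "ARC-Seal: i=1; a=rsa-sha256; t=1700000000; cv=none;\n"
    " d=forwarder.example.net; s=arc; b=PLACEHOLDER\n"
    "Subject: constructed example\n\nbody\n"
)

if __name__ == "__main__":
    print(arc_structure(SAMPLE))
    print(arc_structure(SAMPLE.replace("cv=pass", "cv=fail")))
```

A message that passes this check still needs its ARC-Message-Signature and every ARC-Seal signature verified before the chain can be reported as cv=pass.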