Suped

What is the 's=' tag in an ARC-Message-Signature header?

Before we dive into the specifics of the s= tag, it’s important to understand what ARC is. ARC, which stands for Authenticated Received Chain, is an email authentication protocol designed to solve a common problem with DMARC. When an email is forwarded, such as through a mailing list, it often breaks SPF and DKIM alignment, which can cause legitimate emails to fail DMARC checks. ARC works by preserving the initial authentication results across these intermediate hops.

VAND3RLINDEN says:
ARC helps ensure the authenticity of emails as they are passed through various email servers, preserving authentication results which might otherwise be broken by forwarding.

It does this by adding new headers to the message at each step, creating a 'chain' of custody. One of these headers is the ARC-Message-Signature, which is where you'll find the s= tag.


What is the 's=' tag?

The s= tag in an ARC-Message-Signature header is the selector tag. Its function is identical to the selector tag found in a standard DKIM signature. Essentially, it’s a piece of information that tells receiving mail servers where to find the public key needed to verify the signature.

Think of it like a specific pointer. A domain might have several different cryptographic keys for signing emails, perhaps for different services or for key rotation purposes. The selector specifies which exact key was used to sign that particular message.

How the ARC selector works

The process mirrors how DKIM selectors work. When a mail server that supports ARC processes an email, it performs the following steps:

  • Signing: The server uses a private key associated with a specific selector to generate a cryptographic signature of the message headers and body. This private key is kept secret on the server.
  • Header Insertion: The server adds the ARC-Message-Signature header to the email. This header includes the signature itself (the b= tag), the domain that signed it (the d= tag), and the selector used (the s= tag).
  • Verification: When a downstream server receives the message, it reads the s= and d= tags. It then constructs a DNS query for a TXT record at selector._domainkey.domain (e.g., selector1._domainkey.example.com). This DNS record contains the public key corresponding to the private key used for signing.
  • Validation: The server uses this public key to validate the signature. If it's valid, the server knows the message hasn't been tampered with since it was signed by that specific hop.
This GitHub issue on the OpenARC project shows a real-world scenario where a user discusses using the same key to sign both DKIM and ARC headers, illustrating the close relationship and shared infrastructure between the two protocols.
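The verification lookup described in the steps above, written out as an added example that is not from the original article or any ARC implementation: it parses the tag list of a constructed ARC-Message-Signature value, derives the DNS name a verifier queries from the s= and d= tags, and parses a constructed key record of the kind published at that name. No DNS query is made; the sample header, selector and key material are assumptions, not real values.

```python
"""Derive the key-record name of an ARC-Message-Signature from its s= and d= tags."""
import re


def parse_tag_list(header_value: str) -> dict:
    """Parse a DKIM/ARC style tag=value list (semicolon separated).
    Whitespace inside values is stripped, as verifiers do for b= and bh=;
    it is harmless for the other tags used here."""
    tags = {}
    for field in header_value.split(";"):
        field = field.strip()
        if not field:
            continue
        name, sep, value = field.partition("=")
        if not sep:
            raise ValueError(f"malformed tag: {field!r}")
        name = name.strip()
        if name in tags:
            raise ValueError(f"duplicate tag: {name}")
        tags[name] = re.sub(r"\s+", "", value)
    return tags


def key_record_name(tags: dict) -> str:
    """Build selector._domainkey.domain from the s= and d= tags (step 3 above)."""
    selector, domain = tags.get("s"), tags.get("d")
    if not selector or not domain:
        raise ValueError("both s= and d= are required to locate the public key")
    return f"{selector}._domainkey.{domain}".lower()


def parse_key_record(txt: str) -> dict:
    """Parse the TXT record found at that name; same tag=value syntax.
    p= carries the base64 public key; an empty p= means the key is revoked."""
    tags = parse_tag_list(txt)
    if "p" not in tags:
        raise ValueError("key record lacks the p= tag")
    return tags


# Constructed sample header value (i= is the ARC instance number); not a real message.
SAMPLE_AMS = ("i=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com; s=selector1; "
              "h=from:to:subject:date; bh=dGVzdC1ib2R5LWhhc2g=; b=ZmFrZS1zaWduYXR1cmU=")

# Constructed TXT record as a verifier would receive it (p= shortened, not a real key).
SAMPLE_TXT = "v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA"

if __name__ == "__main__":
    print(key_record_name(parse_tag_list(SAMPLE_AMS)))  # selector1._domainkey.example.com
    print(parse_key_record(SAMPLE_TXT)["k"])             # rsa
```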

Why are selectors important?

Selectors are a critical part of modern email authentication infrastructure. Their primary benefit is enabling seamless key management. With selectors, a domain administrator can:

  • Rotate keys: You can introduce a new key with a new selector (e.g., selector2) while the old one (selector1) is still active. This prevents authentication failures for in-transit emails during the transition.
  • Delegate signing: You can assign unique selectors to third-party services that send email on your behalf. This allows you to manage and revoke their signing permissions without affecting your own mail streams.
  • Isolate mail streams: A company can use different selectors (and keys) for different types of email, like transactional messages versus marketing newsletters, for better organization and security.

In summary, the s= tag is a fundamental component borrowed from DKIM that makes ARC signatures possible. It acts as a pointer to the correct public key, enabling secure verification and flexible key management for your email infrastructure.
