What is the primary function of the ARC-Message-Signature header?

The primary function of the ARC-Message-Signature header is to provide a cryptographic signature of the email's state (including headers and body) at a specific point in its journey. This signature allows subsequent mail servers to verify that the message has not been tampered with by that particular intermediary, even if standard authentication like SPF or DKIM would otherwise fail.

How does ARC help with email forwarding and mailing lists?

ARC helps by preserving email authentication across legitimate forwarding and mailing list operations. When an email is forwarded, its headers or body might change, causing SPF and DKIM to break. ARC allows the intermediary to 'vouch' for these changes by adding its own signature to the ARC chain , enabling the final recipient to still verify the email's authenticity.

What information is included in the 'message's state' signed by ARC-Message-Signature?

The 'message's state' signed by the ARC-Message-Signature includes selected email headers (specified by the h= tag), a hash of the message body ( bh= tag), and the Authentication-Results header from the previous hop. This comprehensive signing ensures that any significant changes are detectable.

How can I monitor ARC authentication for my domain?

You can monitor ARC authentication by analyzing your DMARC reports . These reports contain details about SPF, DKIM, and ARC authentication results. Platforms like Suped offer DMARC monitoring tools with AI-powered recommendations to help you easily understand and act on these complex authentication results.

What ARC header contains a cryptographically signed copy of the message's state? - ARC - Email authentication - Knowledge base

An illustration of a person examining an email with various security headers, representing the complexity of email authentication.

Email authentication protocols like SPF and DKIM are crucial for verifying sender identity and preventing spoofing. However, these mechanisms often break when an email is legitimately forwarded or sent through a mailing list, leading to DMARC failures and messages potentially landing in spam folders. This issue created a significant gap in email security and deliverability.

The Authenticated Received Chain (ARC) protocol was developed to address this problem. ARC allows intermediaries, such as forwarding servers or mailing lists, to preserve the original authentication results and attest to any changes made to the message during transit. It creates a verifiable chain of custody for an email, ensuring its authenticity can still be validated by the final recipient.

Specifically, the ARC-Message-Signature header is the component that contains a cryptographically signed copy of the message's state. This signature allows subsequent receiving mail servers to verify that the message has not been tampered with since it passed through the signing intermediary, even if underlying authentication results like SPF or DKIM no longer align.

Understanding ARC's core function

The ARC-Message-Signature header, often abbreviated as AMS, acts as a digital fingerprint for the email at a specific point in its journey. It captures various elements of the message, including key headers and the body, and then creates a cryptographic signature. This signature is unique to that specific state of the message and is designed to detect any unauthorized modifications. If even a single character changes after the signature is applied, the verification will fail, indicating potential tampering.

The 'message's state' that the AMS signs includes the following important components:

Selected headers: The h= tag within the AMS specifies which email headers were included in the signature. This ensures that any changes to critical headers would invalidate the signature.
Message body hash: A hash of the entire email body is included, specified by the bh= tag. This prevents any alteration of the message content.
Authentication results: The previous Authentication-Results header from the previous hop is also signed, ensuring that those results are preserved and verifiable.

Example ARC-Message-Signature headertext

ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com;
 s=arcselector; t=1678886400; bh=hash_of_body;
 h=from:to:subject:date:message-id:arc-authentication-results;
 b=long_cryptographic_signature_string

The role of cryptographic signatures

Cryptographic signatures are fundamental to ARC's integrity. Each time an email passes through an ARC-enabled intermediary, that intermediary calculates a hash of the relevant message parts and signs it with its private key. This signature is then appended as an ARC-Message-Signature header. The corresponding public key, usually found in the domain's DNS, allows the next hop in the email chain to verify the signature. This process creates a secure, tamper-evident record of the email's journey.

This mechanism ensures that if any part of the signed message state is altered, the signature verification will fail. The receiving server can then trust the ARC chain as long as each signature along the path validates correctly. This is particularly important for scenarios where mail servers might modify message headers or content in ways that would typically invalidate SPF or DKIM directly. The s= tag in the ARC-Message-Signature identifies the ARC selector, which points to the DNS record containing the public key for verification.

Maintaining message integrity

The cryptographic signature within the ARC-Message-Signature is essential for confirming that the email content and important headers have not been altered since the last ARC signer processed the message. This integrity is critical for preventing various forms of email fraud and spoofing that rely on modifying email content or sender information during transit. Without this cryptographic proof, mail servers would have no reliable way to trust forwarded messages.

When an email undergoes modifications by a legitimate intermediary, such as a mailing list adding a footer or changing the 'From' address, the original SPF or DKIM authentication might break. ARC steps in by allowing the intermediary to resign the message, essentially vouching for the changes. The final receiver can then trace this chain of trust by validating each ARC-Message-Signature in the ARC-Seal header. This is how ARC maintains authentication integrity across multiple hops.

ARC in the email authentication ecosystem

ARC doesn't replace DMARC, SPF, and DKIM; instead, it augments them, providing an additional layer of trust. When a message arrives, the receiving mail server first attempts standard SPF and DKIM checks. If these fail due to forwarding, the server then looks for ARC headers. It validates the ARC-Seal and the underlying ARC-Message-Signature headers to determine if the message originated from a trusted path. This allows the email to bypass traditional authentication failures caused by mailing list operations, improving deliverability for legitimate emails.

The entire chain of ARC headers is collectively known as the ARC chain, and it's essential for the final recipient to validate this chain to trust the message. If any link in the chain is broken (i.e., a signature fails to verify), the entire chain is considered invalid, and the email is treated with suspicion. This robust verification process helps to prevent message alteration by malicious actors even within a forwarding scenario.

An illustration depicting the Authenticated Received Chain (ARC) as a series of securely linked blocks, demonstrating preserved email authentication.

Ultimately, the combination of ARC-Message-Signature, ARC-Seal, and ARC-Authentication-Results provides a comprehensive framework. These are the three main ARC header fields that work in concert. The AMS proves the message's state at each hop, the ARC-Seal cryptographically protects this chain, and the ARC-Authentication-Results records the authentication findings at each stage. This robust system provides greater assurance of email provenance even with complex email routing.

Strengthening your email security with ARC

Implementing ARC is particularly beneficial for organizations that frequently send emails through mailing lists or forwarders, as it prevents legitimate emails from being incorrectly flagged as spam. Without ARC, these emails would often fail DMARC checks, impacting deliverability. The IETF has documented the usage of ARC to improve email deliverability in complex scenarios.

For senders, monitoring your DMARC reports (which include ARC results) is crucial for understanding how your emails are being authenticated and delivered. Platforms like Suped provide powerful DMARC monitoring solutions that consolidate data from various receivers, giving you a clear picture of your email's journey. Our AI-powered recommendations translate complex data into actionable steps, making it easier to identify and resolve authentication issues, including those related to ARC. This helps you understand DMARC reports from Google and Yahoo.

Without ARC

Authentication breaks: Forwarded emails often fail SPF and DKIM checks, leading to DMARC failures.
Increased spam risk: Legitimate messages risk being categorized as spam or rejected due to failed authentication.
Lost trust: Recipient mail servers have difficulty trusting the provenance of forwarded emails.

With ARC

Authentication preserved: ARC maintains authentication, allowing emails to pass DMARC even after forwarding.
Improved deliverability: Legitimate messages reliably reach the inbox, reducing false positives.
Enhanced trust: Recipient mail servers can verify the chain of custody and trust the email's authenticity.

The ARC-Message-Signature is a cornerstone of modern email security. It ensures that emails retain their verifiable identity even as they traverse complex networks, a critical feature for maintaining deliverability and protecting against evolving threats. By embracing ARC, organizations can significantly improve their email deliverability and enhance trust in their communications.

What ARC means for your domain

Understanding and properly implementing ARC, alongside robust DMARC, SPF, and DKIM policies, is essential for any sender committed to optimal email deliverability. The ARC-Message-Signature plays a pivotal role in this, providing the cryptographic proof needed to maintain trust in forwarded emails. As email routing becomes more complex, ARC's importance will only continue to grow.

Tag	Description
i=	ARC instance number, indicating its position in the chain.
a=	Signing algorithm used (e.g., rsa-sha256).
c=	Canonicalization algorithm for headers and body.
d=	Signing domain of the ARC message signature.
s=	Selector for the public key in DNS.
t=	Timestamp of when the signature was created.
bh=	Body hash of the email message.
h=	List of signed headers.
b=	The actual cryptographic signature data.

Leveraging a platform like Suped for DMARC monitoring allows you to gain deep insights into your email authentication performance, including ARC. Our unified platform provides real-time alerts and AI-powered recommendations to swiftly address any issues, ensuring your legitimate emails always reach their intended recipients. With a generous free plan, we make robust email security accessible to everyone.

The ARC-Message-Signature is a critical technical detail, but its impact is profound, directly affecting your emails' ability to arrive in the inbox securely. By ensuring this header is correctly generated and validated throughout the email delivery chain, you significantly enhance your email program's overall resilience and trustworthiness.