What is the relationship between 'ARC-Message-Signature' and DMARC?

The 'ARC-Message-Signature' allows DMARC to validate emails that have passed through intermediaries like mailing lists or forwarders. When SPF or DKIM alignment might break due to message alterations by these intermediaries, a valid ARC chain, confirmed by the signature, provides DMARC with enough trust to consider the email authentic.

Can I manually add an 'ARC-Message-Signature' header to my emails?

No, 'ARC-Message-Signature' headers are cryptographically generated and applied automatically by ARC-enabled mail servers or intermediaries. Manually adding them would invalidate the signature and compromise the integrity of the ARC chain. It's an automated process designed to be transparent to end-users.

What happens if an 'ARC-Message-Signature' fails validation?

If an 'ARC-Message-Signature' fails validation, it indicates that the email has been altered after that specific signature was applied, or that the signature itself is invalid. This does not automatically mean the email is spam, but it signals to the receiving server that a change occurred. The server may then use other factors, like IP reputation or content analysis, to decide the email's fate.

How does Suped help with ARC?

Suped's DMARC monitoring platform provides visibility into your email authentication results, including ARC. Our platform helps you understand when ARC is being used, if it's validating successfully, and identifies issues that might affect your deliverability. Our AI-powered recommendations help you take action to strengthen your email authentication.

What is the 'ARC-Message-Signature' header used for? - ARC - Email authentication - Knowledge base

An illustration of an email being securely passed between servers using ARC.

The Authenticated Received Chain (ARC) is a crucial email authentication system designed to maintain verifiable authentication results, like SPF and DKIM, even when an email passes through intermediate servers such as mailing lists or forwarding services. Without ARC, these intermediaries often break standard authentication, leading to legitimate emails failing DMARC checks and potentially being sent to spam (or junk folders). The 'ARC-Message-Signature' header is a core component of this system, providing a cryptographic signature of the message's state at each hop.

When an email is forwarded or sent via a mailing list, the original message headers can be altered or new headers added. This often causes the original SPF or DKIM authentication to break, as the sending domain no longer aligns with the server making the last hop. DMARC, which relies on the successful alignment of SPF and DKIM, would then fail for these otherwise legitimate emails. This is where ARC steps in, creating a "chain of custody" that allows receiving mail servers to verify the authenticity of the message history.

The 'ARC-Message-Signature' header, together with the 'ARC-Authentication-Results' and 'ARC-Seal' headers, forms the complete ARC chain. This signature specifically captures the key elements of the message at the point of signing, ensuring that any subsequent alterations can be detected. It’s essentially a snapshot, cryptographically signed, of the email's authenticity at a particular stage in its journey, making it a vital part of secure email delivery.

The 'ARC-Message-Signature' header explained

The core components of ARC-Message-Signature

The 'ARC-Message-Signature' header is a signed representation of the email's state at the moment it passes through an ARC-enabled intermediary. It includes several tags that define what was signed and how to verify the signature. Think of it as a digital fingerprint of the email, taken at a specific point in time, before any further changes might occur. This header plays a crucial role in validating the email's journey. You can learn more about the three main ARC header fields to get a broader understanding.

Key tags within this header include:

a=: The signing algorithm used (e.g., rsa-sha256).
b=: The cryptographic signature itself, which is a hash of the canonicalized signed headers and body hash. This is the core of the signature. More details can be found regarding the 's=' tag in an ARC-Message-Signature header.
bh=: The hash of the email body. This allows for verification of the message body's integrity. For a deeper dive, check out the 'bh=' tag in an ARC-Message-Signature header.
h=: A list of signed header fields. This specifies exactly which headers were included in the signature calculation. See what ARC header contains the list of signed fields.
s=: The selector used to find the public key for verification, similar to DKIM. This relates to the 's=' tag in an ARC-Message-Signature header.
t=: The signature timestamp.

Importance of bh= and b= tags

The bh= (body hash) tag ensures that the email body hasn't been tampered with since the signature was applied. Any modification to the body will cause this hash to fail verification. The b= (signature) tag is the actual cryptographic seal, tying all the signed elements together. Without these two, the 'ARC-Message-Signature' would not be able to guarantee the message's integrity at that point in its transmission.

Creating the cryptographic link

How the ARC-Message-Signature is generated

When an email first leaves the original sender, it's typically authenticated by SPF and DKIM. If it then passes through an intermediate server that is ARC-enabled, this server will perform its own authentication checks. After these checks, the intermediary creates an 'ARC-Authentication-Results' header, an 'ARC-Message-Signature' header, and an 'ARC-Seal' header. The 'ARC-Message-Signature' captures the results of these authentication checks and a hash of the message content. This entire set of ARC headers is then signed by the intermediary, forming a new link in the chain.

This process establishes a verifiable chain of custody for the email. Each ARC-enabled hop adds its own signed 'ARC-Message-Signature' and 'ARC-Seal' headers, creating a historical record. This allows the final receiving mail server to trace the email's authentication journey, even if some of the original authentication methods were broken along the way. This is crucial for distinguishing legitimate forwarded mail from spoofed messages.

Example ARC-Message-Signature headeremail

ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com; s=arcselector;
 h=From:To:Subject:Date:Message-ID:Content-Type:MIME-Version:DKIM-Signature;
 bh=AbCdEfGhIjKlMnOpQrStUvWxYzAB=;
 b=RstUvwXyZAbCdEfGhIjKlMnOpQrStUvWxYzAbCdEfGhIjKlMnOpQrStUvWxYzAbCdEfGhIjKlMnOpQrStUvWxYzAbCdEfGhIjKlMnOpQrStUvWxYzAbCdEfGhIjKlMnOpQrStUvWxYzAbCdEfGhIjKlMnOpQrStUvWxYz

If any part of the signed message (headers or body) is altered after an 'ARC-Message-Signature' is applied, the signature validation will fail. This failure indicates that the message has been tampered with or corrupted at some point after that specific ARC signer processed it. It does not necessarily mean the email is malicious, but it flags a change that needs further investigation. However, ARC does not prevent email spoofing directly, it helps in validating the path.

How ARC helps DMARC and intermediate servers

Validation and DMARC alignment preservation

Upon receiving an email with ARC headers, the final mail server performs its own ARC validation. It checks each 'ARC-Seal' and 'ARC-Message-Signature' header in the chain, starting from the most recent. The receiving server validates the cryptographic signature against the signed message parts and the body hash. This allows the server to determine the chain validation status.

If the chain of signatures is valid, the receiving server can trust the authentication results reported by the previous ARC signers, as recorded in the 'ARC-Authentication-Results' header. This trust is crucial for DMARC. Even if the original SPF and DKIM fail due to forwarding, a valid ARC chain signals to the DMARC validator that the email is legitimate and its authentication history is intact. This is especially important for services like

Google and Microsoft who rely heavily on authentication.

Traditional authentication

SPF and DKIM can break with mailing lists or forwarding, leading to DMARC failure.
No verifiable history of email authentication results for intermediaries.
Legitimate emails may be marked as spam or rejected due to perceived authentication failures.

Authentication with ARC

ARC preserves authentication results, allowing DMARC to pass for legitimate forwarded mail.
Cryptographic chain of custody provides verifiable history of all authentication results.
Improves deliverability for mailing lists and forwarders, reducing false positives for spam.

Ultimately, the 'ARC-Message-Signature' provides the proof needed for an email's integrity throughout its journey. Without this cryptographic snapshot, the entire ARC system would lack its fundamental security mechanism, leaving forwarded and mailing list emails vulnerable to DMARC failures and decreased deliverability. Understanding what ARC header contains a copy of the message's state is essential for deliverability professionals.

Enhancing deliverability through ARC

Practical implications for email deliverability

For anyone involved in email marketing or managing email infrastructure, the 'ARC-Message-Signature' header has significant practical implications. It’s the key mechanism that prevents legitimate emails from being incorrectly flagged as spam when they pass through common email intermediaries. This directly impacts email deliverability, ensuring that your messages reach the inbox, even when traditional authentication methods are challenged. If your emails are frequently forwarded, ARC can make a huge difference.

Without ARC, mail servers enforcing strict DMARC policies would likely reject or quarantine emails from mailing lists or forwarded messages, even if they originated from a reputable sender. The 'ARC-Message-Signature' header, by vouching for the email's integrity at each hop, helps maintain the sender's reputation and avoid unnecessary blocklisting (or blacklisting). This is especially vital for bulk senders and organizations that use complex email routing.

Implementing and monitoring ARC, alongside SPF, DKIM, and DMARC, is a best practice for modern email security and deliverability. Tools like Suped provide comprehensive DMARC monitoring that includes insights into ARC validation, allowing you to identify and troubleshoot issues. Our AI-powered recommendations can help you interpret your DMARC reports and ensure your ARC chain is functioning correctly, improving overall email deliverability. This unified platform simplifies complex email authentication for everyone.

A magnifying glass examining an ARC-Message-Signature header.

Conclusion

Securing the email chain

The 'ARC-Message-Signature' header is an indispensable part of the Authenticated Received Chain protocol. It serves as a cryptographic proof of the email's authenticity at various stages of its journey through intermediate mail servers. By capturing and signing critical message components, it allows receiving mail servers to reconstruct and validate the email's authentication history, even when traditional SPF and DKIM might otherwise fail.

Its primary function is to preserve DMARC alignment for legitimate forwarded emails and messages from mailing lists. This not only safeguards sender reputation but also significantly improves email deliverability by preventing legitimate communications from being misclassified as spam. Understanding this header is crucial for maintaining robust email security and ensuring your emails consistently reach their intended recipients.

Adopting ARC-enabled practices and leveraging DMARC monitoring solutions like Suped ensures that your email infrastructure is resilient against authentication breaks, contributing to a more secure and reliable email ecosystem for everyone involved.