The Authenticated Received Chain (ARC) protocol is an email authentication standard designed to address a common problem that plagues mailing lists and forwarding systems. When an email is forwarded, it often fails SPF and DKIM checks at the final destination, even if it was perfectly legitimate when it was first sent. This happens because the message now arrives from the forwarding server's IP address, which the original sender's SPF record does not authorize (breaking SPF), and because the forwarder may modify the content, for example by adding a footer (breaking the DKIM signature). ARC was developed to solve this exact issue. It creates a chain of custody for email messages, allowing each server that handles the message to see the authentication results from the previous 'hop'.
The protocol works by adding a new set of headers to an email at each step of its journey. The purpose of these headers is to preserve the initial authentication results, so the final receiving server can make a more informed decision, even if its own direct SPF and DKIM checks fail.
At the heart of the system is the ARC-Authentication-Results header. When a forwarding server or mailing list receives an email, it first performs the standard SPF, DKIM, and DMARC checks. It then records these results in a new ARC-Authentication-Results header that it prepends to the email before sending it on. This is where the a= tag comes into play.
The a= tag contains the results of the authentication validation performed by that intermediary server. Think of it as a snapshot of the email's authentication status at that point in its journey. This tag is essentially a copy of the original Authentication-Results header that the intermediary would have produced.
For example, the header might look something like this:
ARC-Authentication-Results: i=1; mx.forwarder.com; dkim=pass header.i=@originalsender.com; spf=pass smtp.mailfrom=@originalsender.com; dmarc=pass
Here the a= tag is not shown explicitly, because the entire string is the authentication-results payload that gets cryptographically sealed. The information within this header (dkim=pass, spf=pass, dmarc=pass) is what is preserved. The purpose of this tag is to:
When the final destination server receives the email, it sees a chain of one or more ARC header sets. It validates this chain by checking the cryptographic signatures in the ARC-Seal headers, starting with the newest and working backwards.
If the entire chain is valid, the receiving server adds its own final ARC-Authentication-Results header. However, this final header doesn't use an a= tag. Instead, it uses a cv= (chain validation) tag. The value will be either pass if the chain was valid, or fail if it was broken or tampered with.
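The following is an added example, not code from the original article or from any ARC implementation. It shows, for the hop-recording step described above and for the chain validation step, the structural part of what a receiving server does with an ARC chain: parsing the ARC-Authentication-Results snapshot each hop recorded, checking that instances are contiguous and complete, applying the cv= rules (cv=none only on the first seal, cv=pass on every later one, cv=fail anywhere breaks the chain), and extracting the oldest hop's preserved SPF/DKIM/DMARC results. The sample headers, domains and b=/bh= values are constructed placeholders. Verifying the b= signatures against the sealers' published DNS keys is assumed to be done by a DKIM-capable library and is not reimplemented here.

```python
import re
from collections import defaultdict

# Constructed sample: a two-hop ARC chain as it appears in a message, newest first.
# Hop 1 is a mailing list (list.example); hop 2 is a forwarder (forwarder.example).
# All domains and b=/bh= values are placeholders, not real keys or signatures.
SAMPLE_HEADERS = [
    ("ARC-Seal", "i=2; a=rsa-sha256; cv=pass; d=forwarder.example; s=arc; t=1700000100; b=SEAL2_PLACEHOLDER"),
    ("ARC-Message-Signature", "i=2; a=rsa-sha256; c=relaxed/relaxed; d=forwarder.example; s=arc; h=from:to:subject:date; bh=BH2_PLACEHOLDER; b=AMS2_PLACEHOLDER"),
    ("ARC-Authentication-Results", "i=2; forwarder.example; arc=pass; dkim=fail (body hash did not verify) header.i=@originalsender.example; spf=fail smtp.mailfrom=@list.example; dmarc=fail"),
    ("ARC-Seal", "i=1; a=rsa-sha256; cv=none; d=list.example; s=arc; t=1700000000; b=SEAL1_PLACEHOLDER"),
    ("ARC-Message-Signature", "i=1; a=rsa-sha256; c=relaxed/relaxed; d=list.example; s=arc; h=from:to:subject:date; bh=BH1_PLACEHOLDER; b=AMS1_PLACEHOLDER"),
    ("ARC-Authentication-Results", "i=1; list.example; dkim=pass header.i=@originalsender.example; spf=pass smtp.mailfrom=@originalsender.example; dmarc=pass"),
]

ARC_HEADERS = ("ARC-Seal", "ARC-Message-Signature", "ARC-Authentication-Results")
MAX_INSTANCES = 50  # RFC 8617 treats chains longer than 50 instances as failed


def parse_tags(value):
    """Parse a tag=value list (ARC-Seal / ARC-Message-Signature) into a dict."""
    tags = {}
    for part in value.split(";"):
        part = part.strip()
        if part:
            name, _, val = part.partition("=")
            tags[name.strip()] = val.strip()
    return tags


def parse_aar(value):
    """Parse an ARC-Authentication-Results value into (instance, authserv-id, {method: result}).

    The first clause is the instance tag, the second the authserv-id; each later clause is
    'method=result' optionally followed by reason/property text, which is ignored here.
    """
    clauses = [c.strip() for c in value.split(";") if c.strip()]
    instance = int(clauses[0].partition("=")[2])
    authserv_id = clauses[1]
    results = {}
    for clause in clauses[2:]:
        m = re.match(r"([a-z0-9]+)=([a-z]+)", clause, re.IGNORECASE)
        if m:
            results[m.group(1).lower()] = m.group(2).lower()
    return instance, authserv_id, results


def group_hops(headers):
    """Group ARC headers by instance: {i: {header_name: parsed}}; None if an instance has a duplicate."""
    hops = defaultdict(dict)
    for name, value in headers:
        if name not in ARC_HEADERS:
            continue  # ordinary headers are irrelevant to the chain
        if name == "ARC-Authentication-Results":
            instance, authserv_id, results = parse_aar(value)
            parsed = {"authserv_id": authserv_id, "results": results}
        else:
            parsed = parse_tags(value)
            instance = int(parsed.get("i", 0))
        if name in hops[instance]:
            return None  # two seals (or AMS/AAR) for one instance: chain is malformed
        hops[instance][name] = parsed
    return hops


def validate_chain(headers):
    """Structural chain validation. Returns ('none'|'pass'|'fail', reason).

    Everything here is checkable without keys: contiguous instances starting at 1,
    a complete header set per hop, and the cv= rules. Signature verification of the
    b= tags is left to a DKIM-capable library (assumption, not done in this block).
    """
    hops = group_hops(headers)
    if hops is None:
        return "fail", "duplicate ARC header for one instance"
    if not hops:
        return "none", "no ARC headers present"
    if min(hops) < 1:
        return "fail", "instance numbers must start at 1"
    n = max(hops)
    if n > MAX_INSTANCES:
        return "fail", f"chain length {n} exceeds {MAX_INSTANCES}"
    for i in range(1, n + 1):
        hop = hops.get(i)
        if hop is None or any(h not in hop for h in ARC_HEADERS):
            return "fail", f"instance {i} is missing or incomplete"
        cv = hop["ARC-Seal"].get("cv")
        if i == 1 and cv != "none":
            return "fail", "first seal must carry cv=none"
        if i > 1 and cv != "pass":
            return "fail", f"seal {i} carries cv={cv}, expected pass"
    return "pass", f"{n} hop(s) structurally consistent"


def preserved_results(headers):
    """Return (authserv-id, results) recorded by the oldest hop (i=1).

    Once the chain passes, this snapshot of the original SPF/DKIM/DMARC outcome is what
    a DMARC evaluator can rely on instead of its own, now-broken, direct checks.
    """
    hops = group_hops(headers)
    if not hops or 1 not in hops or "ARC-Authentication-Results" not in hops[1]:
        return None
    aar = hops[1]["ARC-Authentication-Results"]
    return aar["authserv_id"], aar["results"]


if __name__ == "__main__":
    print(validate_chain(SAMPLE_HEADERS))
    print(preserved_results(SAMPLE_HEADERS))
```

Run as a script, the block reports the constructed chain as structurally valid and prints the list server's preserved results (dkim=pass, spf=pass, dmarc=pass) even though the forwarder's own hop recorded dkim=fail and spf=fail. A production verifier would only treat that preserved snapshot as trustworthy after the seals' signatures have been checked and only for sealing domains it has chosen to trust.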
In summary, the a= tag (or more accurately, the authentication results it represents) is the core payload of an ARC hop. It carries the original, verified authentication status through complex mail routing paths, allowing DMARC policies to be evaluated based on the preserved results rather than the final, broken ones. This ensures legitimate emails sent via mailing lists get delivered, not marked as spam.