Suped

What is the 's=' tag in an ARC-Seal header?

When you look into the source of an email, you'll find a series of headers that tell the story of its journey and its authenticity. One of these is the Authenticated Received Chain, or ARC. ARC is an email authentication protocol designed to preserve DMARC, SPF, and DKIM authentication results when an email is forwarded or passes through a mailing list. This process involves adding a set of ARC headers to the email. The final header in this set is the ARC-Seal, which contains several important tags, including the s= tag.

The purpose of the ARC protocol is to create a verifiable chain of custody, allowing a final mail server to validate the authentication results from the initial hop, even after the message has been modified by intermediaries.


What the 's=' tag does

In an ARC-Seal header, the s= tag stands for 'selector'. Its function is very similar to the selector tag used in DKIM (DomainKeys Identified Mail). It's a simple string of text that helps the receiving mail server locate the correct public key needed to verify the ARC signature.

When a mail server adds an ARC-Seal, it uses a private key to cryptographically sign the previous ARC headers in the chain. The public part of that key is published in a DNS TXT record. The s= tag specifies which public key to use, as a domain might have multiple keys for rotation or for different sending services. The receiving server combines the selector with the domain from the d= tag to perform a DNS lookup, retrieve the key, and validate the signature.

The anatomy of an ARC-Seal header

The s= tag is just one piece of the puzzle. An ARC-Seal header contains several required tags that work together.

IETF Datatracker says:
Tags in the ARC-Seal Header Field Value The following tags are the only supported tags for an ARC-Seal field. All of them MUST be present ...

According to the official IETF draft for ARC, a valid ARC-Seal must contain the following tags:

  • i= (instance): A number indicating which ARC set this is in the chain, starting at 1.
  • cv= (chain validation): The validation status of the ARC chain up to that point. It will be 'none' for the first hop and can be 'pass' or 'fail' for subsequent hops.
  • d= (domain): The domain that applied the seal.
  • s= (selector): The key selector used for the signature verification, as we've discussed.
  • t= (timestamp): The time the seal was applied.
  • a= (algorithm): The algorithm used to generate the signature (e.g., rsa-sha256).
  • b= (signature): The actual digital signature of the ARC headers.

VAND3RLINDEN says:
Each ARC header includes an i= tag, which stands for ARC instance. This number indicates the position of the system in the forwarding chain and ...

In short, the s= tag is a pointer. It doesn't contain the key itself, but it tells the receiving server exactly where to find the key in the DNS records of the signing domain. This mechanism is what allows the entire ARC-Seal to be validated, ensuring the integrity of the authentication chain and helping legitimate, forwarded emails reach the inbox.
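
The lookup described above, as an added example that is not code from the original page or from any mail server: it parses an ARC-Seal value, checks the required tags and the i=/cv= pairing, and derives the DNS name where the public key is published. The function names and the sample header are constructed, and the `<selector>._domainkey.<domain>` name is the DKIM key-record convention, which ARC reuses.

```python
import re

# Tags this page lists as required in an ARC-Seal header.
REQUIRED = ("i", "cv", "d", "s", "t", "a", "b")
# One DNS label: letters, digits, inner hyphens, at most 63 characters.
LABEL = re.compile(r"^[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")

# Constructed sample value (folded as on the wire); b= is not a real signature.
SAMPLE = ("i=1; a=rsa-sha256; t=1700000000; cv=none;\r\n"
          "\td=forwarder.example; s=arc2024;\r\n"
          "\tb=QUJD REVG\r\n\tR0g=")


def parse_arc_seal(value):
    """Return the tag=value pairs of an ARC-Seal header value as a dict."""
    unfolded = re.sub(r"\r?\n[ \t]+", " ", value)  # undo header folding
    tags = {}
    for part in unfolded.split(";"):
        if not part.strip():
            continue  # a trailing ';' is harmless
        name, sep, val = part.partition("=")  # base64 '=' padding stays in val
        name = name.strip()
        if not sep or not name or name in tags:
            raise ValueError(f"malformed or duplicate tag: {part.strip()!r}")
        # Whitespace inside b= comes from folding the base64 text; drop it.
        tags[name] = re.sub(r"\s+", "", val) if name == "b" else val.strip()
    missing = [t for t in REQUIRED if t not in tags]
    if missing:
        raise ValueError(f"missing required tags: {missing}")
    return tags


def check_instance(tags):
    """Enforce the i=/cv= pairing: cv=none on the first hop, pass/fail later."""
    if not re.fullmatch(r"[1-9][0-9]*", tags["i"]):
        raise ValueError("i= must be a positive integer")
    allowed = ("none",) if int(tags["i"]) == 1 else ("pass", "fail")
    if tags["cv"] not in allowed:
        raise ValueError(f"cv={tags['cv']} is not valid at i={tags['i']}")
    return int(tags["i"])


def key_record_name(tags):
    """DNS name of the TXT record that holds the sealer's public key."""
    selector, domain = tags["s"], tags["d"].rstrip(".").lower()
    # Both values come from the message and feed a DNS query: hostname labels only.
    for label in selector.split(".") + domain.split("."):
        if not LABEL.match(label):
            raise ValueError(f"invalid DNS label: {label!r}")
    return f"{selector}._domainkey.{domain}"
```

For the sample, `key_record_name(parse_arc_seal(SAMPLE))` gives `arc2024._domainkey.forwarder.example`, the name a verifier would query for the TXT record.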
