Crate mailrs_arc

RFC 8617 Authenticated Received Chain (ARC).

ARC extends DKIM / SPF / DMARC across forwarders. Each forwarding hop adds a triplet of headers, indexed by an instance number i=N:

  • ARC-Authentication-Results (AAR) — the receiver’s Authentication-Results snapshot at this hop.
  • ARC-Message-Signature (AMS) — a DKIM-like signature over the message at this hop’s view.
  • ARC-Seal (AS) — a seal that signs the chain so far (this hop’s AAR + AMS + the prior hop’s AS).

Conformant downstream verifiers walk the chain from i=1 upward, verify each set’s AMS against the message and each set’s AS against the chain prefix, and reach a single chain-validation verdict (pass / fail) that downstream DMARC can use to override forwarder reputation.
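
The structural half of that walk, as an added example that is not mailrs_arc's own code: RFC 8617 §5.2 lets a validator reject instance gaps, missing or duplicate headers and wrong cv= values before any signature or DNS work. `tag`, `check_structure` and `SAMPLE` are hypothetical names, the sample headers are constructed, and the input is assumed to be header lines that have already been unfolded.

```rust
use std::collections::BTreeMap;

// Constructed sample: two hops of unfolded ARC headers, signature data elided.
const SAMPLE: [&str; 6] = [
    "ARC-Seal: i=2; a=rsa-sha256; cv=pass; d=fwd.example; s=k2; b=AAAA",
    "ARC-Message-Signature: i=2; a=rsa-sha256; d=fwd.example; s=k2; b=AAAA",
    "ARC-Authentication-Results: i=2; fwd.example; arc=pass",
    "ARC-Seal: i=1; a=rsa-sha256; cv=none; d=list.example; s=k1; b=AAAA",
    "ARC-Message-Signature: i=1; a=rsa-sha256; d=list.example; s=k1; b=AAAA",
    "ARC-Authentication-Results: i=1; list.example; spf=pass",
];

/// Value of `name` in a `tag=value; tag=value` list, if present.
fn tag<'a>(list: &'a str, name: &str) -> Option<&'a str> {
    list.split(';').filter_map(|kv| kv.split_once('='))
        .find(|(k, _)| k.trim() == name).map(|(_, v)| v.trim())
}

/// Hypothetical helper for this example, not part of the mailrs_arc API.
/// Ok(None): no ARC sets; Ok(Some(n)): n well-formed sets; Err: chain fails.
fn check_structure(headers: &[&str]) -> Result<Option<u32>, String> {
    // instance -> ([AAR, AMS, AS] header counts, cv= value of the seal)
    let mut sets: BTreeMap<u32, ([u32; 3], Option<String>)> = BTreeMap::new();
    for line in headers {
        let Some((name, value)) = line.split_once(':') else { continue };
        let kind = match name.trim().to_ascii_lowercase().as_str() {
            "arc-authentication-results" => 0,
            "arc-message-signature" => 1,
            "arc-seal" => 2,
            _ => continue,
        };
        let i = tag(value, "i").and_then(|v| v.parse::<u32>().ok())
            .ok_or("ARC header without a numeric i= tag")?;
        let set = sets.entry(i).or_default();
        set.0[kind] += 1;
        if kind == 2 { set.1 = tag(value, "cv").map(str::to_ascii_lowercase); }
    }
    if sets.len() > 50 { return Err("more than 50 ARC sets".into()); }
    for (want_i, (i, (counts, cv))) in (1u32..).zip(&sets) {
        if *i != want_i { return Err(format!("instances are not 1..N at i={i}")); }
        if *counts != [1, 1, 1] { return Err(format!("i={i} is not one AAR + AMS + AS")); }
        let want_cv = if *i == 1 { "none" } else { "pass" };
        if cv.as_deref() != Some(want_cv) { return Err(format!("i={i} must carry cv={want_cv}")); }
    }
    Ok((!sets.is_empty()).then(|| sets.len() as u32))
}

fn main() { println!("{:?}", check_structure(&SAMPLE)); }
```

An Ok(Some(n)) result only means the chain is well-formed; each set's AMS and AS signatures still have to verify before the chain counts as pass.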

What this crate covers (1.0)

  • header: parsers for the three header value shapes (AAR, AMS, AS). They share a tag-list syntax with DKIM-Signature, so the scanner here is byte-for-byte equivalent in shape to mailrs_dkim::DkimHeader.
  • chain: ArcSet { i, aar, ams, seal } + ArcChain::extract to pull all sets out of a raw message and group them by instance.
  • verify: verify_chain(&ArcChain, &resolver, raw_message) walks the chain in instance order and returns ChainOutcome::Pass / Fail { reason }.

Cryptography (canonicalization + RSA-SHA256 / Ed25519-SHA256 signature verify) is delegated to mailrs_dkim — RFC 8617 §5 says ARC-Message-Signature uses the same algorithms and canonicalization as DKIM-Signature, so we route through the battle-tested implementation instead of duplicating ~400 LOC of header / body canon.

What this crate does NOT cover (1.0)

  • ARC sealing (adding a new ARC set on outbound forward). A 1.1 release will add it; sealing requires DKIM signing key management, which deserves its own surface area.
  • ARC-Reject mode policy decisions — that’s a server-level concern; this crate returns the verdict, the server enforces.

Re-exports

pub use chain::ArcChain;
pub use chain::ArcSet;
pub use crypto::verify_ams;
pub use crypto::verify_as;
pub use error::ArcError;
pub use header::Algorithm;
pub use header::ArcAuthResults;
pub use header::ArcMessageSignature;
pub use header::ArcSeal;
pub use header::ArcSealCv;
pub use header::Canon;
pub use seal::ArcSigningKey;
pub use seal::SealOpts;
pub use seal::SealedHeaders;
pub use seal::seal;
pub use verify::ChainOutcome;
pub use verify::verify_chain;
pub use verify::verify_chain_with_crypto;

Modules

  • chain: ARC chain extraction.
  • crypto: ARC cryptographic verification (RFC 8617 §5).
  • error: Error type for ARC parsing + verification.
  • header: ARC header parsers (RFC 8617 §4.1).
  • resolver: DNS resolver trait for ARC public-key lookups.
  • seal: ARC sealing (RFC 8617 §5.1) — outbound forwarder builds and attaches the three headers that prove this hop’s view of the chain.
  • verify: ARC chain verification (RFC 8617 §5).

Traits

  • ArcResolver: Minimal DNS interface — DKIM only needs TXT lookups.