What is an ARC-seal vs ARC-message-signature?
Still have a question, spotted an error, or have a better explanation or a source we should cite?
And Here's the key difference. ARC-Message-Signature signs the actual email message. It's like a detective's signature on an evidence bag. It says "I verified this message was intact and authentic at this moment in time, and I'm putting my signature on it."
ARC-Seal is different. It doesn't sign the message itself. Instead, it signs the entire ARC set (the Message-Signature, the Authentication-Results header, and any previous ARC sets). It's like a chain lock. Each hop adds a seal that proves the whole chain hasn't been tampered with since the previous hop signed it.
Why does this matter? When a message passes through multiple forwarders, each one adds its own ARC-Message-Signature and ARC-Seal. The Message-Signature says "this email was valid when I touched it." The Seal says "and nobody changed the chain between me and the last person." Together they create an unbreakable chain of custody from the original sender all the way to the final recipient. Learn more about all three ARC headers if you need to understand how they fit together, or check out why ARC matters for forwarding to see the real-world impact.
Contributors
Who worked on this answer
Every name links to their profile. Every company links to their site. Real people, real accountability.