Comment 4 for bug 1808301

I have looked into this a bit. I'm not yet convinced everything is working 100%, but this particular bit is. It's looking for the Authentication-Results header field added by your domain when you received the message. In particular, the authserv-id in the A-R field in message must match the srv_id value passed to the function (the last parameter you pass in dkim.arc_sign in your example).

This makes sense for ARC because an ARC signature is meant to seal your local A-R results (as well as preserving a previous chain if one exists). It starts with your local A-R. Starting an ARC chain based on someone else's authentication verification would be a violation of the protocol.

Clearly this needs to be better documented, so leaving the bug open for better documentation.