
What is ARC?

Published on
May 13, 2025

Authenticated Received Chain (ARC) is an email authentication protocol designed to preserve email authentication results as messages pass through intermediary servers, such as mailing lists or forwarders. ARC ensures that SPF (Sender Policy Framework), DKIM (DomainKeys Identified Mail), and DMARC (Domain-based Message Authentication, Reporting, and Conformance) checks remain valid even when emails are relayed, preventing legitimate messages from being flagged as spam or rejected due to authentication failures caused by intermediate modifications.

How Does ARC Work?

ARC works by creating a chain of authentication records that track an email’s journey across servers. Here’s the process:

  1. Initial Authentication: The original sender’s mail server (MTA) authenticates the email using SPF, DKIM, and DMARC, ensuring it’s legitimate.
  2. ARC Headers: Each server that handles the email (e.g., a mailing list or forwarder) adds ARC headers to the message. These headers include:
    • ARC-Seal: A cryptographic signature of the email’s authentication state.
    • ARC-Message-Signature: A signature of the email’s content, similar to DKIM.
    • ARC-Authentication-Results: A record of the server’s authentication checks.
  3. Chain Validation: When the email reaches the final recipient’s server, it verifies the ARC chain by checking the signatures and results in the ARC headers. If valid, the recipient trusts the original authentication results, even if the email was modified (e.g., by adding a footer or changing headers).
  4. DMARC Decision: The recipient uses the ARC-verified results to apply the sender’s DMARC policy, ensuring legitimate emails aren’t incorrectly quarantined or rejected.

For example, a mailing list might modify an email’s headers, breaking DKIM alignment. ARC allows the recipient to trust the original sender’s authentication, preserving the email’s legitimacy.
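The structural part of step 3 (Chain Validation), as an added Python example that is not code from the original page: it applies the RFC 8617 structure rules (exactly one of each ARC header per instance, continuous `i=` values starting at 1, `cv=none` on the first seal and `cv=pass` on later ones). It does not verify the signatures, which requires the sealers' DNS keys; the `relayN.example` domains and `PLACEHOLDER` signature values are constructed sample data.

```python
import re
from collections import defaultdict
from email import message_from_string

ARC_FIELDS = ("arc-authentication-results", "arc-message-signature", "arc-seal")
MAX_SETS = 50  # RFC 8617 limit on ARC Sets in one message

def tag(value, name):
    """Return the value of a `name=` tag from a header's tag list, or None."""
    m = re.search(rf"(?:^|;)\s*{name}\s*=\s*(\w+)", value)
    return m.group(1) if m else None

def arc_structure_status(raw_message):
    """Return (status, reason); status is 'none', 'pass' or 'fail' (structure only)."""
    sets = defaultdict(lambda: defaultdict(list))
    for name, value in message_from_string(raw_message).items():
        if name.lower() in ARC_FIELDS:
            i = tag(value, "i")
            if not (i and i.isdigit() and int(i) >= 1):
                return "fail", f"{name} has no valid i= tag"
            sets[int(i)][name.lower()].append(value)
    if not sets:
        return "none", "no ARC headers present"
    n = max(sets)
    if n > MAX_SETS:
        return "fail", f"instance {n} exceeds {MAX_SETS}"
    for i in range(1, n + 1):
        if i not in sets:
            return "fail", f"gap in chain: no ARC Set with i={i}"
        for field in ARC_FIELDS:
            if len(sets[i][field]) != 1:
                return "fail", f"i={i}: expected exactly one {field}"
        cv = tag(sets[i]["arc-seal"][0], "cv")
        expected = "none" if i == 1 else "pass"
        if cv != expected:
            return "fail", f"i={i}: ARC-Seal cv={cv}, expected {expected}"
    return "pass", f"{n} well-formed ARC Set(s); signatures not yet verified"

def sample_message(cvs):
    """Constructed sample: one ARC Set per cv value, placeholder signature data."""
    lines = []
    for i, cv in enumerate(cvs, start=1):
        d = f"relay{i}.example"
        lines += [
            f"ARC-Seal: i={i}; a=rsa-sha256; cv={cv}; d={d}; s=sel; b=PLACEHOLDER",
            f"ARC-Message-Signature: i={i}; a=rsa-sha256; d={d}; s=sel; h=from:subject; bh=PLACEHOLDER; b=PLACEHOLDER",
            f"ARC-Authentication-Results: i={i}; {d}; spf=pass; dkim=pass; dmarc=pass",
        ]
    return "\n".join(lines + ["From: alice@sender.example", "Subject: test", "", "body"])
```

A `pass` from this check is only a precondition: the receiver still has to verify each ARC-Seal and the newest ARC-Message-Signature cryptographically, and decide by local policy whether it trusts the sealing domains.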

Why ARC Matters

ARC addresses challenges in email delivery, offering key benefits:

  • Preserves Authentication: It maintains SPF, DKIM, and DMARC validity through relays, ensuring forwarded emails pass authentication checks.
  • Reduces False Positives: Legitimate emails from mailing lists or forwarders are less likely to be marked as spam or rejected.
  • Enhances Deliverability: By validating relayed emails, ARC improves the chances of messages reaching inboxes, especially for businesses using third-party services.
  • Supports Complex Email Flows: ARC is critical for scenarios involving multiple intermediaries, like marketing platforms or discussion groups, where email modifications are common.

Things to Keep in Mind

Implementing ARC requires careful consideration:

  • Adoption: Not all email servers support ARC yet, though major providers like Gmail and Microsoft 365 do. Check compatibility with your email partners.
  • Configuration: Intermediary servers must be ARC-aware and correctly add ARC headers. Misconfigurations can weaken the chain’s trustworthiness.
  • Dependency on DMARC: ARC is most effective with a strong DMARC policy (“quarantine” or “reject”). Ensure SPF and DKIM are properly set up first.
  • Security Limits: ARC doesn’t prevent spoofing or phishing on its own; it relies on initial SPF, DKIM, and DMARC checks. Malicious intermediaries could forge ARC headers, so recipient servers must validate the chain rigorously.
  • Monitoring: Use DMARC reports (RUA and RUF) alongside ARC to track authentication issues and ensure intermediaries comply.

Wrapping Up

ARC is a vital email authentication protocol that ensures SPF, DKIM, and DMARC results hold up as emails pass through intermediaries like mailing lists or forwarders. By creating a trusted chain of authentication records, ARC prevents legitimate messages from being misclassified, boosting deliverability and supporting complex email flows. For domain owners using third-party email services, ARC is an essential tool to maintain security and trust in a relayed email ecosystem.
