What is ARC and why does it matter?

What is ARC?

ARC (Authenticated Received Chain) is an email authentication system designed to preserve authentication results across intermediaries, such as mailing lists or forwarders. It helps maintain trust in email authentication when messages pass through multiple hops.

 

How ARC Works?

ARC adds a set of headers to the email that record the authentication status at each hop, allowing the final recipient to evaluate the original authentication results even if the message was modified in transit

• ARC-Authentication-Results (AAR): Records SPF, DKIM, and DMARC checks from each handler.
• ARC-Message-Signature (AMS): DKIM-like signature of the message and headers.
• ARC-Seal (AS): Cryptographically signs and verifies the entire ARC chain.

Each hop adds its own set of headers, creating a trustworthy audit trail.

 

Not another protocol! Why Was ARC Introduced?

Because SPF, DKIM, and DMARC often break when an email is forwarded:

• SPF fails when a message is forwarded because the sending IP changes
• DKIM signatures break when a mailing list or forwarder modifies content (like adding a footer)
• DMARC, which depends on SPF/DKIM passing, fails as a result

These failures can cause legitimate emails to be rejected or sent to spam.
ARC solves this by preserving the original authentication results so that receiving mail servers can still trust the message even after multiple hops.

 

How to Find ARC Information in DMARC Reports

DMARC reports typically include information about SPF and DKIM alignment, but ARC is not a mandatory part of DMARC. However, some advanced DMARC reporting tools may include ARC-related data. To find ARC information, look for headers such as 'ARC-Authentication-Results', 'ARC-Message-Signature', and 'ARC-Seal' in the raw email headers. These indicate the presence of ARC and its validation status.

• ARC-Seal: Indicates the integrity of the ARC chain.
• ARC-Message-Signature: Contains a cryptographic signature of the message.
• ARC-Authentication-Results: Shows the authentication results recorded by the previous hop.

How to Interpret ARC in DMARC Reports

Interpreting ARC involves checking the validity of the ARC chain and the consistency of authentication results. If the ARC-Seal validates correctly and the chain is intact, it means the message's authentication history is trustworthy. If any ARC component fails validation, it may indicate tampering or an untrusted intermediary. Security policies can use ARC results to make informed decisions about message acceptance.