- ARC (Authenticated Received Chain) is an email authentication protocol that preserves original SPF, DKIM, and DMARC authentication results when emails are forwarded or relayed through intermediate servers.
- Without ARC, legitimate forwarded emails often fail DMARC checks because forwarding changes the message headers or sending IP, breaking SPF and DKIM alignment.
- ARC uses three special headers (AAR, AMS, AS) to create a cryptographically signed "chain of custody" that receiving servers can verify.
- Major providers including Gmail, Microsoft 365, and Yahoo already support ARC validation, making it increasingly important for organizations with strict DMARC policies.
- ARC supplements but does not replace SPF, DKIM, and DMARC. It is an additional trust layer for indirect mail flows.
If you have moved your DMARC policy to p=quarantine or p=reject, you may have noticed something frustrating: legitimate emails that are forwarded or sent through mailing lists start failing authentication checks and landing in spam, or worse, getting rejected entirely. This is the exact problem that ARC (Authenticated Received Chain) was designed to solve.
Defined in RFC 8617 and published in July 2019, ARC provides a mechanism for intermediate mail servers to cryptographically sign and preserve the original authentication results of a message as it passes through multiple hops. In this guide, we'll explain how ARC works, why it matters for your deliverability, and how it fits into the broader email authentication ecosystem.
The Email Forwarding Authentication Problem
To understand why ARC exists, you need to understand the limitations of existing authentication protocols when emails are forwarded.
How Forwarding Breaks SPF
SPF (Sender Policy Framework) validates that an email was sent from an IP address authorized by the sender's domain. When an email is forwarded, the forwarding server's IP address becomes the new sending IP. Since this IP is not listed in the original sender's SPF record, the SPF check fails at the final destination.
For example, if Alice sends an email from example.com to a mailing list at lists.company.com, and that list redistributes the message to Bob at recipient.com, the final receiving server sees the message arriving from lists.company.com's IP address, not example.com's authorized IP. SPF fails.
How Forwarding Breaks DKIM
DKIM (DomainKeys Identified Mail) signs specific parts of the email header and body with a cryptographic signature. When a mailing list or forwarding service modifies the message, such as adding a subject tag like "[ListName]", appending a footer, or changing headers, the DKIM signature becomes invalid because the signed content no longer matches.
How DMARC Fails as a Result
DMARC requires that at least one of SPF or DKIM passes and aligns with the From domain. When forwarding breaks both SPF and DKIM, DMARC fails. If the sender has published a strict DMARC policy (p=quarantine or p=reject), the receiving server may quarantine or reject the message entirely, even though it was a completely legitimate email.
What Is ARC (Authenticated Received Chain)?
ARC is an email authentication protocol that allows intermediate mail servers, such as mailing list managers, forwarding services, and email gateways, to sign the original authentication results of a message and preserve them as the email passes through multiple hops. By creating a verifiable "chain of custody," ARC enables the final receiving server to see that the email originally passed authentication, even if the current checks fail due to legitimate modifications in transit.
Think of ARC as a notarized trail of authentication stamps. Each server the email passes through adds its own stamp, vouching for the authentication results it observed. The final recipient can then review the entire chain and decide whether to trust the message based on its original authentication status rather than just the current (broken) checks.
The Three ARC Headers
ARC introduces three new email headers that work together to create the authentication chain. Each set of headers is numbered with an instance counter (i=1, i=2, etc.) that increments at each hop.
ARC-Authentication-Results (AAR)
This header records the authentication results (SPF, DKIM, DMARC) that the intermediate server observed when it received the message. It is essentially a copy of the standard Authentication-Results header, preserved under a new name so it cannot be overwritten by subsequent servers.
ARC-Authentication-Results: i=1; mx.forwarder.com;
dkim=pass header.d=example.com;
spf=pass smtp.mailfrom=example.com;
dmarc=pass header.from=example.comARC-Message-Signature (AMS)
This is a DKIM-like signature that covers the message headers and body at the point when the intermediate server processes it. It functions similarly to a standard DKIM signature but is specifically tied to the ARC chain. This allows the receiving server to verify that the message content has not been tampered with since the intermediate server processed it.
ARC-Message-Signature: i=1; a=rsa-sha256; d=forwarder.com;
s=arc-selector; c=relaxed/relaxed;
h=from:to:subject:date:message-id;
bh=abc123...=; b=xyz789...=ARC-Seal (AS)
The ARC-Seal is a cryptographic signature that covers all previous ARC header sets (AAR, AMS, and prior ARC-Seals). It includes a critical tag called cv (Chain Validation Status) that indicates whether the existing ARC chain was valid when this server processed the message.
ARC-Seal: i=1; a=rsa-sha256; d=forwarder.com;
s=arc-selector; t=1700000000;
cv=none;
b=def456...=The cv tag has three possible values:
- none: No prior ARC chain existed (this is the first hop)
- pass: The prior ARC chain was validated successfully
- fail: The prior ARC chain validation failed
You can examine ARC headers in any email by viewing the full message source. In Gmail, click the three dots menu and select "Show original." Look for headers starting with ARC- to see the authentication chain. Microsoft's Message Header Analyzer tool can also parse and display ARC headers in a readable format.
How ARC Works: Step by Step
Here is a complete example of ARC in action when an email is sent through a mailing list:
- Alice sends an email from alice@example.com to devlist@lists.company.com. The email passes SPF, DKIM, and DMARC at the mailing list server.
- The mailing list server records the authentication results in an ARC-Authentication-Results header (i=1), showing that SPF, DKIM, and DMARC all passed.
- The mailing list server creates an ARC-Message-Signature (i=1) that signs the current state of the message.
- The mailing list server creates an ARC-Seal (i=1) with
cv=none(since there was no prior ARC chain), signing all the ARC headers. - The mailing list modifies the message by adding a "[DevList]" subject prefix and a footer, then forwards it to bob@recipient.com.
- Bob's receiving server checks DMARC and finds it fails because the DKIM signature is now invalid (the message was modified) and SPF fails (the sending IP belongs to lists.company.com, not example.com).
- Bob's server checks the ARC chain. It validates the ARC-Seal, verifies the ARC-Message-Signature, and reads the ARC-Authentication-Results. The AAR shows the message originally passed DMARC at the mailing list server.
- If Bob's server trusts the mailing list as an ARC sealer, it can accept the message based on the ARC results despite the DMARC failure.
Important: ARC does not force receiving servers to accept messages. It provides additional authentication data that the receiving server may choose to use in its filtering decisions. Whether the server trusts a particular ARC sealer is entirely at the receiver's discretion.
ARC Support Among Major Providers
ARC has been adopted by all the major mailbox providers, though each implements trust decisions differently:
| Provider | ARC Sealing | ARC Validation | Notes |
|---|---|---|---|
| Gmail / Google Workspace | Yes | Yes | Early adopter; ARC deployed across Gmail, Google Workspace, and Google Groups |
| Microsoft 365 / Outlook | Yes | Yes | Admins can configure trusted ARC sealers in Defender portal |
| Yahoo / AOL | Yes | Yes | Supports ARC validation as part of DMARC processing |
| Proton Mail | Yes | Yes | Accepts ARC overrides only from a limited set of trusted sealers |
| Postfix (with OpenARC) | Yes | Yes | Available via the OpenARC milter for self-hosted mail servers |
ARC vs SPF, DKIM, and DMARC
ARC is not a replacement for existing authentication protocols. It is a supplementary protocol that addresses a specific limitation. Here is how it fits into the authentication stack:
| Protocol | Purpose | Limitation ARC Addresses |
|---|---|---|
| SPF | Verifies the sending server's IP is authorized | Fails when email is forwarded from a different IP |
| DKIM | Verifies message integrity via cryptographic signature | Fails when intermediaries modify headers or body |
| DMARC | Enforces alignment between SPF/DKIM and the From domain | Fails when both SPF and DKIM fail due to forwarding |
| ARC | Preserves original authentication results across hops | Enables receivers to trust forwarded mail that originally passed |
ARC was originally developed as a collaborative project between engineers at Google and other industry participants. The specification work was adopted by the IETF DMARC Working Group in June 2016, and the final RFC was published three years later in July 2019.
When Does ARC Matter Most?
ARC becomes critical in several common email scenarios:
- Mailing lists: Services like Mailman, Sympa, Google Groups, and corporate distribution lists frequently modify messages (adding subject tags, footers, or reply-to headers), which breaks DKIM.
- Email forwarding: When users set up auto-forwarding rules (e.g., forwarding all mail from an old address to a new one), SPF breaks because the forwarding server's IP is not in the original sender's SPF record.
- Email security gateways: Organizations that route inbound email through third-party security gateways or spam filters may see authentication failures if those gateways modify messages before delivery.
- Account migration: During email migrations where mail flows through relay servers, ARC preserves authentication through the transition.
If your organization uses a strict DMARC policy and you receive reports showing legitimate emails failing authentication after being forwarded, ARC is likely the solution. Check your DMARC configuration and review aggregate reports for patterns of forwarding-related failures.
How to Configure ARC
For Microsoft 365 Administrators
If you receive forwarded emails that fail DMARC due to intermediary modifications, you can configure trusted ARC sealers in Microsoft Defender:
- Open the Microsoft Defender portal at security.microsoft.com
- Navigate to Email & Collaboration > Policies & Rules > Threat Policies > Email Authentication Settings
- Select the ARC tab
- Click "Add" and enter the trusted signing domain (the domain shown in the
d=value of the ARC-Seal header from the intermediary) - Save the configuration
For Self-Hosted Mail Servers
If you run Postfix, Sendmail, or another MTA, you can implement ARC using the OpenARC milter. The general process involves installing the OpenARC package, configuring your DKIM-like signing keys, and integrating the milter into your MTA's processing pipeline. Mailing list managers like Sympa (v6.2.38+) and Mailman also include built-in ARC support.
ARC Limitations to Understand
ARC is not a silver bullet. There are important limitations to keep in mind:
- Trust is discretionary. The receiving server decides whether to trust a given ARC sealer. There is no universal trust list.
- ARC does not verify sender identity. It only preserves and relays previous authentication results. A malicious intermediary could theoretically forge ARC headers.
- ARC headers can be stripped. An intermediary that does not support ARC may strip ARC headers from the message, breaking the chain.
- Not all intermediaries seal. If a forwarding service does not add ARC headers, the chain of custody has a gap that cannot be bridged.
Tip: Even with ARC deployed, you should still maintain properly configured SPF, DKIM, and DMARC records. ARC is a safety net for indirect mail flows, not a substitute for proper authentication on direct sends. Use the SPF checker and DMARC checker to verify your baseline setup.
Troubleshooting ARC Issues
If you are seeing forwarded emails fail despite ARC being present, check these common issues:
- Untrusted sealer: The receiving server does not trust the intermediary's ARC seal. You may need to add the sealer's domain to your trusted ARC sealers list (in Microsoft 365) or adjust your filtering policy.
- Broken chain: One intermediary in the forwarding path does not support ARC, creating a gap in the chain. The
cv=failvalue in a later ARC-Seal header indicates this. - Missing ARC headers: The intermediary does not implement ARC at all. In this case, you may need to contact the intermediary or adjust your DMARC policy for that specific mail flow.
- Key rotation issues: If the intermediary has rotated their ARC signing keys without updating DNS, the ARC-Seal signature validation will fail.
You can inspect ARC headers by viewing the full message source in your email client. Use the email header analyzer tool to parse and display ARC chain details in a readable format.
Frequently Asked Questions
ARC (Authenticated Received Chain) is an email authentication protocol defined in RFC 8617 that preserves the original SPF, DKIM, and DMARC authentication results when emails are forwarded or relayed through intermediate servers. It allows the final receiving server to verify that a message originally passed authentication, even if forwarding broke the standard checks.
No. ARC supplements DMARC but does not replace it. You still need properly configured SPF, DKIM, and DMARC records for your domain. ARC only provides additional authentication data for situations where standard checks fail due to legitimate forwarding or relaying. It is an extra trust layer, not a primary authentication mechanism.
If your domain sends emails directly to recipients and you do not operate a forwarding service or mailing list, you do not need to implement ARC sealing. However, if you receive forwarded emails that fail DMARC, you should configure trusted ARC sealers in your mail system so you can accept those messages. If you operate a mailing list or forwarding service, implementing ARC sealing will help your users' messages pass authentication at their final destination.
View the full message headers (in Gmail: three dots > "Show original"; in Outlook: File > Properties > Internet Headers). Look for headers beginning with ARC-Authentication-Results, ARC-Message-Signature, and ARC-Seal. You can also use an email header analyzer tool to parse and display the ARC chain in a readable format.
This is the classic problem ARC solves. When emails are forwarded, the forwarding server's IP breaks SPF and modifications to the message break DKIM. If both fail, DMARC fails too. If the sender has a strict DMARC policy (quarantine or reject), the message gets filtered. The solution is to either configure trusted ARC sealers at the receiving end, or ensure the forwarding service implements ARC sealing so the original authentication results are preserved.