Yes, Authenticated Received Chain (ARC) absolutely adds a new digital signature to an email. In fact, adding this signature is the central mechanism that allows ARC to work. Its purpose is to preserve the original email authentication results as a message travels through intermediate servers, like mailing lists or forwarding services.
When an email is forwarded, the original authentication protocols like SPF and DKIM can break, which can cause legitimate emails to fail DMARC validation. ARC was created to solve this specific problem by adding a new layer of authentication that survives these modifications.
Why is a new signature needed?
Standard email authentication can be fragile. Imagine you send an email that is perfectly authenticated with SPF and DKIM. It then gets sent to a mailing list. The mailing list server receives your email and might add a small footer, like "To unsubscribe, click here". This small change breaks your original DKIM signature. Furthermore, when the mailing list server forwards the email to all its subscribers, the sending IP address belongs to the mailing list, not you, which causes SPF to fail.
Because both SPF and DKIM have now failed, the email will also fail DMARC alignment. The final recipient's server sees these failures and might reject the message or send it to spam, even though it was originally a legitimate email. ARC steps in to help ensure the authenticity of the message as it passes through these servers.
How ARC adds its signature and headers
When an ARC-supporting server (the intermediary) receives an email, it first validates the existing SPF and DKIM signatures. It then adds a set of its own headers to the email to record the results of that validation. These headers are then cryptographically signed to create the ARC signature.
This process involves adding three new headers to the email at each hop:
- ARC-Authentication-Results (AAR): This header snapshots the original authentication results. It records whether SPF, DKIM, and DMARC passed or failed before the intermediary processed the message.
- ARC-Message-Signature (AMS): This is the new digital signature. It's very similar to a DKIM signature, but with a crucial difference: it covers the original message headers and body, plus the ARC-Authentication-Results header it just added. This signature effectively says, "I vouch for the authentication results recorded above."
- ARC-Seal (AS): This is the final signature in the set. It signs the previous ARC headers (the AAR and the AMS). This "seals" the ARC results for that specific hop and creates a link in the chain.
The 'chain' in Authenticated Received Chain
If an email passes through multiple forwarding servers, each one adds its own set of ARC headers. This creates a chain of signatures that the final receiving server can validate. The server can check each ARC-Seal and ARC-Message-Signature in sequence, working its way back to the original message.
If the final recipient's server trusts the intermediaries in the chain (for example, it knows that Google and Microsoft are trusted mail handlers), it can look at the authenticated results preserved in the oldest ARC header. This allows it to see that the email was legitimate at the start of its journey, even if the final SPF and DKIM checks fail. As AutoSPF notes, ARC generates a trusted chain of authentication.
So, to conclude, ARC's core function is to add a new digital signature (and related headers) at each step. This creates a verifiable chain of custody that fixes a common and frustrating point of failure in the email ecosystem, helping your legitimate, forwarded emails reach the inbox.
