Suped

Does ARC improve DMARC policy enforcement for forwarded mail?

Yes, Authenticated Received Chain (ARC) absolutely improves DMARC policy enforcement, specifically by addressing one of its most significant weaknesses: handling forwarded emails. While DMARC, along with SPF and DKIM, forms the bedrock of modern email authentication, its rigidity can cause legitimate emails to fail authentication checks when they pass through an intermediary, like a forwarding service or a mailing list.

ARC was developed to solve this exact problem. It creates a chain of custody for email authentication results, allowing a final receiving mail server to see that an email was authenticated correctly at a previous hop, even if the final checks fail. This prevents valid, forwarded emails from being incorrectly blocked or sent to spam due to a failed DMARC evaluation.

Why forwarded emails break DMARC

To understand why ARC is so important, we first need to look at why DMARC struggles with forwarded messages. DMARC relies on the results of two other protocols, SPF (Sender Policy Framework) and DKIM (DomainKeys Identified Mail), and requires at least one of them to pass and align with the domain in the 'From' header.

When an email is forwarded, the authentication chain often breaks:

  • SPF fails: SPF checks if the IP address sending the email is authorized in the sender's SPF record. When a message is forwarded, it's being sent from the forwarding server's IP, not the original sender's. This new IP is almost never listed in the original domain's SPF record, causing the check to fail.
  • DKIM can fail: DKIM creates a cryptographic signature of the email's content and certain headers. Intermediaries like mailing lists often add new text to the email, such as a footer with unsubscribe information. This modification alters the email body, which breaks the original DKIM signature, causing the check to fail.

When both of these checks fail, or fail to align, the forwarded email will fail the DMARC check. The receiving server then follows the sender's DMARC policy, which could be to quarantine or reject the message, even though it was originally legitimate.

How ARC preserves authentication results

ARC acts as a wrapper around the original authentication results, preserving them across multiple server hops. It doesn't replace DMARC, but rather extends it. As Sendmarc notes, ARC captures the original authentication results and adds special ARC headers to keep a record of these results as the email is forwarded.

Sendmarc says:
ARC captures the original authentication results (from DMARC, SPF, and DKIM) when an email is forwarded and then adds ARC headers to preserve these results.

Here’s how it works: an intermediary server (like a mail forwarder) that supports ARC will perform its own SPF, DKIM, and DMARC checks on an incoming email. It then records these results in a new set of headers (the ARC headers) and cryptographically signs them. This creates a trusted and verifiable 'seal'. When the final mail server receives the email, it will see that the direct DMARC check fails. However, it can then check for a valid ARC chain. If the chain is present and comes from a trusted intermediary, the server can look at the preserved authentication results. If the original result was a 'pass', the receiving server can choose to trust the ARC results and override the local DMARC failure, delivering the email correctly.
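The final receiver's decision described above, sketched as an added example (not code from Suped or from any mail provider). The function names, the `trusted_sealers` list, the `seals_verified` input and every header value in the sample are assumptions made for illustration; the three ARC header names and the `cv=` tag come from the ARC specification (RFC 8617).

```python
import re
from email import message_from_string

# Constructed sample: one ARC-aware forwarder (i=1). All values are placeholders.
SAMPLE = """\
ARC-Seal: i=1; a=rsa-sha256; cv=none; d=forwarder.example; s=arc1; b=PLACEHOLDER
ARC-Message-Signature: i=1; a=rsa-sha256; d=forwarder.example; s=arc1;
 h=from:subject; bh=PLACEHOLDER; b=PLACEHOLDER
ARC-Authentication-Results: i=1; forwarder.example; spf=pass
 smtp.mailfrom=sender.example; dkim=pass header.d=sender.example;
 dmarc=pass header.from=sender.example
From: alice@sender.example
Subject: forwarded

body
"""
ARC_HEADERS = ("ARC-Seal", "ARC-Message-Signature", "ARC-Authentication-Results")

def tags(value):
    """Parse the 'k=v; k=v' tag list of an ARC-Seal header."""
    return dict(p.strip().split("=", 1) for p in value.split(";") if "=" in p)

def arc_sets(msg):
    """Group ARC headers by instance number: {i: [(header_name, value), ...]}."""
    sets = {}
    for name in ARC_HEADERS:
        for value in msg.get_all(name, []):
            m = re.match(r"\s*i=(\d+)", value)
            if m:
                sets.setdefault(int(m.group(1)), []).append((name, value))
    return sets

def evaluate(raw, local_dmarc, seals_verified, trusted_sealers):
    """Receiver decision; seals_verified = result of the receiver's own ARC signature checks."""
    if local_dmarc == "pass":
        return "deliver"
    sets = arc_sets(message_from_string(raw))
    if not sets or not seals_verified or sorted(sets) != list(range(1, len(sets) + 1)):
        return "apply-dmarc-policy"
    for i, headers in sets.items():
        hs = dict(headers)
        if len(headers) != 3 or len(hs) != 3:  # exactly one of each header per hop
            return "apply-dmarc-policy"
        seal = tags(hs["ARC-Seal"])
        cv_ok = seal.get("cv") == ("none" if i == 1 else "pass")
        if not cv_ok or seal.get("d") not in trusted_sealers:  # assumption: all sealers trusted
            return "apply-dmarc-policy"
    first = re.search(r"\bdmarc=(\w+)", dict(sets[1])["ARC-Authentication-Results"])
    return "deliver" if first and first.group(1) == "pass" else "apply-dmarc-policy"
```

The structural checks here do not replace signature verification: `seals_verified` must come from a real ARC validator, because the header text alone can be forged by anyone.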

MonsterMegs Blog | Web Hosting Tips & Insights says:
ARC addresses a critical gap in email authentication by providing a reliable method for verifying the legitimacy of forwarded emails and those sent through mailing lists.

The impact on DMARC policy enforcement

By providing this extra layer of information, ARC makes DMARC enforcement more intelligent. It gives receiving systems the context they need to differentiate between a maliciously spoofed email and a legitimate email that has simply been forwarded. This is crucial for reducing the number of false positives where valid mail is blocked.

According to the IETF, the standards body behind the protocol, ARC helps to close a critical gap in authentication. Major mailbox providers like Google and Microsoft have widely adopted ARC, as it allows them to trust forwarded mail from known, reputable sources. This ensures that their users still receive important forwarded communications without compromising security.

In summary, ARC doesn't change your DMARC policy, but it drastically improves how that policy is enforced by others. It adds the necessary nuance for handling complex but common email routing scenarios, ensuring that DMARC's powerful protection against spoofing doesn't inadvertently block legitimate mail. For any organization that relies on email, ARC is a critical component for ensuring reliable message delivery in a DMARC-enabled world.
