Suped

Does ARC modify the email content?

The short answer is: yes, ARC (Authenticated Received Chain) does modify an email, but not in the way you might think. It doesn't alter the body or subject of your message. Instead, it adds a new set of headers to the email. So, while the overall email data is changed, the content that a person reads remains untouched.

This is a critical distinction. ARC was specifically designed to handle situations where an email is legitimately modified in transit, a common occurrence that can break standard email authentication protocols like SPF and DKIM. As Fastmail explains, its purpose is to preserve authentication results even when changes happen.

www.fastmail.com logo
Fastmail says:
Visit website
“ARC preserves email authentication results across subsequent intermediaries (“hops”) that may modify the message, and thus would cause email authentication mechanisms such as SPF and DMARC to fail.”
Suped DMARC monitor
Free forever, no credit card required
Get started for free
Trusted by teams securing millions of inboxes
Company logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logoCompany logo

How ARC modifies an email

When an email passes through an intermediary server, like a mailing list or an email forwarding service, this server can add ARC headers. This process involves a few steps. First, the intermediary validates the original email's SPF and DKIM records. Then, it adds its own digital signature to vouch for the email's authenticity at the point it was received.

The modification comes from adding three new headers to the email, as noted by cPanel.

  • ARC-Authentication-Results (AAR): This header records the initial authentication results. It essentially says, "When this email arrived here, it passed SPF and DKIM checks."
  • ARC-Message-Signature (AMS): This is a DKIM-like signature that covers the message headers and body, including the AAR header. It's the intermediary signing the message to say it's taking responsibility for its state.
  • ARC-Seal (AS): This header signs the previous ARC headers, creating a verifiable chain. If multiple intermediaries handle the email, each one adds its own set of ARC headers, creating a sequence of seals.

So, ARC's modification is an addition. It doesn't subtract or alter existing content; it adds a new layer of verifiable information.

Why is this modification necessary?

Email authentication protocols DMARC, SPF, and DKIM can fail when an email isn't sent directly from the sender to the recipient. This is a very common scenario.

sendmarc.com logo
Sendmarc says:
Visit website
DMARC, SPF, and DKIM can fail when emails are forwarded because the original authentication headers might change or disappear. The ARC protocol maintains these authentication results and adds a new layer of verification.

Consider a mailing list. When you send a message to the list, the list's server forwards it to all subscribers. During this process:

  • The sending server changes, which breaks SPF alignment because the email is now coming from the mailing list's IP, not the original sender's.
  • The mailing list might add a footer with unsubscribe information. This modifies the email's body, which breaks the DKIM signature.

With both SPF and DKIM failing, a strict DMARC policy would cause the email to be rejected or sent to spam, even though it's a legitimate message. ARC fixes this. The receiving server sees the failed SPF and DKIM but then checks the ARC chain. It can see that the email was authenticated before the mailing list forwarded it. If the receiving server trusts the mailing list (the ARC sealer), it can choose to accept the message.

unione.io logo
UniOne Blog says:
Visit website
The ARC protocol allows receiving servers to validate emails even when the original message has been altered in transit. For this, the intermediate servers must confirm that the original message was authenticated.

Conclusion: A beneficial modification

To wrap it up, ARC does modify emails by adding new headers. It does not, however, alter the core content like the subject or body that the end-user sees. This modification is not only harmless but essential for maintaining email deliverability in a world of email forwarders, mailing lists, and other intermediaries.

It builds a chain of trust that allows receiving mail servers to make more informed decisions, preventing legitimate emails from being incorrectly flagged as spam or rejected. In that sense, ARC's modification is a solution, not a problem.

Start improving your email deliverability today

Get started