The short answer is: yes, ARC (Authenticated Received Chain) does modify an email, but not in the way you might think. It doesn't alter the body or subject of your message. Instead, it adds a new set of headers to the email. So, while the overall email data is changed, the content that a person reads remains untouched.
This is a critical distinction. ARC was specifically designed to handle situations where an email is legitimately modified in transit, a common occurrence that can break standard email authentication protocols like SPF and DKIM. As Fastmail explains, its purpose is to preserve authentication results even when changes happen.
How ARC modifies an email
When an email passes through an intermediary server, like a mailing list or an email forwarding service, this server can add ARC headers. This process involves a few steps. First, the intermediary validates the original email's SPF and DKIM records. Then, it adds its own digital signature to vouch for the email's authenticity at the point it was received.
The modification comes from adding three new headers to the email, as noted by cPanel.
- ARC-Authentication-Results (AAR): This header records the initial authentication results. It essentially says, "When this email arrived here, it passed SPF and DKIM checks."
- ARC-Message-Signature (AMS): This is a DKIM-like signature that covers the message headers and body, including the AAR header. It's the intermediary signing the message to say it's taking responsibility for its state.
- ARC-Seal (AS): This header signs the previous ARC headers, creating a verifiable chain. If multiple intermediaries handle the email, each one adds its own set of ARC headers, creating a sequence of seals.
So, ARC's modification is an addition. It doesn't subtract or alter existing content; it adds a new layer of verifiable information.
Why is this modification necessary?
Email authentication protocols DMARC, SPF, and DKIM can fail when an email isn't sent directly from the sender to the recipient. This is a very common scenario.
Consider a mailing list. When you send a message to the list, the list's server forwards it to all subscribers. During this process:
- The sending server changes, which breaks SPF alignment because the email is now coming from the mailing list's IP, not the original sender's.
- The mailing list might add a footer with unsubscribe information. This modifies the email's body, which breaks the DKIM signature.
With both SPF and DKIM failing, a strict DMARC policy would cause the email to be rejected or sent to spam, even though it's a legitimate message. ARC fixes this. The receiving server sees the failed SPF and DKIM but then checks the ARC chain. It can see that the email was authenticated before the mailing list forwarded it. If the receiving server trusts the mailing list (the ARC sealer), it can choose to accept the message.
Conclusion: A beneficial modification
To wrap it up, ARC does modify emails by adding new headers. It does not, however, alter the core content like the subject or body that the end-user sees. This modification is not only harmless but essential for maintaining email deliverability in a world of email forwarders, mailing lists, and other intermediaries.
It builds a chain of trust that allows receiving mail servers to make more informed decisions, preventing legitimate emails from being incorrectly flagged as spam or rejected. In that sense, ARC's modification is a solution, not a problem.
