The arc-authenticated-results header is a core component of the Authenticated Received Chain (ARC) protocol. At its heart, ARC is an email standard designed to preserve email authentication results as a message travels from the original sender to the final recipient, especially when it passes through intermediary servers like mailing lists or forwarding services.
The problem is that these intermediary steps can often break standard email authentication. When a server forwards an email, it can alter things that cause SPF and DKIM to fail, which in turn can lead to a DMARC failure. ARC was developed to fix this by creating a verifiable chain of custody for authentication verdicts.
The three ARC headers
The ARC protocol works by adding a set of three distinct headers to an email at each intermediary server, or "hop," in its journey. According to the official IETF specification, these headers work together to create and validate the chain of trust.
- ARC-Authentication-Results: This is the header we're focusing on. It's a snapshot of the authentication results (SPF, DKIM, and DMARC) from the moment the server received the message, before any modifications were made.
- ARC-Message-Signature: This is a DKIM-like signature that covers the email's content plus the ARC-Authentication-Results header. It cryptographically proves that the message content and the recorded authentication results belong together and haven't been tampered with.
- ARC-Seal: This is the final piece. It's another DKIM-like signature that covers all the previous ARC headers. This header links each step in the chain together, ensuring the integrity of the entire ARC sequence.
A closer look at the arc-authenticated-results header
The arc-authenticated-results header is the foundation of the chain. Its purpose is to simply record what the authentication results were for the message at a specific point in time. It effectively says, "When this email arrived at my server, it passed SPF and DKIM, and therefore DMARC."
This is crucial because when the final recipient's server gets the email, the SPF alignment might be broken due to the forwarding IP, and DKIM might be broken due to a footer added by a mailing list. Without ARC, the server would just see these failures and potentially reject the message. However, by looking at the arc-authenticated-results header from a trusted intermediary (like Google or Microsoft), it can see the message was originally valid. If the ARC-Seal and ARC-Message-Signature also validate, the server can choose to trust the original results and deliver the email.
Why does this matter for email deliverability?
For anyone sending emails, particularly marketing or transactional messages that might be sent to mailing lists or forwarded among colleagues, ARC is incredibly important. It provides a safety net for your email authentication. The arc-authenticated-results header, as the record-keeper of the protocol, is what gives receiving servers the confidence to accept your emails even when standard authentication checks fail. It helps ensure your legitimate messages reach the inbox, protecting your deliverability and sender reputation in complex email environments.
What ARC header field indicates the chain validation status?
What is the ARC-Authentication-Results header used for?
What ARC header contains a cryptographically signed copy of the message's state?
What ARC header indicates the chain of authentication results?
Does ARC preserve original authentication results?
What ARC header contains the list of signed header fields?
