Does ARC prevent email spoofing?

Matthew Whittaker
Co-founder & CTO, Suped
Published 19 Apr 2025
Updated 31 Oct 2025
Email spoofing remains a persistent threat, with attackers constantly devising new ways to impersonate legitimate senders. To combat this, foundational email authentication protocols like SPF, DKIM, and DMARC have been widely adopted. While these protocols are highly effective in direct email flows, they often struggle when emails are forwarded or pass through mailing lists.
This is where Authenticated Received Chain (ARC) comes into play. It was developed to address specific shortcomings of existing authentication methods, particularly in scenarios involving intermediaries. The question of whether ARC directly prevents email spoofing is nuanced, as its role is more about preserving authentication context than direct prevention.
Understanding ARC requires a look at how it interacts with SPF, DKIM, and DMARC. It doesn't replace these protocols, but rather acts as a crucial enhancement. By providing a verifiable chain of authentication results, ARC helps email receivers make more accurate decisions, especially regarding emails that might otherwise fail DMARC checks due to legitimate forwarding.

Understanding ARC's mechanism

ARC is essentially a way for intermediate mail servers, such as mailing lists or forwarding services, to sign the original email authentication results before making changes that would typically break SPF or DKIM. This creates a trusted chain of custody for an email, ensuring its authentication history is transparent even after modifications.
The core components of ARC are the ARC-Seal, the ARC-Message-Signature, and the ARC-Authentication-Results headers. Each time an email passes through an ARC-enabled intermediary, a new set of these headers is added. The ARC-Authentication-Results header summarizes the authentication results (SPF, DKIM, DMARC) at that point in the email's journey. The signatures then verify that these results, and the email itself, haven't been tampered with since the last hop.
This chain of trust allows the final recipient mail server to validate the email's authenticity, even if an intermediate step would have otherwise caused a DMARC failure. It's not about re-authenticating the email's original sender directly, but rather providing a verifiable history that a legitimate sender's email passed initial authentication checks.

How ARC addresses forwarding challenges

Email forwarding and mailing lists are common sources of DMARC failures for otherwise legitimate emails. When an email is forwarded, the sending IP address often changes, causing SPF to fail. Similarly, mailing lists might modify the email's content (e.g., adding a footer), which can invalidate DKIM signatures. These changes make it difficult for DMARC to pass, potentially leading to legitimate emails being quarantined or rejected.
ARC mitigates these issues by creating a new, signed record of the original authentication results at each hop. If a mailing list receives an email that successfully passed SPF, DKIM, and DMARC, it will sign those results with its own ARC-Seal and forward the email. The receiving server can then examine this ARC chain. If the ARC chain is valid and signed by a trusted intermediary, the receiver can choose to override the DMARC failure and deliver the email.
This mechanism is crucial for the reliability of email flows involving intermediaries. ARC compensates for the shortcomings of SPF, DKIM, and DMARC when emails are forwarded, ensuring that a forwarded email's original authenticity is preserved. To learn more about how ARC affects DMARC failures, you can read our guide on how to implement ARC. Microsoft, for example, allows administrators to configure trusted ARC sealers to ensure legitimate forwarded emails are not rejected.
Example of ARC headers in an email:

    ARC-Authentication-Results: i=1; mx.google.com;
        spf=pass (google.com: domain of sender@example.com designates 192.0.2.1 as permitted sender) smtp.mailfrom=sender@example.com;
        dkim=pass (signature was verified) header.d=example.com header.s=s1;
        dmarc=pass (p=none dis=none) header.from=example.com
    ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=example.org; s=arc-s1; t=1678886400;
        bh=SHA256HASH; h=From:Subject:Date:Message-ID:To; b=SIGNATURE_VALUE
    ARC-Seal: i=1; a=rsa-sha256; t=1678886400; cv=none; d=example.org; s=arc-s1; b=SIGNATURE_VALUE
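The receiver-side decision described above, as an added Python example (not Suped's code or any mailbox provider's implementation): it groups ARC headers by instance, checks the chain's shape against RFC 8617, and permits a DMARC-failure override only when every sealer is trusted. The function names, the allow-list, the `signatures_verified` flag (assumed to come from a real ARC verifier that checks the `b=` signatures against the sealers' DNS keys) and the sample message are assumptions constructed for illustration.

```python
import re
from email import message_from_string

ARC_FIELDS = {"ARC-Authentication-Results", "ARC-Message-Signature", "ARC-Seal"}

def tags(value):
    """Parse a 'k=v; k=v' tag list; folding whitespace inside values is dropped."""
    pairs = (p.split("=", 1) for p in value.split(";") if "=" in p)
    return {k.strip(): "".join(v.split()) for k, v in pairs}

def arc_sets(msg):
    """Group ARC headers by instance i=. Returns {i: {field: raw value}} or None."""
    sets = {}
    for field in ARC_FIELDS:
        for value in msg.get_all(field, []):
            i = tags(value).get("i", "")
            if not re.fullmatch(r"[1-9][0-9]?", i) or field in sets.setdefault(int(i), {}):
                return None  # no usable instance number, or two copies for one hop
            sets[int(i)][field] = value
    return sets

def structure_ok(sets):
    """RFC 8617 shape: sets 1..N (N <= 50), all three headers, cv=none then cv=pass."""
    if not sets or len(sets) > 50 or sorted(sets) != list(range(1, len(sets) + 1)):
        return False
    return all(set(s) == ARC_FIELDS and
               tags(s["ARC-Seal"]).get("cv") == ("none" if i == 1 else "pass")
               for i, s in sets.items())

def may_override_dmarc_fail(msg, trusted_sealers, signatures_verified):
    """Assumed local policy: verifier passed, all sealers trusted, hop 1 dmarc=pass."""
    sets = arc_sets(msg)
    if not signatures_verified or sets is None or not structure_ok(sets):
        return False  # header shape alone is never enough: ARC headers can be forged
    sealers = {tags(s["ARC-Seal"]).get("d") for s in sets.values()}
    first = re.search(r"\bdmarc=(\w+)", sets[1]["ARC-Authentication-Results"])
    return sealers <= set(trusted_sealers) and bool(first) and first.group(1) == "pass"

# Constructed sample: one hop sealed by lists.example.org; signatures are placeholders.
SAMPLE = """\
ARC-Seal: i=1; a=rsa-sha256; t=1678886400; cv=none;
 d=lists.example.org; s=arc-s1; b=PLACEHOLDER
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=lists.example.org;
 s=arc-s1; h=From:Subject:Date; bh=PLACEHOLDER; b=PLACEHOLDER
ARC-Authentication-Results: i=1; lists.example.org; spf=pass; dkim=pass;
 dmarc=pass header.from=example.com
From: sender@example.com
"""
MSG = message_from_string(SAMPLE)
```

The structural check is only a cheap pre-filter; the override stays off unless the cryptographic verification has passed and the sealer is on the allow-list.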

ARC's indirect role in spoofing detection

ARC does not directly prevent email spoofing in the same way SPF, DKIM, or DMARC do by authenticating the sender's domain. For example, ARC does not validate the 'From' address or directly check if a message originates from an authorized source. Its primary function is to preserve existing authentication results through intermediary relays. This preservation, however, has a significant indirect impact on anti-spoofing efforts.
By ensuring that legitimate forwarded emails do not fail DMARC, ARC reduces the likelihood that a DMARC policy set to 'reject' will discard an authentic message. This allows domain owners to deploy stronger DMARC policies (p=quarantine or p=reject) with more confidence, knowing that legitimate traffic won't be unduly impacted. Strong DMARC policies are the most effective way to prevent spoofing, and ARC facilitates their widespread adoption.
Therefore, while ARC doesn't directly stop an attacker from sending a spoofed email, it strengthens the overall email authentication ecosystem. It makes the DMARC enforcement mechanism more robust and reliable, which in turn helps ensure email sender authenticity and reduces the success rate of spoofing attempts.

ARC's contribution to anti-spoofing

ARC's strength lies in its ability to prevent false DMARC failures. When DMARC fails due to legitimate forwarding, ARC provides the necessary context for the receiving server to trust the original authentication. This allows for:
  1. Increased DMARC adoption: Organizations are more likely to implement DMARC with a stricter policy when they know legitimate forwarded emails won't be blocked.
  2. Reduced false positives: Valid emails are less likely to be mistakenly identified as spoofed, improving deliverability.
  3. Enhanced trust: By providing transparent authentication history, ARC builds greater trust in the email ecosystem, making it harder for spoofed emails to slip through.

The larger authentication ecosystem

It's important to view ARC not as a standalone solution, but as a critical component of a comprehensive email authentication strategy. ARC does not replace DMARC or SPF/DKIM, but rather complements them by solving specific problems related to email forwarding. Think of SPF and DKIM as the initial layers of defense, DMARC as the policy enforcer, and ARC as the trusted messenger that carries authentication truth through complex mail flows.

Core authentication (SPF, DKIM, DMARC)

These protocols directly verify the sender's identity and message integrity. They are the first line of defense against spoofing.
  1. SPF: Verifies the sending IP address against a list of authorized senders.
  2. DKIM: Uses cryptographic signatures to ensure the email content hasn't been altered.
  3. DMARC: Builds upon SPF and DKIM to enforce policies on unauthenticated emails.

Authenticated Received Chain (ARC)

ARC preserves authentication results across multiple hops, making DMARC effective in complex forwarding scenarios.
  1. Chain of trust: Each intermediary signs the previous authentication results.
  2. DMARC enhancement: Helps DMARC-enabled receivers trust forwarded emails.
  3. Indirect anti-spoofing: Enables stricter DMARC policies by preventing false positives.
For a simple guide that covers the basics of SPF, DKIM, and DMARC, refer to our comprehensive article: A simple guide to DMARC, SPF, and DKIM. Implementing all these protocols together creates a robust defense against email fraud and strengthens your domain's reputation.

ARC's contribution to email security

Ultimately, ARC plays a vital, albeit indirect, role in preventing email spoofing. It doesn't directly block malicious emails, but it significantly enhances the effectiveness of DMARC by enabling it to function correctly even when emails are legitimately transformed or forwarded by intermediaries. This allows organizations to move to more aggressive DMARC policies like p=reject, which is the strongest stance against impersonation and spoofing.
For any organization serious about protecting its domain from spoofing and phishing attacks, implementing DMARC in conjunction with SPF and DKIM is non-negotiable. ARC ensures that these efforts are not undermined by the complexities of modern email delivery. To fully harness the power of DMARC and ensure your emails are always authenticated, robust DMARC monitoring is essential.
Suped provides the best DMARC monitoring and reporting tools on the market, offering unparalleled visibility into your email ecosystem. Our platform delivers AI-powered recommendations to help you fix issues and strengthen your policy, along with real-time alerts, a unified platform for DMARC, SPF, and DKIM, and SPF flattening. With our generous free plan, you can start securing your domain today and gain complete control over your email deliverability.
