The short answer is no: Authenticated Received Chain (ARC) does not prevent a message from being altered after it's signed. This might sound counterintuitive, but its primary purpose is different. ARC is designed to preserve the original email authentication results (like SPF and DKIM) when a message is legitimately modified by an intermediary, such as a mailing list or an email forwarder.
When an email travels from the sender to the recipient, it sometimes passes through intermediate servers. These intermediaries can make changes, like adding a footer to messages on a mailing list, which in turn breaks the original DKIM signature. This causes the message to fail DMARC authentication, even though the email is legitimate. ARC was developed to solve this specific problem.
Instead of preventing changes, ARC creates a verifiable chain of custody for the email's authentication status. Each server or service that handles the message and is ARC-enabled will perform a few key steps:
When the final recipient's mail server gets the email, it might see that the current DKIM signature is broken. However, it can also see the ARC chain. It can validate each ARC seal, working its way back to see the original, passing authentication results. As Stellastra points out, "ARC ensures that even if DKIM signatures are altered en route, the original signature's validity is preserved and verifiable by subsequent" intermediaries.
While ARC doesn't prevent alteration, its cryptographic signatures prevent unauthorized alteration from going unnoticed. The ARC-Seal is a key component. It's a DKIM-like signature that covers the previous ARC headers. If a malicious actor were to intercept an email and try to tamper with the recorded authentication results, they would invalidate the ARC-Seal.
This creates a tamper-evident log. The receiving server can trust the chain of authentication as long as all the cryptographic seals are intact. If a seal is broken, it knows that something is wrong and can treat the email with suspicion. This system allows a receiving server to trust that modifications were made by known, legitimate intermediaries (like Microsoft 365 or Google Groups) and not by a random attacker.
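The tamper-evident chain described above, as an added sketch that is not code from the original article or from any ARC implementation. It assumes HMAC with constructed per-domain keys as a stand-in for the DKIM-like public-key signatures real ARC uses, and the domains, field names and function names are hypothetical.

```python
import hashlib
import hmac

# Constructed demo keys. Real ARC seals are DKIM-style public-key signatures
# checked against DNS; HMAC is a stand-in so this runs on the stdlib alone.
KEYS = {"list.example": b"list-key", "fwd.example": b"fwd-key"}

def _mac(domain, text):
    return hmac.new(KEYS[domain], text.encode(), hashlib.sha256).hexdigest()

def _sealed_text(chain, i):
    """Text covered by seal i: every ARC field of hops 1..i except seal i itself."""
    return "\n".join(
        f"{n}|{h['d']}|{h['aar']}|{h['ams']}|{h['cv']}|{h['seal'] if n < i else ''}"
        for n, h in enumerate(chain[:i], start=1))

def validate(chain, body):
    """Return 'none', 'pass' or 'fail' for the chain as received with this body."""
    if not chain:
        return "none"
    last = chain[-1]
    # Only the newest hop's message signature must match the body as received.
    if not hmac.compare_digest(last["ams"], _mac(last["d"], body)):
        return "fail"
    for i in range(len(chain), 0, -1):  # newest seal first, back to hop 1
        hop = chain[i - 1]
        if hop["cv"] != ("none" if i == 1 else "pass"):
            return "fail"
        if not hmac.compare_digest(hop["seal"], _mac(hop["d"], _sealed_text(chain, i))):
            return "fail"
    return "pass"

def add_hop(chain, domain, auth_results, body_in, body_out):
    """Record the results seen on arrival, sign the outgoing body, seal the chain."""
    hop = {"d": domain, "aar": auth_results, "ams": _mac(domain, body_out),
           "cv": validate(chain, body_in), "seal": ""}
    chain.append(hop)
    hop["seal"] = _mac(domain, _sealed_text(chain, len(chain)))
    return chain

def demo():
    original = "Hello list\n"
    footered = original + "-- \nUnsubscribe: https://list.example/u\n"  # list edits body
    chain = add_hop([], "list.example", "spf=pass; dkim=pass; dmarc=pass", original, footered)
    chain = add_hop(chain, "fwd.example", "dkim=fail; arc=pass", footered, footered)
    intact = validate(chain, footered)
    chain[0]["aar"] = "spf=pass; dkim=pass; dmarc=pass; edited-in-transit"  # tampering
    return intact, validate(chain, footered)  # ("pass", "fail")
```

The mailing list's footer does not break the chain because the list signs the body it sends on, while any edit to an earlier hop's recorded results invalidates every seal that covers it.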
To summarize, ARC doesn't stop message alteration. Instead, it provides a secure and verifiable way to see an email's authentication history. It acknowledges that legitimate modifications happen, and it preserves the original authentication results through a cryptographic chain of trust. By doing so, ARC fixes a critical flaw in the DMARC ecosystem and significantly improves email deliverability for messages that pass through intermediaries.