Does ARC replace DMARC or SPF/DKIM?

Matthew Whittaker
Co-founder & CTO, Suped
Published 16 Jan 2025
Updated 23 Oct 2025
Email authentication protocols like SPF, DKIM, and DMARC are fundamental to ensuring that emails are legitimate and not forged. They play a crucial role in preventing spam, phishing, and other malicious activities. However, the internet's email infrastructure involves various intermediaries, such as mailing lists and forwarding services, which can inadvertently break these authentication mechanisms. This is where the Authenticated Received Chain (ARC) protocol comes into play, designed to maintain email authentication results across these intermediary hops.
Email senders often wonder whether ARC is meant to replace the existing suite of email authentication standards. It's a valid question, given the increasing complexity of email security. Understanding the distinct role of each protocol is key to grasping why they all remain essential components of a robust email security posture. I often see confusion around this topic, but the answer is straightforward once you look at how each system operates.
In short, ARC does not replace DMARC, SPF, or DKIM. Instead, it acts as an additional layer of authentication that allows recipient mail servers to validate the original authentication status of an email, even if it has been modified or redirected by intermediaries. This allows the intent of the original sender to be preserved, preventing legitimate emails from failing DMARC checks simply due to routing changes. Let's explore why each of these protocols is still vital and how they fit together.

The foundational pillars: SPF, DKIM, and DMARC

To appreciate ARC's role, we first need a clear understanding of the established authentication protocols. SPF, DKIM, and DMARC work together to verify email sender identity and email integrity. SPF (Sender Policy Framework) specifies which mail servers are authorized to send email on behalf of a domain. It's like a list of approved postal offices for your mail. If an email originates from a server not on this list, it may be flagged as suspicious.
DKIM (DomainKeys Identified Mail) provides a way for senders to digitally sign their emails, allowing recipients to verify that the email hasn't been tampered with in transit and that it indeed originated from the claimed domain. This digital signature is cryptographically linked to the sending domain, adding a layer of integrity and authenticity. Troubleshooting DKIM issues is a common task for maintainers of email systems.
DMARC (Domain-based Message Authentication, Reporting, & Conformance) builds on SPF and DKIM by instructing recipient mail servers on what to do with emails that fail authentication (e.g., quarantine, reject, or none) and provides reporting mechanisms for domain owners. This helps prevent direct domain spoofing and gives visibility into email sending practices across the internet. Managing your DMARC policy is essential for brand protection. For comprehensive DMARC monitoring and actionable insights, platforms like Suped can provide invaluable assistance with AI-powered recommendations to optimize your email deliverability and security.

The forwarding challenge and ARC's solution

While SPF, DKIM, and DMARC are robust, they encounter issues when emails are forwarded or sent through mailing lists. When an email passes through an intermediary server, it often undergoes modifications. The intermediary might rewrite the 'From' address, add a footer, or simply relay the email from its own servers. These changes, though legitimate, can break SPF and DKIM authentication.

Problem: authentication failure for legitimate emails

When an email is forwarded, the SPF check often fails because the IP address of the forwarding server is typically not authorized in the original sender's SPF record. Similarly, DKIM can break if the email body or headers are modified by the intermediary, invalidating the digital signature. These failures, in turn, can lead to DMARC failing, even for emails that are entirely legitimate, causing them to be quarantined or rejected.
This is precisely the problem ARC was designed to solve. ARC provides a way for mail handlers (like forwarding services or mailing lists) to sign an email's original authentication results, along with any modifications they made. This creates a chain of custody, allowing the final recipient's mail server to see the full authentication history and trust the legitimacy of the email, despite intermediate changes. You can learn more about ARC's role in addressing mailing list issues.

How ARC preserves authentication integrity

ARC works by adding specific headers to an email as it passes through each hop. These headers form a verifiable chain, hence the name Authenticated Received Chain. Each time an ARC-enabled intermediary processes an email, it adds three new headers:
  1. ARC-Authentication-Results: This header summarizes the authentication results (SPF, DKIM, DMARC) at the time the intermediary received the email.
  2. ARC-Message-Signature: This is a DKIM-like signature of the entire email, including the ARC-Authentication-Results header and the original message content. This signature is created by the intermediary.
  3. ARC-Seal: This header signs the ARC headers added so far (this hop's ARC-Authentication-Results and ARC-Message-Signature, plus the ARC headers from every earlier hop), effectively sealing the chain. Each intermediary adds its own ARC-Seal, allowing the recipient to trace the path and verify each link in the chain.
When an email arrives at the final destination, the recipient mail server can validate the ARC chain. If a trusted ARC sealer (like a known mailing list or forwarding service) has signed the email, their ARC-Seal can override DMARC failures that might have occurred due to forwarding. This ensures that legitimate emails still reach the inbox, while DMARC continues to protect against direct spoofing. Microsoft provides guidance on configuring trusted ARC sealers in Defender.
Example ARC headers:
ARC-Authentication-Results: i=1; mx.example.org; spf=pass smtp.mailfrom=sender@example.com; dkim=pass header.d=example.com; dmarc=pass action=none header.from=example.com
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=mx.example.org; s=s1; t=1678886400; bh=...; h=...; b=...
ARC-Seal: i=1; a=rsa-sha256; t=1678886400; cv=none; d=mx.example.org; s=s1; b=...
This mechanism allows mail providers to confidently accept emails that would otherwise fail standard authentication checks, significantly improving deliverability for legitimate forwarded mail. For a deeper dive into how to implement ARC, you can refer to our detailed guide.
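The three-headers-per-hop layout and the trusted-sealer decision described above can be checked structurally before any signature is verified. The following Python is an added example, not code from the original article or from Suped: it applies RFC 8617's instance (i=) and chain-validation (cv=) rules to a constructed message. The sample headers, the `check_chain` helper, and the policy of trusting the newest sealer's d= domain are assumptions made for illustration.

```python
from email import message_from_string

# Constructed sample: a message sealed by two hops (signature values elided as "...").
SAMPLE = """\
ARC-Seal: i=2; a=rsa-sha256; t=1678886460; cv=pass; d=lists.example.net; s=s1; b=...
ARC-Message-Signature: i=2; a=rsa-sha256; d=lists.example.net; s=s1; bh=...; h=...; b=...
ARC-Authentication-Results: i=2; lists.example.net; spf=fail; dkim=fail; arc=pass
ARC-Seal: i=1; a=rsa-sha256; t=1678886400; cv=none; d=mx.example.org; s=s1; b=...
ARC-Message-Signature: i=1; a=rsa-sha256; d=mx.example.org; s=s1; bh=...; h=...; b=...
ARC-Authentication-Results: i=1; mx.example.org; spf=pass; dkim=pass; dmarc=pass
From: sender@example.com

constructed body
"""
FIELDS = ("arc-authentication-results", "arc-message-signature", "arc-seal")

def tags(value):
    """Parse a 'k=v; k=v' tag list; tokens without '=' (the authserv-id) are skipped."""
    pairs = (p.split("=", 1) for p in value.split(";") if "=" in p)
    return {k.strip().lower(): v.strip() for k, v in pairs}

def arc_sets(raw):
    """Group ARC header tag lists by instance number; a bad or missing i= lands in 0."""
    sets = {}
    for name, value in message_from_string(raw).items():
        if name.lower() in FIELDS:
            t = tags(value)
            i = int(t["i"]) if t.get("i", "").isdigit() else 0
            sets.setdefault(i, {}).setdefault(name.lower(), []).append(t)
    return sets

def check_chain(raw, trusted_sealers):
    """Structural checks only (no signature verification). Returns (status, reason)."""
    sets = arc_sets(raw)
    if not sets:
        return "none", "no ARC headers"
    if 0 in sets:
        return "fail", "ARC header without a valid i= tag"
    newest = max(sets)
    for i in range(1, newest + 1):
        hop = sets.get(i, {})
        if any(len(hop.get(f, [])) != 1 for f in FIELDS):
            return "fail", f"instance {i} lacks exactly one of each ARC header"
        want = "none" if i == 1 else "pass"  # first seal has no earlier chain to vouch for
        if hop["arc-seal"][0].get("cv") != want:
            return "fail", f"instance {i} should carry cv={want}"
    sealer = sets[newest]["arc-seal"][0].get("d")
    if sealer not in trusted_sealers:
        return "untrusted", f"well-formed chain, but {sealer} is not a trusted sealer"
    return "candidate", f"verify signatures, then weigh the results sealed by {sealer}"
```

A "candidate" result only means the chain is well formed and the newest sealer is on the trusted list; each ARC-Message-Signature and ARC-Seal must still be verified against the sealer's published key before the recorded results are relied on.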

ARC: a necessary complement, not a replacement

The key takeaway is that ARC is designed to work in conjunction with SPF, DKIM, and DMARC, not to replace them. These foundational protocols are still the first line of defense against email fraud. ARC merely extends their functionality by providing a reliable way to preserve authentication status through complex email paths. Without SPF, DKIM, and DMARC, there would be no initial authentication for ARC to record and attest to.

Without ARC

  1. An email sent from sender.com passes SPF/DKIM/DMARC.
  2. Forwarding service (e.g., a mailing list) modifies the email (adds header/footer, changes mail path).
  3. Recipient mail server receives email. SPF fails (forwarding server IP not authorized). DKIM may fail (content modified). DMARC fails because both SPF and DKIM failed or didn't align.
  4. Legitimate email is rejected or sent to spam, impacting deliverability and user experience.

With ARC

  1. An email sent from sender.com passes SPF/DKIM/DMARC.
  2. Forwarding service (e.g., a mailing list) receives email, records original authentication results, modifies email, and then signs it with ARC-Authentication-Results, ARC-Message-Signature, and ARC-Seal.
  3. Recipient mail server receives email. SPF/DKIM may still fail, but it validates the ARC chain. If the ARC chain is valid and from a trusted intermediary, the original authentication status is preserved.
  4. Legitimate email passes DMARC, as ARC overrides the intermediate failures, ensuring inbox delivery.
The Global Cyber Alliance emphasizes that ARC does not replace DMARC, but rather complements it for improved security. All protocols are necessary for a comprehensive email security strategy. This multi-layered approach ensures that your email infrastructure is both secure and resilient against common deliverability challenges. For instance, while ARC ensures sender authenticity after forwarding, it doesn't prevent email spoofing directly in the way DMARC does.

| Protocol | Primary function | Role with forwarding/mailing lists | Replaces others? |
| --- | --- | --- | --- |
| SPF | Authorizes sending IPs for a domain. | Often breaks as forwarding changes source IP. | No |
| DKIM | Verifies email content integrity and sender identity with a digital signature. | Breaks if email content or headers are modified. | No |
| DMARC | Policy for failed SPF/DKIM, reporting on domain email usage. | Fails if underlying SPF/DKIM checks fail for forwarded emails. | No |
| ARC | Preserves original authentication results across intermediaries. | Enables legitimate forwarded emails to pass DMARC. | No |

The complementary nature of ARC, SPF, DKIM, and DMARC

In conclusion, ARC does not replace DMARC or the foundational SPF and DKIM protocols. Instead, it serves as a critical enhancement, enabling email authentication to function effectively in environments where messages are commonly forwarded or processed by intermediaries. Think of SPF, DKIM, and DMARC as the primary security gates for your email, while ARC is a special pass that allows authorized couriers to move packages through those gates without triggering false alarms.
A comprehensive email security strategy requires the implementation of all these protocols. You need SPF to define authorized senders, DKIM to ensure message integrity, and DMARC to enforce policies and gain visibility. ARC then steps in to ensure that your legitimate emails, especially those handled by mailing lists or forwarding services, don't get unfairly blocked or sent to the spam folder. This layered approach is the most effective way to safeguard your domain and ensure optimal email deliverability.
Monitoring the performance of these protocols is crucial for maintaining strong email deliverability and protecting against abuse. Platforms like Suped offer unified DMARC, SPF, and DKIM monitoring with AI-powered recommendations to help you understand your authentication results and take actionable steps. This integrated approach simplifies complex email security tasks and helps you proactively address potential issues, including those related to ARC and email forwarding.
