Does ARC require a DNS record for setup?

The short answer is yes, Authenticated Received Chain (ARC) does rely on DNS records to function correctly. However, it's not quite as straightforward as setting up a single, simple DNS record like you would for SPF or DMARC. ARC is an email authentication protocol designed to preserve email authentication results (like SPF and DKIM) when an email is forwarded, for example, by a mailing list or a forwarding service.

When an email passes through an intermediary (a “handler” in ARC terminology), that intermediary can sign the email with an ARC seal. This seal essentially says, “I received this email, and here were the original authentication results. I am now passing it along.” This process uses a cryptographic signature, much like DKIM.

Sendmarc says:
ARC helps receiving mail servers validate emails that have been forwarded or relayed through intermediate servers. It preserves the initial email authentication results (SPF, DKIM, DMARC), which often break during forwarding, and adds a new layer of authentication to verify the path the email has taken.

For a receiving server to verify this ARC seal, it needs access to a public key. This public key is published in your domain's DNS, typically as a TXT record. So, while you might not create an "ARC record" in the same way you create a DMARC record, you do need to configure a DNS record that holds the public key for ARC validation.

How ARC uses DNS

The process is very similar to how DKIM works. An ARC-signing mail server uses a private key to create a signature and adds it to the email's headers. The corresponding public key is then published in a DNS TXT record. Anyone who wants to verify the signature can look up this public key in DNS.

The official RFC for ARC confirms this reliance on DNS, noting that validating a chain of ARC signatures can require multiple DNS lookups. This highlights just how integral DNS is to the entire ARC validation process.

IETF Datatracker says:
The validation of an Authenticated Received Chain composed of N ARC Sets can require up to 2*N DNS lookups. This includes DNS queries for the public keys of the ARC-Signatures and possibly also queries for the DNS-based policy of the domain found in the From header field.

This setup can sometimes cause confusion. As seen in a GitHub thread for OpenARC, users can struggle to set the correct DNS settings, sometimes attempting to reuse existing DKIM keys, which further complicates the setup. The record itself typically lives at a specific selector, for example: selector._arc.yourdomain.com.
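
To make the lookup behaviour described in this section concrete, here is an added Python example (not code from the RFC, OpenARC or any vendor quoted here). It groups the ARC header fields of a constructed message into ARC Sets by their i= tag, rejects an incomplete chain, and lists the selector and domain behind each signature, which are the keys a validator has to fetch from DNS. The sample message, its domains and its selectors are invented; the limit of 50 sets is the i= range from RFC 8617.

```python
import re
from email import message_from_string

# Constructed sample: a message sealed by two ARC handlers. Domains, selectors
# and signature values are invented for this example.
SAMPLE = """\
ARC-Seal: i=2; a=rsa-sha256; cv=pass; d=lists.example.org; s=arc2024;
 t=1700000200; b=AAAA
ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed;
 d=lists.example.org; s=arc2024; h=from:to:subject; bh=BBBB; b=CCCC
ARC-Authentication-Results: i=2; lists.example.org; arc=pass
ARC-Seal: i=1; a=rsa-sha256; cv=none; d=forwarder.example.net; s=seal;
 t=1700000100; b=DDDD
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed;
 d=forwarder.example.net; s=msg; h=from:to:subject; bh=EEEE; b=FFFF
ARC-Authentication-Results: i=1; forwarder.example.net; spf=pass; dkim=pass
From: alice@example.com

body
"""

ARC_HEADERS = ("ARC-Authentication-Results", "ARC-Message-Signature", "ARC-Seal")
MAX_SETS = 50  # RFC 8617 limits the instance tag i= to 1..50

def parse_tags(value):
    """Parse a DKIM-style tag list ("i=1; d=example.org; ...") into a dict."""
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            key, val = part.split("=", 1)
            tags[key.strip()] = re.sub(r"\s+", "", val)  # also removes header folding
    return tags

def arc_key_lookups(raw_message):
    """Return (N, key reference per signature, distinct keys to fetch from DNS)."""
    sets = {}
    for name in ARC_HEADERS:
        for value in message_from_string(raw_message).get_all(name, []):
            tags = parse_tags(value)
            arc_set = sets.setdefault(int(tags["i"]), {})
            if name in arc_set:
                raise ValueError(f"duplicate {name} for i={tags['i']}")
            arc_set[name] = (tags.get("s"), tags.get("d"))
    n = len(sets)
    complete = all(len(s) == 3 for s in sets.values())
    if n > MAX_SETS or sorted(sets) != list(range(1, n + 1)) or not complete:
        raise ValueError("ARC chain is incomplete, non-contiguous or too long")
    signed = [sets[i][h] for i in sorted(sets) for h in ARC_HEADERS[1:]]
    return n, signed, sorted(set(signed))
```

For the sample, the two ARC Sets carry four signatures but only three distinct keys, because the second handler signs both of its header fields with the same selector; a validator that caches key records issues fewer queries than the 2*N upper bound.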

Prerequisites for setting up ARC

Before you can even think about implementing ARC, you need to have your foundational email authentication protocols in place. ARC is not a replacement for SPF, DKIM, or DMARC; it's a layer on top of them.

  • SPF and DKIM: These must be properly configured and passing for your domain. ARC's purpose is to preserve these results, so they need to exist in the first place. As cPanel notes, "Both DKIM and SPF must be enabled to use ARC."
  • DMARC: While not a strict technical requirement for ARC to function, the entire point of ARC is to help legitimate, forwarded emails pass DMARC checks. Without a DMARC policy in place, the value of ARC is significantly diminished.

Setting up ARC can be a technical task involving server configurations and DNS management, which can be challenging. It's important to get it right to ensure that your forwarded emails don't face deliverability issues.

InboxDoctor says:
This Can Get Technical—Let Experts Handle It! Configuring ARC involves diving into server settings, DNS records, and more, which can be overwhelming. That's why our team is here to help.

Conclusion

To sum it up, yes, a DNS record is required for ARC. It's not a new type of record but a TXT record containing a public key, published in a way that's very similar to DKIM. This DNS record allows receiving mail servers to verify the ARC signatures attached to forwarded emails, helping to preserve the original sender's authentication and improve email deliverability.