Suped

Does ARC validate the 'From' address?

Michael Ko
Co-founder & CEO, Suped
Published 16 Jul 2025
Updated 1 Nov 2025
Email authentication protocols like SPF, DKIM, and DMARC are crucial for verifying sender legitimacy and preventing spam or phishing. However, these protocols face challenges when emails are forwarded or sent through mailing lists, often leading to DMARC failures. This is where Authenticated Received Chain (ARC) comes into play, aiming to preserve authentication results across intermediaries.
A common question arises regarding ARC's capabilities: Does ARC validate the 'From' address? To fully understand ARC's function, it is important to distinguish between the various email addresses and headers involved in email transmission and authentication.
This article will explore the nuances of the 'From' address, the limitations of traditional email authentication methods, and how ARC works to maintain a chain of trust, even though it doesn't directly validate the 'From' address itself.

Understanding the 'From' address

The 'From' address, officially known as the RFC 5322 From header address, is what recipients see in their email client. It's the friendly name and email address that appears to be the sender. This address is distinct from the 'Mail-From' (or envelope 'From') address used by SPF, and from the domain in the 'd=' tag of a DKIM signature. While it's the most visible identifier, it's also the easiest to spoof, making email authentication protocols essential for verifying its legitimacy indirectly.
DMARC policies are designed to check the alignment between the 'From' header domain and the domains authenticated by SPF and DKIM. This means that while SPF and DKIM don't directly validate the 'From' header, DMARC uses their authenticated domains to ensure they match the domain in the visible 'From' address. If they don't align, the email might fail DMARC authentication, potentially leading to it being rejected or quarantined.

The 'From' address and DMARC

  1. Visibility: The 'From' address is what the end-user sees in their email client, making it critical for brand identity and trust.
  2. Alignment: For DMARC to pass, the domain in the 'From' header must align with the domain that passed SPF or DKIM. To learn more, read about how DMARC authenticates the From header.
  3. Spoofing Risk: Without proper authentication, the 'From' address can be easily forged by attackers, making email authentication vital.

The limitations of SPF, DKIM, and DMARC with forwarding

While SPF, DKIM, and DMARC are powerful, they have limitations. SPF, which checks if an email originated from an IP address authorized by the sending domain, breaks when an email is forwarded because the forwarding server's IP address will differ from the original sender's authorized IPs. Similarly, DKIM, which relies on a cryptographic signature of the email's headers and body, can break if the email content or certain headers are altered by a forwarding service or mailing list.
When SPF or DKIM fail due to forwarding, DMARC, which depends on their successful authentication and alignment, will also fail. This can lead to legitimate emails being marked as spam or rejected, even if they originated from a trustworthy source. This issue prompted the development of ARC, designed to preserve the authentication history across intermediate hops.

How SPF and DKIM work

  1. SPF: Verifies the sending server's IP against a list of authorized IPs in the sender's SPF record. It authenticates the 'Mail-From' address, not the 'From' header.
  2. DKIM: Uses a cryptographic signature attached to the email, which can be verified using a public key published in the sender's DNS. It authenticates the domain that signed the email.

Why they break with forwarding

  1. SPF Failure: Forwarding changes the sending IP, causing SPF to fail. This is a common issue for mailing lists and personal forwarders.
  2. DKIM Invalidation: Mailing lists often modify email headers or body content, which can break the original DKIM signature. Learn more about how to fix DKIM body hash mismatch failures.
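
The alignment rule and the forwarding failure described above, as an added example (not Suped's code). The domains and verdicts are constructed sample values, and `org_domain` is a simplified stand-in for a Public Suffix List lookup.

```python
from email.utils import parseaddr

def org_domain(domain):
    # Assumption for brevity: the last two labels form the organizational domain.
    # Production DMARC evaluators derive it from the Public Suffix List.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(from_domain, auth_domain):
    # Relaxed alignment: both names share one organizational domain.
    return bool(auth_domain) and org_domain(from_domain) == org_domain(auth_domain)

def dmarc_eval(hop):
    """Evaluate DMARC from the identifiers and SPF/DKIM verdicts seen at one hop."""
    from_domain = parseaddr(hop["from_header"])[1].rpartition("@")[2]
    spf_ok = hop["spf"] == "pass" and aligned(from_domain, hop["mail_from_domain"])
    dkim_ok = hop["dkim"] == "pass" and aligned(from_domain, hop["dkim_d"])
    return {"from_domain": from_domain, "spf_aligned": spf_ok, "dkim_aligned": dkim_ok,
            "dmarc": "pass" if (spf_ok or dkim_ok) else "fail"}

# Constructed sample hops; every value below is made up for illustration.
FROM = '"Example Billing" <billing@example.com>'

# Delivered straight from the sender's own infrastructure.
DIRECT = {"from_header": FROM, "spf": "pass", "mail_from_domain": "bounces.example.com",
          "dkim": "pass", "dkim_d": "example.com"}

# Same message after a list added a footer and relayed it from its own IP:
# SPF fails on the new IP, DKIM fails on the changed body.
FORWARDED = {"from_header": FROM, "spf": "fail", "mail_from_domain": "bounces.example.com",
             "dkim": "fail", "dkim_d": "example.com"}

# SPF and DKIM both pass, but for a domain other than the visible From.
UNALIGNED = {"from_header": FROM, "spf": "pass", "mail_from_domain": "mailer.example.org",
             "dkim": "pass", "dkim_d": "example.org"}

if __name__ == "__main__":
    for name, hop in (("direct", DIRECT), ("forwarded", FORWARDED), ("unaligned", UNALIGNED)):
        print(name, dmarc_eval(hop))
```
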

ARC's role in preserving authentication

ARC (Authenticated Received Chain) acts as a chain of custody for email authentication results. When an email passes through an intermediate server, such as a mailing list or forwarding service, that server can apply its own ARC Seal, essentially vouching for the email's prior authentication status before any modifications were made. This chain of trust allows the final recipient mail server to evaluate the email's legitimacy even if SPF or DKIM fail at their specific hop.
Crucially, ARC does not validate the 'From' address directly. Instead, it captures and preserves the Authentication-Results header from the previous hop, along with a cryptographic signature of key email headers. The final receiving server can then verify this ARC chain. If the chain is valid, the receiver can choose to override a DMARC failure that resulted from forwarding, treating the email as authenticated due to the preserved history.
While ARC doesn't directly validate the 'From' address, it plays an indirect but vital role in ensuring email sender authenticity when emails traverse multiple systems. It allows recipient servers to see the email's original authentication status before it was potentially altered by a legitimate intermediary. Without ARC, many forwarded legitimate emails would fail DMARC checks, leading to deliverability issues. Therefore, ARC addresses a significant gap in the existing email authentication framework.
ARC's primary function is not to re-validate the 'From' address but to let the receiver verify the integrity of the authentication chain itself. This allows DMARC policies to be applied more accurately in complex email flows. For example, Microsoft 365 uses ARC validation, and issues can arise if the ARC chain is broken or improperly signed, as highlighted in some support cases related to forwarding emails.
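
What a receiver can read from an ARC chain, as an added example (not Suped's code): it groups the ARC-Seal, ARC-Message-Signature and ARC-Authentication-Results headers by instance, applies the structural chain rules from RFC 8617, and returns the results the first hop recorded. It does not perform the cryptographic verification of the seals and signatures that a real validator must also do; all hostnames and header values are constructed.

```python
import re
from email import message_from_string

ARC_HEADERS = ("ARC-Seal", "ARC-Message-Signature", "ARC-Authentication-Results")

# Constructed sample (not from the article): a list (i=1) and a forwarder (i=2)
# each added an ARC set. b=/bh= values are placeholders, so nothing is verifiable.
RAW = """\
ARC-Seal: i=2; a=rsa-sha256; cv=pass; d=forwarder.example.org; s=arc; b=PLACEHOLDER
ARC-Message-Signature: i=2; a=rsa-sha256; d=forwarder.example.org; s=arc; h=from:subject; bh=PLACEHOLDER; b=PLACEHOLDER
ARC-Authentication-Results: i=2; forwarder.example.org; spf=fail smtp.mailfrom=example.com; dkim=fail header.d=example.com; dmarc=fail header.from=example.com; arc=pass
ARC-Seal: i=1; a=rsa-sha256; cv=none; d=lists.example.net; s=arc; b=PLACEHOLDER
ARC-Message-Signature: i=1; a=rsa-sha256; d=lists.example.net; s=arc; h=from:subject; bh=PLACEHOLDER; b=PLACEHOLDER
ARC-Authentication-Results: i=1; lists.example.net; spf=pass smtp.mailfrom=example.com; dkim=pass header.d=example.com; dmarc=pass header.from=example.com
From: Alice <alice@example.com>
Subject: [list] hello

body
"""

def arc_sets(msg):
    """Group ARC header values by their instance tag (i=N)."""
    sets = {}
    for name in ARC_HEADERS:
        for value in msg.get_all(name, []):
            m = re.match(r"\s*i\s*=\s*(\d+)\s*;", value)
            key = int(m.group(1)) if m else None
            sets.setdefault(key, {}).setdefault(name, []).append(value)
    return sets

def chain_structure_ok(sets):
    """Structural checks only: contiguous i=1..N, one header of each kind, cv rules."""
    if not sets or set(sets) != set(range(1, len(sets) + 1)):
        return False
    for i, hdrs in sets.items():
        if any(len(hdrs.get(h, [])) != 1 for h in ARC_HEADERS):
            return False
        cv = re.search(r"\bcv\s*=\s*(\w+)", hdrs["ARC-Seal"][0])
        if not cv or cv.group(1) != ("none" if i == 1 else "pass"):
            return False
    return True

def recorded_results(aar):
    """Parse 'i=N; authserv-id; method=result ...' into {method: result}."""
    parts = aar.split(";")[2:]
    return {m.group(1): m.group(2) for m in (re.match(r"\s*(\w+)=(\w+)", p) for p in parts) if m}

def summarize(raw):
    msg = message_from_string(raw)
    sets = arc_sets(msg)
    ok = chain_structure_ok(sets)
    first = recorded_results(sets[1]["ARC-Authentication-Results"][0]) if ok else {}
    # The From header is carried along unchanged; ARC only preserves what hop 1 reported.
    return {"structure_ok": ok, "hops": len(sets), "first_hop": first, "from": msg["From"]}
```

In the sample, the forwarder at i=2 sees SPF, DKIM and DMARC fail, while the i=1 set still shows that the list saw all three pass for `header.from=example.com`; the 'From' header itself appears only as a value inside those recorded results.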

The collective strength of email authentication protocols

In summary, ARC does not validate the 'From' address directly. Its purpose is to preserve the authentication results generated by SPF and DKIM across forwarding hops and mailing lists. It provides a verifiable history of authentication that recipient servers can trust, even when intermediate changes would otherwise cause DMARC to fail. This ensures that legitimate forwarded emails, which might otherwise be blocked, can still reach the inbox, ultimately enhancing email deliverability.
Implementing DMARC, along with SPF and DKIM, is essential for robust email security. ARC complements these protocols by addressing their limitations in complex scenarios like email forwarding. Together, they create a comprehensive framework that helps prevent email spoofing (fake emails) and phishing while ensuring legitimate communications are delivered reliably. Understanding these protocols is key to maintaining a strong email presence.
For complete visibility into your email authentication, including DMARC and ARC results, consider using a DMARC monitoring tool. Suped provides AI-powered recommendations to help you fix issues and strengthen your policy, offering real-time alerts and a unified platform for all your email security needs. Our generous free plan makes advanced DMARC monitoring accessible for everyone.
