What is the primary function of the ARC-Seal header?

The ARC-Seal header is responsible for cryptographically signing the previous ARC-Authentication-Results and ARC-Message-Signature headers. It also contains the 'cv' tag, which indicates the validation status of the ARC chain, ensuring integrity across forwarding hops.

How does ARC help DMARC for forwarded emails?

ARC helps DMARC by preserving the original email authentication results even after a message has been altered by a legitimate intermediary (like a mailing list). It creates a verifiable chain of custody, allowing the final recipient's mail server to confirm that DMARC failures are due to legitimate forwarding, not spoofing.

What are the common values for the 'cv' tag?

The most common values for the 'cv' tag are 'none', 'pass', and 'fail'. 'None' means no previous ARC-Seal was found. 'Pass' indicates that the preceding ARC-Seal and ARC-Message-Signature headers were valid. 'Fail' means validation of the previous ARC-Seal or ARC-Message-Signature failed.

Can I have DMARC without ARC?

Yes, you can implement DMARC without ARC. However, without ARC, legitimate emails that are forwarded or modified by intermediaries are highly likely to fail DMARC authentication checks. This can lead to these emails being quarantined or rejected, impacting your email deliverability .

What ARC header field indicates the chain validation status? - ARC - Email authentication - Knowledge base

An illustration showing the authenticated received chain concept

Email authentication protocols like SPF and DKIM are crucial for verifying sender identity and combating spoofing. However, a significant challenge arises when emails are forwarded or modified in transit by legitimate intermediaries like mailing lists or email providers. These alterations can cause DMARC authentication to fail, leading to legitimate emails being marked as spam.

The Authenticated Received Chain (ARC) was developed to address this issue by preserving email authentication results across multiple hops. A key component of ARC is a specific header field that indicates the chain validation status, giving receiving mail servers confidence in the email's legitimacy despite modifications. Specifically, the ARC-Seal header contains the 'cv' tag, which communicates the chain validation status.

The challenge of forwarding and DMARC

When an email is forwarded, its original headers can be altered or new ones added. This is a common and legitimate process, for instance, when an email from example.com is sent to a mailing list at mailinglist.org, and then redistributed to its subscribers. The act of redistribution may change the 'From' header, or the email might pass through an intermediary that alters the message body or headers. These changes often break the SPF and DKIM authentication records, causing DMARC to fail.

Without a mechanism to account for these changes, perfectly legitimate emails can be flagged as unauthenticated. This leads to a higher rate of false positives in spam detection and harms the sender's reputation, ultimately impacting deliverability. For organizations relying on email, this can mean critical communications never reach their intended recipients.

DMARC failures due to forwarding are a common headache for senders. Without ARC, legitimate emails passing through intermediate mail servers (like mailing lists or forwarders) can have their SPF or DKIM authentication broken. The receiving mail server, such as

Gmail or

Outlook, would then see these emails as unauthenticated, potentially sending them to spam or rejecting them outright. This is where ARC steps in to preserve trust.

Introducing the Authenticated Received Chain (ARC)

ARC provides a standardized way for intermediate mail servers to sign the email's original authentication results and its current state before forwarding. This creates a 'chain' of authentication results, allowing the final recipient's mail server to verify the legitimacy of the forwarding path. You can learn more about how to implement ARC and its impact on DMARC failures.

The ARC protocol introduces three new header fields: ARC-Authentication-Results, ARC-Message-Signature, and ARC-Seal. Each of these plays a vital role in building and verifying the chain. The ARC-Authentication-Results header (AAR) contains the authentication results from the previous hop. The ARC-Message-Signature header (AMS) provides a cryptographic signature of the message. Finally, the ARC-Seal header ties everything together by signing the ARC chain itself.

The ARC-Seal header and chain validation status

The ARC header field that specifically indicates the chain validation status is the ARC-Seal header. Within this header, the 'cv' tag (short for 'chain validation') provides the outcome of evaluating the existing ARC chain upon arrival at the mail server that is adding this header field. This tag is critical because it tells the next hop, or the final recipient's mail server, whether the previous ARC chain was properly validated.

The 'cv' tag's value reflects whether the previous ARC-Seal and ARC-Message-Signature headers were valid and correctly signed. If the chain is intact and valid, the 'cv' tag will indicate this, allowing subsequent mail servers to trust the original authentication results provided in the ARC-Authentication-Results header. This ensures that a legitimate email forwarded through multiple intermediaries can still pass DMARC. More details can be found in RFC 8617, the official specification for ARC.

The 'cv' tag essentially serves as a trust indicator for the entire chain of custody. A receiving server can examine the 'cv' tag to determine if the preceding ARC elements were correctly formed and signed, thereby confirming that the email hasn't been tampered with since the last legitimate ARC-signing entity. Understanding the role of the 'cv' tag is key to grasping ARC's functionality.

Example ARC-Seal header with 'cv' tagemail-header

ARC-Seal: i=1; a=rsa-sha256; t=1678886400; cv=pass;
 s=arcselector; d=example.org;
 bh=AbCdEfGhIjKlMnOpQrStUvWxYz+=
 b=SignatureValue

Interpreting chain validation results

The 'cv' tag within the ARC-Seal header can have different values, each indicating a specific status of the ARC chain's validation. These values are crucial for email receivers to decide whether to trust the preserved authentication results or to treat the email as potentially suspicious.

Understanding these values helps in diagnosing deliverability issues and ensuring that your emails are correctly authenticated even after being forwarded. Properly configured ARC implementations contribute significantly to maintaining a positive sender reputation and improving inbox placement. The chain of authentication results is only as strong as its weakest link.

Value	Meaning	Implication
none	No previous ARC-Seal was found or validated.	The email has not traversed any ARC-signing intermediaries, or no valid ARC chain could be established.
pass	The previous ARC-Seal and ARC-Message-Signature headers were valid.	The ARC chain is intact, and previous authentication results can be trusted for DMARC evaluation.
fail	Validation of the previous ARC-Seal or ARC-Message-Signature failed.	Indicates a potential issue with the ARC chain, possibly due to tampering or misconfiguration. Requires further investigation.

ARC's impact on email deliverability

The primary benefit of ARC is its ability to ensure that legitimate emails, even after modification or forwarding, can still pass DMARC authentication. This directly translates to improved email deliverability. Without ARC, these emails would frequently land in spam folders, or be rejected entirely, frustrating both senders and recipients.

Without ARC

When an email is forwarded, changes to headers or content can invalidate SPF and DKIM, leading to DMARC failure. This often results in emails being treated as suspicious.

Reputation impact: Sender reputation can suffer when legitimate forwarded emails are flagged as spam by ISPs like Microsoft or Google.
Deliverability issues: Legitimate messages may be quarantined or rejected due to DMARC failures, never reaching the inbox.

With ARC

ARC preserves the original authentication results, allowing receiving servers to distinguish legitimate forwarding from malicious spoofing, even if SPF/DKIM break.

Reputation protection: By maintaining the authenticity of forwarded emails, ARC helps protect and even enhance sender reputation.
Improved inbox placement: DMARC-compliant emails with a valid ARC chain are far more likely to land in the primary inbox.

An illustration showing the successful validation of an ARC seal.

Monitoring ARC and DMARC for optimal performance

While ARC solves a critical problem for forwarded emails, its effectiveness relies on proper implementation and ongoing monitoring. Understanding when your emails are being forwarded and how their ARC chain is being validated is crucial for maintaining consistent deliverability. This is where a robust DMARC monitoring solution becomes invaluable.

Platforms like Suped offer comprehensive DMARC monitoring that includes insights into ARC validation. Our AI-powered recommendations tell you exactly what actions to take to fix authentication issues, ensuring your legitimate emails always reach their destination. With our generous free plan, it's never been easier to take control of your email security.

Ensuring email integrity with ARC

The 'cv' tag within the ARC-Seal header is a small but mighty component of the ARC protocol. It serves as a vital signal for email servers, indicating whether the chain of authentication results remains valid through various intermediaries. This mechanism is indispensable for preventing legitimate, forwarded emails from being mistakenly flagged as spam due to DMARC authentication failures.

By understanding and properly implementing ARC, organizations can significantly improve their email deliverability rates and protect their sender reputation. As email authentication standards continue to evolve, ARC stands out as a crucial tool in the ongoing effort to secure email communications and ensure they reach the inbox consistently.