What is the primary function of the 'arc-authenticated-results' header?

The primary function is to record and preserve the email authentication results (SPF, DKIM, DMARC) at each point an email passes through a trusted intermediary, like a forwarding service or mailing list. This prevents legitimate emails from failing DMARC due to modifications made during transit.

How does ARC prevent DMARC failures?

ARC prevents DMARC failures by providing a verifiable chain of authentication history. Even if SPF or DKIM break after forwarding, the final receiver can validate the ARC chain. This allows the receiver to determine that the email was legitimately authenticated at a previous step, overriding a potential DMARC fail.

What does 'i=' represent in the ARC-Authentication-Results header?

The 'i=' tag represents the ARC instance number. It indicates the position of that specific ARC signer in the chain, starting at 'i=1' for the first signer and incrementing with each subsequent ARC-signing intermediary.

Can I monitor ARC results for my domain?

Yes, you can monitor ARC results through DMARC reporting tools like Suped . These platforms aggregate DMARC reports, which include ARC data, helping you visualize and understand the authentication outcomes for your emails.

What is the 'arc-authenticated-results' header? - ARC - Email authentication - Knowledge base

An illustration of an open email envelope with abstract security elements and arrows, symbolizing the 'arc-authenticated-results' header and email forwarding.

The 'arc-authenticated-results' header is a crucial component of the Authenticated Received Chain (ARC) email authentication standard. When an email is forwarded or sent through a mailing list, its original authentication results (like SPF and DKIM) can break due to changes made during the intermediate hops. This header plays a vital role in preserving those authentication results, allowing downstream mail receivers to verify the email's legitimacy even after modifications.

Without ARC, an email that originally passed SPF and DKIM could fail DMARC checks after being forwarded, potentially leading to it being marked as spam or rejected. The 'arc-authenticated-results' header helps mitigate this problem by providing a verified chain of authentication history. This way, subsequent receivers can trust that the email's authentication status, despite appearing to fail, was valid at a previous point in its journey.

Understanding this header is essential for anyone dealing with email deliverability, especially when managing mailing lists, email forwarding services, or ensuring proper DMARC compliance. It acts as a digital fingerprint, confirming the integrity of the email's authentication status through various intermediaries. This process helps maintain a strong sender reputation and improves inbox placement.

How ARC enhances email authentication

The purpose of ARC

The primary goal of ARC is to preserve the email authentication results (SPF, DKIM, and DMARC) across intermediaries that might alter an email in transit. These alterations, like adding footers or modifying headers, can inadvertently break the original authentication signatures, especially DKIM. Without ARC, these legitimate emails would then fail DMARC verification at the final destination, potentially leading to rejection or placement in the spam folder.

ARC achieves this by creating a chain of 'seals' and 'authentication results' as an email passes through trusted intermediaries. Each intermediary (or ARC signer) adds three new headers: 'ARC-Authentication-Results', 'ARC-Message-Signature', and 'ARC-Seal'. The 'ARC-Authentication-Results' header specifically records the authentication results at that point, ensuring a transparent history of authentication decisions. For a deeper dive into the specific fields, you can explore RFC 8617, the official specification.

This mechanism is particularly beneficial for mailing lists and forwarding services, which inherently modify emails. By allowing mail receivers to trace back the authentication chain, ARC prevents legitimate emails from being incorrectly flagged as spoofed or malicious. It acts as a layer of trust, enabling a more reliable assessment of email authenticity in complex mail flows.

An illustration of a secure, digitally signed document with an unbroken chain link, symbolizing the integrity of ARC headers.

Anatomy of the 'arc-authenticated-results' header

Components of the 'arc-authenticated-results' header

The 'arc-authenticated-results' header encapsulates the authentication decisions made by an ARC-signing intermediary. This header is prefixed with 'ARC-' to distinguish it from the standard 'Authentication-Results' header, which records the final authentication outcome. Essentially, it's a snapshot of the email's authentication status at a specific point in its journey. You can learn more about its specific use in this article on our site.

Example ARC-Authentication-Results headertext

ARC-Authentication-Results: i=1; mx.example.com; spf=pass (sender IP is 192.0.2.1) smtp.mailfrom=sender@example.com; dkim=pass (signature was verified) header.d=example.com; dmarc=pass action=none header.from=example.com;

Let's break down the typical fields you'll find within this header:

i= This is the ARC instance number, indicating its position in the chain. It starts at 1 for the first ARC signer and increments with each subsequent signer.
Auth results: This section provides the results of SPF, DKIM, and DMARC checks performed by the current ARC signer. It will state whether each authentication method passed, failed, or resulted in an error.
Policy decision: It also includes the DMARC policy decision (e.g., 'p=none', 'p=quarantine', 'p=reject') that would have been applied based on these results.

The details within this header are critical for the final recipient's mail server to decide whether to trust the forwarded email. For example, a

Microsoft Defender system might look for specific values like arc=pass and oda=1 in the last ARC-Authentication-Results header to confirm the previous ARC verification and origin domain authentication, as outlined in their documentation.

ARC's role in DMARC success

How ARC works with DMARC

ARC is particularly effective in scenarios where DMARC authentication would otherwise fail. When an email is forwarded, the 'From' domain might remain the same, but the sending IP address (breaking SPF) or the message content (breaking DKIM) can change. A DMARC-compliant receiver would typically see these broken authentications and enforce the DMARC policy, potentially blocking a legitimate email.

Without ARC

SPF breaks: The forwarding server's IP is not authorized by the original sender's SPF record.
DKIM invalidates: Message content changes (e.g., footer added) invalidate the original DKIM signature.
DMARC failure: Both SPF and DKIM fail, leading to DMARC failure and potential rejection or spam classification.

With ARC

ARC-Seal: Intermediate server adds an ARC-Seal, signing the email's state before modification.
ARC-Authentication-Results: Records the initial passing authentication results.
ARC validation: The final receiver validates the ARC chain, allowing DMARC to pass despite intermediate failures.

The 'arc-authenticated-results' header is crucial for allowing mail receivers to properly evaluate the chain validation status of the ARC. This way, legitimate forwarded emails can reach the inbox, preventing unnecessary false positives. For businesses, this translates to better deliverability and reduced spam complaints from their forwarded communications.

If you're looking to monitor your domain's authentication health, including ARC, SPF, DKIM, and DMARC, consider using Suped. Our platform offers comprehensive insights and AI-powered recommendations to simplify email security. Our generous free plan helps you get started.

Understanding ARC statuses

Interpreting the 'arc-status' field

Within the 'arc-authenticated-results' header, you'll often encounter an 'arc-status' field or a similar indicator that summarizes the ARC validation for that particular hop. This status is critical for quickly assessing the integrity of the ARC chain. The most common values you will find are 'pass', 'fail', and 'none'.

Status	Meaning	Impact on deliverability
pass	The ARC-Seal and its associated authentication results were successfully validated.	Indicates trustworthiness, helps DMARC pass even with SPF/DKIM breaks.
fail	The ARC-Seal could not be verified, or the chain was broken or manipulated.	Suggests potential tampering, may lead to DMARC failure or spam classification.
none	No ARC-Seal was present or no ARC evaluation was performed.	ARC cannot provide any additional trust signals for DMARC evaluation.

The 'arc-status' field provides a quick summary. For a more detailed breakdown of this field, refer to our article on the 'arc-status' field. A 'pass' result, especially combined with an 'oda=1' (origin domain authenticated) flag, signals to the receiving server that the email's authentication was valid at some point and that the forwarding entity is trusted. This significantly reduces the likelihood of legitimate emails being blocked or flagged as suspicious due to forwarding. It's an important part of why ARC has gained traction among major email providers.

Proper implementation of ARC is crucial for optimal email deliverability. While ARC helps preserve authentication, it doesn't entirely prevent spam or phishing. It works in conjunction with SPF, DKIM, and DMARC to create a robust email security framework. For more information on implementing ARC, you can read our detailed guide.

Conclusion

Final thoughts on ARC and email security

The 'arc-authenticated-results' header is a fundamental element in the modern email authentication landscape. It provides transparency and trust in complex email delivery paths, particularly those involving forwarding services and mailing lists. By encapsulating historical authentication results, ARC ensures that legitimate emails are not unfairly penalized by strict DMARC policies.

For email senders and administrators, understanding this header and the broader ARC protocol is key to maintaining excellent email deliverability. Tools like Suped are designed to help you navigate these complexities, offering real-time alerts and AI-powered recommendations to simplify email authentication management. We believe that robust email security should be accessible to everyone, and our platform makes it easy to monitor and optimize your domain's performance.